Imported gnutls based branch.

diff --git a/Makefile.am b/Makefile.am
index eb800e1..072360c 100644 (file)
--- a/Makefile.am
+++ b/Makefile.am
@@ -12,7 +12,7 @@ ChangeLog:
        cvs2cl -U cvsusers --fsf
 
 svn-clean: maintainer-clean
        cvs2cl -U cvsusers --fsf
 
 svn-clean: maintainer-clean

-       svn status --no-ignore | grep '^\?' | sed 's/^\? \+//g' | xargs rm -rf
+       svn status --no-ignore | sed -n 's/^\? \+//p' | tr '\012' '\0' | xargs -r0 rm -rf

 
 deb:
        dpkg-buildpackage -rfakeroot
 
 deb:
        dpkg-buildpackage -rfakeroot

diff --git a/configure.in b/configure.in
index 708f171..be60b04 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -5,7 +5,7 @@ dnl $Id: configure.in,v 1.13.2.86 2004/01/10 23:21:36 guus Exp $
 AC_PREREQ(2.59)
 AC_INIT
 AC_CONFIG_SRCDIR([src/tincd.c])
 AC_PREREQ(2.59)
 AC_INIT
 AC_CONFIG_SRCDIR([src/tincd.c])

-AM_INIT_AUTOMAKE(tinc, 1.0-cvs)
+AM_INIT_AUTOMAKE(tinc, 1.0-gnutls)

 AC_CONFIG_HEADERS([config.h])
 AM_MAINTAINER_MODE
 
 AC_CONFIG_HEADERS([config.h])
 AM_MAINTAINER_MODE
 


@@ -279,7 +279,8 @@ case $host_os in
   ;;
 esac
 
   ;;
 esac
 

-tinc_OPENSSL
+dnl tinc_OPENSSL
+AM_PATH_LIBGNUTLS([1.0.4], [], [AC_MSG_ERROR([GNUTLS library not found.]); break;])

 tinc_ZLIB
 tinc_LZO
 
 tinc_ZLIB
 tinc_LZO
 

diff --git a/lib/fake-getaddrinfo.c b/lib/fake-getaddrinfo.c
index 14420b5..734f50a 100644 (file)
--- a/lib/fake-getaddrinfo.c
+++ b/lib/fake-getaddrinfo.c
@@ -64,7 +64,7 @@ static struct addrinfo *malloc_ai(uint16_t port, uint32_t addr)
 
 int getaddrinfo(const char *hostname, const char *servname, const struct addrinfo *hints, struct addrinfo **res)
 {
 
 int getaddrinfo(const char *hostname, const char *servname, const struct addrinfo *hints, struct addrinfo **res)
 {

-       struct addrinfo *prev = NULL;
+       struct addrinfo *ai, *prev = NULL;

        struct hostent *hp;
        struct in_addr in = {0};
        int i;
        struct hostent *hp;
        struct in_addr in = {0};
        int i;


@@ -92,12 +92,14 @@ int getaddrinfo(const char *hostname, const char *servname, const struct addrinf
                return EAI_NODATA;
 
        for (i = 0; hp->h_addr_list[i]; i++) {
                return EAI_NODATA;
 
        for (i = 0; hp->h_addr_list[i]; i++) {

-               *res = malloc_ai(port, ((struct in_addr *)hp->h_addr_list[i])->s_addr);
+               *ai = malloc_ai(port, ((struct in_addr *)hp->h_addr_list[i])->s_addr);

 
                if(prev)
                        prev->ai_next = *res;
 
                if(prev)
                        prev->ai_next = *res;

+               else
+                       *res = ai;

 
 

-               prev = *res;
+               prev = ai;

        }
 
        return 0;
        }
 
        return 0;

diff --git a/po/nl.po b/po/nl.po
index d06f7c5..4ef1fce 100644 (file)
--- a/po/nl.po
+++ b/po/nl.po
@@ -1,13 +1,13 @@
 # Dutch messages for tinc
 # Dutch messages for tinc

-# Copyright (C) 1999-2004 Ivo Timmermans, Guus Sliepen.
+# Copyright (C) 1999-2001 Ivo Timmermans, Guus Sliepen.

 # Ivo Timmermans <ivo@o2w.nl>, 1999-2003.
 # Guus Sliepen <guus@sliepen.eu.org>, 2000-2003.
 msgid ""
 msgstr ""
 # Ivo Timmermans <ivo@o2w.nl>, 1999-2003.
 # Guus Sliepen <guus@sliepen.eu.org>, 2000-2003.
 msgid ""
 msgstr ""

-"Project-Id-Version: tinc 1.0-svn\n"
+"Project-Id-Version: tinc 1.0-cvs\n"

 "Report-Msgid-Bugs-To: tinc-devel@nl.linux.org\n"
 "Report-Msgid-Bugs-To: tinc-devel@nl.linux.org\n"

-"POT-Creation-Date: 2004-03-15 19:28+0100\n"
-"PO-Revision-Date: 2004-03-15 19:28+0100\n"
+"POT-Creation-Date: 2004-03-15 23:20+0100\n"
+"PO-Revision-Date: 2003-10-11 16:21+0200\n"

 "Last-Translator: Guus Sliepen <guus@sliepen.eu.org>\n"
 "Language-Team: Dutch <vertaling@nl.linux.org>\n"
 "MIME-Version: 1.0\n"
 "Last-Translator: Guus Sliepen <guus@sliepen.eu.org>\n"
 "Language-Team: Dutch <vertaling@nl.linux.org>\n"
 "MIME-Version: 1.0\n"


@@ -55,29 +55,29 @@ msgstr ""
 msgid "Cannot open config file %s: %s"
 msgstr "Kan configuratie bestand %s niet openen: %s"
 
 msgid "Cannot open config file %s: %s"
 msgstr "Kan configuratie bestand %s niet openen: %s"
 

-#: src/conf.c:390
+#: src/conf.c:385

 #, c-format
 msgid "No value for variable `%s' on line %d while reading config file %s"
 msgstr ""
 "Geen waarde voor variabele `%s' op regel %d tijdens het lezen van "
 "configuratie bestand %s"
 
 #, c-format
 msgid "No value for variable `%s' on line %d while reading config file %s"
 msgstr ""
 "Geen waarde voor variabele `%s' op regel %d tijdens het lezen van "
 "configuratie bestand %s"
 

-#: src/conf.c:421
+#: src/conf.c:416

 #, c-format
 msgid "Failed to read `%s': %s"
 msgstr "Lezen van `%s' mislukte: %s"
 
 #, c-format
 msgid "Failed to read `%s': %s"
 msgstr "Lezen van `%s' mislukte: %s"
 

-#: src/conf.c:443
+#: src/conf.c:438

 #, c-format
 msgid "Please enter a file to save %s to [%s]: "
 msgstr "Geef een bestand om de %s naar de schrijven [%s]: "
 
 #, c-format
 msgid "Please enter a file to save %s to [%s]: "
 msgstr "Geef een bestand om de %s naar de schrijven [%s]: "
 

-#: src/conf.c:450
+#: src/conf.c:445

 #, c-format
 msgid "Error while reading stdin: %s\n"
 msgstr "Fout tijdens lezen van standaardinvoer: %s\n"
 
 #, c-format
 msgid "Error while reading stdin: %s\n"
 msgstr "Fout tijdens lezen van standaardinvoer: %s\n"
 

-#: src/conf.c:482
+#: src/conf.c:477

 #, c-format
 msgid "Error opening file `%s': %s\n"
 msgstr "Fout bij het openen van het bestand `%s': %s\n"
 #, c-format
 msgid "Error opening file `%s': %s\n"
 msgstr "Fout bij het openen van het bestand `%s': %s\n"


@@ -90,50 +90,56 @@ msgstr "iedereen"
 msgid "BROADCAST"
 msgstr "BROADCAST"
 
 msgid "BROADCAST"
 msgstr "BROADCAST"
 

-#: src/connection.c:120
+#: src/connection.c:105

 msgid "Connections:"
 msgstr "Verbindingen:"
 
 msgid "Connections:"
 msgstr "Verbindingen:"
 

-#: src/connection.c:124
-#, c-format
-msgid " %s at %s options %lx socket %d status %04x"
+#: src/connection.c:109
+#, fuzzy, c-format
+msgid ""
+" %s at %s options %lx socket %d cipher %s digest %s compression %s kx method "
+"%s status %04x"

 msgstr " %s op %s opties %lx socket %d status %04x"
 
 msgstr " %s op %s opties %lx socket %d status %04x"
 

-#: src/connection.c:128
+#: src/connection.c:118

 msgid "End of connections."
 msgstr "Einde van verbindingen."
 
 msgid "End of connections."
 msgstr "Einde van verbindingen."
 

-#: src/meta.c:46
+#: src/meta.c:42

 #, c-format
 msgid "Sending %d bytes of metadata to %s (%s)"
 msgstr "Verzenden van %d bytes metadata naar %s (%s)"
 
 #, c-format
 msgid "Sending %d bytes of metadata to %s (%s)"
 msgstr "Verzenden van %d bytes metadata naar %s (%s)"
 

-#: src/meta.c:52
-#, c-format
-msgid "Error while encrypting metadata to %s (%s): %s"
-msgstr "Fout tijdens versleutelen van metadata naar %s (%s): %s"
-
-#: src/meta.c:65 src/meta.c:118
+#: src/meta.c:50 src/meta.c:114

 #, c-format
 msgid "Connection closed by %s (%s)"
 msgstr "Verbinding beëindigd door %s (%s)"
 
 #, c-format
 msgid "Connection closed by %s (%s)"
 msgstr "Verbinding beëindigd door %s (%s)"
 

-#: src/meta.c:70
+#: src/meta.c:55

 #, c-format
 msgid "Sending meta data to %s (%s) failed: %s"
 msgstr "Fout tijdens verzenden metadata naar %s (%s): %s"
 
 #, c-format
 msgid "Sending meta data to %s (%s) failed: %s"
 msgstr "Fout tijdens verzenden metadata naar %s (%s): %s"
 

-#: src/meta.c:123
+#: src/meta.c:97
+msgid "Continuing handshake..."
+msgstr ""
+
+#: src/meta.c:100
+#, fuzzy, c-format
+msgid "Handshake with %s (%s) completed!"
+msgstr "Verbinding met %s (%s) geactiveerd"
+
+#: src/meta.c:106
+#, fuzzy, c-format
+msgid "Handshake with %s (%s) failed: %s"
+msgstr "Fout tijdens verzenden metadata naar %s (%s): %s"
+
+#: src/meta.c:119

 #, c-format
 msgid "Metadata socket read error for %s (%s): %s"
 msgstr "Fout op metadata socket voor %s (%s) tijdens lezen: %s"
 
 #, c-format
 msgid "Metadata socket read error for %s (%s): %s"
 msgstr "Fout op metadata socket voor %s (%s) tijdens lezen: %s"
 

-#: src/meta.c:138
-#, c-format
-msgid "Error while decrypting metadata from %s (%s): %s"
-msgstr "Fout tijdens ontsleutelen van metadata van %s (%s): %s"
-
-#: src/meta.c:191
+#: src/meta.c:172

 #, c-format
 msgid "Metadata read buffer overflow for %s (%s)"
 msgstr "Metadata leesbuffer overloop voor %s (%s)"
 #, c-format
 msgid "Metadata read buffer overflow for %s (%s)"
 msgstr "Metadata leesbuffer overloop voor %s (%s)"


@@ -191,329 +197,343 @@ msgstr "Legen taakrij"
 msgid "Unable to reread configuration file, exitting."
 msgstr "Kan configuratiebestand niet herlezen, beëindigen."
 
 msgid "Unable to reread configuration file, exitting."
 msgstr "Kan configuratiebestand niet herlezen, beëindigen."
 

-#: src/net_packet.c:75
-#, c-format
+#: src/net_packet.c:70
+#, fuzzy, c-format

 msgid "No response to MTU probes from %s (%s)"
 msgid "No response to MTU probes from %s (%s)"

-msgstr "Geen antwoord van %s (%s) op MTU probes"
+msgstr "%d pakketten van %s (%s) verloren"

 
 

-#: src/net_packet.c:82
+#: src/net_packet.c:77

 #, c-format
 msgid "Fixing MTU of %s (%s) to %d after %d probes"
 #, c-format
 msgid "Fixing MTU of %s (%s) to %d after %d probes"

-msgstr "MTU van %s (%s) vastgezet op %d na %d probes"
+msgstr ""

 
 

-#: src/net_packet.c:94
-#, c-format
+#: src/net_packet.c:89
+#, fuzzy, c-format

 msgid "Sending MTU probe length %d to %s (%s)"
 msgid "Sending MTU probe length %d to %s (%s)"

-msgstr "Verzending MTU probe lengte %d naar %s (%s)"
+msgstr "Verzending %s naar %s (%s)"

 
 

-#: src/net_packet.c:107
-#, c-format
+#: src/net_packet.c:102
+#, fuzzy, c-format

 msgid "Got MTU probe length %d from %s (%s)"
 msgid "Got MTU probe length %d from %s (%s)"

-msgstr "Kreeg MTU probe met verkeerde lengte %d van %s (%s)"
+msgstr "Kreeg verkeerde %s van %s (%s)"

 
 

-#: src/net_packet.c:164
+#: src/net_packet.c:159

 #, c-format
 msgid "Received packet of %d bytes from %s (%s)"
 msgstr "Ontvangst pakket van %d bytes van %s (%s)"
 
 #, c-format
 msgid "Received packet of %d bytes from %s (%s)"
 msgstr "Ontvangst pakket van %d bytes van %s (%s)"
 

-#: src/net_packet.c:185 src/route.c:108
+#: src/net_packet.c:181 src/route.c:108

 #, c-format
 msgid "Got too short packet from %s (%s)"
 msgstr "Kreeg te kort pakket van %s (%s)"
 
 #, c-format
 msgid "Got too short packet from %s (%s)"
 msgstr "Kreeg te kort pakket van %s (%s)"
 

-#: src/net_packet.c:198
+#: src/net_packet.c:195

 #, c-format
 msgid "Got unauthenticated packet from %s (%s)"
 msgstr "Kreeg niet-geauthenticeerd pakket van %s (%s)"
 
 #, c-format
 msgid "Got unauthenticated packet from %s (%s)"
 msgstr "Kreeg niet-geauthenticeerd pakket van %s (%s)"
 

-#: src/net_packet.c:213
+#: src/net_packet.c:210

 #, c-format
 msgid "Error decrypting packet from %s (%s): %s"
 msgstr "Fout tijdens ontsleutelen pakket van %s (%s): %s"
 
 #, c-format
 msgid "Error decrypting packet from %s (%s): %s"
 msgstr "Fout tijdens ontsleutelen pakket van %s (%s): %s"
 

-#: src/net_packet.c:229
-#, c-format
-msgid "Lost %d packets from %s (%s)"
+#: src/net_packet.c:235
+#, fuzzy, c-format
+msgid "Lost %u packets from %s (%s)"

 msgstr "%d pakketten van %s (%s) verloren"
 
 msgstr "%d pakketten van %s (%s) verloren"
 

-#: src/net_packet.c:235
-#, c-format
-msgid "Got late or replayed packet from %s (%s), seqno %d, last received %d"
+#: src/net_packet.c:241
+#, fuzzy, c-format
+msgid "Got late or replayed packet from %s (%s), seqno %u, last received %u"

 msgstr ""
 "Kreeg laat of gedupliceerd pakket van %s (%s), seqno %d, laatste ontvangen %d"
 
 msgstr ""
 "Kreeg laat of gedupliceerd pakket van %s (%s), seqno %d, laatste ontvangen %d"
 

-#: src/net_packet.c:255
+#: src/net_packet.c:263

 #, c-format
 msgid "Error while uncompressing packet from %s (%s)"
 msgstr "Fout tijdens decomprimeren pakket van %s (%s)"
 
 #, c-format
 msgid "Error while uncompressing packet from %s (%s)"
 msgstr "Fout tijdens decomprimeren pakket van %s (%s)"
 

-#: src/net_packet.c:303
+#: src/net_packet.c:313

 #, c-format
 msgid "No valid key known yet for %s (%s), queueing packet"
 msgstr ""
 "Nog geen geldige sleutel bekend voor %s (%s), pakket wordt in wachtrij gezet"
 
 #, c-format
 msgid "No valid key known yet for %s (%s), queueing packet"
 msgstr ""
 "Nog geen geldige sleutel bekend voor %s (%s), pakket wordt in wachtrij gezet"
 

-#: src/net_packet.c:332
+#: src/net_packet.c:342

 #, c-format
 msgid "Error while compressing packet to %s (%s)"
 msgstr "Fout tijdens comprimeren pakket naar %s (%s)"
 
 #, c-format
 msgid "Error while compressing packet to %s (%s)"
 msgstr "Fout tijdens comprimeren pakket naar %s (%s)"
 

-#: src/net_packet.c:354
+#: src/net_packet.c:386

 #, c-format
 msgid "Error while encrypting packet to %s (%s): %s"
 msgstr "Fout tijdens versleutelen pakket naar %s (%s): %s"
 
 #, c-format
 msgid "Error while encrypting packet to %s (%s): %s"
 msgstr "Fout tijdens versleutelen pakket naar %s (%s): %s"
 

-#: src/net_packet.c:386
+#: src/net_packet.c:400
+#, fuzzy, c-format
+msgid "Error while authenticating packet to %s (%s)"
+msgstr "Fout tijdens versleutelen pakket naar %s (%s): %s"
+
+#: src/net_packet.c:424

 #, c-format
 msgid "Setting outgoing packet priority to %d"
 msgstr "Instellen prioriteit uitgaand pakket op %d"
 
 #, c-format
 msgid "Setting outgoing packet priority to %d"
 msgstr "Instellen prioriteit uitgaand pakket op %d"
 

-#: src/net_packet.c:388 src/net_setup.c:475 src/net_socket.c:72
-#: src/net_socket.c:123 src/net_socket.c:152 src/tincd.c:434 src/tincd.c:468
-#: src/process.c:198 src/process.c:231 src/process.c:417
-#: src/cygwin/device.c:150 src/cygwin/device.c:181 src/mingw/device.c:82
-#: src/mingw/device.c:91 src/mingw/device.c:96 src/mingw/device.c:252
-#: src/mingw/device.c:259 src/mingw/device.c:264 src/mingw/device.c:271
-#: src/mingw/device.c:280 src/mingw/device.c:287
+#: src/net_packet.c:426 src/net_setup.c:488 src/net_socket.c:84
+#: src/net_socket.c:135 src/net_socket.c:164 src/net_socket.c:437
+#: src/tincd.c:436 src/tincd.c:468 src/process.c:198 src/process.c:231
+#: src/process.c:417 src/cygwin/device.c:150 src/cygwin/device.c:181
+#: src/mingw/device.c:82 src/mingw/device.c:91 src/mingw/device.c:96
+#: src/mingw/device.c:252 src/mingw/device.c:259 src/mingw/device.c:264
+#: src/mingw/device.c:271 src/mingw/device.c:280 src/mingw/device.c:287

 #, c-format
 msgid "System call `%s' failed: %s"
 msgstr "Systeemaanroep `%s' mislukte: %s"
 
 #, c-format
 msgid "System call `%s' failed: %s"
 msgstr "Systeemaanroep `%s' mislukte: %s"
 

-#: src/net_packet.c:399
+#: src/net_packet.c:437

 #, c-format
 msgid "Error sending packet to %s (%s): %s"
 msgstr "Fout tijdens verzenden pakket naar %s (%s): %s"
 
 #, c-format
 msgid "Error sending packet to %s (%s): %s"
 msgstr "Fout tijdens verzenden pakket naar %s (%s): %s"
 

-#: src/net_packet.c:422
+#: src/net_packet.c:460

 #, c-format
 msgid "Sending packet of %d bytes to %s (%s)"
 msgstr "Verzending pakket van %d bytes naar %s (%s)"
 
 #, c-format
 msgid "Sending packet of %d bytes to %s (%s)"
 msgstr "Verzending pakket van %d bytes naar %s (%s)"
 

-#: src/net_packet.c:426
+#: src/net_packet.c:464

 #, c-format
 msgid "Node %s (%s) is not reachable"
 msgstr "Node %s (%s) is niet bereikbaar"
 
 #, c-format
 msgid "Node %s (%s) is not reachable"
 msgstr "Node %s (%s) is niet bereikbaar"
 

-#: src/net_packet.c:434
+#: src/net_packet.c:472

 #, c-format
 msgid "Sending packet to %s via %s (%s)"
 msgstr "Verzending pakket naar %s via %s (%s)"
 
 #, c-format
 msgid "Sending packet to %s via %s (%s)"
 msgstr "Verzending pakket naar %s via %s (%s)"
 

-#: src/net_packet.c:453
+#: src/net_packet.c:491

 #, c-format
 msgid "Broadcasting packet of %d bytes from %s (%s)"
 msgstr "Verspreiding pakket van %d bytes van %s (%s)"
 
 #, c-format
 msgid "Broadcasting packet of %d bytes from %s (%s)"
 msgstr "Verspreiding pakket van %d bytes van %s (%s)"
 

-#: src/net_packet.c:470
+#: src/net_packet.c:508

 #, c-format
 msgid "Flushing queue for %s (%s)"
 msgstr "Legen van wachtrij voor %s (%s)"
 
 #, c-format
 msgid "Flushing queue for %s (%s)"
 msgstr "Legen van wachtrij voor %s (%s)"
 

-#: src/net_packet.c:492
+#: src/net_packet.c:530

 #, c-format
 msgid "Receiving packet failed: %s"
 msgstr "Ontvangst pakket mislukt: %s"
 
 #, c-format
 msgid "Receiving packet failed: %s"
 msgstr "Ontvangst pakket mislukt: %s"
 

-#: src/net_packet.c:502
+#: src/net_packet.c:540

 #, c-format
 msgid "Received UDP packet from unknown source %s"
 msgstr "Ontvangst UDP pakket van onbekende oorsprong %s"
 
 #, c-format
 msgid "Received UDP packet from unknown source %s"
 msgstr "Ontvangst UDP pakket van onbekende oorsprong %s"
 

-#: src/net_setup.c:77 src/net_setup.c:94
+#: src/net_setup.c:76 src/net_setup.c:93

 #, c-format
 msgid "Error reading RSA public key file `%s': %s"
 msgstr "Fout tijdens lezen RSA publieke sleutel bestand `%s': %s"
 
 #, c-format
 msgid "Error reading RSA public key file `%s': %s"
 msgstr "Fout tijdens lezen RSA publieke sleutel bestand `%s': %s"
 

-#: src/net_setup.c:109
+#: src/net_setup.c:108

 #, c-format
 msgid "Reading RSA public key file `%s' failed: %s"
 msgstr "Lezen RSA publieke sleutel bestand `%s' mislukt: %s"
 
 #, c-format
 msgid "Reading RSA public key file `%s' failed: %s"
 msgstr "Lezen RSA publieke sleutel bestand `%s' mislukt: %s"
 

-#: src/net_setup.c:145
+#: src/net_setup.c:144

 #, c-format
 msgid "No public key for %s specified!"
 msgstr "Geen publieke sleutel bekend voor %s gespecificeerd!"
 
 #, c-format
 msgid "No public key for %s specified!"
 msgstr "Geen publieke sleutel bekend voor %s gespecificeerd!"
 

-#: src/net_setup.c:160
-msgid "PrivateKey used but no PublicKey found!"
-msgstr "PrivateKey gebruikt maar geen PublicKey gevonden!"
-
-#: src/net_setup.c:179
-#, c-format
-msgid "Error reading RSA private key file `%s': %s"
+#: src/net_setup.c:163
+#, fuzzy, c-format
+msgid "Error reading trust file '%s': %s"

 msgstr "Fout tijdens lezen RSA privé sleutel bestand `%s': %s"
 
 msgstr "Fout tijdens lezen RSA privé sleutel bestand `%s': %s"
 

-#: src/net_setup.c:187
-#, c-format
-msgid "Could not stat RSA private key file `%s': %s'"
-msgstr "Kon gegevens RSA privé sleutel bestand `%s' niet opvragen: %s"
+#: src/net_setup.c:173
+#, fuzzy, c-format
+msgid "Error reading CRL file '%s': %s"
+msgstr "Fout bij het openen van het bestand `%s': %s\n"

 
 

-#: src/net_setup.c:194
-#, c-format
-msgid "Warning: insecure file permissions for RSA private key file `%s'!"
+#: src/net_setup.c:188
+msgid "JOEHOE"

 msgstr ""
 msgstr ""

-"Waarschuwing: onveilige permissies voor RSA privé sleutel bestand `%s'!"

 
 

-#: src/net_setup.c:201
-#, c-format
-msgid "Reading RSA private key file `%s' failed: %s"
-msgstr "Fout tijdens lezen RSA privé sleutel bestand `%s': %s"
+#: src/net_setup.c:194
+#, fuzzy, c-format
+msgid "Error reading credentials from %s and %s: %s"
+msgstr "Fout tijdens lezen van %s %s: %s"

 
 

-#: src/net_setup.c:231 src/net_setup.c:232
+#: src/net_setup.c:226 src/net_setup.c:227

 msgid "MYSELF"
 msgstr "MIJZELF"
 
 msgid "MYSELF"
 msgstr "MIJZELF"
 

-#: src/net_setup.c:238
+#: src/net_setup.c:233

 msgid "Name for tinc daemon required!"
 msgstr "Naam voor tinc daemon verplicht!"
 
 msgid "Name for tinc daemon required!"
 msgstr "Naam voor tinc daemon verplicht!"
 

-#: src/net_setup.c:243
+#: src/net_setup.c:238

 msgid "Invalid name for myself!"
 msgstr "Ongeldige naam voor mijzelf!"
 
 msgid "Invalid name for myself!"
 msgstr "Ongeldige naam voor mijzelf!"
 

-#: src/net_setup.c:252
+#: src/net_setup.c:250

 msgid "Cannot open host configuration file for myself!"
 msgstr "Kan host configuratie bestand voor mijzelf niet openen!"
 
 msgid "Cannot open host configuration file for myself!"
 msgstr "Kan host configuratie bestand voor mijzelf niet openen!"
 

-#: src/net_setup.c:305
+#: src/net_setup.c:300

 msgid "Invalid routing mode!"
 msgstr "Ongeldige routing modus!"
 
 msgid "Invalid routing mode!"
 msgstr "Ongeldige routing modus!"
 

-#: src/net_setup.c:316
+#: src/net_setup.c:311

 msgid "PriorityInheritance not supported on this platform"
 msgstr "PriorityInheritance wordt niet ondersteund op dit platform"
 
 msgid "PriorityInheritance not supported on this platform"
 msgstr "PriorityInheritance wordt niet ondersteund op dit platform"
 

-#: src/net_setup.c:324
+#: src/net_setup.c:319

 msgid "Bogus maximum timeout!"
 msgstr "Onzinnige maximum timeout!"
 
 msgid "Bogus maximum timeout!"
 msgstr "Onzinnige maximum timeout!"
 

-#: src/net_setup.c:338
+#: src/net_setup.c:333

 msgid "Invalid address family!"
 msgstr "Ongeldige adresfamilie!"
 
 msgid "Invalid address family!"
 msgstr "Ongeldige adresfamilie!"
 

-#: src/net_setup.c:356
+#: src/net_setup.c:350

 msgid "Unrecognized cipher type!"
 msgstr "Onbekend cipher type!"
 
 msgid "Unrecognized cipher type!"
 msgstr "Onbekend cipher type!"
 

-#: src/net_setup.c:381 src/protocol_auth.c:189
+#: src/net_setup.c:361

 #, c-format
 msgid "Error during initialisation of cipher for %s (%s): %s"
 msgstr "Fout tijdens initialisatie van cipher voor %s (%s): %s"
 
 #, c-format
 msgid "Error during initialisation of cipher for %s (%s): %s"
 msgstr "Fout tijdens initialisatie van cipher voor %s (%s): %s"
 

-#: src/net_setup.c:398
+#: src/net_setup.c:375
+#, c-format
+msgid "Key %s len %d"
+msgstr ""
+
+#: src/net_setup.c:395

 msgid "Unrecognized digest type!"
 msgstr "Onbekend digest type!"
 
 msgid "Unrecognized digest type!"
 msgstr "Onbekend digest type!"
 

-#: src/net_setup.c:411
+#: src/net_setup.c:407
+#, fuzzy, c-format
+msgid "Error during initialisation of digest for %s (%s): %s"
+msgstr "Fout tijdens initialisatie van cipher voor %s (%s): %s"
+
+#: src/net_setup.c:428

 msgid "MAC length exceeds size of digest!"
 msgstr "MAC lengte is groter dan dat van digest!"
 
 msgid "MAC length exceeds size of digest!"
 msgstr "MAC lengte is groter dan dat van digest!"
 

-#: src/net_setup.c:414
+#: src/net_setup.c:431

 msgid "Bogus MAC length!"
 msgstr "Onzinnige MAC lengte!"
 
 msgid "Bogus MAC length!"
 msgstr "Onzinnige MAC lengte!"
 

-#: src/net_setup.c:428
+#: src/net_setup.c:443

 msgid "Bogus compression level!"
 msgstr "Onzinnig compressieniveau!"
 
 msgid "Bogus compression level!"
 msgstr "Onzinnig compressieniveau!"
 

-#: src/net_setup.c:497
+#: src/net_setup.c:510

 #, c-format
 msgid "Listening on %s"
 msgstr "Luisterend op %s"
 
 #, c-format
 msgid "Listening on %s"
 msgstr "Luisterend op %s"
 

-#: src/net_setup.c:508
+#: src/net_setup.c:521

 msgid "Ready"
 msgstr "Gereed"
 
 msgid "Ready"
 msgstr "Gereed"
 

-#: src/net_setup.c:510
+#: src/net_setup.c:523

 msgid "Unable to create any listening socket!"
 msgstr "Kon geen enkele luistersocket aanmaken!"
 
 msgid "Unable to create any listening socket!"
 msgstr "Kon geen enkele luistersocket aanmaken!"
 

-#: src/net_socket.c:62
+#: src/net_socket.c:74

 #, c-format
 msgid "Creating metasocket failed: %s"
 msgstr "Aanmaak van metasocket mislukt: %s"
 
 #, c-format
 msgid "Creating metasocket failed: %s"
 msgstr "Aanmaak van metasocket mislukt: %s"
 

-#: src/net_socket.c:103 src/net_socket.c:195
+#: src/net_socket.c:115 src/net_socket.c:207

 #, c-format
 msgid "Can't bind to interface %s: %s"
 msgstr "Kan niet aan interface %s binden: %s"
 
 #, c-format
 msgid "Can't bind to interface %s: %s"
 msgstr "Kan niet aan interface %s binden: %s"
 

-#: src/net_socket.c:108
+#: src/net_socket.c:120

 msgid "BindToInterface not supported on this platform"
 msgstr "BindToInterface wordt niet ondersteund op dit platform"
 
 msgid "BindToInterface not supported on this platform"
 msgstr "BindToInterface wordt niet ondersteund op dit platform"
 

-#: src/net_socket.c:115
+#: src/net_socket.c:127

 #, c-format
 msgid "Can't bind to %s/tcp: %s"
 msgstr "Kan niet aan %s/tcp binden: %s"
 
 #, c-format
 msgid "Can't bind to %s/tcp: %s"
 msgstr "Kan niet aan %s/tcp binden: %s"
 

-#: src/net_socket.c:142
+#: src/net_socket.c:154

 #, c-format
 msgid "Creating UDP socket failed: %s"
 msgstr "Aanmaak UDP socket mislukte: %s"
 
 #, c-format
 msgid "Creating UDP socket failed: %s"
 msgstr "Aanmaak UDP socket mislukte: %s"
 

-#: src/net_socket.c:206
+#: src/net_socket.c:218

 #, c-format
 msgid "Can't bind to %s/udp: %s"
 msgstr "Kan niet aan %s/udp binden: %s"
 
 #, c-format
 msgid "Can't bind to %s/udp: %s"
 msgstr "Kan niet aan %s/udp binden: %s"
 

-#: src/net_socket.c:233
+#: src/net_socket.c:245

 #, c-format
 msgid "Trying to re-establish outgoing connection in %d seconds"
 msgstr "Poging tot herstellen van uitgaande verbinding over %d seconden"
 
 #, c-format
 msgid "Trying to re-establish outgoing connection in %d seconds"
 msgstr "Poging tot herstellen van uitgaande verbinding over %d seconden"
 

-#: src/net_socket.c:241
+#: src/net_socket.c:255

 #, c-format
 msgid "Connected to %s (%s)"
 msgstr "Verbonden met %s (%s)"
 
 #, c-format
 msgid "Connected to %s (%s)"
 msgstr "Verbonden met %s (%s)"
 

-#: src/net_socket.c:258
+#: src/net_socket.c:278

 #, c-format
 msgid "Could not set up a meta connection to %s"
 msgstr "Kon geen metaverbinding aangaan met %s"
 
 #, c-format
 msgid "Could not set up a meta connection to %s"
 msgstr "Kon geen metaverbinding aangaan met %s"
 

-#: src/net_socket.c:292
+#: src/net_socket.c:312

 #, c-format
 msgid "Trying to connect to %s (%s)"
 msgstr "Poging tot verbinden met %s (%s)"
 
 #, c-format
 msgid "Trying to connect to %s (%s)"
 msgstr "Poging tot verbinden met %s (%s)"
 

-#: src/net_socket.c:298
+#: src/net_socket.c:318

 #, c-format
 msgid "Creating socket for %s failed: %s"
 msgstr "Aanmaken socket voor %s mislukt: %s"
 
 #, c-format
 msgid "Creating socket for %s failed: %s"
 msgstr "Aanmaken socket voor %s mislukt: %s"
 

-#: src/net_socket.c:322
+#: src/net_socket.c:342

 #, c-format
 msgid "fcntl for %s: %s"
 msgstr "fcntl voor %s: %s"
 
 #, c-format
 msgid "fcntl for %s: %s"
 msgstr "fcntl voor %s: %s"
 

-#: src/net_socket.c:338
+#: src/net_socket.c:358

 #, c-format
 msgid "%s: %s"
 msgstr "%s: %s"
 
 #, c-format
 msgid "%s: %s"
 msgstr "%s: %s"
 

-#: src/net_socket.c:359
+#: src/net_socket.c:363
+#, fuzzy
+msgid "finishing connection"
+msgstr "Einde van verbindingen."
+
+#: src/net_socket.c:380

 #, c-format
 msgid "Already connected to %s"
 msgstr "Reeds verbonden met %s"
 
 #, c-format
 msgid "Already connected to %s"
 msgstr "Reeds verbonden met %s"
 

-#: src/net_socket.c:378
+#: src/net_socket.c:395

 #, c-format
 msgid "No address specified for %s"
 msgstr "Geen adres gespecificeerd voor %s"
 
 #, c-format
 msgid "No address specified for %s"
 msgstr "Geen adres gespecificeerd voor %s"
 

-#: src/net_socket.c:408
+#: src/net_socket.c:426

 #, c-format
 msgid "Accepting a new connection failed: %s"
 msgstr "Aanname van nieuwe verbinding is mislukt: %s"
 
 #, c-format
 msgid "Accepting a new connection failed: %s"
 msgstr "Aanname van nieuwe verbinding is mislukt: %s"
 

-#: src/net_socket.c:426
+#: src/net_socket.c:453

 #, c-format
 msgid "Connection from %s"
 msgstr "Verbinding van %s"
 
 #, c-format
 msgid "Connection from %s"
 msgstr "Verbinding van %s"
 

-#: src/net_socket.c:450
+#: src/net_socket.c:484

 #, c-format
 msgid "Invalid name for outgoing connection in %s line %d"
 msgstr "Ongeldige naam voor uitgaande verbinding in %s regel %d"
 #, c-format
 msgid "Invalid name for outgoing connection in %s line %d"
 msgstr "Ongeldige naam voor uitgaande verbinding in %s regel %d"


@@ -613,112 +633,81 @@ msgstr "Verzoek reeds gezien"
 msgid "Aging past requests: deleted %d, left %d"
 msgstr "Veroudering vorige verzoeken: %d gewist, %d overgebleven"
 
 msgid "Aging past requests: deleted %d, left %d"
 msgstr "Veroudering vorige verzoeken: %d gewist, %d overgebleven"
 

-#: src/protocol_auth.c:58 src/protocol_auth.c:209 src/protocol_auth.c:338
-#: src/protocol_auth.c:405 src/protocol_auth.c:531 src/protocol_edge.c:73
-#: src/protocol_edge.c:188 src/protocol_key.c:62 src/protocol_key.c:105
-#: src/protocol_key.c:172 src/protocol_misc.c:54 src/protocol_misc.c:83
-#: src/protocol_misc.c:171 src/protocol_subnet.c:58 src/protocol_subnet.c:167
-#, c-format
-msgid "Got bad %s from %s (%s)"
-msgstr "Kreeg verkeerde %s van %s (%s)"
-
-#: src/protocol_auth.c:66 src/protocol_edge.c:81 src/protocol_edge.c:87
-#: src/protocol_edge.c:196 src/protocol_edge.c:202 src/protocol_subnet.c:66
-#: src/protocol_subnet.c:74 src/protocol_subnet.c:175
-#: src/protocol_subnet.c:196
-#, c-format
-msgid "Got bad %s from %s (%s): %s"
-msgstr "Kreeg verkeerde %s van %s (%s): %s"
-
-#: src/protocol_auth.c:75
-#, c-format
-msgid "Peer %s is %s instead of %s"
-msgstr "Ander %s is %s in plaats van %s"
-
-#: src/protocol_auth.c:85
+#: src/protocol_auth.c:53

 #, c-format
 #, c-format

-msgid "Peer %s (%s) uses incompatible version %d"
-msgstr "Ander %s (%s) gebruikt incompatibele versie %d"
-
-#: src/protocol_auth.c:101
-#, c-format
-msgid "Peer %s had unknown identity (%s)"
-msgstr "Ander %s heeft onbekende identiteit (%s)"
-
-#: src/protocol_auth.c:153
-#, c-format
-msgid "Generated random meta key (unencrypted): %s"
-msgstr "Willekeurige meta sleutel aangemaakt (niet versleuteld): %s"
+msgid "No certificates from %s"
+msgstr ""

 
 

-#: src/protocol_auth.c:165 src/protocol_auth.c:238
-#, c-format
-msgid "Error during encryption of meta key for %s (%s)"
-msgstr "Fout tijdens versleutelen van meta key voor %s (%s)"
+#: src/protocol_auth.c:63
+#, fuzzy, c-format
+msgid "Error importing certificate from %s: %s"
+msgstr "Fout tijdens ontsleutelen pakket van %s (%s): %s"

 
 

-#: src/protocol_auth.c:219 src/protocol_auth.c:348 src/protocol_auth.c:413
-#: src/protocol_auth.c:435
-#, c-format
-msgid "Possible intruder %s (%s): %s"
-msgstr "Mogelijke indringer %s (%s): %s"
+#: src/protocol_auth.c:70
+#, fuzzy, c-format
+msgid "No name in certificate from %s"
+msgstr "Fout tijdens ontsleutelen pakket van %s (%s): %s"

 
 

-#: src/protocol_auth.c:246
-#, c-format
-msgid "Received random meta key (unencrypted): %s"
-msgstr "Ontving willekeurige meta key (niet versleuteld): %s"
+#: src/protocol_auth.c:79
+#, fuzzy, c-format
+msgid "Invalid name from %s"
+msgstr "Ongeldige naam voor mijzelf!"

 
 

-#: src/protocol_auth.c:257
+#: src/protocol_auth.c:85

 #, c-format
 #, c-format

-msgid "%s (%s) uses unknown cipher!"
-msgstr "%s (%s) gebruikt onbekende cipher!"
+msgid "Peer %s is %s instead of %s"
+msgstr "Ander %s is %s in plaats van %s"

 
 

-#: src/protocol_auth.c:265
+#: src/protocol_auth.c:96

 #, c-format
 #, c-format

-msgid "Error during initialisation of cipher from %s (%s): %s"
-msgstr "Fout tijdens initalisatie van cipher van %s (%s): %s"
+msgid "Certificate from %s (%s) invalid"
+msgstr ""

 
 

-#: src/protocol_auth.c:281 src/protocol_key.c:242
+#: src/protocol_auth.c:98

 #, c-format
 #, c-format

-msgid "Node %s (%s) uses unknown digest!"
-msgstr "Node %s (%s) gebruikt onbekende digest!"
+msgid "Certificate from %s (%s) revoked"
+msgstr ""

 
 

-#: src/protocol_auth.c:286
+#: src/protocol_auth.c:100

 #, c-format
 #, c-format

-msgid "%s (%s) uses bogus MAC length!"
-msgstr "%s (%s) gebruikt onzinnige MAC lengte!"
+msgid "Certificate from %s (%s) has no known signer"
+msgstr ""

 
 

-#: src/protocol_auth.c:381
+#: src/protocol_auth.c:102

 #, c-format
 #, c-format

-msgid "Error during calculation of response for %s (%s): %s"
-msgstr "Fout tijdens berekenen van antwoord voor %s (%s): %s"
-
-#: src/protocol_auth.c:414
-msgid "wrong challenge reply length"
-msgstr "verkeerde lengte antwoord op uitdaging"
+msgid "Certificate from %s (%s) has no CA as signer"
+msgstr ""

 
 

-#: src/protocol_auth.c:427
+#: src/protocol_auth.c:109

 #, c-format
 #, c-format

-msgid "Error during calculation of response from %s (%s): %s"
-msgstr "Fout tijdens narekenen van antwoord van %s (%s): %s"
-
-#: src/protocol_auth.c:436
-msgid "wrong challenge reply"
-msgstr "verkeerd antwoord op uitdaging"
+msgid "Peer %s had unknown identity (%s)"
+msgstr "Ander %s heeft onbekende identiteit (%s)"

 
 

-#: src/protocol_auth.c:441
+#: src/protocol_auth.c:188 src/protocol_edge.c:73 src/protocol_edge.c:188
+#: src/protocol_key.c:62 src/protocol_key.c:105 src/protocol_key.c:176
+#: src/protocol_misc.c:54 src/protocol_misc.c:83 src/protocol_misc.c:171
+#: src/protocol_subnet.c:58 src/protocol_subnet.c:167

 #, c-format
 #, c-format

-msgid "Expected challenge reply: %s"
-msgstr "Verwachtte antwoord op uitdaging: %s"
+msgid "Got bad %s from %s (%s)"
+msgstr "Kreeg verkeerde %s van %s (%s)"

 
 

-#: src/protocol_auth.c:547
+#: src/protocol_auth.c:204

 #, c-format
 msgid "Established a second connection with %s (%s), closing old connection"
 msgstr "Tweede verbinding met %s (%s) gemaakt, oude verbinding wordt gesloten"
 
 #, c-format
 msgid "Established a second connection with %s (%s), closing old connection"
 msgstr "Tweede verbinding met %s (%s) gemaakt, oude verbinding wordt gesloten"
 

-#: src/protocol_auth.c:570
+#: src/protocol_auth.c:227

 #, c-format
 msgid "Connection with %s (%s) activated"
 msgstr "Verbinding met %s (%s) geactiveerd"
 
 #, c-format
 msgid "Connection with %s (%s) activated"
 msgstr "Verbinding met %s (%s) geactiveerd"
 

+#: src/protocol_edge.c:81 src/protocol_edge.c:87 src/protocol_edge.c:196
+#: src/protocol_edge.c:202 src/protocol_subnet.c:66 src/protocol_subnet.c:74
+#: src/protocol_subnet.c:175 src/protocol_subnet.c:196
+#, c-format
+msgid "Got bad %s from %s (%s): %s"
+msgstr "Kreeg verkeerde %s van %s (%s): %s"
+

 #: src/protocol_edge.c:82 src/protocol_edge.c:88 src/protocol_edge.c:197
 #: src/protocol_edge.c:203 src/protocol_subnet.c:67 src/protocol_subnet.c:176
 msgid "invalid name"
 #: src/protocol_edge.c:82 src/protocol_edge.c:88 src/protocol_edge.c:197
 #: src/protocol_edge.c:203 src/protocol_subnet.c:67 src/protocol_subnet.c:176
 msgid "invalid name"


@@ -755,14 +744,14 @@ msgstr "Kreeg %s van %s (%s) voor onszelf"
 msgid "Got %s from %s (%s) origin %s which does not exist"
 msgstr "Kreeg %s van %s (%s) herkomst %s welke niet bestaat"
 
 msgid "Got %s from %s (%s) origin %s which does not exist"
 msgstr "Kreeg %s van %s (%s) herkomst %s welke niet bestaat"
 

-#: src/protocol_key.c:113 src/protocol_key.c:180
+#: src/protocol_key.c:113 src/protocol_key.c:184

 #, c-format
 msgid ""
 "Got %s from %s (%s) origin %s which does not exist in our connection list"
 msgstr ""
 "Kreeg %s van %s (%s) herkomst %s welke niet voorkomt in de verbindingslijst"
 
 #, c-format
 msgid ""
 "Got %s from %s (%s) origin %s which does not exist in our connection list"
 msgstr ""
 "Kreeg %s van %s (%s) herkomst %s welke niet voorkomt in de verbindingslijst"
 

-#: src/protocol_key.c:121 src/protocol_key.c:188
+#: src/protocol_key.c:121 src/protocol_key.c:192

 #, c-format
 msgid ""
 "Got %s from %s (%s) destination %s which does not exist in our connection "
 #, c-format
 msgid ""
 "Got %s from %s (%s) destination %s which does not exist in our connection "


@@ -770,27 +759,32 @@ msgid ""
 msgstr ""
 "Kreeg %s van %s (%s) doel %s welke niet voorkomt in de verbindingslijst"
 
 msgstr ""
 "Kreeg %s van %s (%s) doel %s welke niet voorkomt in de verbindingslijst"
 

-#: src/protocol_key.c:222
+#: src/protocol_key.c:211

 #, c-format
 msgid "Node %s (%s) uses unknown cipher!"
 msgstr "Node %s (%s) gebruikt onbekende cipher!"
 
 #, c-format
 msgid "Node %s (%s) uses unknown cipher!"
 msgstr "Node %s (%s) gebruikt onbekende cipher!"
 

-#: src/protocol_key.c:228
+#: src/protocol_key.c:227

 #, c-format
 #, c-format

-msgid "Node %s (%s) uses wrong keylength!"
-msgstr "Node %s (%s) gebruikt verkeerde lengte sleutel!"
+msgid "Node %s (%s) uses unknown digest!"
+msgstr "Node %s (%s) gebruikt onbekende digest!"

 
 

-#: src/protocol_key.c:248
+#: src/protocol_key.c:235

 #, c-format
 msgid "Node %s (%s) uses bogus MAC length!"
 msgstr "Node %s (%s) gebruikt onzinnige MAC lengte!"
 
 #, c-format
 msgid "Node %s (%s) uses bogus MAC length!"
 msgstr "Node %s (%s) gebruikt onzinnige MAC lengte!"
 

-#: src/protocol_key.c:257
+#: src/protocol_key.c:244

 #, c-format
 msgid "Node %s (%s) uses bogus compression level!"
 msgstr "Node %s (%s) gebruikt onzinnig compressieniveau!"
 
 #, c-format
 msgid "Node %s (%s) uses bogus compression level!"
 msgstr "Node %s (%s) gebruikt onzinnig compressieniveau!"
 

-#: src/protocol_key.c:265
+#: src/protocol_key.c:260
+#, fuzzy, c-format
+msgid "Node %s (%s) uses wrong keylength %d instead of %d!"
+msgstr "Node %s (%s) gebruikt verkeerde lengte sleutel!"
+
+#: src/protocol_key.c:277 src/protocol_key.c:288

 #, c-format
 msgid "Error during initialisation of key from %s (%s): %s"
 msgstr "Fout tijdens initialisatie van sleutel van %s (%s): %s"
 #, c-format
 msgid "Error during initialisation of key from %s (%s): %s"
 msgstr "Fout tijdens initialisatie van sleutel van %s (%s): %s"


@@ -843,12 +837,12 @@ msgstr " %s eigenaar %s"
 msgid "End of subnet list."
 msgstr "Einde van subnet lijst."
 
 msgid "End of subnet list."
 msgstr "Einde van subnet lijst."
 

-#: src/tincd.c:108
+#: src/tincd.c:105

 #, c-format
 msgid "Try `%s --help' for more information.\n"
 msgstr "Probeer `%s --help' voor meer informatie.\n"
 
 #, c-format
 msgid "Try `%s --help' for more information.\n"
 msgstr "Probeer `%s --help' voor meer informatie.\n"
 

-#: src/tincd.c:111
+#: src/tincd.c:108

 #, c-format
 msgid ""
 "Usage: %s [option]...\n"
 #, c-format
 msgid ""
 "Usage: %s [option]...\n"


@@ -857,7 +851,7 @@ msgstr ""
 "Gebruik: %s [optie]...\n"
 "\n"
 
 "Gebruik: %s [optie]...\n"
 "\n"
 

-#: src/tincd.c:112
+#: src/tincd.c:109

 #, c-format
 msgid ""
 "  -c, --config=DIR           Read configuration options from DIR.\n"
 #, c-format
 msgid ""
 "  -c, --config=DIR           Read configuration options from DIR.\n"


@@ -887,14 +881,14 @@ msgstr ""
 "      --version              Geef versie informatie en beëindig.\n"
 "\n"
 
 "      --version              Geef versie informatie en beëindig.\n"
 "\n"
 

-#: src/tincd.c:123
+#: src/tincd.c:120

 #, c-format
 msgid "Report bugs to tinc@nl.linux.org.\n"
 msgstr ""
 "Meld fouten in het programma aan tinc@nl.linux.org;\n"
 "Meld fouten in de vertaling aan vertaling@nl.linux.org.\n"
 
 #, c-format
 msgid "Report bugs to tinc@nl.linux.org.\n"
 msgstr ""
 "Meld fouten in het programma aan tinc@nl.linux.org;\n"
 "Meld fouten in de vertaling aan vertaling@nl.linux.org.\n"
 

-#: src/tincd.c:179
+#: src/tincd.c:176

 #, c-format
 msgid ""
 "Invalid argument `%s'; SIGNAL must be a number or one of HUP, TERM, KILL, "
 #, c-format
 msgid ""
 "Invalid argument `%s'; SIGNAL must be a number or one of HUP, TERM, KILL, "


@@ -903,7 +897,7 @@ msgstr ""
 "Ongeldig argument `%s'; SIGNAAL moet een getal zijn of één van HUP, TERM, "
 "KILL, USR1, USR2, WINCH, INT of ALRM.\n"
 
 "Ongeldig argument `%s'; SIGNAAL moet een getal zijn of één van HUP, TERM, "
 "KILL, USR1, USR2, WINCH, INT of ALRM.\n"
 

-#: src/tincd.c:201
+#: src/tincd.c:198

 #, c-format
 msgid ""
 "Invalid argument `%s'; BITS must be a number equal to or greater than 512.\n"
 #, c-format
 msgid ""
 "Invalid argument `%s'; BITS must be a number equal to or greater than 512.\n"


@@ -911,26 +905,31 @@ msgstr ""
 "Ongeldig argument `%s'; BITS moet een nummer zijn gelijk aan of groter dan "
 "512.\n"
 
 "Ongeldig argument `%s'; BITS moet een nummer zijn gelijk aan of groter dan "
 "512.\n"
 

-#: src/tincd.c:294
+#: src/tincd.c:286
+#, c-format
+msgid "Use certtool!\n"
+msgstr ""
+
+#: src/tincd.c:295

 #, c-format
 msgid "Generating %d bits keys:\n"
 msgstr "Bezig met genereren van een %d bits sleutel:\n"
 
 #, c-format
 msgid "Generating %d bits keys:\n"
 msgstr "Bezig met genereren van een %d bits sleutel:\n"
 

-#: src/tincd.c:298
+#: src/tincd.c:299

 #, c-format
 msgid "Error during key generation!\n"
 msgstr "Fout tijdens genereren sleutel!\n"
 
 #, c-format
 msgid "Error during key generation!\n"
 msgstr "Fout tijdens genereren sleutel!\n"
 

-#: src/tincd.c:301
+#: src/tincd.c:302

 #, c-format
 msgid "Done.\n"
 msgstr "Klaar.\n"
 
 #, c-format
 msgid "Done.\n"
 msgstr "Klaar.\n"
 

-#: src/tincd.c:304
+#: src/tincd.c:305

 msgid "private RSA key"
 msgstr "geheime RSA sleutel"
 
 msgid "private RSA key"
 msgstr "geheime RSA sleutel"
 

-#: src/tincd.c:315 src/tincd.c:334
+#: src/tincd.c:316 src/tincd.c:335

 #, c-format
 msgid ""
 "Appending key to existing contents.\n"
 #, c-format
 msgid ""
 "Appending key to existing contents.\n"


@@ -939,21 +938,21 @@ msgstr ""
 "Sleutel wordt toegevoegd aan bestaande inhoud.\n"
 "Let er op dat er slechts één sleutel in het bestand is.\n"
 
 "Sleutel wordt toegevoegd aan bestaande inhoud.\n"
 "Let er op dat er slechts één sleutel in het bestand is.\n"
 

-#: src/tincd.c:328
+#: src/tincd.c:329

 msgid "public RSA key"
 msgstr "openbare RSA sleutel"
 
 msgid "public RSA key"
 msgstr "openbare RSA sleutel"
 

-#: src/tincd.c:387
+#: src/tincd.c:389

 msgid "Both netname and configuration directory given, using the latter..."
 msgstr ""
 "Zowel netnaam als configuratiemap zijn gegeven, laatste wordt gebruikt..."
 
 msgid "Both netname and configuration directory given, using the latter..."
 msgstr ""
 "Zowel netnaam als configuratiemap zijn gegeven, laatste wordt gebruikt..."
 

-#: src/tincd.c:408
+#: src/tincd.c:410

 #, c-format
 msgid "%s version %s (built %s %s, protocol %d)\n"
 msgstr "%s versie %s (gemaakt %s %s, protocol %d)\n"
 
 #, c-format
 msgid "%s version %s (built %s %s, protocol %d)\n"
 msgstr "%s versie %s (gemaakt %s %s, protocol %d)\n"
 

-#: src/tincd.c:410
+#: src/tincd.c:412

 #, c-format
 msgid ""
 "Copyright (C) 1998-2003 Ivo Timmermans, Guus Sliepen and others.\n"
 #, c-format
 msgid ""
 "Copyright (C) 1998-2003 Ivo Timmermans, Guus Sliepen and others.\n"


@@ -971,7 +970,7 @@ msgstr ""
 "en je bent welkom om het te distribueren onder bepaalde voorwaarden;\n"
 "zie het bestand COPYING voor details.\n"
 
 "en je bent welkom om het te distribueren onder bepaalde voorwaarden;\n"
 "zie het bestand COPYING voor details.\n"
 

-#: src/tincd.c:438
+#: src/tincd.c:440

 msgid "mlockall() not supported on this platform!"
 msgstr "mlockall() wordt niet ondersteund op dit platform!"
 
 msgid "mlockall() not supported on this platform!"
 msgstr "mlockall() wordt niet ondersteund op dit platform!"
 


@@ -1059,9 +1058,9 @@ msgid "A tincd is already running with pid %ld.\n"
 msgstr "Een tincd draait al met pid %ld.\n"
 
 #: src/process.c:261
 msgstr "Een tincd draait al met pid %ld.\n"
 
 #: src/process.c:261

-#, c-format
+#, fuzzy, c-format

 msgid "Could write pid file %s: %s\n"
 msgid "Could write pid file %s: %s\n"

-msgstr "Kon pid bestand %s niet openen: %s\n"
+msgstr "Kon `%s' niet openen: %s"

 
 #: src/process.c:283
 #, c-format
 
 #: src/process.c:283
 #, c-format


@@ -1094,9 +1093,9 @@ msgid "Couldn't detach from terminal: %s"
 msgstr "Kon niet ontkoppelen van terminal: %s"
 
 #: src/process.c:341
 msgstr "Kon niet ontkoppelen van terminal: %s"
 
 #: src/process.c:341

-#, c-format
+#, fuzzy, c-format

 msgid "Could not write pid file %s: %s\n"
 msgid "Could not write pid file %s: %s\n"

-msgstr "Kon pid bestand %s niet schrijven: %s\n"
+msgstr "Kon `%s' niet openen: %s"

 
 #: src/process.c:352
 #, c-format
 
 #: src/process.c:352
 #, c-format


@@ -1184,52 +1183,48 @@ msgstr "Nieuw MAC adres %hx:%hx:%hx:%hx:%hx:%hx geleerd"
 #: src/route.c:165
 #, c-format
 msgid "Subnet %s expired"
 #: src/route.c:165
 #, c-format
 msgid "Subnet %s expired"

-msgstr "Subnet %s is verlopen"
+msgstr ""

 
 #: src/route.c:200 src/route.c:353 src/route.c:495
 
 #: src/route.c:200 src/route.c:353 src/route.c:495

-#, c-format
+#, fuzzy, c-format

 msgid "Packet looping back to %s (%s)!"
 msgid "Packet looping back to %s (%s)!"

-msgstr "Pakket komt terug naar %s (%s)!"
+msgstr "Pakket komt terug naar ons!"

 
 #: src/route.c:299
 #, c-format
 msgid "Length of packet (%d) doesn't match length in IPv4 header (%d)"
 msgstr ""
 
 #: src/route.c:299
 #, c-format
 msgid "Length of packet (%d) doesn't match length in IPv4 header (%d)"
 msgstr ""

-"Lengte van pakket (%d) komt niet overeen met lengte in IPv4 header (%d)"

 
 #: src/route.c:303
 
 #: src/route.c:303

-#, c-format
+#, fuzzy, c-format

 msgid "Fragmenting packet of %d bytes to %s (%s)"
 msgid "Fragmenting packet of %d bytes to %s (%s)"

-msgstr "Fragmentatie pakket van %d bytes naar %s (%s)"
+msgstr "Verzending pakket van %d bytes naar %s (%s)"

 
 #: src/route.c:341
 
 #: src/route.c:341

-#, c-format
+#, fuzzy, c-format

 msgid ""
 "Cannot route packet from %s (%s): unknown IPv4 destination address %d.%d.%d.%"
 "d"
 msgid ""
 "Cannot route packet from %s (%s): unknown IPv4 destination address %d.%d.%d.%"
 "d"

-msgstr ""
-"Kan pakket van %s (%s) niet routeren: onbekend IPv4 doeladres %d.%d.%d.%d"
+msgstr "Kan pakket niet routeren: onbekend IPv4 doeladres %d.%d.%d.%d"

 
 #: src/route.c:366 src/route.c:505
 #, c-format
 msgid "Packet for %s (%s) length %d larger than MTU %d"
 
 #: src/route.c:366 src/route.c:505
 #, c-format
 msgid "Packet for %s (%s) length %d larger than MTU %d"

-msgstr "Packet voor %s (%s) lengte %d groter dan MTU %d"
+msgstr ""

 
 #: src/route.c:479
 
 #: src/route.c:479

-#, c-format
+#, fuzzy, c-format

 msgid ""
 "Cannot route packet from %s (%s): unknown IPv6 destination address %hx:%hx:%"
 "hx:%hx:%hx:%hx:%hx:%hx"
 msgstr ""
 msgid ""
 "Cannot route packet from %s (%s): unknown IPv6 destination address %hx:%hx:%"
 "hx:%hx:%hx:%hx:%hx:%hx"
 msgstr ""

-"Kan pakket van %s (%s) niet routeren: onbekend IPv6 doeladres %hx:%hx:%hx:%"
-"hx:%hx:%hx:%hx:%hx"
+"Kan pakket niet routeren: onbekend IPv6 doeladres %hx:%hx:%hx:%hx:%hx:%hx:%"
+"hx:%hx"

 
 #: src/route.c:537
 #, c-format
 msgid "Got neighbor solicitation request from %s (%s) while in router mode!"
 msgstr ""
 
 #: src/route.c:537
 #, c-format
 msgid "Got neighbor solicitation request from %s (%s) while in router mode!"
 msgstr ""

-"Kreeg neighbor solicitation request van %s (%s) terwijl we in router mode "
-"werken!"

 
 #: src/route.c:556
 msgid ""
 
 #: src/route.c:556
 msgid ""


@@ -1253,9 +1248,9 @@ msgstr ""
 "hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx"
 
 #: src/route.c:671
 "hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx"
 
 #: src/route.c:671

-#, c-format
+#, fuzzy, c-format

 msgid "Got ARP request from %s (%s) while in router mode!"
 msgid "Got ARP request from %s (%s) while in router mode!"

-msgstr "Kreeg ARP request van %s (%s) terwijl we in router mode werken!"
+msgstr "Kreeg %s van %s (%s) voor %s welke niet voorkomt in de node boom"

 
 #: src/route.c:688
 msgid "Cannot route packet: received unknown type ARP request"
 
 #: src/route.c:688
 msgid "Cannot route packet: received unknown type ARP request"


@@ -1267,22 +1262,22 @@ msgid "Cannot route packet: ARP request for unknown address %d.%d.%d.%d"
 msgstr "Kan pakket niet routeren: ARP verzoek voor onbekend adres %d.%d.%d.%d"
 
 #: src/route.c:753
 msgstr "Kan pakket niet routeren: ARP verzoek voor onbekend adres %d.%d.%d.%d"
 
 #: src/route.c:753

-#, c-format
+#, fuzzy, c-format

 msgid "Cannot route packet from %s (%s): unknown type %hx"
 msgid "Cannot route packet from %s (%s): unknown type %hx"

-msgstr "Kan pakket van %s (%s) niet routeren: onbekend type %hx"
+msgstr "Kan pakket niet routeren: onbekend type %hx"

 
 #: src/node.c:183
 msgid "Nodes:"
 msgstr "Nodes:"
 
 #: src/node.c:187
 
 #: src/node.c:183
 msgid "Nodes:"
 msgstr "Nodes:"
 
 #: src/node.c:187

-#, c-format
+#, fuzzy, c-format

 msgid ""
 msgid ""

-" %s at %s cipher %d digest %d maclength %d compression %d options %lx status "
+" %s at %s cipher %s digest %s maclength %d compression %d options %lx status "

 "%04x nexthop %s via %s pmtu %d (min %d max %d)"
 msgstr ""
 " %s op %s cipher %d digest %d maclengte %d compressie %d opties %lx status %"
 "%04x nexthop %s via %s pmtu %d (min %d max %d)"
 msgstr ""
 " %s op %s cipher %d digest %d maclengte %d compressie %d opties %lx status %"

-"04x nexthop %s via %s pmtu %d (min %d max %d)"
+"04x nexthop %s via %s"

 
 #: src/node.c:194
 msgid "End of nodes."
 
 #: src/node.c:194
 msgid "End of nodes."


@@ -1506,6 +1501,65 @@ msgstr "Kan interface %s niet vinden: %s"
 msgid "Could not bind to %s: %s"
 msgstr "Kon niet aan interface `%s' binden: %s"
 
 msgid "Could not bind to %s: %s"
 msgstr "Kon niet aan interface `%s' binden: %s"
 

+#, fuzzy
+#~ msgid "%s is %s"
+#~ msgstr "%s is een %s"
+
+#~ msgid "Error while encrypting metadata to %s (%s): %s"
+#~ msgstr "Fout tijdens versleutelen van metadata naar %s (%s): %s"
+
+#~ msgid "Error while decrypting metadata from %s (%s): %s"
+#~ msgstr "Fout tijdens ontsleutelen van metadata van %s (%s): %s"
+
+#~ msgid "Could not stat RSA private key file `%s': %s'"
+#~ msgstr "Kon gegevens RSA privé sleutel bestand `%s' niet opvragen: %s"
+
+#~ msgid "Warning: insecure file permissions for RSA private key file `%s'!"
+#~ msgstr ""
+#~ "Waarschuwing: onveilige permissies voor RSA privé sleutel bestand `%s'!"
+
+#~ msgid "Reading RSA private key file `%s' failed: %s"
+#~ msgstr "Fout tijdens lezen RSA privé sleutel bestand `%s': %s"
+
+#~ msgid "Peer %s (%s) uses incompatible version %d"
+#~ msgstr "Ander %s (%s) gebruikt incompatibele versie %d"
+
+#~ msgid "Generated random meta key (unencrypted): %s"
+#~ msgstr "Willekeurige meta sleutel aangemaakt (niet versleuteld): %s"
+
+#~ msgid "Error during encryption of meta key for %s (%s)"
+#~ msgstr "Fout tijdens versleutelen van meta key voor %s (%s)"
+
+#~ msgid "Possible intruder %s (%s): %s"
+#~ msgstr "Mogelijke indringer %s (%s): %s"
+
+#~ msgid "Received random meta key (unencrypted): %s"
+#~ msgstr "Ontving willekeurige meta key (niet versleuteld): %s"
+
+#~ msgid "%s (%s) uses unknown cipher!"
+#~ msgstr "%s (%s) gebruikt onbekende cipher!"
+
+#~ msgid "Error during initialisation of cipher from %s (%s): %s"
+#~ msgstr "Fout tijdens initalisatie van cipher van %s (%s): %s"
+
+#~ msgid "%s (%s) uses bogus MAC length!"
+#~ msgstr "%s (%s) gebruikt onzinnige MAC lengte!"
+
+#~ msgid "Error during calculation of response for %s (%s): %s"
+#~ msgstr "Fout tijdens berekenen van antwoord voor %s (%s): %s"
+
+#~ msgid "wrong challenge reply length"
+#~ msgstr "verkeerde lengte antwoord op uitdaging"
+
+#~ msgid "Error during calculation of response from %s (%s): %s"
+#~ msgstr "Fout tijdens narekenen van antwoord van %s (%s): %s"
+
+#~ msgid "wrong challenge reply"
+#~ msgstr "verkeerd antwoord op uitdaging"
+
+#~ msgid "Expected challenge reply: %s"
+#~ msgstr "Verwachtte antwoord op uitdaging: %s"
+

 #~ msgid "Restarting in %d seconds!"
 #~ msgstr "Herstart in %d seconden!"
 
 #~ msgid "Restarting in %d seconds!"
 #~ msgstr "Herstart in %d seconden!"
 

diff --git a/src/Makefile.am b/src/Makefile.am
index a3b7202..146ff94 100644 (file)
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -21,7 +21,7 @@ noinst_HEADERS = conf.h connection.h device.h edge.h event.h graph.h logger.h me
 LIBS = @LIBS@ @LIBINTL@
 
 tincd_LDADD = \
 LIBS = @LIBS@ @LIBINTL@
 
 tincd_LDADD = \

-       $(top_builddir)/lib/libvpn.a
+       $(top_builddir)/lib/libvpn.a -lgnutls

 
 localedir = $(datadir)/locale
 
 
 localedir = $(datadir)/locale
 

diff --git a/src/conf.c b/src/conf.c
index 369a5fb..d0a2d2d 100644 (file)
--- a/src/conf.c
+++ b/src/conf.c
@@ -321,7 +321,7 @@ int read_config_file(avl_tree_t *config_tree, const char *fname)
        int err = -2;                           /* Parse error */
        FILE *fp;
        char *buffer, *line;
        int err = -2;                           /* Parse error */
        FILE *fp;
        char *buffer, *line;

-       char *variable, *value, *eol;
+       char *variable, *value;

        int lineno = 0;
        int len;
        bool ignore = false;
        int lineno = 0;
        int len;
        bool ignore = false;


@@ -372,10 +372,6 @@ int read_config_file(avl_tree_t *config_tree, const char *fname)
 
                variable = value = line;
 
 
                variable = value = line;
 

-               eol = line + strlen(line);
-               while(strchr("\t ", *--eol))
-                       *eol = '\0';
-

                len = strcspn(value, "\t =");
                value += len;
                value += strspn(value, "\t ");
                len = strcspn(value, "\t =");
                value += len;
                value += strspn(value, "\t ");


@@ -385,7 +381,6 @@ int read_config_file(avl_tree_t *config_tree, const char *fname)
                }
                variable[len] = '\0';
 
                }
                variable[len] = '\0';
 

-       

                if(!*value) {
                        logger(LOG_ERR, _("No value for variable `%s' on line %d while reading config file %s"),
                                   variable, lineno, fname);
                if(!*value) {
                        logger(LOG_ERR, _("No value for variable `%s' on line %d while reading config file %s"),
                                   variable, lineno, fname);

diff --git a/src/connection.c b/src/connection.c
index b4a17ad..4d036ed 100644 (file)
--- a/src/connection.c
+++ b/src/connection.c
@@ -78,21 +78,6 @@ void free_connection(connection_t *c)
 {
        cp();
 
 {
        cp();
 

-       if(c->hostname)
-               free(c->hostname);
-
-       if(c->inkey)
-               free(c->inkey);
-
-       if(c->outkey)
-               free(c->outkey);
-
-       if(c->mychallenge)
-               free(c->mychallenge);
-
-       if(c->hischallenge)
-               free(c->hischallenge);
-

        free(c);
 }
 
        free(c);
 }
 


@@ -121,8 +106,13 @@ void dump_connections(void)
 
        for(node = connection_tree->head; node; node = node->next) {
                c = node->data;
 
        for(node = connection_tree->head; node; node = node->next) {
                c = node->data;

-               logger(LOG_DEBUG, _(" %s at %s options %lx socket %d status %04x"),
-                          c->name, c->hostname, c->options, c->socket, *(uint32_t *)&c->status);
+               logger(LOG_DEBUG, _(" %s at %s options %lx socket %d cipher %s digest %s compression %s kx method %s status %04x"),
+                               c->name, c->hostname, c->options, c->socket,
+                               c->session ? gnutls_cipher_get_name(gnutls_cipher_get(c->session)) : "-",
+                               c->session ? gnutls_mac_get_name(gnutls_mac_get(c->session)) : "-",
+                               c->session ? gnutls_compression_get_name(gnutls_compression_get(c->session)) : "-",
+                               c->session ? gnutls_kx_get_name(gnutls_kx_get(c->session)) : "-",
+                          *(uint32_t *)&c->status);

        }
 
        logger(LOG_DEBUG, _("End of connections."));
        }
 
        logger(LOG_DEBUG, _("End of connections."));

diff --git a/src/connection.h b/src/connection.h
index b1c35af..0c93fed 100644 (file)
--- a/src/connection.h
+++ b/src/connection.h
@@ -23,8 +23,7 @@
 #ifndef __TINC_CONNECTION_H__
 #define __TINC_CONNECTION_H__
 
 #ifndef __TINC_CONNECTION_H__
 #define __TINC_CONNECTION_H__
 

-#include <openssl/rsa.h>
-#include <openssl/evp.h>
+#include <gnutls/gnutls.h>

 
 #include "avl_tree.h"
 
 
 #include "avl_tree.h"
 


@@ -51,14 +50,14 @@ typedef struct connection_status_t {
 #include "node.h"
 
 typedef struct connection_t {
 #include "node.h"
 
 typedef struct connection_t {

-       char *name;                                     /* name he claims to have */
+       char *name;                     /* name he claims to have */

 
 

-       union sockaddr_t address;                       /* his real (internet) ip */
-       char *hostname;                         /* the hostname of its real ip */
+       union sockaddr_t address;       /* his real (internet) ip */
+       char *hostname;                 /* the hostname of its real ip */

        int protocol_version;           /* used protocol */
 
        int protocol_version;           /* used protocol */
 

-       int socket;                                     /* socket used for this connection */
-       long int options;                       /* options for this connection */
+       int socket;                     /* socket used for this connection */
+       long int options;               /* options for this connection */

        struct connection_status_t status;      /* status info */
        int estimated_weight;           /* estimation for the weight of the edge for this connection */
        struct timeval start;           /* time this connection was started, used for above estimation */
        struct connection_status_t status;      /* status info */
        int estimated_weight;           /* estimation for the weight of the edge for this connection */
        struct timeval start;           /* time this connection was started, used for above estimation */


@@ -67,29 +66,14 @@ typedef struct connection_t {
        struct node_t *node;            /* node associated with the other end */
        struct edge_t *edge;            /* edge associated with this connection */
 
        struct node_t *node;            /* node associated with the other end */
        struct edge_t *edge;            /* edge associated with this connection */
 

-       RSA *rsa_key;                           /* his public/private key */
-       const EVP_CIPHER *incipher;     /* Cipher he will use to send data to us */
-       const EVP_CIPHER *outcipher;    /* Cipher we will use to send data to him */
-       EVP_CIPHER_CTX *inctx;          /* Context of encrypted meta data that will come from him to us */
-       EVP_CIPHER_CTX *outctx;         /* Context of encrypted meta data that will be sent from us to him */
-       char *inkey;                            /* His symmetric meta key + iv */
-       char *outkey;                           /* Our symmetric meta key + iv */
-       int inkeylength;                        /* Length of his key + iv */
-       int outkeylength;                       /* Length of our key + iv */
-       const EVP_MD *indigest;
-       const EVP_MD *outdigest;
-       int inmaclength;
-       int outmaclength;
-       int incompression;
-       int outcompression;
-       char *mychallenge;                      /* challenge we received from him */
-       char *hischallenge;                     /* challenge we sent to him */
+       gnutls_session session;
+       gnutls_certificate_credentials credentials;

 
        char buffer[MAXBUFSIZE];        /* metadata input buffer */
 
        char buffer[MAXBUFSIZE];        /* metadata input buffer */

-       int buflen;                                     /* bytes read into buffer */
-       int reqlen;                                     /* length of incoming request */
-       int tcplen;                                     /* length of incoming TCPpacket */
-       int allow_request;                      /* defined if there's only one request possible */
+       int buflen;                     /* bytes read into buffer */
+       int reqlen;                     /* length of incoming request */
+       int tcplen;                     /* length of incoming TCPpacket */
+       int allow_request;              /* defined if there's only one request possible */

 
        time_t last_ping_time;          /* last time we saw some activity from the other end */
 
 
        time_t last_ping_time;          /* last time we saw some activity from the other end */
 

diff --git a/src/meta.c b/src/meta.c
index 0071eb5..4153c44 100644 (file)
--- a/src/meta.c
+++ b/src/meta.c
@@ -22,8 +22,7 @@
 
 #include "system.h"
 
 
 #include "system.h"
 

-#include <openssl/err.h>
-#include <openssl/evp.h>
+#include <gnutls/gnutls.h>

 
 #include "avl_tree.h"
 #include "connection.h"
 
 #include "avl_tree.h"
 #include "connection.h"


@@ -36,9 +35,6 @@
 
 bool send_meta(connection_t *c, const char *buffer, int length)
 {
 
 bool send_meta(connection_t *c, const char *buffer, int length)
 {

-       const char *bufp;
-       int outlen;
-       char outbuf[MAXBUFSIZE];

        int result;
 
        cp();
        int result;
 
        cp();


@@ -46,32 +42,21 @@ bool send_meta(connection_t *c, const char *buffer, int length)
        ifdebug(META) logger(LOG_DEBUG, _("Sending %d bytes of metadata to %s (%s)"), length,
                           c->name, c->hostname);
 
        ifdebug(META) logger(LOG_DEBUG, _("Sending %d bytes of metadata to %s (%s)"), length,
                           c->name, c->hostname);
 

-       if(c->status.encryptout) {
-               result = EVP_EncryptUpdate(c->outctx, outbuf, &outlen, buffer, length);
-               if(!result || outlen != length) {
-                       logger(LOG_ERR, _("Error while encrypting metadata to %s (%s): %s"),
-                                       c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
-                       return false;
-               }
-               bufp = outbuf;
-               length = outlen;
-       } else
-               bufp = buffer;
-

        while(length) {
        while(length) {

-               result = send(c->socket, bufp, length, 0);
+               result = gnutls_record_send(c->session, buffer, length);
+

                if(result <= 0) {
                if(result <= 0) {

-                       if(!errno || errno == EPIPE) {
+                       if(!result) {

                                ifdebug(CONNECTIONS) logger(LOG_NOTICE, _("Connection closed by %s (%s)"),
                                                   c->name, c->hostname);
                                ifdebug(CONNECTIONS) logger(LOG_NOTICE, _("Connection closed by %s (%s)"),
                                                   c->name, c->hostname);

-                       } else if(errno == EINTR)
+                       } else if(result == GNUTLS_E_INTERRUPTED || result == GNUTLS_E_AGAIN)

                                continue;
                        else
                                logger(LOG_ERR, _("Sending meta data to %s (%s) failed: %s"), c->name,
                                continue;
                        else
                                logger(LOG_ERR, _("Sending meta data to %s (%s) failed: %s"), c->name,

-                                          c->hostname, strerror(errno));
+                                          c->hostname, gnutls_strerror(result));

                        return false;
                }
                        return false;
                }

-               bufp += result;
+               buffer += result;

                length -= result;
        }
        
                length -= result;
        }
        


@@ -96,53 +81,51 @@ void broadcast_meta(connection_t *from, const char *buffer, int length)
 bool receive_meta(connection_t *c)
 {
        int oldlen, i, result;
 bool receive_meta(connection_t *c)
 {
        int oldlen, i, result;

-       int lenin, lenout, reqlen;
-       bool decrypted = false;
-       char inbuf[MAXBUFSIZE];
+       int reqlen;

 
        cp();
 
        /* Strategy:
           - Read as much as possible from the TCP socket in one go.
 
        cp();
 
        /* Strategy:
           - Read as much as possible from the TCP socket in one go.

-          - Decrypt it.

           - Check if a full request is in the input buffer.
           - If yes, process request and remove it from the buffer,
           then check again.
           - If not, keep stuff in buffer and exit.
         */
 
           - Check if a full request is in the input buffer.
           - If yes, process request and remove it from the buffer,
           then check again.
           - If not, keep stuff in buffer and exit.
         */
 

-       lenin = recv(c->socket, c->buffer + c->buflen, MAXBUFSIZE - c->buflen, 0);
+       if(c->allow_request == ID) {
+               logger(LOG_DEBUG, _("Continuing handshake..."));
+               result = gnutls_handshake(c->session);
+               if(!result) {
+                       logger(LOG_DEBUG, _("Handshake with %s (%s) completed!"), c->name, c->hostname);
+                       c->allow_request = ACK;
+                       return send_ack(c);
+               }
+               if(result == GNUTLS_E_INTERRUPTED || result == GNUTLS_E_AGAIN)
+                       return true;
+               logger(LOG_DEBUG, _("Handshake with %s (%s) failed: %s"), c->name, c->hostname, gnutls_strerror(result));
+               return false;
+       }
+
+       result = gnutls_record_recv(c->session, c->buffer + c->buflen, MAXBUFSIZE - c->buflen);

 
 

-       if(lenin <= 0) {
-               if(!lenin || !errno) {
+       if(result <= 0) {
+               if(!result) {

                        ifdebug(CONNECTIONS) logger(LOG_NOTICE, _("Connection closed by %s (%s)"),
                                           c->name, c->hostname);
                        ifdebug(CONNECTIONS) logger(LOG_NOTICE, _("Connection closed by %s (%s)"),
                                           c->name, c->hostname);

-               } else if(errno == EINTR)
+               } else if(result == GNUTLS_E_INTERRUPTED || result == GNUTLS_E_AGAIN)

                        return true;
                else
                        logger(LOG_ERR, _("Metadata socket read error for %s (%s): %s"),
                        return true;
                else
                        logger(LOG_ERR, _("Metadata socket read error for %s (%s): %s"),

-                                  c->name, c->hostname, strerror(errno));
+                                  c->name, c->hostname, gnutls_strerror(result));

 
                return false;
        }
 
        oldlen = c->buflen;
 
                return false;
        }
 
        oldlen = c->buflen;

-       c->buflen += lenin;
-
-       while(lenin > 0) {
-               /* Decrypt */
-
-               if(c->status.decryptin && !decrypted) {
-                       result = EVP_DecryptUpdate(c->inctx, inbuf, &lenout, c->buffer + oldlen, lenin);
-                       if(!result || lenout != lenin) {
-                               logger(LOG_ERR, _("Error while decrypting metadata from %s (%s): %s"),
-                                               c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
-                               return false;
-                       }
-                       memcpy(c->buffer + oldlen, inbuf, lenin);
-                       decrypted = true;
-               }
+       c->buflen += result;

 
 

+       while(c->buflen > 0) {

                /* Are we receiving a TCPpacket? */
 
                if(c->tcplen) {
                /* Are we receiving a TCPpacket? */
 
                if(c->tcplen) {


@@ -150,7 +133,6 @@ bool receive_meta(connection_t *c)
                                receive_tcppacket(c, c->buffer, c->tcplen);
 
                                c->buflen -= c->tcplen;
                                receive_tcppacket(c, c->buffer, c->tcplen);
 
                                c->buflen -= c->tcplen;

-                               lenin -= c->tcplen - oldlen;

                                memmove(c->buffer, c->buffer + c->tcplen, c->buflen);
                                oldlen = 0;
                                c->tcplen = 0;
                                memmove(c->buffer, c->buffer + c->tcplen, c->buflen);
                                oldlen = 0;
                                c->tcplen = 0;


@@ -178,7 +160,6 @@ bool receive_meta(connection_t *c)
                                return false;
 
                        c->buflen -= reqlen;
                                return false;
 
                        c->buflen -= reqlen;

-                       lenin -= reqlen - oldlen;

                        memmove(c->buffer, c->buffer + reqlen, c->buflen);
                        oldlen = 0;
                        continue;
                        memmove(c->buffer, c->buffer + reqlen, c->buflen);
                        oldlen = 0;
                        continue;

diff --git a/src/net.c b/src/net.c
index a6d2bb7..24f520c 100644 (file)
--- a/src/net.c
+++ b/src/net.c
@@ -22,7 +22,7 @@
 
 #include "system.h"
 
 
 #include "system.h"
 

-#include <openssl/rand.h>
+#include <gcrypt.h>

 
 #include "utils.h"
 #include "avl_tree.h"
 
 #include "utils.h"
 #include "avl_tree.h"


@@ -377,9 +377,9 @@ int main_loop(void)
                        if(keyexpires < now) {
                                ifdebug(STATUS) logger(LOG_INFO, _("Regenerating symmetric key"));
 
                        if(keyexpires < now) {
                                ifdebug(STATUS) logger(LOG_INFO, _("Regenerating symmetric key"));
 

-                               RAND_pseudo_bytes(myself->key, myself->keylength);
+                               gcry_randomize(myself->cipherkey, myself->cipherkeylen, GCRY_STRONG_RANDOM);

                                if(myself->cipher)
                                if(myself->cipher)

-                                       EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key, myself->key + myself->cipher->key_len);
+                                       gcry_cipher_setkey(myself->cipher_ctx, myself->cipherkey, myself->cipherkeylen);

                                send_key_changed(broadcast, myself);
                                keyexpires = now + keylifetime;
                        }
                                send_key_changed(broadcast, myself);
                                keyexpires = now + keylifetime;
                        }

diff --git a/src/net.h b/src/net.h
index 5b14553..0cd4b8d 100644 (file)
--- a/src/net.h
+++ b/src/net.h
@@ -23,7 +23,7 @@
 #ifndef __TINC_NET_H__
 #define __TINC_NET_H__
 
 #ifndef __TINC_NET_H__
 #define __TINC_NET_H__
 

-#include <openssl/evp.h>
+#include <gcrypt.h>

 
 #include "ipv6.h"
 
 
 #include "ipv6.h"
 


@@ -33,7 +33,7 @@
 #define MTU 1514                               /* 1500 bytes payload + 14 bytes ethernet header */
 #endif
 
 #define MTU 1514                               /* 1500 bytes payload + 14 bytes ethernet header */
 #endif
 

-#define MAXSIZE (MTU + 4 + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + MTU/64 + 20)       /* MTU + seqno + padding + HMAC + compressor overhead */
+#define MAXSIZE (MTU + 4 + 64 + 64 + MTU/64 + 20)      /* MTU + seqno + padding + HMAC + compressor overhead */

 #define MAXBUFSIZE ((MAXSIZE > 2048 ? MAXSIZE : 2048) + 128)   /* Enough room for a request with a MAXSIZEd packet or a 8192 bits RSA key */
 
 #define MAXSOCKETS 128                 /* Overkill... */
 #define MAXBUFSIZE ((MAXSIZE > 2048 ? MAXSIZE : 2048) + 128)   /* Enough room for a request with a MAXSIZEd packet or a 8192 bits RSA key */
 
 #define MAXSOCKETS 128                 /* Overkill... */


@@ -126,7 +126,8 @@ extern bool do_prune;
 extern bool do_purge;
 extern char *myport;
 extern time_t now;
 extern bool do_purge;
 extern char *myport;
 extern time_t now;

-extern EVP_CIPHER_CTX packet_ctx;
+extern gcry_cipher_hd_t packet_ctx;
+extern gcry_md_hd_t digest_ctx;

 
 /* Yes, very strange placement indeed, but otherwise the typedefs get all tangled up */
 #include "connection.h"
 
 /* Yes, very strange placement indeed, but otherwise the typedefs get all tangled up */
 #include "connection.h"

diff --git a/src/net_packet.c b/src/net_packet.c
index 255453e..b3cd8d4 100644 (file)
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -22,11 +22,7 @@
 
 #include "system.h"
 
 
 #include "system.h"
 

-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-#include <openssl/hmac.h>
+#include <gcrypt.h>

 
 #include <zlib.h>
 #include <lzo1x.h>
 
 #include <zlib.h>
 #include <lzo1x.h>


@@ -54,7 +50,6 @@
 
 int keylifetime = 0;
 int keyexpires = 0;
 
 int keylifetime = 0;
 int keyexpires = 0;

-EVP_CIPHER_CTX packet_ctx;

 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
 
 static void send_udppacket(node_t *, vpn_packet_t *);
 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
 
 static void send_udppacket(node_t *, vpn_packet_t *);


@@ -88,7 +83,7 @@ void send_mtu_probe(node_t *n)
                        len = 64;
                
                memset(packet.data, 0, 14);
                        len = 64;
                
                memset(packet.data, 0, 14);

-               RAND_pseudo_bytes(packet.data + 14, len - 14);
+               gcry_randomize(packet.data + 14, len - 14, GCRY_WEAK_RANDOM);

                packet.len = len;
 
                ifdebug(TRAFFIC) logger(LOG_INFO, _("Sending MTU probe length %d to %s (%s)"), len, n->name, n->hostname);
                packet.len = len;
 
                ifdebug(TRAFFIC) logger(LOG_INFO, _("Sending MTU probe length %d to %s (%s)"), len, n->name, n->hostname);


@@ -173,9 +168,10 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt)
        vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
        int nextpkt = 0;
        vpn_packet_t *outpkt = pkt[0];
        vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
        int nextpkt = 0;
        vpn_packet_t *outpkt = pkt[0];

-       int outlen, outpad;
-       char hmac[EVP_MAX_MD_SIZE];
+       char *hmac = NULL;
+       int result;

        int i;
        int i;

+       static char iv[32] = {0};

 
        cp();
 
 
        cp();
 


@@ -191,10 +187,11 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt)
 
        if(myself->digest && myself->maclength) {
                inpkt->len -= myself->maclength;
 
        if(myself->digest && myself->maclength) {
                inpkt->len -= myself->maclength;

-               HMAC(myself->digest, myself->key, myself->keylength,
-                        (char *) &inpkt->seqno, inpkt->len, hmac, NULL);
-
-               if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, myself->maclength)) {
+               gcry_md_reset(myself->digest_ctx);
+               gcry_md_write(myself->digest_ctx, (char *)&inpkt->seqno, inpkt->len);
+               hmac = gcry_md_read(myself->digest_ctx, 0);
+       
+               if(!hmac || memcmp(hmac, (char *)&inpkt->seqno + inpkt->len, myself->maclength)) {

                        ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"),
                                           n->name, n->hostname);
                        return;
                        ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"),
                                           n->name, n->hostname);
                        return;


@@ -204,19 +201,28 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt)
        /* Decrypt the packet */
 
        if(myself->cipher) {
        /* Decrypt the packet */
 
        if(myself->cipher) {

-               outpkt = pkt[nextpkt++];
+               gcry_cipher_reset(myself->cipher_ctx);
+               //memcpy(iv, &inpkt->seqno, sizeof inpkt->seqno);
+               //gcry_cipher_setiv(myself->cipher_ctx, iv, myself->cipherblklen);
+               result = gcry_cipher_decrypt(myself->cipher_ctx, (char *)&inpkt->seqno, inpkt->len, NULL, 0);

 
 

-               if(!EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL)
-                               || !EVP_DecryptUpdate(&packet_ctx, (char *) &outpkt->seqno, &outlen,
-                                       (char *) &inpkt->seqno, inpkt->len)
-                               || !EVP_DecryptFinal_ex(&packet_ctx, (char *) &outpkt->seqno + outlen, &outpad)) {
+               if(result) {

                        ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s): %s"),
                        ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s): %s"),

-                                               n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
+                                               n->name, n->hostname, gpg_strerror(result));
+                       logger(LOG_DEBUG, "%p %p %d", myself->cipher_ctx, (char *)&inpkt->seqno, inpkt->len);

                        return;
                }
                        return;
                }

+       }
+
+       /* Remove padding */
+
+       if(myself->cipherblklen > 1) {
+               int padlen;

                
                

-               outpkt->len = outlen + outpad;
-               inpkt = outpkt;
+               padlen = ((uint8_t *)&inpkt->seqno)[inpkt->len - 1];
+               
+               if(padlen && padlen <= myself->cipherblklen)
+                       inpkt->len -= padlen;

        }
 
        /* Check the sequence number */
        }
 
        /* Check the sequence number */


@@ -226,13 +232,13 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt)
 
        if(inpkt->seqno != n->received_seqno + 1) {
                if(inpkt->seqno >= n->received_seqno + sizeof(n->late) * 8) {
 
        if(inpkt->seqno != n->received_seqno + 1) {
                if(inpkt->seqno >= n->received_seqno + sizeof(n->late) * 8) {

-                       logger(LOG_WARNING, _("Lost %d packets from %s (%s)"),
+                       logger(LOG_WARNING, _("Lost %u packets from %s (%s)"),

                                           inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
                        
                        memset(n->late, 0, sizeof(n->late));
                } else if (inpkt->seqno <= n->received_seqno) {
                        if(inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8 || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) {
                                           inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
                        
                        memset(n->late, 0, sizeof(n->late));
                } else if (inpkt->seqno <= n->received_seqno) {
                        if(inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8 || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) {

-                               logger(LOG_WARNING, _("Got late or replayed packet from %s (%s), seqno %d, last received %d"),
+                               logger(LOG_WARNING, _("Got late or replayed packet from %s (%s), seqno %u, last received %u"),

                                           n->name, n->hostname, inpkt->seqno, n->received_seqno);
                        } else
                                for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
                                           n->name, n->hostname, inpkt->seqno, n->received_seqno);
                        } else
                                for(i = n->received_seqno + 1; i < inpkt->seqno; i++)


@@ -240,8 +246,10 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt)
                }
        }
        
                }
        }
        

-       n->received_seqno = inpkt->seqno;
-       n->late[(n->received_seqno / 8) % sizeof(n->late)] &= ~(1 << n->received_seqno % 8);
+       if(inpkt->seqno > n->received_seqno) {
+               n->received_seqno = inpkt->seqno;
+               n->late[(n->received_seqno / 8) % sizeof(n->late)] &= ~(1 << n->received_seqno % 8);
+       }

                        
        if(n->received_seqno > MAX_SEQNO)
                keyexpires = 0;
                        
        if(n->received_seqno > MAX_SEQNO)
                keyexpires = 0;


@@ -288,11 +296,13 @@ static void send_udppacket(node_t *n, vpn_packet_t *inpkt)
        int nextpkt = 0;
        vpn_packet_t *outpkt;
        int origlen;
        int nextpkt = 0;
        vpn_packet_t *outpkt;
        int origlen;

-       int outlen, outpad;
+       int result;

        vpn_packet_t *copy;
        static int priority = 0;
        int origpriority;
        int sock;
        vpn_packet_t *copy;
        static int priority = 0;
        int origpriority;
        int sock;

+       char *hmac = NULL;
+       static char iv[32] = {0};

 
        cp();
 
 
        cp();
 


@@ -345,26 +355,54 @@ static void send_udppacket(node_t *n, vpn_packet_t *inpkt)
        /* Encrypt the packet */
 
        if(n->cipher) {
        /* Encrypt the packet */
 
        if(n->cipher) {

-               outpkt = pkt[nextpkt++];
+               /* Add padding */
+
+               if(n->cipherblklen > 1) {
+                       int padlen, i;
+                       uint8_t *p;
+
+                       padlen = n->cipherblklen - inpkt->len % n->cipherblklen;
+                       p = (char *)&inpkt->seqno + inpkt->len;
+
+                       if(padlen == n->cipherblklen) {
+                               if(p[-1] != 0 && p[-1] <= n->cipherblklen) {
+                                       inpkt->len += n->cipherblklen;
+                                       for(i = 0; i < n->cipherblklen; i++)
+                                               *p++ = i + 1;
+                               }
+                       } else {
+                               inpkt->len += padlen;
+                               for(i = 0; i < padlen; i++)
+                                       *p++ = i + 1;
+                       }
+               }
+                                       
+               gcry_cipher_reset(n->cipher_ctx);
+               //memcpy(iv, &inpkt->seqno, sizeof inpkt->seqno);
+               //gcry_cipher_setiv(n->cipher_ctx, iv, n->cipherblklen);
+               result = gcry_cipher_encrypt(n->cipher_ctx, (char *)&inpkt->seqno, inpkt->len, NULL, 0);

 
 

-               if(!EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL)
-                               || !EVP_EncryptUpdate(&n->packet_ctx, (char *) &outpkt->seqno, &outlen,
-                                       (char *) &inpkt->seqno, inpkt->len)
-                               || !EVP_EncryptFinal_ex(&n->packet_ctx, (char *) &outpkt->seqno + outlen, &outpad)) {
+               if(result) {

                        ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"),
                        ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"),

-                                               n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
+                                               n->name, n->hostname, gpg_strerror(result));

                        goto end;
                }
                        goto end;
                }

-
-               outpkt->len = outlen + outpad;
-               inpkt = outpkt;

        }
 
        /* Add the message authentication code */
 
        if(n->digest && n->maclength) {
        }
 
        /* Add the message authentication code */
 
        if(n->digest && n->maclength) {

-               HMAC(n->digest, n->key, n->keylength, (char *) &inpkt->seqno,
-                        inpkt->len, (char *) &inpkt->seqno + inpkt->len, &outlen);
+               gcry_md_reset(n->digest_ctx);
+               gcry_md_write(n->digest_ctx, (char *)&inpkt->seqno, inpkt->len);
+               hmac = gcry_md_read(n->digest_ctx, 0);
+
+               if(!hmac) {
+                       ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while authenticating packet to %s (%s)"),
+                                               n->name, n->hostname);
+                       goto end;
+               }
+               
+               memcpy((char *)&inpkt->seqno + inpkt->len, hmac, n->maclength);

                inpkt->len += n->maclength;
        }
 
                inpkt->len += n->maclength;
        }
 

diff --git a/src/net_setup.c b/src/net_setup.c
index aa2fbfb..58d80da 100644 (file)
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -22,11 +22,9 @@
 
 #include "system.h"
 
 
 #include "system.h"
 

-#include <openssl/pem.h>
-#include <openssl/rsa.h>
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gcrypt.h>

 
 #include "avl_tree.h"
 #include "conf.h"
 
 #include "avl_tree.h"
 #include "conf.h"


@@ -46,6 +44,7 @@
 
 char *myport;
 
 
 char *myport;
 

+#if 0

 bool read_rsa_public_key(connection_t *c)
 {
        FILE *fp;
 bool read_rsa_public_key(connection_t *c)
 {
        FILE *fp;


@@ -146,65 +145,61 @@ bool read_rsa_public_key(connection_t *c)
 
        return false;
 }
 
        return false;
 }

+#endif

 
 

-bool read_rsa_private_key(void)
+bool setup_credentials(void)

 {
 {

-       FILE *fp;
-       char *fname, *key, *pubkey;
-       struct stat s;
+       char *trust = NULL, *crl = NULL;
+       char *key = NULL, *cert = NULL;
+       int result;

 
        cp();
 
 
        cp();
 

-       if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
-               if(!get_config_string(lookup_config(myself->connection->config_tree, "PublicKey"), &pubkey)) {
-                       logger(LOG_ERR, _("PrivateKey used but no PublicKey found!"));
+       gnutls_certificate_allocate_credentials(&myself->connection->credentials);
+
+       if(get_config_string(lookup_config(config_tree, "TrustFile"), &trust)) {
+               result = gnutls_certificate_set_x509_trust_file(myself->connection->credentials, trust, GNUTLS_X509_FMT_PEM);
+               if(result < 0) {
+                       logger(LOG_ERR, _("Error reading trust file '%s': %s"), trust, gnutls_strerror(result));
+                       free(trust);

                        return false;
                }
                        return false;
                }

-               myself->connection->rsa_key = RSA_new();
-//             RSA_blinding_on(myself->connection->rsa_key, NULL);
-               BN_hex2bn(&myself->connection->rsa_key->d, key);
-               BN_hex2bn(&myself->connection->rsa_key->n, pubkey);
-               BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
-               free(key);
-               free(pubkey);
-               return true;
+               free(trust);

        }
 
        }
 

-       if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname))
-               asprintf(&fname, "%s/rsa_key.priv", confbase);
-
-       fp = fopen(fname, "r");
-
-       if(!fp) {
-               logger(LOG_ERR, _("Error reading RSA private key file `%s': %s"),
-                          fname, strerror(errno));
-               free(fname);
-               return false;
+       if(get_config_string(lookup_config(config_tree, "CRLFile"), &crl)) {
+               result = gnutls_certificate_set_x509_crl_file(myself->connection->credentials, crl, GNUTLS_X509_FMT_PEM);
+               if(result) {
+                       logger(LOG_ERR, _("Error reading CRL file '%s': %s"), crl, gnutls_strerror(result));
+                       free(crl);
+                       return false;
+               }
+               free(crl);

        }
 
        }
 

-#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
-       if(fstat(fileno(fp), &s)) {
-               logger(LOG_ERR, _("Could not stat RSA private key file `%s': %s'"),
-                               fname, strerror(errno));
-               free(fname);
-               return false;
-       }
+       if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &key))
+               asprintf(&key, "%s/rsa_key.priv", confbase);

 
 

-       if(s.st_mode & ~0100700)
-               logger(LOG_WARNING, _("Warning: insecure file permissions for RSA private key file `%s'!"), fname);
-#endif
+       if(!get_config_string(lookup_config(config_tree, "CertificateFile"), &cert))
+               asprintf(&cert, "%s/hosts/%s", confbase, myself->name);

 
 

-       myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
-       fclose(fp);
+       
+       gnutls_certificate_set_x509_trust_file(myself->connection->credentials, cert, GNUTLS_X509_FMT_PEM);
+       logger(LOG_DEBUG, _("JOEHOE"));
+       gnutls_certificate_set_verify_flags(myself->connection->credentials, GNUTLS_VERIFY_DISABLE_CA_SIGN);
+       
+       result = gnutls_certificate_set_x509_key_file(myself->connection->credentials, cert, key, GNUTLS_X509_FMT_PEM);

 
 

-       if(!myself->connection->rsa_key) {
-               logger(LOG_ERR, _("Reading RSA private key file `%s' failed: %s"),
-                          fname, strerror(errno));
-               free(fname);
+       if(result) {
+               logger(LOG_ERR, _("Error reading credentials from %s and %s: %s"), cert, key, gnutls_strerror(result));
+               free(key);
+               free(cert);

                return false;
        }
 
                return false;
        }
 

-       free(fname);
+       free(key);
+       free(cert);
+       

        return true;
 }
 
        return true;
 }
 


@@ -220,7 +215,7 @@ bool setup_myself(void)
        char *envp[5];
        struct addrinfo *ai, *aip, hint = {0};
        bool choice;
        char *envp[5];
        struct addrinfo *ai, *aip, hint = {0};
        bool choice;

-       int i, err;
+       int i, err, result;

 
        cp();
 
 
        cp();
 


@@ -248,15 +243,15 @@ bool setup_myself(void)
        myself->name = name;
        myself->connection->name = xstrdup(name);
 
        myself->name = name;
        myself->connection->name = xstrdup(name);
 

+       if(!setup_credentials())
+               return false;
+

        if(!read_connection_config(myself->connection)) {
                logger(LOG_ERR, _("Cannot open host configuration file for myself!"));
                return false;
        }
 
        if(!read_connection_config(myself->connection)) {
                logger(LOG_ERR, _("Cannot open host configuration file for myself!"));
                return false;
        }
 

-       if(!read_rsa_private_key())
-               return false;
-
-       if(!get_config_string(lookup_config(myself->connection->config_tree, "Port"), &myport))
+       if(!get_config_string (lookup_config(myself->connection->config_tree, "Port"), &myport))

                asprintf(&myport, "655");
 
        /* Read in all the subnets specified in the host configuration file */
                asprintf(&myport, "655");
 
        /* Read in all the subnets specified in the host configuration file */


@@ -345,12 +340,11 @@ bool setup_myself(void)
 
        /* Generate packet encryption key */
 
 
        /* Generate packet encryption key */
 

-       if(get_config_string
-          (lookup_config(myself->connection->config_tree, "Cipher"), &cipher)) {
+       if(get_config_string (lookup_config(myself->connection->config_tree, "Cipher"), &cipher)) {

                if(!strcasecmp(cipher, "none")) {
                if(!strcasecmp(cipher, "none")) {

-                       myself->cipher = NULL;
+                       myself->cipher = GCRY_CIPHER_NONE;

                } else {
                } else {

-                       myself->cipher = EVP_get_cipherbyname(cipher);
+                       myself->cipher = gcry_cipher_map_name(cipher);

 
                        if(!myself->cipher) {
                                logger(LOG_ERR, _("Unrecognized cipher type!"));
 
                        if(!myself->cipher) {
                                logger(LOG_ERR, _("Unrecognized cipher type!"));


@@ -358,41 +352,44 @@ bool setup_myself(void)
                        }
                }
        } else
                        }
                }
        } else

-               myself->cipher = EVP_bf_cbc();
+               myself->cipher = GCRY_CIPHER_AES;

 
 

-       if(myself->cipher)
-               myself->keylength = myself->cipher->key_len + myself->cipher->iv_len;
-       else
-               myself->keylength = 1;
+       if(myself->cipher) {
+               result = gcry_cipher_open(&myself->cipher_ctx, myself->cipher, GCRY_CIPHER_MODE_CBC, GCRY_CIPHER_SECURE);
+
+               if(result) {
+                       logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"),
+                                       myself->name, myself->hostname, gcry_strerror(result));
+                       return false;
+               }
+
+       }

 
 

-       myself->connection->outcipher = EVP_bf_ofb();
+       if(myself->cipher) {
+               myself->cipherkeylen = gcry_cipher_get_algo_keylen(myself->cipher);
+               myself->cipherblklen = gcry_cipher_get_algo_blklen(myself->cipher);
+       } else {
+               myself->cipherkeylen = 1;
+       }

 
 

-       myself->key = xmalloc(myself->keylength);
-       RAND_pseudo_bytes(myself->key, myself->keylength);
+       logger(LOG_DEBUG, _("Key %s len %d"), gcry_cipher_algo_name(myself->cipher), myself->cipherkeylen);
+       myself->cipherkey = xmalloc(myself->cipherkeylen);
+       gcry_randomize(myself->cipherkey, myself->cipherkeylen, GCRY_STRONG_RANDOM);
+       if(myself->cipher)
+               gcry_cipher_setkey(myself->cipher_ctx, myself->cipherkey, myself->cipherkeylen);

 
        if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
                keylifetime = 3600;
 
        keyexpires = now + keylifetime;
        
 
        if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
                keylifetime = 3600;
 
        keyexpires = now + keylifetime;
        

-       if(myself->cipher) {
-               EVP_CIPHER_CTX_init(&packet_ctx);
-               if(!EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key, myself->key + myself->cipher->key_len)) {
-                       logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"),
-                                       myself->name, myself->hostname, ERR_error_string(ERR_get_error(), NULL));
-                       return false;
-               }
-
-       }
-

        /* Check if we want to use message authentication codes... */
 
        /* Check if we want to use message authentication codes... */
 

-       if(get_config_string
-          (lookup_config(myself->connection->config_tree, "Digest"), &digest)) {
+       if(get_config_string (lookup_config(myself->connection->config_tree, "Digest"), &digest)) {

                if(!strcasecmp(digest, "none")) {
                if(!strcasecmp(digest, "none")) {

-                       myself->digest = NULL;
+                       myself->digest = GCRY_MD_NONE;

                } else {
                } else {

-                       myself->digest = EVP_get_digestbyname(digest);
+                       myself->digest = gcry_md_map_name(digest);

 
                        if(!myself->digest) {
                                logger(LOG_ERR, _("Unrecognized digest type!"));
 
                        if(!myself->digest) {
                                logger(LOG_ERR, _("Unrecognized digest type!"));


@@ -400,14 +397,34 @@ bool setup_myself(void)
                        }
                }
        } else
                        }
                }
        } else

-               myself->digest = EVP_sha1();
+               myself->digest = GCRY_MD_SHA1;
+
+
+       if(myself->digest) {
+               result = gcry_md_open(&myself->digest_ctx, myself->digest, GCRY_MD_FLAG_SECURE | GCRY_MD_FLAG_HMAC);
+
+               if(result) {
+                       logger(LOG_ERR, _("Error during initialisation of digest for %s (%s): %s"),
+                                       myself->name, myself->hostname, gcry_strerror(result));
+                       return false;
+               }
+
+       }

 
 

-       myself->connection->outdigest = EVP_sha1();
+       if(myself->digest) {
+               myself->digestlen = gcry_md_get_algo_dlen(myself->digest);
+       } else {
+               myself->digestlen = 1;
+       }

 
 

-       if(get_config_int(lookup_config(myself->connection->config_tree, "MACLength"),
-               &myself->maclength)) {
+       myself->digestkey = xmalloc(myself->digestlen);
+       gcry_randomize(myself->digestkey, myself->digestlen, GCRY_STRONG_RANDOM);
+       if(myself->digest)
+               gcry_md_setkey(myself->digest_ctx, myself->digestkey, myself->digestlen);
+
+       if(get_config_int(lookup_config(myself->connection->config_tree, "MACLength"), &myself->maclength)) {

                if(myself->digest) {
                if(myself->digest) {

-                       if(myself->maclength > myself->digest->md_size) {
+                       if(myself->maclength > myself->digestlen) {

                                logger(LOG_ERR, _("MAC length exceeds size of digest!"));
                                return false;
                        } else if(myself->maclength < 0) {
                                logger(LOG_ERR, _("MAC length exceeds size of digest!"));
                                return false;
                        } else if(myself->maclength < 0) {


@@ -418,8 +435,6 @@ bool setup_myself(void)
        } else
                myself->maclength = 4;
 
        } else
                myself->maclength = 4;
 

-       myself->connection->outmaclength = 0;
-

        /* Compression */
 
        if(get_config_int(lookup_config(myself->connection->config_tree, "Compression"),
        /* Compression */
 
        if(get_config_int(lookup_config(myself->connection->config_tree, "Compression"),


@@ -431,8 +446,6 @@ bool setup_myself(void)
        } else
                myself->compression = 0;
 
        } else
                myself->compression = 0;
 

-       myself->connection->outcompression = 0;
-

        /* Done */
 
        myself->nexthop = myself;
        /* Done */
 
        myself->nexthop = myself;

diff --git a/src/net_socket.c b/src/net_socket.c
index 3d1be21..ff903e8 100644 (file)
--- a/src/net_socket.c
+++ b/src/net_socket.c
@@ -22,6 +22,8 @@
 
 #include "system.h"
 
 
 #include "system.h"
 

+#include <gnutls/gnutls.h>
+

 #include "avl_tree.h"
 #include "conf.h"
 #include "connection.h"
 #include "avl_tree.h"
 #include "conf.h"
 #include "connection.h"


@@ -45,6 +47,16 @@ int seconds_till_retry = 5;
 listen_socket_t listen_socket[MAXSOCKETS];
 int listen_sockets;
 
 listen_socket_t listen_socket[MAXSOCKETS];
 int listen_sockets;
 

+int certselfunc(gnutls_session session,  const gnutls_datum *client_cert, int ncerts, const gnutls_datum* req_ca_cert, int nreqs) {
+       logger(LOG_DEBUG, "Client certificate select function called with %d certs, %d requests\n", ncerts, nreqs);
+       return 0;
+}
+
+int scertselfunc(gnutls_session session,  const gnutls_datum *server_cert, int ncerts) {
+       logger(LOG_DEBUG, "Server certificate select function called with %d certs\n", ncerts);
+       return 0;
+}
+

 /* Setup sockets */
 
 int setup_listen_socket(const sockaddr_t *sa)
 /* Setup sockets */
 
 int setup_listen_socket(const sockaddr_t *sa)


@@ -236,13 +248,21 @@ void retry_outgoing(outgoing_t *outgoing)
 
 void finish_connecting(connection_t *c)
 {
 
 void finish_connecting(connection_t *c)
 {

+       int result;
+

        cp();
 
        ifdebug(CONNECTIONS) logger(LOG_INFO, _("Connected to %s (%s)"), c->name, c->hostname);
 
        c->last_ping_time = now;
 
        cp();
 
        ifdebug(CONNECTIONS) logger(LOG_INFO, _("Connected to %s (%s)"), c->name, c->hostname);
 
        c->last_ping_time = now;
 

-       send_id(c);
+       gnutls_init(&c->session, GNUTLS_SERVER);
+       gnutls_set_default_priority(c->session);
+       gnutls_credentials_set(c->session, GNUTLS_CRD_CERTIFICATE, myself->connection->credentials);
+       gnutls_certificate_server_set_request(c->session, GNUTLS_CERT_REQUEST);
+//     gnutls_certificate_client_set_select_function(c->session, certselfunc);
+//     gnutls_certificate_server_set_select_function(c->session, scertselfunc);
+       gnutls_transport_set_ptr(c->session, c->socket);

 }
 
 void do_outgoing_connection(connection_t *c)
 }
 
 void do_outgoing_connection(connection_t *c)


@@ -340,6 +360,7 @@ begin:
                goto begin;
        }
 
                goto begin;
        }
 

+       logger(LOG_DEBUG, _("finishing connection"));

        finish_connecting(c);
 
        return;
        finish_connecting(c);
 
        return;


@@ -364,10 +385,6 @@ void setup_outgoing_connection(outgoing_t *outgoing)
 
        c = new_connection();
        c->name = xstrdup(outgoing->name);
 
        c = new_connection();
        c->name = xstrdup(outgoing->name);

-       c->outcipher = myself->connection->outcipher;
-       c->outdigest = myself->connection->outdigest;
-       c->outmaclength = myself->connection->outmaclength;
-       c->outcompression = myself->connection->outcompression;

 
        init_configuration(&c->config_tree);
        read_connection_config(c);
 
        init_configuration(&c->config_tree);
        read_connection_config(c);


@@ -399,6 +416,7 @@ bool handle_new_meta_connection(int sock)
        connection_t *c;
        sockaddr_t sa;
        int fd, len = sizeof(sa);
        connection_t *c;
        sockaddr_t sa;
        int fd, len = sizeof(sa);

+       int result;

 
        cp();
 
 
        cp();
 


@@ -410,13 +428,22 @@ bool handle_new_meta_connection(int sock)
                return false;
        }
 
                return false;
        }
 

+#ifdef O_NONBLOCK
+       {
+               int flags = fcntl(fd, F_GETFL);
+
+               if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
+                       closesocket(fd);
+                       logger(LOG_ERR, _("System call `%s' failed: %s"), "fcntl",
+                                  strerror(errno));
+                       return -1;
+               }
+       }
+#endif
+

        sockaddrunmap(&sa);
 
        c = new_connection();
        sockaddrunmap(&sa);
 
        c = new_connection();

-       c->outcipher = myself->connection->outcipher;
-       c->outdigest = myself->connection->outdigest;
-       c->outmaclength = myself->connection->outmaclength;
-       c->outcompression = myself->connection->outcompression;

 
        c->address = sa;
        c->hostname = sockaddr2hostname(&sa);
 
        c->address = sa;
        c->hostname = sockaddr2hostname(&sa);


@@ -428,7 +455,14 @@ bool handle_new_meta_connection(int sock)
        connection_add(c);
 
        c->allow_request = ID;
        connection_add(c);
 
        c->allow_request = ID;

-       send_id(c);
+       gnutls_init(&c->session, GNUTLS_CLIENT);
+       gnutls_set_default_priority(c->session);
+       gnutls_credentials_set(c->session, GNUTLS_CRD_CERTIFICATE, myself->connection->credentials);
+       gnutls_certificate_server_set_request(c->session, GNUTLS_CERT_REQUEST);
+//     gnutls_certificate_client_set_select_function(c->session, certselfunc);
+//     gnutls_certificate_server_set_select_function(c->session, scertselfunc);
+       gnutls_transport_set_ptr(c->session, c->socket);
+       gnutls_handshake(c->session);

 
        return true;
 }
 
        return true;
 }

diff --git a/src/node.c b/src/node.c
index 3519916..cba598d 100644 (file)
--- a/src/node.c
+++ b/src/node.c
@@ -79,7 +79,6 @@ node_t *new_node(void)
        n->subnet_tree = new_subnet_tree();
        n->edge_tree = new_edge_tree();
        n->queue = list_alloc((list_action_t) free);
        n->subnet_tree = new_subnet_tree();
        n->edge_tree = new_edge_tree();
        n->queue = list_alloc((list_action_t) free);

-       EVP_CIPHER_CTX_init(&n->packet_ctx);

        n->mtu = MTU;
        n->maxmtu = MTU;
 
        n->mtu = MTU;
        n->maxmtu = MTU;
 


@@ -99,8 +98,11 @@ void free_node(node_t *n)
        if(n->hostname)
                free(n->hostname);
 
        if(n->hostname)
                free(n->hostname);
 

-       if(n->key)
-               free(n->key);
+       if(n->cipherkey)
+               free(n->cipherkey);
+
+       if(n->digestkey)
+               free(n->digestkey);

 
        if(n->subnet_tree)
                free_subnet_tree(n->subnet_tree);
 
        if(n->subnet_tree)
                free_subnet_tree(n->subnet_tree);


@@ -110,8 +112,6 @@ void free_node(node_t *n)
 
        sockaddrfree(&n->address);
 
 
        sockaddrfree(&n->address);
 

-       EVP_CIPHER_CTX_cleanup(&n->packet_ctx);
-

        if(n->mtuevent)
                event_del(n->mtuevent);
        
        if(n->mtuevent)
                event_del(n->mtuevent);
        


@@ -184,9 +184,9 @@ void dump_nodes(void)
 
        for(node = node_tree->head; node; node = node->next) {
                n = node->data;
 
        for(node = node_tree->head; node; node = node->next) {
                n = node->data;

-               logger(LOG_DEBUG, _(" %s at %s cipher %d digest %d maclength %d compression %d options %lx status %04x nexthop %s via %s pmtu %d (min %d max %d)"),
-                          n->name, n->hostname, n->cipher ? n->cipher->nid : 0,
-                          n->digest ? n->digest->type : 0, n->maclength, n->compression,
+               logger(LOG_DEBUG, _(" %s at %s cipher %s digest %s maclength %d compression %d options %lx status %04x nexthop %s via %s pmtu %d (min %d max %d)"),
+                          n->name, n->hostname, gcry_cipher_algo_name(n->cipher),
+                          gcry_md_algo_name(n->digest), n->maclength, n->compression,

                           n->options, *(uint32_t *)&n->status, n->nexthop ? n->nexthop->name : "-",
                           n->via ? n->via->name : "-", n->mtu, n->minmtu, n->maxmtu);
        }
                           n->options, *(uint32_t *)&n->status, n->nexthop ? n->nexthop->name : "-",
                           n->via ? n->via->name : "-", n->mtu, n->minmtu, n->maxmtu);
        }

diff --git a/src/node.h b/src/node.h
index dd9c7a1..e79902b 100644 (file)
--- a/src/node.h
+++ b/src/node.h
@@ -23,6 +23,8 @@
 #ifndef __TINC_NODE_H__
 #define __TINC_NODE_H__
 
 #ifndef __TINC_NODE_H__
 #define __TINC_NODE_H__
 

+#include <gcrypt.h>
+

 #include "avl_tree.h"
 #include "connection.h"
 #include "event.h"
 #include "avl_tree.h"
 #include "connection.h"
 #include "event.h"


@@ -48,13 +50,17 @@ typedef struct node_t {
 
        node_status_t status;
 
 
        node_status_t status;
 

-       const EVP_CIPHER *cipher;               /* Cipher type for UDP packets */
-       char *key;                              /* Cipher key and iv */
-       int keylength;                          /* Cipher key and iv length */
-       EVP_CIPHER_CTX packet_ctx;              /* Cipher context */
+       int cipher;                             /* Cipher type for UDP packets */
+       char *cipherkey;                        /* Cipher key */
+       int cipherkeylen;                       /* Cipher key length */
+       int cipherblklen;
+       gcry_cipher_hd_t cipher_ctx;            /* Cipher context */

        
        

-       const EVP_MD *digest;                   /* Digest type for MAC */
+       int digest;                             /* Digest type for MAC */
+       char *digestkey;
+       int digestlen;

        int maclength;                          /* Length of MAC */
        int maclength;                          /* Length of MAC */

+       gcry_md_hd_t digest_ctx;

 
        int compression;                        /* Compressionlevel, 0 = no compression */
 
 
        int compression;                        /* Compressionlevel, 0 = no compression */
 

diff --git a/src/protocol.c b/src/protocol.c
index e6c13f4..a4025ae 100644 (file)
--- a/src/protocol.c
+++ b/src/protocol.c
@@ -35,7 +35,7 @@ bool tunnelserver = false;
 /* Jumptable for the request handlers */
 
 static bool (*request_handlers[])(connection_t *) = {
 /* Jumptable for the request handlers */
 
 static bool (*request_handlers[])(connection_t *) = {

-               id_h, metakey_h, challenge_h, chal_reply_h, ack_h,
+               NULL, NULL, NULL, NULL, ack_h,

                status_h, error_h, termreq_h,
                ping_h, pong_h,
                add_subnet_h, del_subnet_h,
                status_h, error_h, termreq_h,
                ping_h, pong_h,
                add_subnet_h, del_subnet_h,

diff --git a/src/protocol.h b/src/protocol.h
index 8951cbc..d2a767c 100644 (file)
--- a/src/protocol.h
+++ b/src/protocol.h
@@ -80,10 +80,6 @@ extern void age_past_requests(void);
 
 /* Requests */
 
 
 /* Requests */
 

-extern bool send_id(struct connection_t *);
-extern bool send_metakey(struct connection_t *);
-extern bool send_challenge(struct connection_t *);
-extern bool send_chal_reply(struct connection_t *);

 extern bool send_ack(struct connection_t *);
 extern bool send_status(struct connection_t *, int, const char *);
 extern bool send_error(struct connection_t *, int,const  char *);
 extern bool send_ack(struct connection_t *);
 extern bool send_status(struct connection_t *, int, const char *);
 extern bool send_error(struct connection_t *, int,const  char *);


@@ -96,15 +92,11 @@ extern bool send_add_edge(struct connection_t *, const struct edge_t *);
 extern bool send_del_edge(struct connection_t *, const struct edge_t *);
 extern bool send_key_changed(struct connection_t *, const struct node_t *);
 extern bool send_req_key(struct connection_t *, const struct node_t *, const struct node_t *);
 extern bool send_del_edge(struct connection_t *, const struct edge_t *);
 extern bool send_key_changed(struct connection_t *, const struct node_t *);
 extern bool send_req_key(struct connection_t *, const struct node_t *, const struct node_t *);

-extern bool send_ans_key(struct connection_t *, const struct node_t *, const struct node_t *);
+extern bool send_ans_key(struct connection_t *, const struct node_t *);

 extern bool send_tcppacket(struct connection_t *, struct vpn_packet_t *);
 
 /* Request handlers  */
 
 extern bool send_tcppacket(struct connection_t *, struct vpn_packet_t *);
 
 /* Request handlers  */
 

-extern bool id_h(struct connection_t *);
-extern bool metakey_h(struct connection_t *);
-extern bool challenge_h(struct connection_t *);
-extern bool chal_reply_h(struct connection_t *);

 extern bool ack_h(struct connection_t *);
 extern bool status_h(struct connection_t *);
 extern bool error_h(struct connection_t *);
 extern bool ack_h(struct connection_t *);
 extern bool status_h(struct connection_t *);
 extern bool error_h(struct connection_t *);

diff --git a/src/protocol_auth.c b/src/protocol_auth.c
index 77561b8..497d43f 100644 (file)
--- a/src/protocol_auth.c
+++ b/src/protocol_auth.c
@@ -22,10 +22,8 @@
 
 #include "system.h"
 
 
 #include "system.h"
 

-#include <openssl/sha.h>
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>

 
 #include "avl_tree.h"
 #include "conf.h"
 
 #include "avl_tree.h"
 #include "conf.h"


@@ -40,60 +38,70 @@
 #include "utils.h"
 #include "xalloc.h"
 
 #include "utils.h"
 #include "xalloc.h"
 

-bool send_id(connection_t *c)
+bool send_ack(connection_t *c)

 {
 {

-       cp();
+       char buf[MAX_STRING_SIZE];
+       size_t len;
+       gnutls_x509_crt cert;
+       const gnutls_datum *cert_list;
+       int cert_list_size = 0, result;
+       char *p, *name;

 
 

-       return send_request(c, "%d %s %d", ID, myself->connection->name,
-                                               myself->connection->protocol_version);
-}
+       cert_list = gnutls_certificate_get_peers(c->session, &cert_list_size);

 
 

-bool id_h(connection_t *c)
-{
-       char name[MAX_STRING_SIZE];
+       if (!cert_list || !cert_list_size) {
+               logger(LOG_ERR, _("No certificates from %s"), c->hostname);
+               return false;
+       }

 
 

-       cp();
+       len = sizeof buf;
+       gnutls_x509_crt_init(&cert);
+       result = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER)
+               ?: gnutls_x509_crt_get_dn(cert, buf, &len);

 
 

-       if(sscanf(c->buffer, "%*d " MAX_STRING " %d", name, &c->protocol_version) != 2) {
-               logger(LOG_ERR, _("Got bad %s from %s (%s)"), "ID", c->name,
-                          c->hostname);
+       if(result) {
+               logger(LOG_ERR, _("Error importing certificate from %s: %s"), c->hostname, gnutls_strerror(errno));
+               gnutls_x509_crt_deinit(cert);

                return false;
        }
 
                return false;
        }
 

-       /* Check if identity is a valid name */
+       name = strstr(buf, "CN=");
+       if(!name) {
+               logger(LOG_ERR, _("No name in certificate from %s"), c->hostname);
+               gnutls_x509_crt_deinit(cert);
+               return false;
+       }
+       name += 3;
+       for(p = name; *p && *p != ','; p++);
+       *p = '\0';

 
        if(!check_id(name)) {
 
        if(!check_id(name)) {

-               logger(LOG_ERR, _("Got bad %s from %s (%s): %s"), "ID", c->name,
-                          c->hostname, "invalid name");
+               logger(LOG_ERR, _("Invalid name from %s"), c->hostname);

                return false;
        }
 
                return false;
        }
 

-       /* If we set c->name in advance, make sure we are connected to the right host */
-

        if(c->name) {
                if(strcmp(c->name, name)) {
        if(c->name) {
                if(strcmp(c->name, name)) {

-                       logger(LOG_ERR, _("Peer %s is %s instead of %s"), c->hostname, name,
-                                  c->name);
+                       logger(LOG_ERR, _("Peer %s is %s instead of %s"), c->hostname, name, c->hostname);

                        return false;
                }
                        return false;
                }

-       } else
+       } else {

                c->name = xstrdup(name);
                c->name = xstrdup(name);

-
-       /* Check if version matches */
-
-       if(c->protocol_version != myself->connection->protocol_version) {
-               logger(LOG_ERR, _("Peer %s (%s) uses incompatible version %d"),
-                          c->name, c->hostname, c->protocol_version);
-               return false;

        }
        }

-
-       if(bypass_security) {
-               if(!c->config_tree)
-                       init_configuration(&c->config_tree);
-               c->allow_request = ACK;
-               return send_ack(c);
+       
+       result = gnutls_certificate_verify_peers(c->session);
+
+       if(result) {
+               if(result & GNUTLS_CERT_INVALID)
+                       logger(LOG_ERR, _("Certificate from %s (%s) invalid"), c->name, c->hostname);
+               if(result & GNUTLS_CERT_REVOKED)
+                       logger(LOG_ERR, _("Certificate from %s (%s) revoked"), c->name, c->hostname);
+               if(result & GNUTLS_CERT_SIGNER_NOT_FOUND)
+                       logger(LOG_ERR, _("Certificate from %s (%s) has no known signer"), c->name, c->hostname);
+               if(result & GNUTLS_CERT_SIGNER_NOT_CA)
+                       logger(LOG_ERR, _("Certificate from %s (%s) has no CA as signer"), c->name, c->hostname);

        }
        }

-
+       

        if(!c->config_tree) {
                init_configuration(&c->config_tree);
 
        if(!c->config_tree) {
                init_configuration(&c->config_tree);
 


@@ -104,357 +112,6 @@ bool id_h(connection_t *c)
                }
        }
 
                }
        }
 

-       if(!read_rsa_public_key(c)) {
-               return false;
-       }
-
-       c->allow_request = METAKEY;
-
-       return send_metakey(c);
-}
-
-bool send_metakey(connection_t *c)
-{
-       char buffer[MAX_STRING_SIZE];
-       int len;
-       bool x;
-
-       cp();
-
-       len = RSA_size(c->rsa_key);
-
-       /* Allocate buffers for the meta key */
-
-       if(!c->outkey)
-               c->outkey = xmalloc(len);
-
-       if(!c->outctx)
-               c->outctx = xmalloc_and_zero(sizeof(*c->outctx));
-       cp();
-       /* Copy random data to the buffer */
-
-       RAND_pseudo_bytes(c->outkey, len);
-
-       /* The message we send must be smaller than the modulus of the RSA key.
-          By definition, for a key of k bits, the following formula holds:
-
-          2^(k-1) <= modulus < 2^(k)
-
-          Where ^ means "to the power of", not "xor".
-          This means that to be sure, we must choose our message < 2^(k-1).
-          This can be done by setting the most significant bit to zero.
-        */
-
-       c->outkey[0] &= 0x7F;
-
-       ifdebug(SCARY_THINGS) {
-               bin2hex(c->outkey, buffer, len);
-               buffer[len * 2] = '\0';
-               logger(LOG_DEBUG, _("Generated random meta key (unencrypted): %s"),
-                          buffer);
-       }
-
-       /* Encrypt the random data
-
-          We do not use one of the PKCS padding schemes here.
-          This is allowed, because we encrypt a totally random string
-          with a length equal to that of the modulus of the RSA key.
-        */
-
-       if(RSA_public_encrypt(len, c->outkey, buffer, c->rsa_key, RSA_NO_PADDING) != len) {
-               logger(LOG_ERR, _("Error during encryption of meta key for %s (%s)"),
-                          c->name, c->hostname);
-               return false;
-       }
-
-       /* Convert the encrypted random data to a hexadecimal formatted string */
-
-       bin2hex(buffer, buffer, len);
-       buffer[len * 2] = '\0';
-
-       /* Send the meta key */
-
-       x = send_request(c, "%d %d %d %d %d %s", METAKEY,
-                                        c->outcipher ? c->outcipher->nid : 0,
-                                        c->outdigest ? c->outdigest->type : 0, c->outmaclength,
-                                        c->outcompression, buffer);
-
-       /* Further outgoing requests are encrypted with the key we just generated */
-
-       if(c->outcipher) {
-               if(!EVP_EncryptInit(c->outctx, c->outcipher,
-                                       c->outkey + len - c->outcipher->key_len,
-                                       c->outkey + len - c->outcipher->key_len -
-                                       c->outcipher->iv_len)) {
-                       logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"),
-                                       c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
-                       return false;
-               }
-
-               c->status.encryptout = true;
-       }
-
-       return x;
-}
-
-bool metakey_h(connection_t *c)
-{
-       char buffer[MAX_STRING_SIZE];
-       int cipher, digest, maclength, compression;
-       int len;
-
-       cp();
-
-       if(sscanf(c->buffer, "%*d %d %d %d %d " MAX_STRING, &cipher, &digest, &maclength, &compression, buffer) != 5) {
-               logger(LOG_ERR, _("Got bad %s from %s (%s)"), "METAKEY", c->name,
-                          c->hostname);
-               return false;
-       }
-
-       len = RSA_size(myself->connection->rsa_key);
-
-       /* Check if the length of the meta key is all right */
-
-       if(strlen(buffer) != len * 2) {
-               logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, c->hostname, "wrong keylength");
-               return false;
-       }
-
-       /* Allocate buffers for the meta key */
-
-       if(!c->inkey)
-               c->inkey = xmalloc(len);
-
-       if(!c->inctx)
-               c->inctx = xmalloc_and_zero(sizeof(*c->inctx));
-
-       /* Convert the challenge from hexadecimal back to binary */
-
-       hex2bin(buffer, buffer, len);
-
-       /* Decrypt the meta key */
-
-       if(RSA_private_decrypt(len, buffer, c->inkey, myself->connection->rsa_key, RSA_NO_PADDING) != len) {    /* See challenge() */
-               logger(LOG_ERR, _("Error during encryption of meta key for %s (%s)"),
-                          c->name, c->hostname);
-               return false;
-       }
-
-       ifdebug(SCARY_THINGS) {
-               bin2hex(c->inkey, buffer, len);
-               buffer[len * 2] = '\0';
-               logger(LOG_DEBUG, _("Received random meta key (unencrypted): %s"), buffer);
-       }
-
-       /* All incoming requests will now be encrypted. */
-
-       /* Check and lookup cipher and digest algorithms */
-
-       if(cipher) {
-               c->incipher = EVP_get_cipherbynid(cipher);
-               
-               if(!c->incipher) {
-                       logger(LOG_ERR, _("%s (%s) uses unknown cipher!"), c->name, c->hostname);
-                       return false;
-               }
-
-               if(!EVP_DecryptInit(c->inctx, c->incipher,
-                                       c->inkey + len - c->incipher->key_len,
-                                       c->inkey + len - c->incipher->key_len -
-                                       c->incipher->iv_len)) {
-                       logger(LOG_ERR, _("Error during initialisation of cipher from %s (%s): %s"),
-                                       c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
-                       return false;
-               }
-
-               c->status.decryptin = true;
-       } else {
-               c->incipher = NULL;
-       }
-
-       c->inmaclength = maclength;
-
-       if(digest) {
-               c->indigest = EVP_get_digestbynid(digest);
-
-               if(!c->indigest) {
-                       logger(LOG_ERR, _("Node %s (%s) uses unknown digest!"), c->name, c->hostname);
-                       return false;
-               }
-
-               if(c->inmaclength > c->indigest->md_size || c->inmaclength < 0) {
-                       logger(LOG_ERR, _("%s (%s) uses bogus MAC length!"), c->name, c->hostname);
-                       return false;
-               }
-       } else {
-               c->indigest = NULL;
-       }
-
-       c->incompression = compression;
-
-       c->allow_request = CHALLENGE;
-
-       return send_challenge(c);
-}
-
-bool send_challenge(connection_t *c)
-{
-       char buffer[MAX_STRING_SIZE];
-       int len;
-
-       cp();
-
-       /* CHECKME: what is most reasonable value for len? */
-
-       len = RSA_size(c->rsa_key);
-
-       /* Allocate buffers for the challenge */
-
-       if(!c->hischallenge)
-               c->hischallenge = xmalloc(len);
-
-       /* Copy random data to the buffer */
-
-       RAND_pseudo_bytes(c->hischallenge, len);
-
-       /* Convert to hex */
-
-       bin2hex(c->hischallenge, buffer, len);
-       buffer[len * 2] = '\0';
-
-       /* Send the challenge */
-
-       return send_request(c, "%d %s", CHALLENGE, buffer);
-}
-
-bool challenge_h(connection_t *c)
-{
-       char buffer[MAX_STRING_SIZE];
-       int len;
-
-       cp();
-
-       if(sscanf(c->buffer, "%*d " MAX_STRING, buffer) != 1) {
-               logger(LOG_ERR, _("Got bad %s from %s (%s)"), "CHALLENGE", c->name,
-                          c->hostname);
-               return false;
-       }
-
-       len = RSA_size(myself->connection->rsa_key);
-
-       /* Check if the length of the challenge is all right */
-
-       if(strlen(buffer) != len * 2) {
-               logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name,
-                          c->hostname, "wrong challenge length");
-               return false;
-       }
-
-       /* Allocate buffers for the challenge */
-
-       if(!c->mychallenge)
-               c->mychallenge = xmalloc(len);
-
-       /* Convert the challenge from hexadecimal back to binary */
-
-       hex2bin(buffer, c->mychallenge, len);
-
-       c->allow_request = CHAL_REPLY;
-
-       /* Rest is done by send_chal_reply() */
-
-       return send_chal_reply(c);
-}
-
-bool send_chal_reply(connection_t *c)
-{
-       char hash[EVP_MAX_MD_SIZE * 2 + 1];
-       EVP_MD_CTX ctx;
-
-       cp();
-
-       /* Calculate the hash from the challenge we received */
-
-       if(!EVP_DigestInit(&ctx, c->indigest)
-                       || !EVP_DigestUpdate(&ctx, c->mychallenge, RSA_size(myself->connection->rsa_key))
-                       || !EVP_DigestFinal(&ctx, hash, NULL)) {
-               logger(LOG_ERR, _("Error during calculation of response for %s (%s): %s"),
-                       c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
-               return false;
-       }
-
-       /* Convert the hash to a hexadecimal formatted string */
-
-       bin2hex(hash, hash, c->indigest->md_size);
-       hash[c->indigest->md_size * 2] = '\0';
-
-       /* Send the reply */
-
-       return send_request(c, "%d %s", CHAL_REPLY, hash);
-}
-
-bool chal_reply_h(connection_t *c)
-{
-       char hishash[MAX_STRING_SIZE];
-       char myhash[EVP_MAX_MD_SIZE];
-       EVP_MD_CTX ctx;
-
-       cp();
-
-       if(sscanf(c->buffer, "%*d " MAX_STRING, hishash) != 1) {
-               logger(LOG_ERR, _("Got bad %s from %s (%s)"), "CHAL_REPLY", c->name,
-                          c->hostname);
-               return false;
-       }
-
-       /* Check if the length of the hash is all right */
-
-       if(strlen(hishash) != c->outdigest->md_size * 2) {
-               logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name,
-                          c->hostname, _("wrong challenge reply length"));
-               return false;
-       }
-
-       /* Convert the hash to binary format */
-
-       hex2bin(hishash, hishash, c->outdigest->md_size);
-
-       /* Calculate the hash from the challenge we sent */
-
-       if(!EVP_DigestInit(&ctx, c->outdigest)
-                       || !EVP_DigestUpdate(&ctx, c->hischallenge, RSA_size(c->rsa_key))
-                       || !EVP_DigestFinal(&ctx, myhash, NULL)) {
-               logger(LOG_ERR, _("Error during calculation of response from %s (%s): %s"),
-                       c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
-               return false;
-       }
-
-       /* Verify the incoming hash with the calculated hash */
-
-       if(memcmp(hishash, myhash, c->outdigest->md_size)) {
-               logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name,
-                          c->hostname, _("wrong challenge reply"));
-
-               ifdebug(SCARY_THINGS) {
-                       bin2hex(myhash, hishash, SHA_DIGEST_LENGTH);
-                       hishash[SHA_DIGEST_LENGTH * 2] = '\0';
-                       logger(LOG_DEBUG, _("Expected challenge reply: %s"), hishash);
-               }
-
-               return false;
-       }
-
-       /* Identity has now been positively verified.
-          Send an acknowledgement with the rest of the information needed.
-        */
-
-       c->allow_request = ACK;
-
-       return send_ack(c);
-}
-
-bool send_ack(connection_t *c)
-{

        /* ACK message contains rest of the information the other end needs
           to create node_t and edge_t structures. */
 
        /* ACK message contains rest of the information the other end needs
           to create node_t and edge_t structures. */
 

diff --git a/src/protocol_key.c b/src/protocol_key.c
index 5067a81..6caba59 100644 (file)
--- a/src/protocol_key.c
+++ b/src/protocol_key.c
@@ -129,7 +129,7 @@ bool req_key_h(connection_t *c)
                mykeyused = true;
                from->received_seqno = 0;
                memset(from->late, 0, sizeof(from->late));
                mykeyused = true;
                from->received_seqno = 0;
                memset(from->late, 0, sizeof(from->late));

-               send_ans_key(c, myself, from);
+               send_ans_key(c, from);

        } else {
                if(tunnelserver)
                        return false;
        } else {
                if(tunnelserver)
                        return false;


@@ -140,35 +140,39 @@ bool req_key_h(connection_t *c)
        return true;
 }
 
        return true;
 }
 

-bool send_ans_key(connection_t *c, const node_t *from, const node_t *to)
+bool send_ans_key(connection_t *c, const node_t *to)

 {
 {

-       char key[MAX_STRING_SIZE];
+       char cipherkey[myself->cipherkeylen * 2 + 1];
+       char digestkey[myself->digestlen * 2 + 1];

 
        cp();
 
 
        cp();
 

-       bin2hex(from->key, key, from->keylength);
-       key[from->keylength * 2] = '\0';
+       bin2hex(myself->cipherkey, cipherkey, myself->cipherkeylen);
+       cipherkey[myself->cipherkeylen * 2] = '\0';

 
 

-       return send_request(c, "%d %s %s %s %d %d %d %d", ANS_KEY,
-                                               from->name, to->name, key,
-                                               from->cipher ? from->cipher->nid : 0,
-                                               from->digest ? from->digest->type : 0, from->maclength,
-                                               from->compression);
+       bin2hex(myself->digestkey, digestkey, myself->digestlen);
+       digestkey[myself->digestlen * 2] = '\0';
+
+       return send_request(c, "%d %s %s %s %s %d %d %d %d", ANS_KEY,
+                                               myself->name, to->name, cipherkey, digestkey,
+                                               myself->cipher,
+                                               myself->digest, myself->maclength,
+                                               myself->compression);

 }
 
 bool ans_key_h(connection_t *c)
 {
        char from_name[MAX_STRING_SIZE];
        char to_name[MAX_STRING_SIZE];
 }
 
 bool ans_key_h(connection_t *c)
 {
        char from_name[MAX_STRING_SIZE];
        char to_name[MAX_STRING_SIZE];

-       char key[MAX_STRING_SIZE];
+       char cipherkey[MAX_STRING_SIZE];
+       char digestkey[MAX_STRING_SIZE];

        int cipher, digest, maclength, compression;
        node_t *from, *to;
 
        cp();
 
        int cipher, digest, maclength, compression;
        node_t *from, *to;
 
        cp();
 

-       if(sscanf(c->buffer, "%*d "MAX_STRING" "MAX_STRING" "MAX_STRING" %d %d %d %d",
-               from_name, to_name, key, &cipher, &digest, &maclength,
-               &compression) != 7) {
+       if(sscanf(c->buffer, "%*d "MAX_STRING" "MAX_STRING" "MAX_STRING" "MAX_STRING" %d %d %d %d",
+                       from_name, to_name, cipherkey, digestkey, &cipher, &digest, &maclength, &compression) != 8) {

                logger(LOG_ERR, _("Got bad %s from %s (%s)"), "ANS_KEY", c->name,
                           c->hostname);
                return false;
                logger(LOG_ERR, _("Got bad %s from %s (%s)"), "ANS_KEY", c->name,
                           c->hostname);
                return false;


@@ -199,58 +203,41 @@ bool ans_key_h(connection_t *c)
                return send_request(to->nexthop->connection, "%s", c->buffer);
        }
 
                return send_request(to->nexthop->connection, "%s", c->buffer);
        }
 

-       /* Update our copy of the origin's packet key */
-
-       if(from->key)
-               free(from->key);
-
-       from->key = xstrdup(key);
-       from->keylength = strlen(key) / 2;
-       hex2bin(from->key, from->key, from->keylength);
-       from->key[from->keylength] = '\0';
-
-       from->status.validkey = true;
-       from->status.waitingforkey = false;
-       from->sent_seqno = 0;
-

        /* Check and lookup cipher and digest algorithms */
 
        if(cipher) {
        /* Check and lookup cipher and digest algorithms */
 
        if(cipher) {

-               from->cipher = EVP_get_cipherbynid(cipher);
-
-               if(!from->cipher) {
+               from->cipher = cipher;
+               if(!*gcry_cipher_algo_name(from->cipher)) {

                        logger(LOG_ERR, _("Node %s (%s) uses unknown cipher!"), from->name,
                                   from->hostname);
                        return false;
                }
 
                        logger(LOG_ERR, _("Node %s (%s) uses unknown cipher!"), from->name,
                                   from->hostname);
                        return false;
                }
 

-               if(from->keylength != from->cipher->key_len + from->cipher->iv_len) {
-                       logger(LOG_ERR, _("Node %s (%s) uses wrong keylength!"), from->name,
-                                  from->hostname);
-                       return false;
-               }
+               from->cipherblklen = gcry_cipher_get_algo_blklen(from->cipher);

        } else {
        } else {

-               from->cipher = NULL;
+               from->cipher = GCRY_CIPHER_NONE;

        }
 
        from->maclength = maclength;
 
        if(digest) {
        }
 
        from->maclength = maclength;
 
        if(digest) {

-               from->digest = EVP_get_digestbynid(digest);
+               from->digest = digest;

 
 

-               if(!from->digest) {
+               if(!*gcry_md_algo_name(from->digest)) {

                        logger(LOG_ERR, _("Node %s (%s) uses unknown digest!"), from->name,
                                   from->hostname);
                        return false;
                }
 
                        logger(LOG_ERR, _("Node %s (%s) uses unknown digest!"), from->name,
                                   from->hostname);
                        return false;
                }
 

-               if(from->maclength > from->digest->md_size || from->maclength < 0) {
+               from->digestlen = gcry_md_get_algo_dlen(from->digest);
+               
+               if(from->maclength > from->digestlen || from->maclength < 0) {

                        logger(LOG_ERR, _("Node %s (%s) uses bogus MAC length!"),
                                   from->name, from->hostname);
                        return false;
                }
        } else {
                        logger(LOG_ERR, _("Node %s (%s) uses bogus MAC length!"),
                                   from->name, from->hostname);
                        return false;
                }
        } else {

-               from->digest = NULL;
+               from->digest = GCRY_MD_NONE;

        }
 
        if(compression < 0 || compression > 11) {
        }
 
        if(compression < 0 || compression > 11) {


@@ -260,12 +247,53 @@ bool ans_key_h(connection_t *c)
        
        from->compression = compression;
 
        
        from->compression = compression;
 

-       if(from->cipher)
-               if(!EVP_EncryptInit_ex(&from->packet_ctx, from->cipher, NULL, from->key, from->key + from->cipher->key_len)) {
+       /* Update our copy of the origin's packet key */
+
+       if(from->cipherkey)
+               free(from->cipherkey);
+
+       from->cipherkeylen = strlen(cipherkey) / 2;
+       from->cipherkey = xmalloc(from->cipherkeylen);
+       hex2bin(cipherkey, from->cipherkey, from->cipherkeylen);
+
+       if(from->cipherkeylen != gcry_cipher_get_algo_keylen(from->cipher)) {
+               logger(LOG_ERR, _("Node %s (%s) uses wrong keylength %d instead of %d!"), from->name,
+                          from->hostname, from->cipherkeylen, gcry_cipher_get_algo_keylen(from->cipher) );
+               return false;
+       }
+
+       if(from->digestkey)
+               free(from->digestkey);
+
+       from->digestlen = strlen(digestkey) / 2;
+       from->digestkey = xmalloc(from->digestlen);
+       hex2bin(digestkey, from->digestkey, from->digestlen);
+       
+       if(from->cipher) {
+               int result;
+               result = gcry_cipher_open(&from->cipher_ctx, from->cipher, GCRY_CIPHER_MODE_CBC, GCRY_CIPHER_SECURE);
+               gcry_cipher_setkey(from->cipher_ctx, from->cipherkey, from->cipherkeylen);
+               if(result) {
+                       logger(LOG_ERR, _("Error during initialisation of key from %s (%s): %s"),
+                                       from->name, from->hostname, gcry_strerror(result));
+                       return false;
+               }
+       }
+
+       if(from->digest) {
+               int result;
+               result = gcry_md_open(&from->digest_ctx, from->digest, GCRY_MD_FLAG_SECURE | GCRY_MD_FLAG_HMAC);
+               gcry_md_setkey(from->digest_ctx, from->digestkey, from->digestlen);
+               if(result) {

                        logger(LOG_ERR, _("Error during initialisation of key from %s (%s): %s"),
                        logger(LOG_ERR, _("Error during initialisation of key from %s (%s): %s"),

-                                       from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL));
+                                       from->name, from->hostname, gcry_strerror(result));

                        return false;
                }
                        return false;
                }

+       }
+
+       from->status.validkey = true;
+       from->status.waitingforkey = false;
+       from->sent_seqno = 0;

 
        if(from->options & OPTION_PMTU_DISCOVERY && !from->mtuprobes)
                send_mtu_probe(from);
 
        if(from->options & OPTION_PMTU_DISCOVERY && !from->mtuprobes)
                send_mtu_probe(from);

diff --git a/src/tincd.c b/src/tincd.c
index dd6b1e7..ce22b7b 100644 (file)
--- a/src/tincd.c
+++ b/src/tincd.c
@@ -31,10 +31,7 @@
 #include <sys/mman.h>
 #endif
 
 #include <sys/mman.h>
 #endif
 

-#include <openssl/rand.h>
-#include <openssl/rsa.h>
-#include <openssl/pem.h>
-#include <openssl/evp.h>
+#include <gnutls/gnutls.h>

 
 #include <lzo1x.h>
 
 
 #include <lzo1x.h>
 


@@ -286,6 +283,10 @@ static void indicator(int a, int b, void *p)
 */
 static bool keygen(int bits)
 {
 */
 static bool keygen(int bits)
 {

+       fprintf(stderr, _("Use certtool!\n"));
+       return false;
+
+#if 0

        RSA *rsa_key;
        FILE *f;
        char *name = NULL;
        RSA *rsa_key;
        FILE *f;
        char *name = NULL;


@@ -338,6 +339,7 @@ static bool keygen(int bits)
        free(filename);
 
        return true;
        free(filename);
 
        return true;

+#endif

 }
 
 /*
 }
 
 /*


@@ -437,7 +439,7 @@ int main(int argc, char **argv)
        {
                logger(LOG_ERR, _("mlockall() not supported on this platform!"));
 #endif
        {
                logger(LOG_ERR, _("mlockall() not supported on this platform!"));
 #endif

-               return -1;
+               return 1;

        }
 
        g_argv = argv;
        }
 
        g_argv = argv;


@@ -446,9 +448,7 @@ int main(int argc, char **argv)
 
        /* Slllluuuuuuurrrrp! */
 
 
        /* Slllluuuuuuurrrrp! */
 

-       RAND_load_file("/dev/urandom", 1024);
-
-       OpenSSL_add_all_algorithms();
+       gnutls_global_init();

 
        if(generate_keys) {
                read_server_config();
 
        if(generate_keys) {
                read_server_config();