From cd854fa86a9dc177dcaa56fa774afb127b29651a Mon Sep 17 00:00:00 2001
From: Guus Sliepen
Date: Sun, 9 Jul 2017 15:57:51 +0200
Subject: [PATCH] Add configurable experation time for invitations.
---
 bash_completion.d/tinc | 2 +-
 doc/tinc.conf.5.in | 2 ++
 doc/tinc.texi | 4 ++++
 src/net_setup.c | 3 +++
 src/protocol.h | 1 +
 src/protocol_auth.c | 13 +++++++++++++
 src/tincctl.c | 1 +
 7 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/bash_completion.d/tinc b/bash_completion.d/tinc
index dec09f84..de2717ef 100644
--- a/bash_completion.d/tinc
+++ b/bash_completion.d/tinc
@@ -4,7 +4,7 @@ _tinc() {
 cur="${COMP_WORDS[COMP_CWORD]}"
 prev="${COMP_WORDS[COMP_CWORD-1]}"
 opts="-c -d -D -K -n -o -L -R -U --config --no-detach --debug --net --option --mlock --logfile --pidfile --chroot --user --help --version"
-confvars="Address AddressFamily BindToAddress BindToInterface Broadcast BroadcastSubnet Cipher ClampMSS Compression ConnectTo DecrementTTL Device DeviceStandby DeviceType Digest DirectOnly Ed25519PrivateKeyFile Ed25519PublicKey Ed25519PublicKeyFile ExperimentalProtocol Forwarding GraphDumpFile Hostnames IffOneQueue IndirectData Interface KeyExpire ListenAddress LocalDiscovery MACExpire MACLength MaxOutputBufferSize MaxTimeout Mode MTUInfoInterval Name PMTU PMTUDiscovery PingInterval PingTimeout Port PriorityInheritance PrivateKeyFile ProcessPriority Proxy PublicKeyFile ReplayWindow StrictSubnets Subnet TCPOnly TunnelServer UDPDiscovery UDPDiscoveryKeepaliveInterval UDPDiscoveryInterval UDPDiscoveryTimeout UDPInfoInterval UDPRcvBuf UDPSndBuf UPnP UPnPDiscoverWait UPnPRefreshPeriod VDEGroup VDEPort Weight"
+confvars="Address AddressFamily BindToAddress BindToInterface Broadcast BroadcastSubnet Cipher ClampMSS Compression ConnectTo DecrementTTL Device DeviceStandby DeviceType Digest DirectOnly Ed25519PrivateKeyFile Ed25519PublicKey Ed25519PublicKeyFile ExperimentalProtocol Forwarding GraphDumpFile Hostnames IffOneQueue IndirectData Interface InvitationExpire KeyExpire ListenAddress LocalDiscovery MACExpire MACLength MaxOutputBufferSize MaxTimeout Mode MTUInfoInterval Name PMTU PMTUDiscovery PingInterval PingTimeout Port PriorityInheritance PrivateKeyFile ProcessPriority Proxy PublicKeyFile ReplayWindow StrictSubnets Subnet TCPOnly TunnelServer UDPDiscovery UDPDiscoveryKeepaliveInterval UDPDiscoveryInterval UDPDiscoveryTimeout UDPInfoInterval UDPRcvBuf UDPSndBuf UPnP UPnPDiscoverWait UPnPRefreshPeriod VDEGroup VDEPort Weight"
 commands="add connect debug del disconnect dump edit export export-all generate-ed25519-keys generate-keys 
generate-rsa-keys get help import info init invite join list log network pcap pid purge reload restart retry set sign start stop top verify version"
 case ${prev} in
diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in
index 9365184b..22b01d20 100644
--- a/doc/tinc.conf.5.in
+++ b/doc/tinc.conf.5.in
@@ -327,6 +327,8 @@ Under Windows, this variable is used to select which network interface will be u
 If you specified a
 .Va Device ,
 this variable is almost always already correctly set.
+.It Va InvitationExpire Li = Ar seconds Pq 604800
+This option controls the period invitations are valid.
 .It Va KeyExpire Li = Ar seconds Pq 3600
 This option controls the period the encryption keys used to encrypt the data are valid.
 It is common practice to change keys at regular intervals to make it even harder for crackers,
diff --git a/doc/tinc.texi b/doc/tinc.texi
index 29e2bdc9..6b02f10e 100644
--- a/doc/tinc.texi
+++ b/doc/tinc.texi
@@ -1121,6 +1121,10 @@ every packet will be broadcast to the other daemons while no routing table is
 managed.
 @end table
+@cindex InvitationExpire
+@item InvitationExpire = <@var{seconds}> (604800)
+This option controls the time invitations are valid.
+
 @cindex KeyExpire
 @item KeyExpire = <@var{seconds}> (3600)
 This option controls the time the encryption keys used to encrypt the data
diff --git a/src/net_setup.c b/src/net_setup.c
index 6becfbb4..e164214f 100644
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -611,6 +611,9 @@ bool setup_myself_reloadable(void) {
 get_config_bool(lookup_config(config_tree, "DisableBuggyPeers"), &disablebuggypeers);
+if(!get_config_int(lookup_config(config_tree, "InvitationExpire"), &invitation_lifetime))
+invitation_lifetime = 604800; // 1 week
+
 read_invitation_key();
 return true;
diff --git a/src/protocol.h b/src/protocol.h
index dee6eb8b..5cb22946 100644
--- a/src/protocol.h
+++ b/src/protocol.h
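Review bot: The value read from InvitationExpire in net_setup.c is stored without a range check, so a configured 0 or a negative number is accepted silently, and given the `st.st_mtime + invitation_lifetime < now.tv_sec` test in protocol_auth.c every invitation is then rejected as expired almost immediately with nothing pointing at the configuration as the cause. A guard right after the lookup, `if(invitation_lifetime <= 0) { logger(DEBUG_ALWAYS, LOG_WARNING, "Invalid InvitationExpire, using default"); invitation_lifetime = 604800; }`, would keep the documented default and surface the mistake at load or reload time. The literal 604800 is repeated in both manual pages of this patch, so a named constant (or at least a comment naming the option next to the literal) would keep the three from drifting apart. setup_myself_reloadable begins before this hunk, so whether protocol.h is already included there cannot be confirmed from the hunk.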
@@ -62,6 +62,7 @@ extern bool tunnelserver;
 extern bool strictsubnets;
 extern bool experimental;
+extern int invitation_lifetime;
 extern ecdsa_t *invitation_key;
 /* Maximum size of strings in a request.
diff --git a/src/protocol_auth.c b/src/protocol_auth.c
index baf9eac1..a99e1d61 100644
--- a/src/protocol_auth.c
+++ b/src/protocol_auth.c
@@ -47,6 +47,7 @@
 #include "ed25519/sha512.h"
+int invitation_lifetime;
 ecdsa_t *invitation_key = NULL;
 static bool send_proxyrequest(connection_t *c) {
@@ -232,6 +233,18 @@ static bool receive_invitation_sptps(void *handle, uint8_t type, const void *dat
 return false;
 }
+// Check the timestamp of the invitation
+struct stat st;
+if(stat(usedname, &st)) {
+logger(DEBUG_ALWAYS, LOG_ERR, "Could not stat %s", usedname);
+return false;
+}
+
+if(st.st_mtime + invitation_lifetime < now.tv_sec) {
+logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s tried to use expired invitation %s", c->hostname, cookie);
+return false;
+}
+
 // Open the renamed file
 FILE *f = fopen(usedname, "r");
 if(!f) {
diff --git a/src/tincctl.c b/src/tincctl.c
index 6416ebe0..e460784f 100644
--- a/src/tincctl.c
+++ b/src/tincctl.c
@@ -1490,6 +1490,7 @@ const var_t variables[] = {
 {"Hostnames", VAR_SERVER},
 {"IffOneQueue", VAR_SERVER},
 {"Interface", VAR_SERVER},
+{"InvitationExpire", VAR_SERVER},
 {"KeyExpire", VAR_SERVER},
 {"ListenAddress", VAR_SERVER | VAR_MULTIPLE},
 {"LocalDiscovery", VAR_SERVER},
--
2.20.1
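Review bot: The stat() failure branch in receive_invitation_sptps drops the reason for the failure; `logger(DEBUG_ALWAYS, LOG_ERR, "Could not stat %s: %s", usedname, strerror(errno));` would make a permissions problem on the invitations directory diagnosable from the log (presumably errno.h and string.h are already available here, as the rest of tinc's file-error logging suggests). The expiry is derived from the file's mtime, which the comment does not say is taken as the invitation's issue time, so anything that rewrites or copies the invitation file silently extends its validity; a comment such as `// The invitation file's mtime is treated as its issue time; rewriting the file extends it` would record that assumption, and storing the issue time inside the invitation when it is generated would be the more robust check. Since the same file is opened a few lines below, `fstat(fileno(f), &st)` after the fopen() would replace the separate stat() and remove the path re-lookup between the two calls, at the cost of an fclose() on the expired path. receive_invitation_sptps starts and ends outside this hunk, and `now`, `usedname` and `cookie` are defined there.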