Handle UDP packets from different addresses and ports than advertised.
Previously, tinc used a fixed address and port for each node for UDP packet exchange. The port was the one advertised by that node as its listening port. However, due to NAT the port might be different. Now, tinc sends a different session key to each node. This way, the sending node can be determined from incoming packets by checking the MAC against all session keys. If a match is found, the address and port for that node are updated.
This commit is contained in:
parent
43fa7283ac
commit
3308d13e7e
9 changed files with 242 additions and 149 deletions
16
src/net.c
16
src/net.c
@ -414,11 +414,19 @@ int main_loop(void)
/* Should we regenerate our key? */
if(keyexpires < now) {
ifdebug(STATUS) logger(LOG_INFO, _("Regenerating symmetric key"));
avl_node_t *node;
node_t *n;
ifdebug(STATUS) logger(LOG_INFO, _("Expiring symmetric keys"));
for(node = node_tree->head; node; node = node->next) {
n = node->data;
if(n->inkey) {
free(n->inkey);
n->inkey = NULL;
}
}
RAND_pseudo_bytes((unsigned char *)myself->key, myself->keylength);
if(myself->cipher)
EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, (unsigned char *)myself->key, (unsigned char *)myself->key + myself->cipher->key_len);
send_key_changed(broadcast, myself);
keyexpires = now + keylifetime;
}
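Review bot: The expiry loop releases each peer's session key with a bare `free(n->inkey)`, so the expired key material stays readable in freed heap memory until the allocator reuses it; scrub it before the free, e.g. `memset(n->inkey, 0, <inkey length>)` using whatever length field node_t keeps for inkey, and prefer an explicit-zeroing helper if the project has one since a plain memset before free can be optimised away. If node_t also caches a decrypt context initialised from inkey (the removed EVP_DecryptInit_ex call suggests per-key contexts exist), that context should be invalidated in the same loop so a packet arriving after expiry cannot still be decrypted with the old key — node_t is not visible here, so please verify. The new declarations and loop would read better with a one-line comment on why expiry now drops every peer's key instead of regenerating one, e.g. `/* Each peer sends to us with its own session key; drop them all and announce the key change. */`. The `if(n->inkey)` guard is redundant for free() but harmless. main_loop begins and ends outside this hunk.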