j3d1/tinc
1
0
Fork 0
Code Issues 1 Pull requests Releases Wiki Activity

Merge remote-tracking branch 'guus/1.1' into thkr-20170131-merge

Browse source
This commit is contained in:
thorkill 2017-01-31 15:44:02 +01:00
commit 4b3c0aea78
28 changed files with 518 additions and 177 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/Makefile.am
View file

@ -1,6 +1,7 @@
## Produce this file with automake to get Makefile.in
sbin_PROGRAMS = tincd tinc sptps_test sptps_keypair
sbin_PROGRAMS = tincd tinc
EXTRA_PROGRAMS = sptps_test sptps_keypair
CLEANFILES = version_git.h
@ -18,7 +19,7 @@ version.c: ${srcdir}/version.c
endif
if LINUX
sbin_PROGRAMS += sptps_speed
EXTRA_PROGRAMS += sptps_speed
endif
ed25519_SOURCES = \

2
src/bsd/tunemu.c
View file

@ -88,7 +88,7 @@ static void tun_error(char *format, ...)
{
va_list vl;
va_start(vl, format);
vsnprintf(tunemu_error, ERROR_BUFFER_SIZE, format, vl);
vsnprintf(tunemu_error, sizeof tunemu_error, format, vl);
va_end(vl);
}

4
src/cipher.h
View file

@ -1,6 +1,6 @@
/*
cipher.h -- header file cipher.c
Copyright (C) 2007-2013 Guus Sliepen <guus@tinc-vpn.org>
Copyright (C) 2007-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -30,10 +30,10 @@ typedef struct cipher cipher_t;
extern cipher_t *cipher_open_by_name(const char *) __attribute__ ((__malloc__));
extern cipher_t *cipher_open_by_nid(int) __attribute__ ((__malloc__));
extern cipher_t *cipher_open_blowfish_ofb(void) __attribute__ ((__malloc__));
extern void cipher_close(cipher_t *);
extern size_t cipher_keylength(const cipher_t *);
extern size_t cipher_blocksize(const cipher_t *);
extern uint64_t cipher_budget(const cipher_t *);
extern void cipher_get_key(const cipher_t *, void *);
extern bool cipher_set_key(cipher_t *, void *, bool) __attribute__ ((__warn_unused_result__));
extern bool cipher_set_key_from_rsa(cipher_t *, void *, size_t, bool) __attribute__ ((__warn_unused_result__));

2
src/connection.h
View file

@ -81,6 +81,8 @@ typedef struct connection_t {
cipher_t *outcipher; /* Cipher we will use to send data to him */
digest_t *indigest;
digest_t *outdigest;
uint64_t inbudget;
uint64_t outbudget;
#endif
ecdsa_t *ecdsa; /* his public ECDSA key */

3
src/digest.h
View file

@ -1,6 +1,6 @@
/*
digest.h -- header file digest.c
Copyright (C) 2007-2013 Guus Sliepen <guus@tinc-vpn.org>
Copyright (C) 2007-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -28,7 +28,6 @@ typedef struct digest digest_t;
extern digest_t *digest_open_by_name(const char *name, int maclength) __attribute__ ((__malloc__));
extern digest_t *digest_open_by_nid(int nid, int maclength) __attribute__ ((__malloc__));
extern digest_t *digest_open_sha1(int maclength) __attribute__ ((__malloc__));
extern void digest_close(digest_t *);
extern bool digest_create(digest_t *, const void *indata, size_t inlen, void *outdata) __attribute__ ((__warn_unused_result__));
extern bool digest_verify(digest_t *, const void *indata, size_t inlen, const void *digestdata) __attribute__ ((__warn_unused_result__));

2
src/dropin.c
View file

@ -112,7 +112,7 @@ int vasprintf(char **buf, const char *fmt, va_list ap) {
*buf = xrealloc(*buf, status + 1);
if(status > len - 1) {
len = status;
len = status + 1;
va_copy(aq, ap);
status = vsnprintf(*buf, len, fmt, aq);
va_end(aq);

9
src/fsck.c
View file

@ -298,9 +298,10 @@ int fsck(const char *argv0) {
rsa_t *rsa_pub = NULL;
f = fopen(fname, "r");
if(f)
if(f) {
rsa_pub = rsa_read_pem_public_key(f);
fclose(f);
fclose(f);
}
if(rsa_priv) {
if(!rsa_pub) {
@ -353,12 +354,12 @@ int fsck(const char *argv0) {
f = fopen(fname, "r");
if(f) {
ecdsa_pub = get_pubkey(f);
if(!f) {
if(!ecdsa_pub) {
rewind(f);
ecdsa_pub = ecdsa_read_pem_public_key(f);
}
fclose(f);
}
fclose(f);
if(ecdsa_priv) {
if(!ecdsa_pub) {

8
src/logger.c
View file

@ -110,20 +110,22 @@ void logger(int level, int priority, const char *format, ...) {
va_start(ap, format);
int len = vsnprintf(message, sizeof message, format, ap);
message[sizeof message - 1] = 0;
va_end(ap);
if(len > 0 && len < sizeof message && message[len - 1] == '\n')
if(len > 0 && len < sizeof message - 1 && message[len - 1] == '\n')
message[len - 1] = 0;
real_logger(level, priority, message);
}
static void sptps_logger(sptps_t *s, int s_errno, const char *format, va_list ap) {
char message[1024] = "";
char message[1024];
size_t msglen = sizeof message;
int len = vsnprintf(message, msglen, format, ap);
if(len > 0 && len < sizeof message) {
message[sizeof message - 1] = 0;
if(len > 0 && len < sizeof message - 1) {
if(message[len - 1] == '\n')
message[--len] = 0;

14
src/meta.c
View file

@ -66,6 +66,13 @@ bool send_meta(connection_t *c, const char *buffer, int length) {
#ifdef DISABLE_LEGACY
return false;
#else
if(length > c->outbudget) {
logger(DEBUG_META, LOG_ERR, "Byte limit exceeded for encryption to %s (%s)", c->name, c->hostname);
return false;
} else {
c->outbudget -= length;
}
size_t outlen = length;
if(!cipher_encrypt(c->outcipher, buffer, length, buffer_prepare(&c->outbuf, length), &outlen, false) || outlen != length) {
@ -224,6 +231,13 @@ bool receive_meta(connection_t *c) {
#ifdef DISABLE_LEGACY
return false;
#else
if(inlen > c->inbudget) {
logger(DEBUG_META, LOG_ERR, "yte limit exceeded for decryption from %s (%s)", c->name, c->hostname);
return false;
} else {
c->inbudget -= inlen;
}
size_t outlen = inlen;
if(!cipher_decrypt(c->incipher, bufp, inlen, buffer_prepare(&c->inbuf, inlen), &outlen, false) || inlen != outlen) {

37
src/net.c
View file

@ -95,28 +95,31 @@ void purge(void) {
void terminate_connection(connection_t *c, bool report) {
logger(DEBUG_CONNECTIONS, LOG_NOTICE, "Closing connection with %s (%s)", c->name, c->hostname);
if(c->node && c->node->connection == c)
c->node->connection = NULL;
if(c->node) {
if(c->node->connection == c)
c->node->connection = NULL;
if(c->edge) {
if(report && !tunnelserver)
send_del_edge(everyone, c->edge);
if(c->edge) {
if(report && !tunnelserver)
send_del_edge(everyone, c->edge);
edge_del(c->edge);
c->edge = NULL;
edge_del(c->edge);
c->edge = NULL;
/* Run MST and SSSP algorithms */
graph();
/* Run MST and SSSP algorithms */
/* If the node is not reachable anymore but we remember it had an edge to us, clean it up */
graph();
if(report && !c->node->status.reachable) {
edge_t *e;
e = lookup_edge(c->node, myself);
if(e) {
if(!tunnelserver)
send_del_edge(everyone, e);
edge_del(e);
/* If the node is not reachable anymore but we remember it had an edge to us, clean it up */
if(report && !c->node->status.reachable) {
edge_t *e;
e = lookup_edge(c->node, myself);
if(e) {
if(!tunnelserver)
send_del_edge(everyone, e);
edge_del(e);
}
}
}
}

10
src/net_packet.c
View file

@ -357,16 +357,16 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
if(seqno != n->received_seqno + 1) {
if(seqno >= n->received_seqno + replaywin * 8) {
if(n->farfuture++ < replaywin >> 2) {
logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
logger(DEBUG_TRAFFIC, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
return false;
}
logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
logger(DEBUG_TRAFFIC, LOG_WARNING, "Lost %d packets from %s (%s)",
seqno - n->received_seqno - 1, n->name, n->hostname);
memset(n->late, 0, replaywin);
} else if (seqno <= n->received_seqno) {
if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
logger(DEBUG_TRAFFIC, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
n->name, n->hostname, seqno, n->received_seqno);
return false;
}
@ -438,7 +438,7 @@ void receive_tcppacket(connection_t *c, const char *buffer, int len) {
bool receive_tcppacket_sptps(connection_t *c, const char *data, int len) {
if (len < sizeof(node_id_t) + sizeof(node_id_t)) {
logger(DEBUG_ALWAYS, LOG_ERR, "Got too short TCP SPTPS packet from %s (%s)", c->name, c->hostname);
logger(DEBUG_PROTOCOL, LOG_ERR, "Got too short TCP SPTPS packet from %s (%s)", c->name, c->hostname);
return false;
}
@ -773,7 +773,7 @@ bool send_sptps_data(node_t *to, node_t *from, int type, const void *data, size_
char buf[len + sizeof to->id + sizeof from->id]; char* buf_ptr = buf;
memcpy(buf_ptr, &to->id, sizeof to->id); buf_ptr += sizeof to->id;
memcpy(buf_ptr, &from->id, sizeof from->id); buf_ptr += sizeof from->id;
memcpy(buf_ptr, data, len); buf_ptr += len;
memcpy(buf_ptr, data, len);
logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s) (TCP)", from->name, from->hostname, to->name, to->hostname, to->nexthop->name, to->nexthop->hostname);
return send_sptps_tcppacket(to->nexthop->connection, buf, sizeof buf);
}

6
src/net_setup.c
View file

@ -726,7 +726,7 @@ static bool add_listen_address(char *address, bool bindto) {
int udp_fd = setup_vpn_in_socket((sockaddr_t *) aip->ai_addr);
if(tcp_fd < 0) {
if(udp_fd < 0) {
close(tcp_fd);
continue;
}
@ -909,7 +909,7 @@ static bool setup_myself(void) {
/* Generate packet encryption key */
if(!get_config_string(lookup_config(config_tree, "Cipher"), &cipher))
cipher = xstrdup("blowfish");
cipher = xstrdup("aes-256-cbc");
if(!strcasecmp(cipher, "none")) {
myself->incipher = NULL;
@ -933,7 +933,7 @@ static bool setup_myself(void) {
}
if(!get_config_string(lookup_config(config_tree, "Digest"), &digest))
digest = xstrdup("sha1");
digest = xstrdup("sha256");
if(!strcasecmp(digest, "none")) {
myself->indigest = NULL;

2
src/net_socket.c
View file

@ -526,6 +526,8 @@ begin:
} else if(proxytype == PROXY_EXEC) {
result = 0;
} else {
if(!proxyai)
abort();
result = connect(c->socket, proxyai->ai_addr, proxyai->ai_addrlen);
freeaddrinfo(proxyai);
}

64
src/openssl/cipher.c
View file

@ -1,6 +1,6 @@
/*
cipher.c -- Symmetric block cipher handling
Copyright (C) 2007-2013 Guus Sliepen <guus@tinc-vpn.org>
Copyright (C) 2007-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -28,14 +28,16 @@
#include "../xalloc.h"
struct cipher {
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX *ctx;
const EVP_CIPHER *cipher;
};
static cipher_t *cipher_open(const EVP_CIPHER *evp_cipher) {
cipher_t *cipher = xzalloc(sizeof *cipher);
cipher->cipher = evp_cipher;
EVP_CIPHER_CTX_init(&cipher->ctx);
cipher->ctx = EVP_CIPHER_CTX_new();
if(!cipher->ctx)
abort();
return cipher;
}
@ -60,15 +62,11 @@ cipher_t *cipher_open_by_nid(int nid) {
return cipher_open(evp_cipher);
}
cipher_t *cipher_open_blowfish_ofb(void) {
return cipher_open(EVP_bf_ofb());
}
void cipher_close(cipher_t *cipher) {
if(!cipher)
return;
EVP_CIPHER_CTX_cleanup(&cipher->ctx);
EVP_CIPHER_CTX_free(cipher->ctx);
free(cipher);
}
@ -76,23 +74,41 @@ size_t cipher_keylength(const cipher_t *cipher) {
if(!cipher || !cipher->cipher)
return 0;
return cipher->cipher->key_len + cipher->cipher->iv_len;
return EVP_CIPHER_key_length(cipher->cipher) + EVP_CIPHER_iv_length(cipher->cipher);
}
uint64_t cipher_budget(const cipher_t *cipher) {
/* Hopefully some failsafe way to calculate the maximum amount of bytes to
send/receive with a given cipher before we might run into birthday paradox
attacks. Because we might use different modes, the block size of the mode
might be 1 byte. In that case, use the IV length. Ensure the whole thing
is limited to what can be represented with a 64 bits integer.
*/
if(!cipher || !cipher->cipher)
return UINT64_MAX; // NULL cipher
int ivlen = EVP_CIPHER_iv_length(cipher->cipher);
int blklen = EVP_CIPHER_block_size(cipher->cipher);
int len = blklen > 1 ? blklen : ivlen > 1 ? ivlen : 8;
int bits = len * 4 - 1;
return bits < 64 ? UINT64_C(1) << bits : UINT64_MAX;
}
size_t cipher_blocksize(const cipher_t *cipher) {
if(!cipher || !cipher->cipher)
return 1;
return cipher->cipher->block_size;
return EVP_CIPHER_block_size(cipher->cipher);
}
bool cipher_set_key(cipher_t *cipher, void *key, bool encrypt) {
bool result;
if(encrypt)
result = EVP_EncryptInit_ex(&cipher->ctx, cipher->cipher, NULL, (unsigned char *)key, (unsigned char *)key + cipher->cipher->key_len);
result = EVP_EncryptInit_ex(cipher->ctx, cipher->cipher, NULL, (unsigned char *)key, (unsigned char *)key + EVP_CIPHER_key_length(cipher->cipher));
else
result = EVP_DecryptInit_ex(&cipher->ctx, cipher->cipher, NULL, (unsigned char *)key, (unsigned char *)key + cipher->cipher->key_len);
result = EVP_DecryptInit_ex(cipher->ctx, cipher->cipher, NULL, (unsigned char *)key, (unsigned char *)key + EVP_CIPHER_key_length(cipher->cipher));
if(result)
return true;
@ -105,9 +121,9 @@ bool cipher_set_key_from_rsa(cipher_t *cipher, void *key, size_t len, bool encry
bool result;
if(encrypt)
result = EVP_EncryptInit_ex(&cipher->ctx, cipher->cipher, NULL, (unsigned char *)key + len - cipher->cipher->key_len, (unsigned char *)key + len - cipher->cipher->iv_len - cipher->cipher->key_len);
result = EVP_EncryptInit_ex(cipher->ctx, cipher->cipher, NULL, (unsigned char *)key + len - EVP_CIPHER_key_length(cipher->cipher), (unsigned char *)key + len - EVP_CIPHER_iv_length(cipher->cipher) - EVP_CIPHER_key_length(cipher->cipher));
else
result = EVP_DecryptInit_ex(&cipher->ctx, cipher->cipher, NULL, (unsigned char *)key + len - cipher->cipher->key_len, (unsigned char *)key + len - cipher->cipher->iv_len - cipher->cipher->key_len);
result = EVP_DecryptInit_ex(cipher->ctx, cipher->cipher, NULL, (unsigned char *)key + len - EVP_CIPHER_key_length(cipher->cipher), (unsigned char *)key + len - EVP_CIPHER_iv_length(cipher->cipher) - EVP_CIPHER_key_length(cipher->cipher));
if(result)
return true;
@ -119,15 +135,15 @@ bool cipher_set_key_from_rsa(cipher_t *cipher, void *key, size_t len, bool encry
bool cipher_encrypt(cipher_t *cipher, const void *indata, size_t inlen, void *outdata, size_t *outlen, bool oneshot) {
if(oneshot) {
int len, pad;
if(EVP_EncryptInit_ex(&cipher->ctx, NULL, NULL, NULL, NULL)
&& EVP_EncryptUpdate(&cipher->ctx, (unsigned char *)outdata, &len, indata, inlen)
&& EVP_EncryptFinal(&cipher->ctx, (unsigned char *)outdata + len, &pad)) {
if(EVP_EncryptInit_ex(cipher->ctx, NULL, NULL, NULL, NULL)
&& EVP_EncryptUpdate(cipher->ctx, (unsigned char *)outdata, &len, indata, inlen)
&& EVP_EncryptFinal(cipher->ctx, (unsigned char *)outdata + len, &pad)) {
if(outlen) *outlen = len + pad;
return true;
}
} else {
int len;
if(EVP_EncryptUpdate(&cipher->ctx, outdata, &len, indata, inlen)) {
if(EVP_EncryptUpdate(cipher->ctx, outdata, &len, indata, inlen)) {
if(outlen) *outlen = len;
return true;
}
@ -140,15 +156,15 @@ bool cipher_encrypt(cipher_t *cipher, const void *indata, size_t inlen, void *ou
bool cipher_decrypt(cipher_t *cipher, const void *indata, size_t inlen, void *outdata, size_t *outlen, bool oneshot) {
if(oneshot) {
int len, pad;
if(EVP_DecryptInit_ex(&cipher->ctx, NULL, NULL, NULL, NULL)
&& EVP_DecryptUpdate(&cipher->ctx, (unsigned char *)outdata, &len, indata, inlen)
&& EVP_DecryptFinal(&cipher->ctx, (unsigned char *)outdata + len, &pad)) {
if(EVP_DecryptInit_ex(cipher->ctx, NULL, NULL, NULL, NULL)
&& EVP_DecryptUpdate(cipher->ctx, (unsigned char *)outdata, &len, indata, inlen)
&& EVP_DecryptFinal(cipher->ctx, (unsigned char *)outdata + len, &pad)) {
if(outlen) *outlen = len + pad;
return true;
}
} else {
int len;
if(EVP_EncryptUpdate(&cipher->ctx, outdata, &len, indata, inlen)) {
if(EVP_EncryptUpdate(cipher->ctx, outdata, &len, indata, inlen)) {
if(outlen) *outlen = len;
return true;
}
@ -162,9 +178,9 @@ int cipher_get_nid(const cipher_t *cipher) {
if(!cipher || !cipher->cipher)
return 0;
return cipher->cipher->nid;
return EVP_CIPHER_nid(cipher->cipher);
}
bool cipher_active(const cipher_t *cipher) {
return cipher && cipher->cipher && cipher->cipher->nid != 0;
return cipher && cipher->cipher && EVP_CIPHER_nid(cipher->cipher) != 0;
}

25
src/openssl/digest.c
View file

@ -1,6 +1,6 @@
/*
digest.c -- Digest handling
Copyright (C) 2007-2013 Guus Sliepen <guus@tinc-vpn.org>
Copyright (C) 2007-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -64,10 +64,6 @@ digest_t *digest_open_by_nid(int nid, int maclength) {
return digest_open(evp_md, maclength);
}
digest_t *digest_open_sha1(int maclength) {
return digest_open(EVP_sha1(), maclength);
}
bool digest_set_key(digest_t *digest, const void *key, size_t len) {
digest->key = xrealloc(digest->key, len);
memcpy(digest->key, key, len);
@ -93,14 +89,19 @@ bool digest_create(digest_t *digest, const void *indata, size_t inlen, void *out
return false;
}
} else {
EVP_MD_CTX ctx;
EVP_MD_CTX *ctx = EVP_MD_CTX_create();
if(!ctx)
abort();
if(!EVP_DigestInit(&ctx, digest->digest)
|| !EVP_DigestUpdate(&ctx, indata, inlen)
|| !EVP_DigestFinal(&ctx, tmpdata, NULL)) {
if(!EVP_DigestInit(ctx, digest->digest)
|| !EVP_DigestUpdate(ctx, indata, inlen)
|| !EVP_DigestFinal(ctx, tmpdata, NULL)) {
logger(DEBUG_ALWAYS, LOG_DEBUG, "Error creating digest: %s", ERR_error_string(ERR_get_error(), NULL));
EVP_MD_CTX_destroy(ctx);
return false;
}
EVP_MD_CTX_destroy(ctx);
}
memcpy(outdata, tmpdata, digest->maclength);
@ -118,14 +119,14 @@ int digest_get_nid(const digest_t *digest) {
if(!digest || !digest->digest)
return 0;
return digest->digest->type;
return EVP_MD_type(digest->digest);
}
size_t digest_keylength(const digest_t *digest) {
if(!digest || !digest->digest)
return 0;
return digest->digest->md_size;
return EVP_MD_size(digest->digest);
}
size_t digest_length(const digest_t *digest) {
@ -136,5 +137,5 @@ size_t digest_length(const digest_t *digest) {
}
bool digest_active(const digest_t *digest) {
return digest && digest->digest && digest->digest->type != 0;
return digest && digest->digest && EVP_MD_type(digest->digest) != 0;
}

41
src/openssl/rsa.c
View file

@ -30,28 +30,51 @@ typedef RSA rsa_t;
// Set RSA keys
#ifndef HAVE_RSA_SET0_KEY
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
BN_free(r->n); r->n = n;
BN_free(r->e); r->e = e;
BN_free(r->d); r->d = d;
return 1;
}
#endif
rsa_t *rsa_set_hex_public_key(char *n, char *e) {
BIGNUM *bn_n = NULL;
BIGNUM *bn_e = NULL;
if(BN_hex2bn(&bn_n, n) != strlen(n) || BN_hex2bn(&bn_e, e) != strlen(e)) {
BN_free(bn_e);
BN_free(bn_n);
return false;
}
rsa_t *rsa = RSA_new();
if(!rsa)
return NULL;
if(BN_hex2bn(&rsa->n, n) != strlen(n) || BN_hex2bn(&rsa->e, e) != strlen(e)) {
RSA_free(rsa);
return false;
}
RSA_set0_key(rsa, bn_n, bn_e, NULL);
return rsa;
}
rsa_t *rsa_set_hex_private_key(char *n, char *e, char *d) {
BIGNUM *bn_n = NULL;
BIGNUM *bn_e = NULL;
BIGNUM *bn_d = NULL;
if(BN_hex2bn(&bn_n, n) != strlen(n) || BN_hex2bn(&bn_e, e) != strlen(e) || BN_hex2bn(&bn_d, d) != strlen(d)) {
BN_free(bn_d);
BN_free(bn_e);
BN_free(bn_n);
return false;
}
rsa_t *rsa = RSA_new();
if(!rsa)
return NULL;
if(BN_hex2bn(&rsa->n, n) != strlen(n) || BN_hex2bn(&rsa->e, e) != strlen(e) || BN_hex2bn(&rsa->d, d) != strlen(d)) {
RSA_free(rsa);
return false;
}
RSA_set0_key(rsa, bn_n, bn_e, bn_d);
return rsa;
}

40
src/openssl/rsagen.c
View file

@ -27,11 +27,10 @@ typedef RSA rsa_t;
#include "../logger.h"
#include "../rsagen.h"
#include "../xalloc.h"
/* This function prettyprints the key generation process */
static void indicator(int a, int b, void *p) {
UNUSED(p);
static int indicator(int a, int b, BN_GENCB *cb) {
switch (a) {
case 0:
fprintf(stderr, ".");
@ -63,12 +62,45 @@ static void indicator(int a, int b, void *p) {
default:
fprintf(stderr, "?");
}
return 1;
}
// Generate RSA key
#ifndef HAVE_BN_GENCB_NEW
BN_GENCB *BN_GENCB_new(void) {
return xzalloc(sizeof(BN_GENCB));
}
void BN_GENCB_free(BN_GENCB *cb) {
free(cb);
}
#endif
rsa_t *rsa_generate(size_t bits, unsigned long exponent) {
return RSA_generate_key(bits, exponent, indicator, NULL);
BIGNUM *bn_e = BN_new();
rsa_t *rsa = RSA_new();
BN_GENCB *cb = BN_GENCB_new();
if(!bn_e || !rsa || !cb)
abort();
BN_set_word(bn_e, exponent);
BN_GENCB_set(cb, indicator, NULL);
int result = RSA_generate_key_ex(rsa, bits, bn_e, cb);
BN_GENCB_free(cb);
BN_free(bn_e);
if(!result) {
fprintf(stderr, "Error during key generation!\n");
RSA_free(rsa);
return NULL;
}
return rsa;
}
// Write PEM RSA keys

5
src/protocol.c
View file

@ -72,10 +72,11 @@ bool send_request(connection_t *c, const char *format, ...) {
input buffer anyway */
va_start(args, format);
len = vsnprintf(request, MAXBUFSIZE, format, args);
len = vsnprintf(request, sizeof request, format, args);
request[sizeof request - 1] = 0;
va_end(args);
if(len < 0 || len > MAXBUFSIZE - 1) {
if(len < 0 || len > sizeof request - 1) {
logger(DEBUG_ALWAYS, LOG_ERR, "Output buffer overflow while sending request to %s (%s)",
c->name, c->hostname);
return false;

26
src/protocol_auth.c
View file

@ -1,7 +1,7 @@
/*
protocol_auth.c -- handle the meta-protocol, authentication
Copyright (C) 1999-2005 Ivo Timmermans,
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -425,10 +425,24 @@ bool send_metakey(connection_t *c) {
if(!read_rsa_public_key(c))
return false;
if(!(c->outcipher = cipher_open_blowfish_ofb()))
/* We need to use a stream mode for the meta protocol. Use AES for this,
but try to match the key size with the one from the cipher selected
by Cipher.
*/
int keylen = cipher_keylength(myself->incipher);
if(keylen <= 16)
c->outcipher = cipher_open_by_name("aes-128-cfb");
else if(keylen <= 24)
c->outcipher = cipher_open_by_name("aes-192-cfb");
else
c->outcipher = cipher_open_by_name("aes-256-cfb");
if(!c)
return false;
if(!(c->outdigest = digest_open_sha1(-1)))
c->outbudget = cipher_budget(c->outcipher);
if(!(c->outdigest = digest_open_by_name("sha256", -1)))
return false;
const size_t len = rsa_size(c->rsa);
@ -540,6 +554,8 @@ bool metakey_h(connection_t *c, const char *request) {
c->incipher = NULL;
}
c->inbudget = cipher_budget(c->incipher);
if(digest) {
if(!(c->indigest = digest_open_by_nid(digest, -1))) {
logger(DEBUG_ALWAYS, LOG_ERR, "Error during initialisation of digest from %s (%s)", c->name, c->hostname);
@ -882,8 +898,10 @@ bool ack_h(connection_t *c, const char *request) {
socklen_t local_salen = sizeof local_sa;
if (getsockname(c->socket, &local_sa.sa, &local_salen) < 0)
logger(DEBUG_ALWAYS, LOG_WARNING, "Could not get local socket address for connection with %s", c->name);
else
else {
sockaddr_setport(&local_sa, myport);
c->edge->local_address = local_sa;
}
c->edge->weight = (weight + c->estimated_weight) / 2;
c->edge->connection = c;
c->edge->options = c->options;

126
src/protocol_edge.c
View file

@ -135,69 +135,56 @@ bool add_edge_h(connection_t *c, const char *request) {
e = lookup_edge(from, to);
if(e) {
if(e->weight != weight || e->options != options || sockaddrcmp(&e->address, &address)) {
if(from == myself) {
logger(DEBUG_PROTOCOL, LOG_WARNING, "Got %s from %s (%s) for ourself which does not match existing entry",
"ADD_EDGE", c->name, c->hostname);
send_add_edge(c, e);
sockaddrfree(&local_address);
return true;
} else {
/* Update weight first */
if(e->weight != weight){
logger(DEBUG_PROTOCOL, LOG_WARNING, "Got %s from %s (%s) with new weight %s -> %s %d -> %d",
"ADD_EDGE", c->name, c->hostname, e->from->name, e->to->name, e->weight, weight);
edge_update_weigth(e, weight);
}
if (e->options != options) {
logger(DEBUG_PROTOCOL, LOG_WARNING, "Got %s from %s (%s) with new options %s -> %s %x -> %x",
"ADD_EDGE", c->name, c->hostname, e->from->name, e->to->name, e->options, options);
e->options = options;
}
if (sockaddrcmp(&e->address, &address)) {
logger(DEBUG_PROTOCOL, LOG_WARNING, "Got %s from %s (%s) with new address %s -> %s",
"ADD_EDGE", c->name, c->hostname, e->from->name, e->to->name);
e->address = address;
}
goto done;
}
} else if(sockaddrcmp(&e->local_address, &local_address)) {
if(from == myself) {
if(e->local_address.sa.sa_family && local_address.sa.sa_family) {
// Someone has the wrong local address for ourself. Correct then.
logger(DEBUG_PROTOCOL, LOG_WARNING, "Got %s from %s (%s) for ourself which does not match existing entry",
"ADD_EDGE", c->name, c->hostname);
send_add_edge(c, e);
sockaddrfree(&local_address);
return true;
}
// Otherwise, just ignore it.
sockaddrfree(&local_address);
return true;
} else if(local_address.sa.sa_family && local_address.sa.sa_family != AF_UNKNOWN) {
// We learned a new local address for this edge.
// local_address.sa.sa_family will be 0 if we got it from older tinc versions
// local_address.sa.sa_family will be 255 (AF_UNKNOWN) if we got it from newer versions
// but for edge which does not have local_address
sockaddrfree(&e->local_address);
e->local_address = local_address;
// Tell others about it.
if(!tunnelserver)
forward_request(c, request);
return true;
} else {
logger(DEBUG_PROTOCOL, LOG_WARNING, "%s:%d %s -> %s - got edge we know from older version? (%d.%d)",
__FUNCTION__, __LINE__, e->from->name, e->to->name, c->protocol_major, c->protocol_minor);
sockaddrfree(&local_address);
return true;
}
} else {
bool new_address = sockaddrcmp(&e->address, &address);
// local_address.sa.sa_family will be 0 if we got it from older tinc versions
// local_address.sa.sa_family will be 255 (AF_UNKNOWN) if we got it from newer versions
// but for edge which does not have local_address
bool new_local_address = local_address.sa.sa_family && local_address.sa.sa_family != AF_UNKNOWN &&
sockaddrcmp(&e->local_address, &local_address);
if(e->weight == weight && e->options == options && !new_address && !new_local_address) {
sockaddrfree(&address);
sockaddrfree(&local_address);
return true;
}
if(from == myself) {
logger(DEBUG_PROTOCOL, LOG_WARNING, "Got %s from %s (%s) for ourself which does not match existing entry",
"ADD_EDGE", c->name, c->hostname);
send_add_edge(c, e);
sockaddrfree(&address);
sockaddrfree(&local_address);
return true;
}
logger(DEBUG_PROTOCOL, LOG_WARNING, "Got %s from %s (%s) which does not match existing entry",
"ADD_EDGE", c->name, c->hostname);
if (e->options != options) {
logger(DEBUG_PROTOCOL, LOG_WARNING, "Got %s from %s (%s) with new options %s -> %s %x -> %x",
"ADD_EDGE", c->name, c->hostname, e->from->name, e->to->name, e->options, options);
e->options = options;
}
if(new_address) {
sockaddrfree(&e->address);
e->address = address;
} else {
sockaddrfree(&address);
}
if(new_local_address) {
sockaddrfree(&e->local_address);
e->local_address = local_address;
} else {
sockaddrfree(&local_address);
}
if(e->weight != weight) {
logger(DEBUG_PROTOCOL, LOG_WARNING, "Got %s from %s (%s) with new weight %s -> %s %d -> %d",
"ADD_EDGE", c->name, c->hostname, e->from->name, e->to->name, e->weight, weight);
edge_update_weigth(e, weight);
}
} else if(from == myself) {
logger(DEBUG_PROTOCOL, LOG_WARNING, "Got %s from %s (%s) for ourself which does not exist",
"ADD_EDGE", c->name, c->hostname);
@ -207,21 +194,20 @@ bool add_edge_h(connection_t *c, const char *request) {
e->to = to;
send_del_edge(c, e);
free_edge(e);
sockaddrfree(&address);
sockaddrfree(&local_address);
return true;
} else {
e = new_edge();
e->from = from;
e->to = to;
e->address = address;
e->local_address = local_address;
e->options = options;
e->weight = weight;
edge_add(e);
}
e = new_edge();
e->from = from;
e->to = to;
e->address = address;
e->local_address = local_address;
e->options = options;
e->weight = weight;
e->avg_rtt = weight/10;
edge_add(e);
done:
/* Tell the rest about the new edge */
if(!tunnelserver)
forward_request(c, request);

2
src/sptps.c
View file

@ -603,8 +603,6 @@ size_t sptps_receive_data(sptps_t *s, const void *data, size_t len) {
memcpy(s->inbuf + s->buflen, data, toread);
total_read += toread;
s->buflen += toread;
len -= toread;
data += toread;
// If we don't have a whole record, exit.
if(s->buflen < s->reclen + (s->instate ? 19UL : 3UL))

22
src/tincctl.c
View file

@ -445,11 +445,13 @@ static bool rsa_keygen(int bits, bool ask) {
// Make sure the key size is a multiple of 8 bits.
bits &= ~0x7;
// Force them to be between 1024 and 8192 bits long.
if(bits < 1024)
bits = 1024;
if(bits > 8192)
bits = 8192;
// Make sure that a valid key size is used.
if(bits < 1024 || bits > 8192) {
fprintf(stderr, "Invalid key size %d specified! It should be between 1024 and 8192 bits.\n", bits);
return false;
} else if(bits < 2048) {
fprintf(stderr, "WARNING: generating a weak %d bits RSA key! 2048 or more bits are recommended.\n", bits);
}
fprintf(stderr, "Generating %d bits keys:\n", bits);
@ -559,6 +561,7 @@ bool sendline(int fd, char *format, ...) {
va_start(ap, format);
blen = vsnprintf(buffer, sizeof buffer, format, ap);
buffer[sizeof buffer - 1] = 0;
va_end(ap);
if(blen < 1 || blen >= sizeof buffer)
@ -884,7 +887,7 @@ static int cmd_start(int argc, char *argv[]) {
if(!pid) {
close(pfd[0]);
char buf[100] = "";
char buf[100];
snprintf(buf, sizeof buf, "%d", pfd[1]);
setenv("TINC_UMBILICAL", buf, true);
exit(execvp(c, nargv));
@ -2538,6 +2541,7 @@ static int cmd_verify(int argc, char *argv[]) {
char *newline = memchr(data, '\n', len);
if(!newline || (newline - data > MAX_STRING_SIZE - 1)) {
fprintf(stderr, "Invalid input\n");
free(data);
return 1;
}
@ -2550,11 +2554,13 @@ static int cmd_verify(int argc, char *argv[]) {
if(sscanf(data, "Signature = %s %ld %s", signer, &t, sig) != 3 || strlen(sig) != 86 || !t || !check_id(signer)) {
fprintf(stderr, "Invalid input\n");
free(data);
return 1;
}
if(node && strcmp(node, signer)) {
fprintf(stderr, "Signature is not made by %s\n", node);
free(data);
return 1;
}
@ -2851,8 +2857,10 @@ static int cmd_shell(int argc, char *argv[]) {
if(nargc == argc)
continue;
if(!strcasecmp(nargv[argc], "exit") || !strcasecmp(nargv[argc], "quit"))
if(!strcasecmp(nargv[argc], "exit") || !strcasecmp(nargv[argc], "quit")) {
free(nargv);
return result;
}
bool found = false;

2
src/upnp.c
View file

@ -57,7 +57,7 @@ static struct UPNPDev *upnp_discover(int delay, int *error) {
#elif MINIUPNPC_API_VERSION <= 14
return upnpDiscover(delay, NULL NULL, false, false, 2, error);
return upnpDiscover(delay, NULL, NULL, false, false, 2, error);
#else