j3d1/tinc
1
0
Fork 0
Code Issues 1 Pull requests Releases Wiki Activity

Implemented new authentication scheme from doc/SECURITY2.

Browse source
This commit is contained in:
Guus Sliepen 2001-02-25 19:09:45 +00:00
parent 54881faf6f
commit 82455be966
3 changed files with 30 additions and 84 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/net.c
View file

@ -17,7 +17,7 @@
along with this program; if not, write to the Free Software along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
$Id: net.c,v 1.35.4.96 2001/02/25 16:34:17 guus Exp $ $Id: net.c,v 1.35.4.97 2001/02/25 19:09:41 guus Exp $
*/ */
#include "config.h" #include "config.h"
@ -1297,6 +1297,8 @@ cp
} }
connection_add(ncn); connection_add(ncn);
send_id(ncn);
cp cp
return 0; return 0;
} }

103
src/protocol.c
View file

@ -17,7 +17,7 @@
along with this program; if not, write to the Free Software along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
$Id: protocol.c,v 1.28.4.80 2001/02/25 16:34:19 guus Exp $ $Id: protocol.c,v 1.28.4.81 2001/02/25 19:09:43 guus Exp $
*/ */
#include "config.h" #include "config.h"
@ -187,8 +187,6 @@ cp
int send_id(connection_t *cl) int send_id(connection_t *cl)
{ {
cp
cl->allow_request = CHALLENGE;
cp cp
return send_request(cl, "%d %s %d %lx %hd", ID, myself->name, myself->protocol_version, myself->options, myself->port); return send_request(cl, "%d %s %d %lx %hd", ID, myself->name, myself->protocol_version, myself->options, myself->port);
} }
@ -263,13 +261,14 @@ cp
cl->port = port; cl->port = port;
avl_insert_node(connection_tree, node); avl_insert_node(connection_tree, node);
/* Read in the public key, so that we can send a challenge */ /* Read in the public key, so that we can send a metakey */
if(read_rsa_public_key(cl)) if(read_rsa_public_key(cl))
return -1; return -1;
cl->allow_request = METAKEY;
cp cp
return send_challenge(cl); return send_metakey(cl);
} }
int send_challenge(connection_t *cl) int send_challenge(connection_t *cl)
@ -277,6 +276,8 @@ int send_challenge(connection_t *cl)
char *buffer; char *buffer;
int len, x; int len, x;
cp cp
/* CHECKME: what is most reasonable value for len? */
len = RSA_size(cl->rsa_key); len = RSA_size(cl->rsa_key);
/* Allocate buffers for the challenge */ /* Allocate buffers for the challenge */
@ -292,32 +293,15 @@ cp
RAND_bytes(cl->hischallenge, len); RAND_bytes(cl->hischallenge, len);
cl->hischallenge[0] &= 0x7F; /* Somehow if the first byte is more than 0xD0 or something like that, decryption fails... */
cp cp
if(debug_lvl >= DEBUG_SCARY_THINGS) /* Convert to hex */
{
bin2hex(cl->hischallenge, buffer, len);
buffer[len*2] = '\0';
syslog(LOG_DEBUG, _("Generated random challenge (unencrypted): %s"), buffer);
}
/* Encrypt the random data */ bin2hex(cl->hischallenge, buffer, len);
if(RSA_public_encrypt(len, cl->hischallenge, buffer, cl->rsa_key, RSA_NO_PADDING) != len) /* NO_PADDING because the message size equals the RSA key size and it is totally random */
{
syslog(LOG_ERR, _("Error during encryption of challenge for %s (%s)"), cl->name, cl->hostname);
free(buffer);
return -1;
}
cp
/* Convert the encrypted random data to a hexadecimal formatted string */
bin2hex(buffer, buffer, len);
buffer[len*2] = '\0'; buffer[len*2] = '\0';
cp cp
/* Send the challenge */ /* Send the challenge */
cl->allow_request = CHAL_REPLY;
x = send_request(cl, "%d %s", CHALLENGE, buffer); x = send_request(cl, "%d %s", CHALLENGE, buffer);
free(buffer); free(buffer);
cp cp
@ -352,22 +336,9 @@ cp
/* Convert the challenge from hexadecimal back to binary */ /* Convert the challenge from hexadecimal back to binary */
hex2bin(buffer,buffer,len); hex2bin(buffer,cl->mychallenge,len);
/* Decrypt the challenge */ cl->allow_request = CHAL_REPLY;
if(RSA_private_decrypt(len, buffer, cl->mychallenge, myself->rsa_key, RSA_NO_PADDING) != len) /* See challenge() */
{
syslog(LOG_ERR, _("Error during encryption of challenge for %s (%s)"), cl->name, cl->hostname);
return -1;
}
if(debug_lvl >= DEBUG_SCARY_THINGS)
{
bin2hex(cl->mychallenge, buffer, len);
buffer[len*2] = '\0';
syslog(LOG_DEBUG, _("Received random challenge (unencrypted): %s"), buffer);
}
/* Rest is done by send_chal_reply() */ /* Rest is done by send_chal_reply() */
cp cp
@ -395,11 +366,6 @@ cp
/* Send the reply */ /* Send the reply */
if(cl->status.outgoing)
cl->allow_request = ID;
else
cl->allow_request = METAKEY;
cp cp
return send_request(cl, "%d %s", CHAL_REPLY, hash); return send_request(cl, "%d %s", CHAL_REPLY, hash);
} }
@ -445,16 +411,11 @@ cp
return -1; return -1;
} }
/* Identity has now been positively verified. /* Identity has now been positively verified.
If we are accepting this new connection, then send our identity, ack_h() handles the rest from now on.
if we are making this connecting, acknowledge.
*/ */
cp cp
if(cl->status.outgoing) return ack_h(cl);
return send_metakey(cl);
else
return send_id(cl);
} }
int send_metakey(connection_t *cl) int send_metakey(connection_t *cl)
@ -503,15 +464,14 @@ cp
/* Send the meta key */ /* Send the meta key */
if(cl->status.outgoing)
cl->allow_request = METAKEY;
else
cl->allow_request = ACK;
x = send_request(cl, "%d %s", METAKEY, buffer); x = send_request(cl, "%d %s", METAKEY, buffer);
free(buffer); free(buffer);
/* Further outgoing requests are encrypted with the key we just generated */
EVP_EncryptInit(cl->cipher_outctx, EVP_bf_cfb(), cl->cipher_outkey, cl->cipher_outkey + EVP_bf_cfb()->key_len); EVP_EncryptInit(cl->cipher_outctx, EVP_bf_cfb(), cl->cipher_outkey, cl->cipher_outkey + EVP_bf_cfb()->key_len);
cl->status.encryptout = 1;
cp cp
return x; return x;
} }
@ -564,26 +524,15 @@ cp
syslog(LOG_DEBUG, _("Received random meta key (unencrypted): %s"), buffer); syslog(LOG_DEBUG, _("Received random meta key (unencrypted): %s"), buffer);
} }
/* All incoming requests will now be encrypted. */
EVP_DecryptInit(cl->cipher_inctx, EVP_bf_cfb(), cl->cipher_inkey, cl->cipher_inkey + EVP_bf_cfb()->key_len); EVP_DecryptInit(cl->cipher_inctx, EVP_bf_cfb(), cl->cipher_inkey, cl->cipher_inkey + EVP_bf_cfb()->key_len);
cp cl->status.decryptin = 1;
if(cl->status.outgoing)
return send_ack(cl);
else
return send_metakey(cl);
}
int send_ack(connection_t *cl) cl->allow_request = CHALLENGE;
{
int x;
cp cp
if(cl->status.outgoing) return send_challenge(cl);
cl->allow_request = ACK;
x = send_request(cl, "%d", ACK);
cl->status.encryptout = 1;
cp
return x;
} }
int ack_h(connection_t *cl) int ack_h(connection_t *cl)
@ -611,7 +560,6 @@ cp
cl->allow_request = ALL; cl->allow_request = ALL;
cl->status.active = 1; cl->status.active = 1;
cl->status.decryptin = 1;
cl->nexthop = cl; cl->nexthop = cl;
cl->cipher_pkttype = EVP_bf_cbc(); cl->cipher_pkttype = EVP_bf_cbc();
cl->cipher_pktkeylength = cl->cipher_pkttype->key_len + cl->cipher_pkttype->iv_len; cl->cipher_pktkeylength = cl->cipher_pkttype->key_len + cl->cipher_pkttype->iv_len;
@ -620,9 +568,6 @@ cp
syslog(LOG_NOTICE, _("Connection with %s (%s) activated"), cl->name, cl->hostname); syslog(LOG_NOTICE, _("Connection with %s (%s) activated"), cl->name, cl->hostname);
cp cp
if(!cl->status.outgoing)
send_ack(cl);
/* Check some options */ /* Check some options */
if((cfg = get_config_val(cl->config, config_indirectdata))) if((cfg = get_config_val(cl->config, config_indirectdata)))
@ -1349,7 +1294,7 @@ int tcppacket_h(connection_t *cl)
/* Jumptable for the request handlers */ /* Jumptable for the request handlers */
int (*request_handlers[])(connection_t*) = { int (*request_handlers[])(connection_t*) = {
id_h, challenge_h, chal_reply_h, metakey_h, ack_h, id_h, metakey_h, challenge_h, chal_reply_h,
status_h, error_h, termreq_h, status_h, error_h, termreq_h,
ping_h, pong_h, ping_h, pong_h,
add_host_h, del_host_h, add_host_h, del_host_h,
@ -1361,7 +1306,7 @@ int (*request_handlers[])(connection_t*) = {
/* Request names */ /* Request names */
char (*request_name[]) = { char (*request_name[]) = {
"ID", "CHALLENGE", "CHAL_REPLY", "METAKEY", "ACK", "ID", "METAKEY", "CHALLENGE", "CHAL_REPLY",
"STATUS", "ERROR", "TERMREQ", "STATUS", "ERROR", "TERMREQ",
"PING", "PONG", "PING", "PONG",
"ADD_HOST", "DEL_HOST", "ADD_HOST", "DEL_HOST",

7
src/protocol.h
View file

@ -17,7 +17,7 @@
along with this program; if not, write to the Free Software along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
$Id: protocol.h,v 1.5.4.19 2001/01/07 20:19:35 guus Exp $ $Id: protocol.h,v 1.5.4.20 2001/02/25 19:09:45 guus Exp $
*/ */
#ifndef __TINC_PROTOCOL_H__ #ifndef __TINC_PROTOCOL_H__
@ -30,13 +30,13 @@
incompatible version have different protocols. incompatible version have different protocols.
*/ */
#define PROT_CURRENT 8 #define PROT_CURRENT 9
/* Request numbers */ /* Request numbers */
enum { enum {
ALL = -1, /* Guardian for allow_request */ ALL = -1, /* Guardian for allow_request */
ID = 0, CHALLENGE, CHAL_REPLY, METAKEY, ACK, ID = 0, METAKEY, CHALLENGE, CHAL_REPLY,
STATUS, ERROR, TERMREQ, STATUS, ERROR, TERMREQ,
PING, PONG, PING, PONG,
ADD_HOST, DEL_HOST, ADD_HOST, DEL_HOST,
@ -57,7 +57,6 @@ extern int send_id(connection_t*);
extern int send_challenge(connection_t*); extern int send_challenge(connection_t*);
extern int send_chal_reply(connection_t*); extern int send_chal_reply(connection_t*);
extern int send_metakey(connection_t*); extern int send_metakey(connection_t*);
extern int send_ack(connection_t*);
extern int send_status(connection_t*, int, char*); extern int send_status(connection_t*, int, char*);
extern int send_error(connection_t*, int, char*); extern int send_error(connection_t*, int, char*);
extern int send_termreq(connection_t*); extern int send_termreq(connection_t*);