Allow Cipher and Digest "none".

This is for backwards compatibility with tinc 1.0, it has no effect on
the SPTPS protocol.
This commit is contained in:
Guus Sliepen 2014-05-18 21:51:42 +02:00
parent 666718998e
commit b0d80c7f28
4 changed files with 83 additions and 22 deletions

View file

@ -378,7 +378,7 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
return; return;
} }
if(!cipher_active(n->incipher)) { if(!n->status.validkey) {
logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname); logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
return; return;
} }

View file

@ -514,14 +514,22 @@ bool metakey_h(connection_t *c, const char *request) {
/* Check and lookup cipher and digest algorithms */ /* Check and lookup cipher and digest algorithms */
if(!(c->incipher = cipher_open_by_nid(cipher)) || !cipher_set_key_from_rsa(c->incipher, key, len, false)) { if(cipher) {
logger(DEBUG_ALWAYS, LOG_ERR, "Error during initialisation of cipher from %s (%s)", c->name, c->hostname); if(!(c->incipher = cipher_open_by_nid(cipher)) || !cipher_set_key_from_rsa(c->incipher, key, len, false)) {
return false; logger(DEBUG_ALWAYS, LOG_ERR, "Error during initialisation of cipher from %s (%s)", c->name, c->hostname);
return false;
}
} else {
c->incipher = NULL;
} }
if(!(c->indigest = digest_open_by_nid(digest, -1))) { if(digest) {
logger(DEBUG_ALWAYS, LOG_ERR, "Error during initialisation of digest from %s (%s)", c->name, c->hostname); if(!(c->indigest = digest_open_by_nid(digest, -1))) {
return false; logger(DEBUG_ALWAYS, LOG_ERR, "Error during initialisation of digest from %s (%s)", c->name, c->hostname);
return false;
}
} else {
c->indigest = NULL;
} }
c->status.decryptin = true; c->status.decryptin = true;

View file

@ -260,25 +260,32 @@ bool send_ans_key(node_t *to) {
if(to->status.sptps) if(to->status.sptps)
abort(); abort();
size_t keylen = cipher_keylength(myself->incipher); size_t keylen = myself->incipher ? cipher_keylength(myself->incipher) : 1;
char key[keylen * 2 + 1]; char key[keylen * 2 + 1];
randomize(key, keylen);
cipher_close(to->incipher); cipher_close(to->incipher);
digest_close(to->indigest); digest_close(to->indigest);
to->incipher = cipher_open_by_nid(cipher_get_nid(myself->incipher)); if(myself->incipher) {
to->indigest = digest_open_by_nid(digest_get_nid(myself->indigest), digest_length(myself->indigest)); to->incipher = cipher_open_by_nid(cipher_get_nid(myself->incipher));
if(!to->incipher)
abort();
if(!cipher_set_key(to->incipher, key, false))
abort();
}
if(myself->indigest) {
to->indigest = digest_open_by_nid(digest_get_nid(myself->indigest), digest_length(myself->indigest));
if(!to->indigest)
abort();
if(!digest_set_key(to->indigest, key, keylen))
abort();
}
to->incompression = myself->incompression; to->incompression = myself->incompression;
if(!to->incipher || !to->indigest)
abort();
randomize(key, keylen);
if(!cipher_set_key(to->incipher, key, false))
abort();
if(!digest_set_key(to->indigest, key, keylen))
abort();
bin2hex(key, key, keylen); bin2hex(key, key, keylen);
// Reset sequence number and late packet window // Reset sequence number and late packet window
@ -422,16 +429,16 @@ bool ans_key_h(connection_t *c, const char *request) {
keylen = hex2bin(key, key, sizeof key); keylen = hex2bin(key, key, sizeof key);
if(keylen != cipher_keylength(from->outcipher)) { if(keylen != (from->outcipher ? cipher_keylength(from->outcipher) : 1)) {
logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name, from->hostname); logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name, from->hostname);
return true; return true;
} }
/* Update our copy of the origin's packet key */ /* Update our copy of the origin's packet key */
if(!cipher_set_key(from->outcipher, key, true)) if(from->outcipher && !cipher_set_key(from->outcipher, key, true))
return false; return false;
if(!digest_set_key(from->outdigest, key, keylen)) if(from->outdigest && !digest_set_key(from->outdigest, key, keylen))
return false; return false;
from->status.validkey = true; from->status.validkey = true;

46
test/algorithms.test Executable file
View file

@ -0,0 +1,46 @@
#!/bin/sh
. ./testlib.sh
# Initialize two nodes
$tinc $c1 <<EOF
init foo
set DeviceType dummy
set Port 32755
set Address localhost
set ExperimentalProtocol no
EOF
$tinc $c2 <<EOF
init bar
set DeviceType dummy
set Port 0
set ExperimentalProtocol no
EOF
# Exchange configuration
$tinc $c1 export | $tinc $c2 exchange | $tinc $c1 import
$tinc $c2 add ConnectTo foo
$tinc $c1 start $r1
# Test various ciphers and digests
for digest in none md5 sha1 sha256 sha512; do
for cipher in none bf-cbc aes-128-cbc aes-256-cbc camellia-128-cbc camellia-256-cbc; do
echo Testing $cipher $digest
$tinc $c2 <<EOF
set Digest $digest
set Cipher $cipher
EOF
$tinc $c2 start $r2
sleep 2;
$tinc $c1 info bar
$tinc $c1 info bar | grep -q 'directly with UDP'
$tinc $c2 stop
done
done
$tinc $c1 stop