lagertonne/tinc
1
0
Fork 0
Code Issues Pull requests Projects Releases 6 Wiki Activity

Import Upstream version 1.0.29

Browse source
This commit is contained in:
Guus Sliepen 2019-08-26 13:44:47 +02:00
parent d08a5d8f0b
commit 1077a20a8c
39 changed files with 865 additions and 375 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/Makefile.in
View file

@ -105,8 +105,11 @@ sbin_PROGRAMS = tincd$(EXEEXT)
subdir = src
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/ax_append_flag.m4 \
$(top_srcdir)/m4/ax_cflags_warn_all.m4 \
$(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \

2
src/avl_tree.c
View file

@ -26,7 +26,7 @@
the code. Mail me if you found a bug.
Cleaned up and incorporated some of the ideas from the red-black tree
library for inclusion into tinc (http://www.tinc-vpn.org/) by
library for inclusion into tinc (https://www.tinc-vpn.org/) by
Guus Sliepen <guus@tinc-vpn.org>.
*/

2
src/avl_tree.h
View file

@ -26,7 +26,7 @@
the code. Mail me if you found a bug.
Cleaned up and incorporated some of the ideas from the red-black tree
library for inclusion into tinc (http://www.tinc-vpn.org/) by
library for inclusion into tinc (https://www.tinc-vpn.org/) by
Guus Sliepen <guus@tinc-vpn.org>.
*/

11
src/bsd/device.c
View file

@ -198,18 +198,19 @@ static bool setup_device(void) {
// Guess what the corresponding interface is called
char *realname;
char *realname = NULL;
#if defined(HAVE_FDEVNAME)
realname = fdevname(device_fd) ? : device;
realname = fdevname(device_fd);
#elif defined(HAVE_DEVNAME)
struct stat buf;
if(!fstat(device_fd, &buf))
realname = devname(buf.st_rdev, S_IFCHR) ? : device;
#else
realname = device;
realname = devname(buf.st_rdev, S_IFCHR);
#endif
if(!realname)
realname = device;
if(!get_config_string(lookup_config(config_tree, "Interface"), &iface))
iface = xstrdup(strrchr(realname, '/') ? strrchr(realname, '/') + 1 : realname);
else if(strcmp(iface, strrchr(realname, '/') ? strrchr(realname, '/') + 1 : realname))

3
src/dropin.c
View file

@ -1,7 +1,7 @@
/*
dropin.c -- a set of drop-in replacements for libc functions
Copyright (C) 2000-2005 Ivo Timmermans,
2000-2011 Guus Sliepen <guus@tinc-vpn.org>
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -140,6 +140,7 @@ int vasprintf(char **buf, const char *fmt, va_list ap) {
va_copy(aq, ap);
status = vsnprintf(*buf, len, fmt, aq);
buf[len - 1] = 0;
va_end(aq);
if(status >= 0)

3
src/logger.c
View file

@ -1,6 +1,6 @@
/*
logger.c -- logging code
Copyright (C) 2004-2006 Guus Sliepen <guus@tinc-vpn.org>
Copyright (C) 2004-2016 Guus Sliepen <guus@tinc-vpn.org>
2004-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify
@ -109,6 +109,7 @@ void logger(int priority, const char *format, ...) {
char message[4096];
const char *messages[] = {message};
vsnprintf(message, sizeof(message), format, ap);
message[sizeof message - 1] = 0;
ReportEvent(loghandle, priority, 0, 0, NULL, 1, 0, messages, NULL);
}
#else

4
src/net.c
View file

@ -246,7 +246,7 @@ static void check_dead_connections(void) {
if(c->status.active) {
if(c->status.pinged) {
ifdebug(CONNECTIONS) logger(LOG_INFO, "%s (%s) didn't respond to PING in %ld seconds",
c->name, c->hostname, (long)now - c->last_ping_time);
c->name, c->hostname, (long)(now - c->last_ping_time));
c->status.timeout = true;
terminate_connection(c, true);
} else if(c->last_ping_time + pinginterval <= now) {
@ -275,7 +275,7 @@ static void check_dead_connections(void) {
if(c->status.active) {
ifdebug(CONNECTIONS) logger(LOG_INFO,
"%s (%s) could not flush for %ld seconds (%d bytes remaining)",
c->name, c->hostname, (long)now - c->last_flushed_time, c->outbuflen);
c->name, c->hostname, (long)(now - c->last_flushed_time), c->outbuflen);
c->status.timeout = true;
terminate_connection(c, true);
}

22
src/net_packet.c
View file

@ -1,7 +1,7 @@
/*
net_packet.c -- Handles in- and outgoing VPN packets
Copyright (C) 1998-2005 Ivo Timmermans,
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
2010 Timothy Redaelli <timothy@redaelli.eu>
2010 Brandon Black <blblack@gmail.com>
@ -145,7 +145,7 @@ void send_mtu_probe(node_t *n) {
len = 64;
memset(packet.data, 0, 14);
RAND_pseudo_bytes(packet.data + 14, len - 14);
RAND_bytes(packet.data + 14, len - 14);
packet.len = len;
if(i >= 4 && n->mtuprobes <= 10)
packet.priority = -1;
@ -314,10 +314,10 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
if(n->incipher) {
outpkt = pkt[nextpkt++];
if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL)
|| !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
if(!EVP_DecryptInit_ex(n->inctx, NULL, NULL, NULL, NULL)
|| !EVP_DecryptUpdate(n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
(unsigned char *) &inpkt->seqno, inpkt->len)
|| !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
|| !EVP_DecryptFinal_ex(n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s",
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
return;
@ -336,16 +336,16 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
if(inpkt->seqno != n->received_seqno + 1) {
if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
if(n->farfuture++ < replaywin >> 2) {
logger(LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
ifdebug(TRAFFIC) logger(LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
return;
}
logger(LOG_WARNING, "Lost %d packets from %s (%s)",
ifdebug(TRAFFIC) logger(LOG_WARNING, "Lost %d packets from %s (%s)",
inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
memset(n->late, 0, replaywin);
} else if (inpkt->seqno <= n->received_seqno) {
if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
ifdebug(TRAFFIC) logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
n->name, n->hostname, inpkt->seqno, n->received_seqno);
return;
}
@ -479,10 +479,10 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
if(n->outcipher) {
outpkt = pkt[nextpkt++];
if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL)
|| !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
if(!EVP_EncryptInit_ex(n->outctx, NULL, NULL, NULL, NULL)
|| !EVP_EncryptUpdate(n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
(unsigned char *) &inpkt->seqno, inpkt->len)
|| !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
|| !EVP_EncryptFinal_ex(n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s",
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
goto end;

48
src/net_setup.c
View file

@ -1,7 +1,7 @@
/*
net_setup.c -- Setup.
Copyright (C) 1998-2005 Ivo Timmermans,
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org>
2010 Brandon Black <blblack@gmail.com>
@ -48,11 +48,22 @@
char *myport;
devops_t devops;
#ifndef HAVE_RSA_SET0_KEY
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
BN_free(r->n); r->n = n;
BN_free(r->e); r->e = e;
BN_free(r->d); r->d = d;
return 1;
}
#endif
bool read_rsa_public_key(connection_t *c) {
FILE *fp;
char *pubname;
char *hcfname;
char *key;
BIGNUM *n = NULL;
BIGNUM *e = NULL;
if(!c->rsa_key) {
c->rsa_key = RSA_new();
@ -62,12 +73,19 @@ bool read_rsa_public_key(connection_t *c) {
/* First, check for simple PublicKey statement */
if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
if(BN_hex2bn(&c->rsa_key->n, key) != strlen(key)) {
if(BN_hex2bn(&n, key) != strlen(key)) {
free(key);
logger(LOG_ERR, "Invalid PublicKey for %s!", c->name);
return false;
}
BN_hex2bn(&c->rsa_key->e, "FFFF");
free(key);
BN_hex2bn(&e, "FFFF");
if(!n || !e || RSA_set0_key(c->rsa_key, n, e, NULL) != 1) {
BN_free(e);
BN_free(n);
logger(LOG_ERR, "RSA_set0_key() failed with PublicKey for %s!", c->name);
return false;
}
return true;
}
@ -158,27 +176,39 @@ bool read_rsa_public_key(connection_t *c) {
static bool read_rsa_private_key(void) {
FILE *fp;
char *fname, *key, *pubkey;
BIGNUM *n = NULL;
BIGNUM *e = NULL;
BIGNUM *d = NULL;
if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
myself->connection->rsa_key = RSA_new();
// RSA_blinding_on(myself->connection->rsa_key, NULL);
if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) {
if(BN_hex2bn(&d, key) != strlen(key)) {
logger(LOG_ERR, "Invalid PrivateKey for myself!");
free(key);
return false;
}
free(key);
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
BN_free(d);
logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
return false;
}
if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) {
logger(LOG_ERR, "Invalid PublicKey for myself!");
if(BN_hex2bn(&n, pubkey) != strlen(pubkey)) {
free(pubkey);
BN_free(d);
logger(LOG_ERR, "Invalid PublicKey for myself!");
return false;
}
free(pubkey);
BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
BN_hex2bn(&e, "FFFF");
if(!n || !e || !d || RSA_set0_key(myself->connection->rsa_key, n, e, d) != 1) {
BN_free(d);
BN_free(e);
BN_free(n);
logger(LOG_ERR, "RSA_set0_key() failed with PrivateKey for myself!");
return false;
}
return true;
}
@ -623,7 +653,7 @@ static bool setup_myself(void) {
myself->incipher = EVP_bf_cbc();
if(myself->incipher)
myself->inkeylength = myself->incipher->key_len + myself->incipher->iv_len;
myself->inkeylength = EVP_CIPHER_key_length(myself->incipher) + EVP_CIPHER_iv_length(myself->incipher);
else
myself->inkeylength = 1;
@ -657,7 +687,7 @@ static bool setup_myself(void) {
if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
if(myself->indigest) {
if(myself->inmaclength > myself->indigest->md_size) {
if(myself->inmaclength > EVP_MD_size(myself->indigest)) {
logger(LOG_ERR, "MAC length exceeds size of digest!");
return false;
} else if(myself->inmaclength < 0) {

21
src/netutl.c
View file

@ -1,7 +1,7 @@
/*
netutl.c -- some supporting network utility code
Copyright (C) 1998-2005 Ivo Timmermans
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -231,6 +231,25 @@ void sockaddrunmap(sockaddr_t *sa) {
}
}
void sockaddr_setport(sockaddr_t *sa, const char *port) {
uint16_t portnum = htons(atoi(port));
if(!portnum)
return;
switch(sa->sa.sa_family) {
case AF_INET:
sa->in.sin_port = portnum;
break;
case AF_INET6:
sa->in6.sin6_port = portnum;
break;
case AF_UNKNOWN:
free(sa->unknown.port);
sa->unknown.port = xstrdup(port);
default:
return;
}
}
/* Subnet mask handling */
int maskcmp(const void *va, const void *vb, int masklen) {

3
src/netutl.h
View file

@ -1,7 +1,7 @@
/*
netutl.h -- header file for netutl.c
Copyright (C) 1998-2005 Ivo Timmermans
2000-2009 Guus Sliepen <guus@tinc-vpn.org>
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -34,6 +34,7 @@ extern int sockaddrcmp_noport(const sockaddr_t *, const sockaddr_t *);
extern void sockaddrunmap(sockaddr_t *);
extern void sockaddrfree(sockaddr_t *);
extern void sockaddrcpy(sockaddr_t *, const sockaddr_t *);
extern void sockaddr_setport(sockaddr_t *, const char *);
extern int maskcmp(const void *, const void *, int);
extern void maskcpy(void *, const void *, int, int);
extern void mask(void *, int, int);

16
src/node.c
View file

@ -1,6 +1,6 @@
/*
node.c -- node tree management
Copyright (C) 2001-2011 Guus Sliepen <guus@tinc-vpn.org>,
Copyright (C) 2001-2016 Guus Sliepen <guus@tinc-vpn.org>,
2001-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify
@ -57,8 +57,10 @@ node_t *new_node(void) {
if(replaywin) n->late = xmalloc_and_zero(replaywin);
n->subnet_tree = new_subnet_tree();
n->edge_tree = new_edge_tree();
EVP_CIPHER_CTX_init(&n->inctx);
EVP_CIPHER_CTX_init(&n->outctx);
n->inctx = EVP_CIPHER_CTX_new();
n->outctx = EVP_CIPHER_CTX_new();
if(!n->inctx || !n->outctx)
abort();
n->mtu = MTU;
n->maxmtu = MTU;
@ -80,8 +82,8 @@ void free_node(node_t *n) {
sockaddrfree(&n->address);
EVP_CIPHER_CTX_cleanup(&n->inctx);
EVP_CIPHER_CTX_cleanup(&n->outctx);
EVP_CIPHER_CTX_free(n->outctx);
EVP_CIPHER_CTX_free(n->inctx);
if(n->mtuevent)
event_del(n->mtuevent);
@ -172,8 +174,8 @@ void dump_nodes(void) {
for(node = node_tree->head; node; node = node->next) {
n = node->data;
logger(LOG_DEBUG, " %s at %s cipher %d digest %d maclength %d compression %d options %x status %04x nexthop %s via %s pmtu %d (min %d max %d)",
n->name, n->hostname, n->outcipher ? n->outcipher->nid : 0,
n->outdigest ? n->outdigest->type : 0, n->outmaclength, n->outcompression,
n->name, n->hostname, n->outcipher ? EVP_CIPHER_nid(n->outcipher) : 0,
n->outdigest ? EVP_MD_type(n->outdigest) : 0, n->outmaclength, n->outcompression,
n->options, bitfield_to_int(&n->status, sizeof n->status), n->nexthop ? n->nexthop->name : "-",
n->via ? n->via->name : "-", n->mtu, n->minmtu, n->maxmtu);
}

6
src/node.h
View file

@ -1,6 +1,6 @@
/*
node.h -- header for node.c
Copyright (C) 2001-2012 Guus Sliepen <guus@tinc-vpn.org>,
Copyright (C) 2001-2016 Guus Sliepen <guus@tinc-vpn.org>,
2001-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify
@ -50,12 +50,12 @@ typedef struct node_t {
const EVP_CIPHER *incipher; /* Cipher type for UDP packets received from him */
char *inkey; /* Cipher key and iv */
int inkeylength; /* Cipher key and iv length */
EVP_CIPHER_CTX inctx; /* Cipher context */
EVP_CIPHER_CTX *inctx; /* Cipher context */
const EVP_CIPHER *outcipher; /* Cipher type for UDP packets sent to him*/
char *outkey; /* Cipher key and iv */
int outkeylength; /* Cipher key and iv length */
EVP_CIPHER_CTX outctx; /* Cipher context */
EVP_CIPHER_CTX *outctx; /* Cipher context */
const EVP_MD *indigest; /* Digest type for MAC of packets received from him */
int inmaclength; /* Length of MAC */

7
src/protocol.c
View file

@ -1,7 +1,7 @@
/*
protocol.c -- handle the meta-protocol, basic functions
Copyright (C) 1999-2005 Ivo Timmermans,
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -75,10 +75,11 @@ bool send_request(connection_t *c, const char *format, ...) {
input buffer anyway */
va_start(args, format);
len = vsnprintf(buffer, MAXBUFSIZE, format, args);
len = vsnprintf(buffer, sizeof buffer, format, args);
buffer[sizeof buffer - 1] = 0;
va_end(args);
if(len < 0 || len > MAXBUFSIZE - 1) {
if(len < 0 || len > sizeof buffer - 1) {
logger(LOG_ERR, "Output buffer overflow while sending request to %s (%s)",
c->name, c->hostname);
return false;

80
src/protocol_auth.c
View file

@ -1,7 +1,7 @@
/*
protocol_auth.c -- handle the meta-protocol, authentication
Copyright (C) 1999-2005 Ivo Timmermans,
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -125,8 +125,11 @@ bool send_metakey(connection_t *c) {
c->outkey = xrealloc(c->outkey, len);
if(!c->outctx)
c->outctx = xmalloc_and_zero(sizeof(*c->outctx));
if(!c->outctx) {
c->outctx = EVP_CIPHER_CTX_new();
if(!c->outctx)
abort();
}
/* Copy random data to the buffer */
@ -177,17 +180,17 @@ bool send_metakey(connection_t *c) {
/* Send the meta key */
x = send_request(c, "%d %d %d %d %d %s", METAKEY,
c->outcipher ? c->outcipher->nid : 0,
c->outdigest ? c->outdigest->type : 0, c->outmaclength,
c->outcipher ? EVP_CIPHER_nid(c->outcipher) : 0,
c->outdigest ? EVP_MD_type(c->outdigest) : 0, c->outmaclength,
c->outcompression, buffer);
/* Further outgoing requests are encrypted with the key we just generated */
if(c->outcipher) {
if(!EVP_EncryptInit(c->outctx, c->outcipher,
(unsigned char *)c->outkey + len - c->outcipher->key_len,
(unsigned char *)c->outkey + len - c->outcipher->key_len -
c->outcipher->iv_len)) {
(unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher),
(unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher) -
EVP_CIPHER_iv_length(c->outcipher))) {
logger(LOG_ERR, "Error during initialisation of cipher for %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
@ -223,8 +226,11 @@ bool metakey_h(connection_t *c) {
c->inkey = xrealloc(c->inkey, len);
if(!c->inctx)
c->inctx = xmalloc_and_zero(sizeof(*c->inctx));
if(!c->inctx) {
c->inctx = EVP_CIPHER_CTX_new();
if(!c->inctx)
abort();
}
/* Convert the challenge from hexadecimal back to binary */
@ -260,9 +266,9 @@ bool metakey_h(connection_t *c) {
}
if(!EVP_DecryptInit(c->inctx, c->incipher,
(unsigned char *)c->inkey + len - c->incipher->key_len,
(unsigned char *)c->inkey + len - c->incipher->key_len -
c->incipher->iv_len)) {
(unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher),
(unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher) -
EVP_CIPHER_iv_length(c->incipher))) {
logger(LOG_ERR, "Error during initialisation of cipher from %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
@ -283,7 +289,7 @@ bool metakey_h(connection_t *c) {
return false;
}
if(c->inmaclength > c->indigest->md_size || c->inmaclength < 0) {
if(c->inmaclength > EVP_MD_size(c->indigest) || c->inmaclength < 0) {
logger(LOG_ERR, "%s (%s) uses bogus MAC length!", c->name, c->hostname);
return false;
}
@ -367,22 +373,29 @@ bool challenge_h(connection_t *c) {
bool send_chal_reply(connection_t *c) {
char hash[EVP_MAX_MD_SIZE * 2 + 1];
EVP_MD_CTX ctx;
EVP_MD_CTX *ctx;
/* Calculate the hash from the challenge we received */
if(!EVP_DigestInit(&ctx, c->indigest)
|| !EVP_DigestUpdate(&ctx, c->mychallenge, RSA_size(myself->connection->rsa_key))
|| !EVP_DigestFinal(&ctx, (unsigned char *)hash, NULL)) {
ctx = EVP_MD_CTX_create();
if(!ctx)
abort();
if(!EVP_DigestInit(ctx, c->indigest)
|| !EVP_DigestUpdate(ctx, c->mychallenge, RSA_size(myself->connection->rsa_key))
|| !EVP_DigestFinal(ctx, (unsigned char *)hash, NULL)) {
EVP_MD_CTX_destroy(ctx);
logger(LOG_ERR, "Error during calculation of response for %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
}
EVP_MD_CTX_destroy(ctx);
/* Convert the hash to a hexadecimal formatted string */
bin2hex(hash, hash, c->indigest->md_size);
hash[c->indigest->md_size * 2] = '\0';
bin2hex(hash, hash, EVP_MD_size(c->indigest));
hash[EVP_MD_size(c->indigest) * 2] = '\0';
/* Send the reply */
@ -392,7 +405,7 @@ bool send_chal_reply(connection_t *c) {
bool chal_reply_h(connection_t *c) {
char hishash[MAX_STRING_SIZE];
char myhash[EVP_MAX_MD_SIZE];
EVP_MD_CTX ctx;
EVP_MD_CTX *ctx;
if(sscanf(c->buffer, "%*d " MAX_STRING, hishash) != 1) {
logger(LOG_ERR, "Got bad %s from %s (%s)", "CHAL_REPLY", c->name,
@ -402,7 +415,7 @@ bool chal_reply_h(connection_t *c) {
/* Check if the length of the hash is all right */
if(strlen(hishash) != c->outdigest->md_size * 2) {
if(strlen(hishash) != EVP_MD_size(c->outdigest) * 2) {
logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name,
c->hostname, "wrong challenge reply length");
return false;
@ -410,24 +423,31 @@ bool chal_reply_h(connection_t *c) {
/* Convert the hash to binary format */
if(!hex2bin(hishash, hishash, c->outdigest->md_size)) {
if(!hex2bin(hishash, hishash, EVP_MD_size(c->outdigest))) {
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "CHAL_REPLY", c->name, c->hostname, "invalid hash");
return false;
}
/* Calculate the hash from the challenge we sent */
if(!EVP_DigestInit(&ctx, c->outdigest)
|| !EVP_DigestUpdate(&ctx, c->hischallenge, RSA_size(c->rsa_key))
|| !EVP_DigestFinal(&ctx, (unsigned char *)myhash, NULL)) {
ctx = EVP_MD_CTX_create();
if(!ctx)
abort();
if(!EVP_DigestInit(ctx, c->outdigest)
|| !EVP_DigestUpdate(ctx, c->hischallenge, RSA_size(c->rsa_key))
|| !EVP_DigestFinal(ctx, (unsigned char *)myhash, NULL)) {
EVP_MD_CTX_destroy(ctx);
logger(LOG_ERR, "Error during calculation of response from %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
}
EVP_MD_CTX_destroy(ctx);
/* Verify the incoming hash with the calculated hash */
if(memcmp(hishash, myhash, c->outdigest->md_size)) {
if(memcmp(hishash, myhash, EVP_MD_size(c->outdigest))) {
logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name,
c->hostname, "wrong challenge reply");
@ -516,7 +536,6 @@ static void send_everything(connection_t *c) {
bool ack_h(connection_t *c) {
char hisport[MAX_STRING_SIZE];
char *hisaddress;
int weight, mtu;
uint32_t options;
node_t *n;
@ -585,9 +604,8 @@ bool ack_h(connection_t *c) {
c->edge = new_edge();
c->edge->from = myself;
c->edge->to = n;
sockaddr2str(&c->address, &hisaddress, NULL);
c->edge->address = str2sockaddr(hisaddress, hisport);
free(hisaddress);
sockaddrcpy(&c->edge->address, &c->address);
sockaddr_setport(&c->edge->address, hisport);
c->edge->weight = (weight + c->estimated_weight) / 2;
c->edge->connection = c;
c->edge->options = c->options;

12
src/protocol_key.c
View file

@ -164,7 +164,7 @@ bool send_ans_key(node_t *to) {
}
if(to->incipher)
EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len);
EVP_DecryptInit_ex(to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + EVP_CIPHER_key_length(to->incipher));
// Reset sequence number and late packet window
mykeyused = true;
@ -178,8 +178,8 @@ bool send_ans_key(node_t *to) {
return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY,
myself->name, to->name, key,
to->incipher ? to->incipher->nid : 0,
to->indigest ? to->indigest->type : 0, to->inmaclength,
to->incipher ? EVP_CIPHER_nid(to->incipher) : 0,
to->indigest ? EVP_MD_type(to->indigest) : 0, to->inmaclength,
to->incompression);
}
@ -268,7 +268,7 @@ bool ans_key_h(connection_t *c) {
return true;
}
if(from->outkeylength != from->outcipher->key_len + from->outcipher->iv_len) {
if(from->outkeylength != EVP_CIPHER_key_length(from->outcipher) + EVP_CIPHER_iv_length(from->outcipher)) {
logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name,
from->hostname);
return true;
@ -288,7 +288,7 @@ bool ans_key_h(connection_t *c) {
return true;
}
if(from->outmaclength > from->outdigest->md_size || from->outmaclength < 0) {
if(from->outmaclength > EVP_MD_size(from->outdigest) || from->outmaclength < 0) {
logger(LOG_ERR, "Node %s (%s) uses bogus MAC length!",
from->name, from->hostname);
return true;
@ -305,7 +305,7 @@ bool ans_key_h(connection_t *c) {
from->outcompression = compression;
if(from->outcipher)
if(!EVP_EncryptInit_ex(&from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + from->outcipher->key_len)) {
if(!EVP_EncryptInit_ex(from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + EVP_CIPHER_key_length(from->outcipher))) {
logger(LOG_ERR, "Error during initialisation of key from %s (%s): %s",
from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL));
return true;

39
src/tincd.c
View file

@ -336,7 +336,7 @@ static bool parse_options(int argc, char **argv) {
/* This function prettyprints the key generation process */
static void indicator(int a, int b, void *p) {
static int indicator(int a, int b, BN_GENCB *cb) {
switch (a) {
case 0:
fprintf(stderr, ".");
@ -368,21 +368,50 @@ static void indicator(int a, int b, void *p) {
default:
fprintf(stderr, "?");
}
return 1;
}
#ifndef HAVE_BN_GENCB_NEW
BN_GENCB *BN_GENCB_new(void) {
return xmalloc_and_zero(sizeof(BN_GENCB));
}
void BN_GENCB_free(BN_GENCB *cb) {
free(cb);
}
#endif
/*
Generate a public/private RSA keypair, and ask for a file to store
them in.
*/
static bool keygen(int bits) {
BIGNUM *e = NULL;
RSA *rsa_key;
FILE *f;
char *pubname, *privname;
BN_GENCB *cb;
int result;
fprintf(stderr, "Generating %d bits keys:\n", bits);
rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL);
if(!rsa_key) {
cb = BN_GENCB_new();
if(!cb)
abort();
BN_GENCB_set(cb, indicator, NULL);
rsa_key = RSA_new();
BN_hex2bn(&e, "10001");
if(!rsa_key || !e)
abort();
result = RSA_generate_key_ex(rsa_key, bits, e, cb);
BN_free(e);
BN_GENCB_free(cb);
if(!result) {
fprintf(stderr, "Error during key generation!\n");
return false;
} else
@ -702,7 +731,11 @@ end:
EVP_cleanup();
ENGINE_cleanup();
CRYPTO_cleanup_all_ex_data();
#ifdef HAVE_ERR_REMOVE_STATE
// OpenSSL claims this function was deprecated in 1.0.0,
// but valgrind's leak detector shows you still need to call it to make sure OpenSSL cleans up properly.
ERR_remove_state(0);
#endif
ERR_free_strings();
exit_configuration(&config_tree);

1
src/xmalloc.c
View file

@ -155,6 +155,7 @@ int xvasprintf(char **strp, const char *fmt, va_list ap) {
int result = vsnprintf(buf, sizeof buf, fmt, ap);
if(result < 0)
exit(xalloc_exit_failure);
buf[sizeof buf - 1] = 0;
*strp = xstrdup(buf);
#else
int result = vasprintf(strp, fmt, ap);