X-Git-Url: http://git.meshlink.io/?a=blobdiff_plain;f=src%2Fprotocol_key.c;h=6f4364f2a33189b4a9fc5625495a550932b982ed;hb=a42b1de9411a578f6af6fc0e9fe04b5781a0bd60;hp=fb53fe141927322e3ce2a706540e8ef7497d8315;hpb=0b8b23e0dd7219344543f135ca0aeba8a4a42d48;p=meshlink diff --git a/src/protocol_key.c b/src/protocol_key.c index fb53fe14..6f4364f2 100644 --- a/src/protocol_key.c +++ b/src/protocol_key.c @@ -1,7 +1,6 @@ /* protocol_key.c -- handle the meta-protocol, key exchange - Copyright (C) 1999-2005 Ivo Timmermans, - 2000-2012 Guus Sliepen + Copyright (C) 2014 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -20,10 +19,9 @@ #include "system.h" -#include "cipher.h" #include "connection.h" -#include "crypto.h" #include "logger.h" +#include "meshlink_internal.h" #include "net.h" #include "netutl.h" #include "node.h" @@ -36,21 +34,13 @@ static bool mykeyused = false; void send_key_changed(void) { - send_request(everyone, "%d %x %s", KEY_CHANGED, rand(), myself->name); - - /* Immediately send new keys to directly connected nodes to keep UDP mappings alive */ - - for list_each(connection_t, c, connection_list) - if(c->status.active && c->node && c->node->status.reachable && !c->node->status.sptps) - send_ans_key(c->node); + send_request(mesh->everyone, "%d %x %s", KEY_CHANGED, rand(), mesh->self->name); /* Force key exchange for connections using SPTPS */ - if(experimental) { - for splay_each(node_t, n, node_tree) - if(n->status.reachable && n->status.validkey && n->status.sptps) - sptps_force_kex(&n->sptps); - } + for splay_each(node_t, n, mesh->nodes) + if(n->status.reachable && n->status.validkey) + sptps_force_kex(&n->sptps); } bool key_changed_h(connection_t *c, const char *request) { @@ -74,15 +64,9 @@ bool key_changed_h(connection_t *c, const char *request) { return true; } - if(!n->status.sptps) { - n->status.validkey = false; - n->last_req_key = 0; - } - /* Tell the others */ - if(!tunnelserver) - forward_request(c, request); + forward_request(c, request); return true; } @@ -92,27 +76,27 @@ static bool send_initial_sptps_data(void *handle, uint8_t type, const char *data to->sptps.send_data = send_sptps_data; char buf[len * 4 / 3 + 5]; b64encode(data, buf, len); - return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, myself->name, to->name, REQ_KEY, buf); + return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, mesh->self->name, to->name, REQ_KEY, buf); } bool send_req_key(node_t *to) { - if(to->status.sptps) { - if(!node_read_ecdsa_public_key(to)) { - logger(DEBUG_PROTOCOL, LOG_DEBUG, "No ECDSA key known for %s (%s)", to->name, to->hostname); - send_request(to->nexthop->connection, "%d %s %s %d", REQ_KEY, myself->name, to->name, REQ_PUBKEY); - return true; - } - char label[25 + strlen(myself->name) + strlen(to->name)]; - snprintf(label, sizeof label, "tinc UDP key expansion %s %s", myself->name, to->name); - sptps_stop(&to->sptps); - to->status.validkey = false; - to->status.waitingforkey = true; - to->last_req_key = time(NULL); - to->incompression = myself->incompression; - return sptps_start(&to->sptps, to, true, true, myself->connection->ecdsa, to->ecdsa, label, sizeof label, send_initial_sptps_data, receive_sptps_record); + if(!node_read_ecdsa_public_key(mesh, to)) { + logger(DEBUG_PROTOCOL, LOG_DEBUG, "No ECDSA key known for %s (%s)", to->name, to->hostname); + send_request(to->nexthop->connection, "%d %s %s %d", REQ_KEY, mesh->self->name, to->name, REQ_PUBKEY); + return true; } - return send_request(to->nexthop->connection, "%d %s %s", REQ_KEY, myself->name, to->name); + if(to->sptps.label) + logger(DEBUG_ALWAYS, LOG_DEBUG, "send_req_key(%s) called while sptps->label != NULL!", to->name); + + char label[25 + strlen(mesh->self->name) + strlen(to->name)]; + snprintf(label, sizeof label, "tinc UDP key expansion %s %s", mesh->self->name, to->name); + sptps_stop(&to->sptps); + to->status.validkey = false; + to->status.waitingforkey = true; + to->last_req_key = mesh->loop.now.tv_sec; + to->incompression = mesh->self->incompression; + return sptps_start(&to->sptps, to, true, true, mesh->self->connection->ecdsa, to->ecdsa, label, sizeof label, send_initial_sptps_data, receive_sptps_record); } /* REQ_KEY is overloaded to allow arbitrary requests to be routed between two nodes. */ @@ -120,69 +104,70 @@ bool send_req_key(node_t *to) { static bool req_key_ext_h(connection_t *c, const char *request, node_t *from, int reqno) { switch(reqno) { case REQ_PUBKEY: { - char *pubkey = ecdsa_get_base64_public_key(&myself->connection->ecdsa); - send_request(from->nexthop->connection, "%d %s %s %d %s", REQ_KEY, myself->name, from->name, ANS_PUBKEY, pubkey); + char *pubkey = ecdsa_get_base64_public_key(mesh->self->connection->ecdsa); + send_request(from->nexthop->connection, "%d %s %s %d %s", REQ_KEY, mesh->self->name, from->name, ANS_PUBKEY, pubkey); free(pubkey); return true; } case ANS_PUBKEY: { - if(node_read_ecdsa_public_key(from)) { + if(node_read_ecdsa_public_key(mesh, from)) { logger(DEBUG_PROTOCOL, LOG_WARNING, "Got ANS_PUBKEY from %s (%s) even though we already have his pubkey", from->name, from->hostname); return true; } char pubkey[MAX_STRING_SIZE]; - if(sscanf(request, "%*d %*s %*s %*d " MAX_STRING, pubkey) != 1 || !ecdsa_set_base64_public_key(&from->ecdsa, pubkey)) { + if(sscanf(request, "%*d %*s %*s %*d " MAX_STRING, pubkey) != 1 || !(from->ecdsa = ecdsa_set_base64_public_key(pubkey))) { logger(DEBUG_ALWAYS, LOG_ERR, "Got bad %s from %s (%s): %s", "ANS_PUBKEY", from->name, from->hostname, "invalid pubkey"); return true; } logger(DEBUG_PROTOCOL, LOG_INFO, "Learned ECDSA public key from %s (%s)", from->name, from->hostname); - append_config_file(from->name, "ECDSAPublicKey", pubkey); + append_config_file(mesh, from->name, "ECDSAPublicKey", pubkey); return true; } case REQ_KEY: { - if(!node_read_ecdsa_public_key(from)) { + if(!node_read_ecdsa_public_key(mesh, from)) { logger(DEBUG_PROTOCOL, LOG_DEBUG, "No ECDSA key known for %s (%s)", from->name, from->hostname); - send_request(from->nexthop->connection, "%d %s %s %d", REQ_KEY, myself->name, from->name, REQ_PUBKEY); + send_request(from->nexthop->connection, "%d %s %s %d", REQ_KEY, mesh->self->name, from->name, REQ_PUBKEY); return true; } - } - case REQ_SPTPS: { + if(from->sptps.label) + logger(DEBUG_ALWAYS, LOG_DEBUG, "Got REQ_KEY from %s while we already started a SPTPS session!", from->name); + char buf[MAX_STRING_SIZE]; - if(sscanf(request, "%*d %*s %*s %*d " MAX_STRING, buf) != 1) { - logger(DEBUG_ALWAYS, LOG_ERR, "Got bad %s from %s (%s): %s", "REQ_KEY", from->name, from->hostname, "invalid SPTPS data"); + int len; + + if(sscanf(request, "%*d %*s %*s %*d " MAX_STRING, buf) != 1 || !(len = b64decode(buf, buf, strlen(buf)))) { + logger(DEBUG_ALWAYS, LOG_ERR, "Got bad %s from %s (%s): %s", "REQ_SPTPS_START", from->name, from->hostname, "invalid SPTPS data"); return true; } - int len = b64decode(buf, buf, strlen(buf)); - - char label[25 + strlen(from->name) + strlen(myself->name)]; - snprintf(label, sizeof label, "tinc UDP key expansion %s %s", from->name, myself->name); + char label[25 + strlen(from->name) + strlen(mesh->self->name)]; + snprintf(label, sizeof label, "tinc UDP key expansion %s %s", from->name, mesh->self->name); sptps_stop(&from->sptps); from->status.validkey = false; from->status.waitingforkey = true; - from->last_req_key = time(NULL); - sptps_start(&from->sptps, from, false, true, myself->connection->ecdsa, from->ecdsa, label, sizeof label, send_sptps_data, receive_sptps_record); + from->last_req_key = mesh->loop.now.tv_sec; + sptps_start(&from->sptps, from, false, true, mesh->self->connection->ecdsa, from->ecdsa, label, sizeof label, send_sptps_data, receive_sptps_record); sptps_receive_data(&from->sptps, buf, len); return true; } - case REQ_PACKET: { + case REQ_SPTPS: { if(!from->status.validkey) { - logger(DEBUG_PROTOCOL, LOG_ERR, "Got REQ_PACKET from %s (%s) but we don't have a valid key yet", from->name, from->hostname); + logger(DEBUG_PROTOCOL, LOG_ERR, "Got REQ_SPTPS from %s (%s) but we don't have a valid key yet", from->name, from->hostname); return true; } char buf[MAX_STRING_SIZE]; - if(sscanf(request, "%*d %*s %*s %*d " MAX_STRING, buf) != 1) { - logger(DEBUG_ALWAYS, LOG_ERR, "Got bad %s from %s (%s): %s", "REQ_KEY", from->name, from->hostname, "invalid SPTPS data"); + int len; + if(sscanf(request, "%*d %*s %*s %*d " MAX_STRING, buf) != 1 || !(len = b64decode(buf, buf, strlen(buf)))) { + logger(DEBUG_ALWAYS, LOG_ERR, "Got bad %s from %s (%s): %s", "REQ_SPTPS", from->name, from->hostname, "invalid SPTPS data"); return true; } - int len = b64decode(buf, buf, strlen(buf)); sptps_receive_data(&from->sptps, buf, len); return true; } @@ -228,17 +213,14 @@ bool req_key_h(connection_t *c, const char *request) { /* Check if this key request is for us */ - if(to == myself) { /* Yes */ + if(to == mesh->self) { /* Yes */ /* Is this an extended REQ_KEY message? */ - if(experimental && reqno) + if(reqno) return req_key_ext_h(c, request, from, reqno); /* No, just send our key back */ send_ans_key(from); } else { - if(tunnelserver) - return true; - if(!to->status.reachable) { logger(DEBUG_PROTOCOL, LOG_WARNING, "Got %s from %s (%s) destination %s which is not reachable", "REQ_KEY", c->name, c->hostname, to_name); @@ -252,41 +234,15 @@ bool req_key_h(connection_t *c, const char *request) { } bool send_ans_key(node_t *to) { - if(to->status.sptps) - abort(); - - size_t keylen = cipher_keylength(&myself->incipher); - char key[keylen * 2 + 1]; - - cipher_open_by_nid(&to->incipher, cipher_get_nid(&myself->incipher)); - digest_open_by_nid(&to->indigest, digest_get_nid(&myself->indigest), digest_length(&myself->indigest)); - to->incompression = myself->incompression; - - randomize(key, keylen); - cipher_set_key(&to->incipher, key, false); - digest_set_key(&to->indigest, key, keylen); - - bin2hex(key, key, keylen); - - // Reset sequence number and late packet window - mykeyused = true; - to->received_seqno = 0; - if(replaywin) memset(to->late, 0, replaywin); - - return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY, - myself->name, to->name, key, - cipher_get_nid(&to->incipher), - digest_get_nid(&to->indigest), - (int)digest_length(&to->indigest), - to->incompression); + abort(); } bool ans_key_h(connection_t *c, const char *request) { char from_name[MAX_STRING_SIZE]; char to_name[MAX_STRING_SIZE]; char key[MAX_STRING_SIZE]; - char address[MAX_STRING_SIZE] = ""; - char port[MAX_STRING_SIZE] = ""; + char address[MAX_STRING_SIZE] = ""; + char port[MAX_STRING_SIZE] = ""; int cipher, digest, maclength, compression, keylen; node_t *from, *to; @@ -321,10 +277,7 @@ bool ans_key_h(connection_t *c, const char *request) { /* Forward it if necessary */ - if(to != myself) { - if(tunnelserver) - return true; - + if(to != mesh->self) { if(!to->status.reachable) { logger(DEBUG_ALWAYS, LOG_WARNING, "Got %s from %s (%s) destination %s which is not reachable", "ANS_KEY", c->name, c->hostname, to_name); @@ -356,69 +309,22 @@ bool ans_key_h(connection_t *c, const char *request) { /* SPTPS or old-style key exchange? */ - if(from->status.sptps) { - char buf[strlen(key)]; - int len = b64decode(key, buf, strlen(key)); + char buf[strlen(key)]; + int len = b64decode(key, buf, strlen(key)); - if(!sptps_receive_data(&from->sptps, buf, len)) - logger(DEBUG_ALWAYS, LOG_ERR, "Error processing SPTPS data from %s (%s)", from->name, from->hostname); + if(!len || !sptps_receive_data(&from->sptps, buf, len)) + logger(DEBUG_ALWAYS, LOG_ERR, "Error processing SPTPS data from %s (%s)", from->name, from->hostname); - if(from->status.validkey) { - if(*address && *port) { - logger(DEBUG_PROTOCOL, LOG_DEBUG, "Using reflexive UDP address from %s: %s port %s", from->name, address, port); - sockaddr_t sa = str2sockaddr(address, port); - update_node_udp(from, &sa); - } - - if(from->options & OPTION_PMTU_DISCOVERY) - send_mtu_probe(from); + if(from->status.validkey) { + if(*address && *port) { + logger(DEBUG_PROTOCOL, LOG_DEBUG, "Using reflexive UDP address from %s: %s port %s", from->name, address, port); + sockaddr_t sa = str2sockaddr(address, port); + update_node_udp(from, &sa); } - return true; - } - - /* Check and lookup cipher and digest algorithms */ - - if(!cipher_open_by_nid(&from->outcipher, cipher)) { - logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%s) uses unknown cipher!", from->name, from->hostname); - return false; - } - - if(!digest_open_by_nid(&from->outdigest, digest, maclength)) { - logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%s) uses unknown digest!", from->name, from->hostname); - return false; - } - - if(maclength != digest_length(&from->outdigest)) { - logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%s) uses bogus MAC length!", from->name, from->hostname); - return false; - } - - /* Process key */ - - keylen = hex2bin(key, key, sizeof key); - - if(keylen != cipher_keylength(&from->outcipher)) { - logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name, from->hostname); - return true; + if(from->options & OPTION_PMTU_DISCOVERY && !(from->options & OPTION_TCPONLY)) + send_mtu_probe(from); } - /* Update our copy of the origin's packet key */ - - cipher_set_key(&from->outcipher, key, true); - digest_set_key(&from->outdigest, key, keylen); - - from->status.validkey = true; - from->sent_seqno = 0; - - if(*address && *port) { - logger(DEBUG_PROTOCOL, LOG_DEBUG, "Using reflexive UDP address from %s: %s port %s", from->name, address, port); - sockaddr_t sa = str2sockaddr(address, port); - update_node_udp(from, &sa); - } - - if(from->options & OPTION_PMTU_DISCOVERY) - send_mtu_probe(from); - return true; }