Sākums Izpētīt Palīdzība
Pierakstīties
OWEALs
/
tinc
spogulis no https://tinc-vpn.org/git/tinc
2
0
Atdalīts 0
Faili Problēmas 0 Vikivietne
Koks: 4712d8f92e
Atzari Tagi
tinc
/
src
/
protocol_key.c

protocol_key.c 8.7 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315 
  1. /*
    2. 

  2.     protocol_key.c -- handle the meta-protocol, key exchange
    3. 

  3.     Copyright (C) 1999-2005 Ivo Timmermans,
    4. 

  4.                   2000-2012 Guus Sliepen <guus@tinc-vpn.org>
    5. 

  5. 

  6.     This program is free software; you can redistribute it and/or modify
    7. 

  7.     it under the terms of the GNU General Public License as published by
    8. 

  8.     the Free Software Foundation; either version 2 of the License, or
    9. 

  9.     (at your option) any later version.
    10. 

  10. 

  11.     This program is distributed in the hope that it will be useful,
    12. 

  12.     but WITHOUT ANY WARRANTY; without even the implied warranty of
    13. 

  13.     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    14. 

  14.     GNU General Public License for more details.
    15. 

  15. 

  16.     You should have received a copy of the GNU General Public License along
    17. 

  17.     with this program; if not, write to the Free Software Foundation, Inc.,
    18. 

  18.     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
    19. 

  19. */
    20. 

  20. 

  21. #include "system.h"
    22. 

  22. 

  23. #include <openssl/evp.h>
    24. 

  24. #include <openssl/err.h>
    25. 

  25. #include <openssl/rand.h>
    26. 

  26. 

  27. #include "avl_tree.h"
    28. 

  28. #include "connection.h"
    29. 

  29. #include "logger.h"
    30. 

  30. #include "net.h"
    31. 

  31. #include "netutl.h"
    32. 

  32. #include "node.h"
    33. 

  33. #include "protocol.h"
    34. 

  34. #include "utils.h"
    35. 

  35. #include "xalloc.h"
    36. 

  36. 

  37. static bool mykeyused = false;
    38. 

  38. 

  39. void send_key_changed(void) {
    40. 

  40. 	avl_node_t *node;
    41. 

  41. 	connection_t *c;
    42. 

  42. 

  43. 	send_request(everyone, "%d %x %s", KEY_CHANGED, rand(), myself->name);
    44. 

  44. 

  45. 	/* Immediately send new keys to directly connected nodes to keep UDP mappings alive */
    46. 

  46. 

  47. 	for(node = connection_tree->head; node; node = node->next) {
    48. 

  48. 		c = node->data;
    49. 

  49. 		if(c->status.active && c->node && c->node->status.reachable)
    50. 

  50. 			send_ans_key(c->node);
    51. 

  51. 	}
    52. 

  52. }
    53. 

  53. 

  54. bool key_changed_h(connection_t *c) {
    55. 

  55. 	char name[MAX_STRING_SIZE];
    56. 

  56. 	node_t *n;
    57. 

  57. 

  58. 	if(sscanf(c->buffer, "%*d %*x " MAX_STRING, name) != 1) {
    59. 

  59. 		logger(LOG_ERR, "Got bad %s from %s (%s)", "KEY_CHANGED",
    60. 

  60. 			   c->name, c->hostname);
    61. 

  61. 		return false;
    62. 

  62. 	}
    63. 

  63. 

  64. 	if(!check_id(name)) {
    65. 

  65. 		logger(LOG_ERR, "Got bad %s from %s (%s): %s", "KEY_CHANGED", c->name, c->hostname, "invalid name");
    66. 

  66. 		return false;
    67. 

  67. 	}
    68. 

  68. 

  69. 	if(seen_request(c->buffer))
    70. 

  70. 		return true;
    71. 

  71. 

  72. 	n = lookup_node(name);
    73. 

  73. 

  74. 	if(!n) {
    75. 

  75. 		logger(LOG_ERR, "Got %s from %s (%s) origin %s which does not exist",
    76. 

  76. 			   "KEY_CHANGED", c->name, c->hostname, name);
    77. 

  77. 		return true;
    78. 

  78. 	}
    79. 

  79. 

  80. 	n->status.validkey = false;
    81. 

  81. 	n->last_req_key = 0;
    82. 

  82. 

  83. 	/* Tell the others */
    84. 

  84. 

  85. 	if(!tunnelserver)
    86. 

  86. 		forward_request(c);
    87. 

  87. 

  88. 	return true;
    89. 

  89. }
    90. 

  90. 

  91. bool send_req_key(node_t *to) {
    92. 

  92. 	return send_request(to->nexthop->connection, "%d %s %s", REQ_KEY, myself->name, to->name);
    93. 

  93. }
    94. 

  94. 

  95. bool req_key_h(connection_t *c) {
    96. 

  96. 	char from_name[MAX_STRING_SIZE];
    97. 

  97. 	char to_name[MAX_STRING_SIZE];
    98. 

  98. 	node_t *from, *to;
    99. 

  99. 

  100. 	if(sscanf(c->buffer, "%*d " MAX_STRING " " MAX_STRING, from_name, to_name) != 2) {
    101. 

  101. 		logger(LOG_ERR, "Got bad %s from %s (%s)", "REQ_KEY", c->name,
    102. 

  102. 			   c->hostname);
    103. 

  103. 		return false;
    104. 

  104. 	}
    105. 

  105. 

  106. 	if(!check_id(from_name) || !check_id(to_name)) {
    107. 

  107. 		logger(LOG_ERR, "Got bad %s from %s (%s): %s", "REQ_KEY", c->name, c->hostname, "invalid name");
    108. 

  108. 		return false;
    109. 

  109. 	}
    110. 

  110. 

  111. 	from = lookup_node(from_name);
    112. 

  112. 

  113. 	if(!from) {
    114. 

  114. 		logger(LOG_ERR, "Got %s from %s (%s) origin %s which does not exist in our connection list",
    115. 

  115. 			   "REQ_KEY", c->name, c->hostname, from_name);
    116. 

  116. 		return true;
    117. 

  117. 	}
    118. 

  118. 

  119. 	to = lookup_node(to_name);
    120. 

  120. 

  121. 	if(!to) {
    122. 

  122. 		logger(LOG_ERR, "Got %s from %s (%s) destination %s which does not exist in our connection list",
    123. 

  123. 			   "REQ_KEY", c->name, c->hostname, to_name);
    124. 

  124. 		return true;
    125. 

  125. 	}
    126. 

  126. 

  127. 	/* Check if this key request is for us */
    128. 

  128. 

  129. 	if(to == myself) {			/* Yes, send our own key back */
    130. 

  130. 		send_ans_key(from);
    131. 

  131. 	} else {
    132. 

  132. 		if(tunnelserver)
    133. 

  133. 			return true;
    134. 

  134. 

  135. 		if(!to->status.reachable) {
    136. 

  136. 			logger(LOG_WARNING, "Got %s from %s (%s) destination %s which is not reachable",
    137. 

  137. 				"REQ_KEY", c->name, c->hostname, to_name);
    138. 

  138. 			return true;
    139. 

  139. 		}
    140. 

  140. 

  141. 		send_request(to->nexthop->connection, "%s", c->buffer);
    142. 

  142. 	}
    143. 

  143. 

  144. 	return true;
    145. 

  145. }
    146. 

  146. 

  147. bool send_ans_key(node_t *to) {
    148. 

  148. 	// Set key parameters
    149. 

  149. 	to->incipher = myself->incipher;
    150. 

  150. 	to->inkeylength = myself->inkeylength;
    151. 

  151. 	to->indigest = myself->indigest;
    152. 

  152. 	to->inmaclength = myself->inmaclength;
    153. 

  153. 	to->incompression = myself->incompression;
    154. 

  154. 

  155. 	// Allocate memory for key
    156. 

  156. 	to->inkey = xrealloc(to->inkey, to->inkeylength);
    157. 

  157. 

  158. 	// Create a new key
    159. 

  159. 	RAND_pseudo_bytes((unsigned char *)to->inkey, to->inkeylength);
    160. 

  160. 	if(to->incipher)
    161. 

  161. 		EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len);
    162. 

  162. 

  163. 	// Reset sequence number and late packet window
    164. 

  164. 	mykeyused = true;
    165. 

  165. 	to->received_seqno = 0;
    166. 

  166. 	if(replaywin) memset(to->late, 0, replaywin);
    167. 

  167. 

  168. 	// Convert to hexadecimal and send
    169. 

  169. 	char key[2 * to->inkeylength + 1];
    170. 

  170. 	bin2hex(to->inkey, key, to->inkeylength);
    171. 

  171. 	key[to->inkeylength * 2] = '\0';
    172. 

  172. 

  173. 	return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY,
    174. 

  174. 			myself->name, to->name, key,
    175. 

  175. 			to->incipher ? to->incipher->nid : 0,
    176. 

  176. 			to->indigest ? to->indigest->type : 0, to->inmaclength,
    177. 

  177. 			to->incompression);
    178. 

  178. }
    179. 

  179. 

  180. bool ans_key_h(connection_t *c) {
    181. 

  181. 	char from_name[MAX_STRING_SIZE];
    182. 

  182. 	char to_name[MAX_STRING_SIZE];
    183. 

  183. 	char key[MAX_STRING_SIZE];
    184. 

  184. 	char address[MAX_STRING_SIZE] = "";
    185. 

  185. 	char port[MAX_STRING_SIZE] = "";
    186. 

  186. 	int cipher, digest, maclength, compression;
    187. 

  187. 	node_t *from, *to;
    188. 

  188. 

  189. 	if(sscanf(c->buffer, "%*d "MAX_STRING" "MAX_STRING" "MAX_STRING" %d %d %d %d "MAX_STRING" "MAX_STRING,
    190. 

  190. 		from_name, to_name, key, &cipher, &digest, &maclength,
    191. 

  191. 		&compression, address, port) < 7) {
    192. 

  192. 		logger(LOG_ERR, "Got bad %s from %s (%s)", "ANS_KEY", c->name,
    193. 

  193. 			   c->hostname);
    194. 

  194. 		return false;
    195. 

  195. 	}
    196. 

  196. 

  197. 	if(!check_id(from_name) || !check_id(to_name)) {
    198. 

  198. 		logger(LOG_ERR, "Got bad %s from %s (%s): %s", "ANS_KEY", c->name, c->hostname, "invalid name");
    199. 

  199. 		return false;
    200. 

  200. 	}
    201. 

  201. 

  202. 	from = lookup_node(from_name);
    203. 

  203. 

  204. 	if(!from) {
    205. 

  205. 		logger(LOG_ERR, "Got %s from %s (%s) origin %s which does not exist in our connection list",
    206. 

  206. 			   "ANS_KEY", c->name, c->hostname, from_name);
    207. 

  207. 		return true;
    208. 

  208. 	}
    209. 

  209. 

  210. 	to = lookup_node(to_name);
    211. 

  211. 

  212. 	if(!to) {
    213. 

  213. 		logger(LOG_ERR, "Got %s from %s (%s) destination %s which does not exist in our connection list",
    214. 

  214. 			   "ANS_KEY", c->name, c->hostname, to_name);
    215. 

  215. 		return true;
    216. 

  216. 	}
    217. 

  217. 

  218. 	/* Forward it if necessary */
    219. 

  219. 

  220. 	if(to != myself) {
    221. 

  221. 		if(tunnelserver)
    222. 

  222. 			return true;
    223. 

  223. 

  224. 		if(!to->status.reachable) {
    225. 

  225. 			logger(LOG_WARNING, "Got %s from %s (%s) destination %s which is not reachable",
    226. 

  226. 				"ANS_KEY", c->name, c->hostname, to_name);
    227. 

  227. 			return true;
    228. 

  228. 		}
    229. 

  229. 

  230. 		if(!*address && from->address.sa.sa_family != AF_UNSPEC) {
    231. 

  231. 			char *address, *port;
    232. 

  232. 			ifdebug(PROTOCOL) logger(LOG_DEBUG, "Appending reflexive UDP address to ANS_KEY from %s to %s", from->name, to->name);
    233. 

  233. 			sockaddr2str(&from->address, &address, &port);
    234. 

  234. 			send_request(to->nexthop->connection, "%s %s %s", c->buffer, address, port);
    235. 

  235. 			free(address);
    236. 

  236. 			free(port);
    237. 

  237. 			return true;
    238. 

  238. 		}
    239. 

  239. 

  240. 		return send_request(to->nexthop->connection, "%s", c->buffer);
    241. 

  241. 	}
    242. 

  242. 

  243. 	/* Update our copy of the origin's packet key */
    244. 

  244. 	from->outkey = xrealloc(from->outkey, strlen(key) / 2);
    245. 

  245. 	from->outkeylength = strlen(key) / 2;
    246. 

  246. 	hex2bin(key, from->outkey, from->outkeylength);
    247. 

  247. 

  248. 	/* Check and lookup cipher and digest algorithms */
    249. 

  249. 

  250. 	if(cipher) {
    251. 

  251. 		from->outcipher = EVP_get_cipherbynid(cipher);
    252. 

  252. 

  253. 		if(!from->outcipher) {
    254. 

  254. 			logger(LOG_ERR, "Node %s (%s) uses unknown cipher!", from->name,
    255. 

  255. 				   from->hostname);
    256. 

  256. 			return true;
    257. 

  257. 		}
    258. 

  258. 

  259. 		if(from->outkeylength != from->outcipher->key_len + from->outcipher->iv_len) {
    260. 

  260. 			logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name,
    261. 

  261. 				   from->hostname);
    262. 

  262. 			return true;
    263. 

  263. 		}
    264. 

  264. 	} else {
    265. 

  265. 		from->outcipher = NULL;
    266. 

  266. 	}
    267. 

  267. 

  268. 	from->outmaclength = maclength;
    269. 

  269. 

  270. 	if(digest) {
    271. 

  271. 		from->outdigest = EVP_get_digestbynid(digest);
    272. 

  272. 

  273. 		if(!from->outdigest) {
    274. 

  274. 			logger(LOG_ERR, "Node %s (%s) uses unknown digest!", from->name,
    275. 

  275. 				   from->hostname);
    276. 

  276. 			return true;
    277. 

  277. 		}
    278. 

  278. 

  279. 		if(from->outmaclength > from->outdigest->md_size || from->outmaclength < 0) {
    280. 

  280. 			logger(LOG_ERR, "Node %s (%s) uses bogus MAC length!",
    281. 

  281. 				   from->name, from->hostname);
    282. 

  282. 			return true;
    283. 

  283. 		}
    284. 

  284. 	} else {
    285. 

  285. 		from->outdigest = NULL;
    286. 

  286. 	}
    287. 

  287. 

  288. 	if(compression < 0 || compression > 11) {
    289. 

  289. 		logger(LOG_ERR, "Node %s (%s) uses bogus compression level!", from->name, from->hostname);
    290. 

  290. 		return true;
    291. 

  291. 	}
    292. 

  292. 	
    293. 

  293. 	from->outcompression = compression;
    294. 

  294. 

  295. 	if(from->outcipher)
    296. 

  296. 		if(!EVP_EncryptInit_ex(&from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + from->outcipher->key_len)) {
    297. 

  297. 			logger(LOG_ERR, "Error during initialisation of key from %s (%s): %s",
    298. 

  298. 					from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL));
    299. 

  299. 			return true;
    300. 

  300. 		}
    301. 

  301. 

  302. 	from->status.validkey = true;
    303. 

  303. 	from->sent_seqno = 0;
    304. 

  304. 

  305. 	if(*address && *port) {
    306. 

  306. 		ifdebug(PROTOCOL) logger(LOG_DEBUG, "Using reflexive UDP address from %s: %s port %s", from->name, address, port);
    307. 

  307. 		sockaddr_t sa = str2sockaddr(address, port);
    308. 

  308. 		update_node_udp(from, &sa);
    309. 

  309. 	}
    310. 

  310. 

  311. 	if(from->options & OPTION_PMTU_DISCOVERY && !from->mtuevent)
    312. 

  312. 		send_mtu_probe(from);
    313. 

  313. 

  314. 	return true;
    315. 

  315. }
    316.