From e012e752f4f1a2b06dfab4640bbbea8f084999ff Mon Sep 17 00:00:00 2001 From: Guus Sliepen Date: Sun, 24 May 2009 19:31:31 +0200 Subject: [PATCH] Fix initialisation of packet decryption context broken by commit 3308d13e7e3bf20cfeaf6f2ab17228a9820cea66. Instead of a single, global decryption context, each node has its own context. However, in send_ans_key(), the global context was initialised. This commit fixes that and removes the global context completely. Also only set status.validkey after all checks have been evaluated. --- src/net.h | 1 - src/net_packet.c | 1 - src/net_setup.c | 2 -- src/protocol_key.c | 44 +++++++++++++++++++++++--------------------- 4 files changed, 23 insertions(+), 25 deletions(-) diff --git a/src/net.h b/src/net.h index ef21179..0f70a4b 100644 --- a/src/net.h +++ b/src/net.h @@ -116,7 +116,6 @@ extern bool do_prune; extern bool do_purge; extern char *myport; extern time_t now; -extern EVP_CIPHER_CTX packet_ctx; /* Yes, very strange placement indeed, but otherwise the typedefs get all tangled up */ #include "connection.h" diff --git a/src/net_packet.c b/src/net_packet.c index a5fede1..0126d41 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -54,7 +54,6 @@ int keylifetime = 0; int keyexpires = 0; -EVP_CIPHER_CTX packet_ctx; static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS]; static void send_udppacket(node_t *, vpn_packet_t *); diff --git a/src/net_setup.c b/src/net_setup.c index f41f952..94e25b6 100644 --- a/src/net_setup.c +++ b/src/net_setup.c @@ -588,8 +588,6 @@ void close_network_connections(void) if(myport) free(myport); - EVP_CIPHER_CTX_cleanup(&packet_ctx); - for(i = 0; i < 4; i++) free(envp[i]); diff --git a/src/protocol_key.c b/src/protocol_key.c index 5baa5f4..d9719ca 100644 --- a/src/protocol_key.c +++ b/src/protocol_key.c @@ -127,9 +127,6 @@ bool req_key_h(connection_t *c) /* Check if this key request is for us */ if(to == myself) { /* Yes, send our own key back */ - mykeyused = true; - from->received_seqno = 0; - memset(from->late, 0, sizeof(from->late)); send_ans_key(from); } else { if(tunnelserver) @@ -153,18 +150,26 @@ bool send_ans_key(node_t *to) cp(); - if(!to->inkey) { - to->incipher = myself->incipher; - to->inkeylength = myself->inkeylength; - to->indigest = myself->indigest; - to->incompression = myself->incompression; - to->inkey = xmalloc(to->inkeylength); + // Set key parameters + to->incipher = myself->incipher; + to->inkeylength = myself->inkeylength; + to->indigest = myself->indigest; + to->incompression = myself->incompression; - RAND_pseudo_bytes((unsigned char *)to->inkey, to->inkeylength); - if(to->incipher) - EVP_DecryptInit_ex(&packet_ctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len); - } + // Allocate memory for key + to->inkey = xrealloc(to->inkey, to->inkeylength); + + // Create a new key + RAND_pseudo_bytes((unsigned char *)to->inkey, to->inkeylength); + if(to->incipher) + EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len); + + // Reset sequence number and late packet window + mykeyused = true; + to->received_seqno = 0; + memset(to->late, 0, sizeof(to->late)); + // Convert to hexadecimal and send key = alloca(2 * to->inkeylength + 1); bin2hex(to->inkey, key, to->inkeylength); key[to->outkeylength * 2] = '\0'; @@ -226,19 +231,13 @@ bool ans_key_h(connection_t *c) } /* Update our copy of the origin's packet key */ - - if(from->outkey) - free(from->outkey); + from->outkey = xrealloc(from->outkey, strlen(key) / 2); from->outkey = xstrdup(key); from->outkeylength = strlen(key) / 2; - hex2bin(from->outkey, from->outkey, from->outkeylength); - from->outkey[from->outkeylength] = '\0'; + hex2bin(key, from->outkey, from->outkeylength); - from->status.validkey = true; from->status.waitingforkey = false; - from->sent_seqno = 0; - /* Check and lookup cipher and digest algorithms */ if(cipher) { @@ -293,6 +292,9 @@ bool ans_key_h(connection_t *c) return false; } + from->status.validkey = true; + from->sent_seqno = 0; + if(from->options & OPTION_PMTU_DISCOVERY && !from->mtuprobes) send_mtu_probe(from); -- 2.25.1