Fix initialisation of packet decryption context broken by commit 3308d13e7e3bf20cfeaf...

Instead of a single, global decryption context, each node has its own context.
However, in send_ans_key(), the global context was initialised. This commit
fixes that and removes the global context completely.

Also only set status.validkey after all checks have been evaluated.

diff --git a/src/net.h b/src/net.h
index ef21179..0f70a4b 100644 (file)
--- a/src/net.h
+++ b/src/net.h
@@ -116,7 +116,6 @@ extern bool do_prune;
 extern bool do_purge;
 extern char *myport;
 extern time_t now;
-extern EVP_CIPHER_CTX packet_ctx;
 
 /* Yes, very strange placement indeed, but otherwise the typedefs get all tangled up */
 #include "connection.h"

diff --git a/src/net_packet.c b/src/net_packet.c
index a5fede1..0126d41 100644 (file)
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -54,7 +54,6 @@
 
 int keylifetime = 0;
 int keyexpires = 0;
-EVP_CIPHER_CTX packet_ctx;
 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
 
 static void send_udppacket(node_t *, vpn_packet_t *);

diff --git a/src/net_setup.c b/src/net_setup.c
index f41f952..94e25b6 100644 (file)
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -588,8 +588,6 @@ void close_network_connections(void)
 
        if(myport) free(myport);
 
-       EVP_CIPHER_CTX_cleanup(&packet_ctx);
-
        for(i = 0; i < 4; i++)
                free(envp[i]);
 

diff --git a/src/protocol_key.c b/src/protocol_key.c
index 5baa5f4..d9719ca 100644 (file)
--- a/src/protocol_key.c
+++ b/src/protocol_key.c
@@ -127,9 +127,6 @@ bool req_key_h(connection_t *c)
        /* Check if this key request is for us */
 
        if(to == myself) {                      /* Yes, send our own key back */
-               mykeyused = true;
-               from->received_seqno = 0;
-               memset(from->late, 0, sizeof(from->late));
                send_ans_key(from);
        } else {
                if(tunnelserver)
@@ -153,18 +150,26 @@ bool send_ans_key(node_t *to)
 
        cp();
 
-       if(!to->inkey) {
-               to->incipher = myself->incipher;
-               to->inkeylength = myself->inkeylength;
-               to->indigest = myself->indigest;
-               to->incompression = myself->incompression;
-               to->inkey = xmalloc(to->inkeylength);
+       // Set key parameters
+       to->incipher = myself->incipher;
+       to->inkeylength = myself->inkeylength;
+       to->indigest = myself->indigest;
+       to->incompression = myself->incompression;
 
-               RAND_pseudo_bytes((unsigned char *)to->inkey, to->inkeylength);
-               if(to->incipher)
-                       EVP_DecryptInit_ex(&packet_ctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len);
-       }
+       // Allocate memory for key
+       to->inkey = xrealloc(to->inkey, to->inkeylength);
+
+       // Create a new key
+       RAND_pseudo_bytes((unsigned char *)to->inkey, to->inkeylength);
+       if(to->incipher)
+               EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len);
+
+       // Reset sequence number and late packet window
+       mykeyused = true;
+       to->received_seqno = 0;
+       memset(to->late, 0, sizeof(to->late));
 
+       // Convert to hexadecimal and send
        key = alloca(2 * to->inkeylength + 1);
        bin2hex(to->inkey, key, to->inkeylength);
        key[to->outkeylength * 2] = '\0';
@@ -226,19 +231,13 @@ bool ans_key_h(connection_t *c)
        }
 
        /* Update our copy of the origin's packet key */
-
-       if(from->outkey)
-               free(from->outkey);
+       from->outkey = xrealloc(from->outkey, strlen(key) / 2);
 
        from->outkey = xstrdup(key);
        from->outkeylength = strlen(key) / 2;
-       hex2bin(from->outkey, from->outkey, from->outkeylength);
-       from->outkey[from->outkeylength] = '\0';
+       hex2bin(key, from->outkey, from->outkeylength);
 
-       from->status.validkey = true;
        from->status.waitingforkey = false;
-       from->sent_seqno = 0;
-
        /* Check and lookup cipher and digest algorithms */
 
        if(cipher) {
@@ -293,6 +292,9 @@ bool ans_key_h(connection_t *c)
                        return false;
                }
 
+       from->status.validkey = true;
+       from->sent_seqno = 0;
+
        if(from->options & OPTION_PMTU_DISCOVERY && !from->mtuprobes)
                send_mtu_probe(from);