cvs2cl -U cvsusers --fsf
svn-clean: maintainer-clean
- svn status --no-ignore | grep '^\?' | sed 's/^\? \+//g' | xargs rm -rf
+ svn status --no-ignore | sed -n 's/^\? \+//p' | tr '\012' '\0' | xargs -r0 rm -rf
deb:
dpkg-buildpackage -rfakeroot
AC_PREREQ(2.59)
AC_INIT
AC_CONFIG_SRCDIR([src/tincd.c])
-AM_INIT_AUTOMAKE(tinc, 1.0-cvs)
+AM_INIT_AUTOMAKE(tinc, 1.0-gnutls)
AC_CONFIG_HEADERS([config.h])
AM_MAINTAINER_MODE
;;
esac
-tinc_OPENSSL
+dnl tinc_OPENSSL
+AM_PATH_LIBGNUTLS([1.0.4], [], [AC_MSG_ERROR([GNUTLS library not found.]); break;])
tinc_ZLIB
tinc_LZO
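Review bot: The action-if-not-found argument of the new AM_PATH_LIBGNUTLS call ends with `break;` after AC_MSG_ERROR, but AC_MSG_ERROR already aborts configure, so the `break` is never reached; `[AC_MSG_ERROR([GNUTLS library not found.])]` is all that is needed. Keeping the old call as `dnl tinc_OPENSSL` leaves a dead macro invocation in the file; if OpenSSL is no longer a supported backend, delete the line (and the macro definition, wherever it lives) rather than commenting it out, and if it is meant to come back, a short `dnl` note saying why it is disabled would help the next reader.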
int getaddrinfo(const char *hostname, const char *servname, const struct addrinfo *hints, struct addrinfo **res)
{
- struct addrinfo *prev = NULL;
+ struct addrinfo *ai, *prev = NULL;
struct hostent *hp;
struct in_addr in = {0};
int i;
return EAI_NODATA;
for (i = 0; hp->h_addr_list[i]; i++) {
- *res = malloc_ai(port, ((struct in_addr *)hp->h_addr_list[i])->s_addr);
+ *ai = malloc_ai(port, ((struct in_addr *)hp->h_addr_list[i])->s_addr);
if(prev)
prev->ai_next = *res;
+ else
+ *res = ai;
- prev = *res;
+ prev = ai;
}
return 0;
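Review bot: The new loop body `*ai = malloc_ai(port, ...)` stores through `ai`, which is declared in the earlier hunk but never assigned, so this writes through an uninitialised pointer; the original line shows malloc_ai's result was assigned to `*res` (a `struct addrinfo *`), so the intended statement is `ai = malloc_ai(port, ((struct in_addr *)hp->h_addr_list[i])->s_addr);`. The unchanged `prev->ai_next = *res;` on the next line then links every element after the first back to the list head, which with the new code (where `*res` is set only once) turns the result into a cycle and loses the remaining addresses; it should become `prev->ai_next = ai;`. The result of malloc_ai is also not checked for NULL before being linked, though that predates this change. The closing brace of getaddrinfo lies outside the hunk.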
# Dutch messages for tinc
-# Copyright (C) 1999-2004 Ivo Timmermans, Guus Sliepen.
+# Copyright (C) 1999-2001 Ivo Timmermans, Guus Sliepen.
# Ivo Timmermans <ivo@o2w.nl>, 1999-2003.
# Guus Sliepen <guus@sliepen.eu.org>, 2000-2003.
msgid ""
msgstr ""
-"Project-Id-Version: tinc 1.0-svn\n"
+"Project-Id-Version: tinc 1.0-cvs\n"
"Report-Msgid-Bugs-To: tinc-devel@nl.linux.org\n"
-"POT-Creation-Date: 2004-03-15 19:28+0100\n"
-"PO-Revision-Date: 2004-03-15 19:28+0100\n"
+"POT-Creation-Date: 2004-03-15 23:20+0100\n"
+"PO-Revision-Date: 2003-10-11 16:21+0200\n"
"Last-Translator: Guus Sliepen <guus@sliepen.eu.org>\n"
"Language-Team: Dutch <vertaling@nl.linux.org>\n"
"MIME-Version: 1.0\n"
msgid "Cannot open config file %s: %s"
msgstr "Kan configuratie bestand %s niet openen: %s"
-#: src/conf.c:390
+#: src/conf.c:385
#, c-format
msgid "No value for variable `%s' on line %d while reading config file %s"
msgstr ""
"Geen waarde voor variabele `%s' op regel %d tijdens het lezen van "
"configuratie bestand %s"
-#: src/conf.c:421
+#: src/conf.c:416
#, c-format
msgid "Failed to read `%s': %s"
msgstr "Lezen van `%s' mislukte: %s"
-#: src/conf.c:443
+#: src/conf.c:438
#, c-format
msgid "Please enter a file to save %s to [%s]: "
msgstr "Geef een bestand om de %s naar de schrijven [%s]: "
-#: src/conf.c:450
+#: src/conf.c:445
#, c-format
msgid "Error while reading stdin: %s\n"
msgstr "Fout tijdens lezen van standaardinvoer: %s\n"
-#: src/conf.c:482
+#: src/conf.c:477
#, c-format
msgid "Error opening file `%s': %s\n"
msgstr "Fout bij het openen van het bestand `%s': %s\n"
msgid "BROADCAST"
msgstr "BROADCAST"
-#: src/connection.c:120
+#: src/connection.c:105
msgid "Connections:"
msgstr "Verbindingen:"
-#: src/connection.c:124
-#, c-format
-msgid " %s at %s options %lx socket %d status %04x"
+#: src/connection.c:109
+#, fuzzy, c-format
+msgid ""
+" %s at %s options %lx socket %d cipher %s digest %s compression %s kx method "
+"%s status %04x"
msgstr " %s op %s opties %lx socket %d status %04x"
-#: src/connection.c:128
+#: src/connection.c:118
msgid "End of connections."
msgstr "Einde van verbindingen."
-#: src/meta.c:46
+#: src/meta.c:42
#, c-format
msgid "Sending %d bytes of metadata to %s (%s)"
msgstr "Verzenden van %d bytes metadata naar %s (%s)"
-#: src/meta.c:52
-#, c-format
-msgid "Error while encrypting metadata to %s (%s): %s"
-msgstr "Fout tijdens versleutelen van metadata naar %s (%s): %s"
-
-#: src/meta.c:65 src/meta.c:118
+#: src/meta.c:50 src/meta.c:114
#, c-format
msgid "Connection closed by %s (%s)"
msgstr "Verbinding beëindigd door %s (%s)"
-#: src/meta.c:70
+#: src/meta.c:55
#, c-format
msgid "Sending meta data to %s (%s) failed: %s"
msgstr "Fout tijdens verzenden metadata naar %s (%s): %s"
-#: src/meta.c:123
+#: src/meta.c:97
+msgid "Continuing handshake..."
+msgstr ""
+
+#: src/meta.c:100
+#, fuzzy, c-format
+msgid "Handshake with %s (%s) completed!"
+msgstr "Verbinding met %s (%s) geactiveerd"
+
+#: src/meta.c:106
+#, fuzzy, c-format
+msgid "Handshake with %s (%s) failed: %s"
+msgstr "Fout tijdens verzenden metadata naar %s (%s): %s"
+
+#: src/meta.c:119
#, c-format
msgid "Metadata socket read error for %s (%s): %s"
msgstr "Fout op metadata socket voor %s (%s) tijdens lezen: %s"
-#: src/meta.c:138
-#, c-format
-msgid "Error while decrypting metadata from %s (%s): %s"
-msgstr "Fout tijdens ontsleutelen van metadata van %s (%s): %s"
-
-#: src/meta.c:191
+#: src/meta.c:172
#, c-format
msgid "Metadata read buffer overflow for %s (%s)"
msgstr "Metadata leesbuffer overloop voor %s (%s)"
msgid "Unable to reread configuration file, exitting."
msgstr "Kan configuratiebestand niet herlezen, beëindigen."
-#: src/net_packet.c:75
-#, c-format
+#: src/net_packet.c:70
+#, fuzzy, c-format
msgid "No response to MTU probes from %s (%s)"
-msgstr "Geen antwoord van %s (%s) op MTU probes"
+msgstr "%d pakketten van %s (%s) verloren"
-#: src/net_packet.c:82
+#: src/net_packet.c:77
#, c-format
msgid "Fixing MTU of %s (%s) to %d after %d probes"
-msgstr "MTU van %s (%s) vastgezet op %d na %d probes"
+msgstr ""
-#: src/net_packet.c:94
-#, c-format
+#: src/net_packet.c:89
+#, fuzzy, c-format
msgid "Sending MTU probe length %d to %s (%s)"
-msgstr "Verzending MTU probe lengte %d naar %s (%s)"
+msgstr "Verzending %s naar %s (%s)"
-#: src/net_packet.c:107
-#, c-format
+#: src/net_packet.c:102
+#, fuzzy, c-format
msgid "Got MTU probe length %d from %s (%s)"
-msgstr "Kreeg MTU probe met verkeerde lengte %d van %s (%s)"
+msgstr "Kreeg verkeerde %s van %s (%s)"
-#: src/net_packet.c:164
+#: src/net_packet.c:159
#, c-format
msgid "Received packet of %d bytes from %s (%s)"
msgstr "Ontvangst pakket van %d bytes van %s (%s)"
-#: src/net_packet.c:185 src/route.c:108
+#: src/net_packet.c:181 src/route.c:108
#, c-format
msgid "Got too short packet from %s (%s)"
msgstr "Kreeg te kort pakket van %s (%s)"
-#: src/net_packet.c:198
+#: src/net_packet.c:195
#, c-format
msgid "Got unauthenticated packet from %s (%s)"
msgstr "Kreeg niet-geauthenticeerd pakket van %s (%s)"
-#: src/net_packet.c:213
+#: src/net_packet.c:210
#, c-format
msgid "Error decrypting packet from %s (%s): %s"
msgstr "Fout tijdens ontsleutelen pakket van %s (%s): %s"
-#: src/net_packet.c:229
-#, c-format
-msgid "Lost %d packets from %s (%s)"
+#: src/net_packet.c:235
+#, fuzzy, c-format
+msgid "Lost %u packets from %s (%s)"
msgstr "%d pakketten van %s (%s) verloren"
-#: src/net_packet.c:235
-#, c-format
-msgid "Got late or replayed packet from %s (%s), seqno %d, last received %d"
+#: src/net_packet.c:241
+#, fuzzy, c-format
+msgid "Got late or replayed packet from %s (%s), seqno %u, last received %u"
msgstr ""
"Kreeg laat of gedupliceerd pakket van %s (%s), seqno %d, laatste ontvangen %d"
-#: src/net_packet.c:255
+#: src/net_packet.c:263
#, c-format
msgid "Error while uncompressing packet from %s (%s)"
msgstr "Fout tijdens decomprimeren pakket van %s (%s)"
-#: src/net_packet.c:303
+#: src/net_packet.c:313
#, c-format
msgid "No valid key known yet for %s (%s), queueing packet"
msgstr ""
"Nog geen geldige sleutel bekend voor %s (%s), pakket wordt in wachtrij gezet"
-#: src/net_packet.c:332
+#: src/net_packet.c:342
#, c-format
msgid "Error while compressing packet to %s (%s)"
msgstr "Fout tijdens comprimeren pakket naar %s (%s)"
-#: src/net_packet.c:354
+#: src/net_packet.c:386
#, c-format
msgid "Error while encrypting packet to %s (%s): %s"
msgstr "Fout tijdens versleutelen pakket naar %s (%s): %s"
-#: src/net_packet.c:386
+#: src/net_packet.c:400
+#, fuzzy, c-format
+msgid "Error while authenticating packet to %s (%s)"
+msgstr "Fout tijdens versleutelen pakket naar %s (%s): %s"
+
+#: src/net_packet.c:424
#, c-format
msgid "Setting outgoing packet priority to %d"
msgstr "Instellen prioriteit uitgaand pakket op %d"
-#: src/net_packet.c:388 src/net_setup.c:475 src/net_socket.c:72
-#: src/net_socket.c:123 src/net_socket.c:152 src/tincd.c:434 src/tincd.c:468
-#: src/process.c:198 src/process.c:231 src/process.c:417
-#: src/cygwin/device.c:150 src/cygwin/device.c:181 src/mingw/device.c:82
-#: src/mingw/device.c:91 src/mingw/device.c:96 src/mingw/device.c:252
-#: src/mingw/device.c:259 src/mingw/device.c:264 src/mingw/device.c:271
-#: src/mingw/device.c:280 src/mingw/device.c:287
+#: src/net_packet.c:426 src/net_setup.c:488 src/net_socket.c:84
+#: src/net_socket.c:135 src/net_socket.c:164 src/net_socket.c:437
+#: src/tincd.c:436 src/tincd.c:468 src/process.c:198 src/process.c:231
+#: src/process.c:417 src/cygwin/device.c:150 src/cygwin/device.c:181
+#: src/mingw/device.c:82 src/mingw/device.c:91 src/mingw/device.c:96
+#: src/mingw/device.c:252 src/mingw/device.c:259 src/mingw/device.c:264
+#: src/mingw/device.c:271 src/mingw/device.c:280 src/mingw/device.c:287
#, c-format
msgid "System call `%s' failed: %s"
msgstr "Systeemaanroep `%s' mislukte: %s"
-#: src/net_packet.c:399
+#: src/net_packet.c:437
#, c-format
msgid "Error sending packet to %s (%s): %s"
msgstr "Fout tijdens verzenden pakket naar %s (%s): %s"
-#: src/net_packet.c:422
+#: src/net_packet.c:460
#, c-format
msgid "Sending packet of %d bytes to %s (%s)"
msgstr "Verzending pakket van %d bytes naar %s (%s)"
-#: src/net_packet.c:426
+#: src/net_packet.c:464
#, c-format
msgid "Node %s (%s) is not reachable"
msgstr "Node %s (%s) is niet bereikbaar"
-#: src/net_packet.c:434
+#: src/net_packet.c:472
#, c-format
msgid "Sending packet to %s via %s (%s)"
msgstr "Verzending pakket naar %s via %s (%s)"
-#: src/net_packet.c:453
+#: src/net_packet.c:491
#, c-format
msgid "Broadcasting packet of %d bytes from %s (%s)"
msgstr "Verspreiding pakket van %d bytes van %s (%s)"
-#: src/net_packet.c:470
+#: src/net_packet.c:508
#, c-format
msgid "Flushing queue for %s (%s)"
msgstr "Legen van wachtrij voor %s (%s)"
-#: src/net_packet.c:492
+#: src/net_packet.c:530
#, c-format
msgid "Receiving packet failed: %s"
msgstr "Ontvangst pakket mislukt: %s"
-#: src/net_packet.c:502
+#: src/net_packet.c:540
#, c-format
msgid "Received UDP packet from unknown source %s"
msgstr "Ontvangst UDP pakket van onbekende oorsprong %s"
-#: src/net_setup.c:77 src/net_setup.c:94
+#: src/net_setup.c:76 src/net_setup.c:93
#, c-format
msgid "Error reading RSA public key file `%s': %s"
msgstr "Fout tijdens lezen RSA publieke sleutel bestand `%s': %s"
-#: src/net_setup.c:109
+#: src/net_setup.c:108
#, c-format
msgid "Reading RSA public key file `%s' failed: %s"
msgstr "Lezen RSA publieke sleutel bestand `%s' mislukt: %s"
-#: src/net_setup.c:145
+#: src/net_setup.c:144
#, c-format
msgid "No public key for %s specified!"
msgstr "Geen publieke sleutel bekend voor %s gespecificeerd!"
-#: src/net_setup.c:160
-msgid "PrivateKey used but no PublicKey found!"
-msgstr "PrivateKey gebruikt maar geen PublicKey gevonden!"
-
-#: src/net_setup.c:179
-#, c-format
-msgid "Error reading RSA private key file `%s': %s"
+#: src/net_setup.c:163
+#, fuzzy, c-format
+msgid "Error reading trust file '%s': %s"
msgstr "Fout tijdens lezen RSA privé sleutel bestand `%s': %s"
-#: src/net_setup.c:187
-#, c-format
-msgid "Could not stat RSA private key file `%s': %s'"
-msgstr "Kon gegevens RSA privé sleutel bestand `%s' niet opvragen: %s"
+#: src/net_setup.c:173
+#, fuzzy, c-format
+msgid "Error reading CRL file '%s': %s"
+msgstr "Fout bij het openen van het bestand `%s': %s\n"
-#: src/net_setup.c:194
-#, c-format
-msgid "Warning: insecure file permissions for RSA private key file `%s'!"
+#: src/net_setup.c:188
+msgid "JOEHOE"
msgstr ""
-"Waarschuwing: onveilige permissies voor RSA privé sleutel bestand `%s'!"
-#: src/net_setup.c:201
-#, c-format
-msgid "Reading RSA private key file `%s' failed: %s"
-msgstr "Fout tijdens lezen RSA privé sleutel bestand `%s': %s"
+#: src/net_setup.c:194
+#, fuzzy, c-format
+msgid "Error reading credentials from %s and %s: %s"
+msgstr "Fout tijdens lezen van %s %s: %s"
-#: src/net_setup.c:231 src/net_setup.c:232
+#: src/net_setup.c:226 src/net_setup.c:227
msgid "MYSELF"
msgstr "MIJZELF"
-#: src/net_setup.c:238
+#: src/net_setup.c:233
msgid "Name for tinc daemon required!"
msgstr "Naam voor tinc daemon verplicht!"
-#: src/net_setup.c:243
+#: src/net_setup.c:238
msgid "Invalid name for myself!"
msgstr "Ongeldige naam voor mijzelf!"
-#: src/net_setup.c:252
+#: src/net_setup.c:250
msgid "Cannot open host configuration file for myself!"
msgstr "Kan host configuratie bestand voor mijzelf niet openen!"
-#: src/net_setup.c:305
+#: src/net_setup.c:300
msgid "Invalid routing mode!"
msgstr "Ongeldige routing modus!"
-#: src/net_setup.c:316
+#: src/net_setup.c:311
msgid "PriorityInheritance not supported on this platform"
msgstr "PriorityInheritance wordt niet ondersteund op dit platform"
-#: src/net_setup.c:324
+#: src/net_setup.c:319
msgid "Bogus maximum timeout!"
msgstr "Onzinnige maximum timeout!"
-#: src/net_setup.c:338
+#: src/net_setup.c:333
msgid "Invalid address family!"
msgstr "Ongeldige adresfamilie!"
-#: src/net_setup.c:356
+#: src/net_setup.c:350
msgid "Unrecognized cipher type!"
msgstr "Onbekend cipher type!"
-#: src/net_setup.c:381 src/protocol_auth.c:189
+#: src/net_setup.c:361
#, c-format
msgid "Error during initialisation of cipher for %s (%s): %s"
msgstr "Fout tijdens initialisatie van cipher voor %s (%s): %s"
-#: src/net_setup.c:398
+#: src/net_setup.c:375
+#, c-format
+msgid "Key %s len %d"
+msgstr ""
+
+#: src/net_setup.c:395
msgid "Unrecognized digest type!"
msgstr "Onbekend digest type!"
-#: src/net_setup.c:411
+#: src/net_setup.c:407
+#, fuzzy, c-format
+msgid "Error during initialisation of digest for %s (%s): %s"
+msgstr "Fout tijdens initialisatie van cipher voor %s (%s): %s"
+
+#: src/net_setup.c:428
msgid "MAC length exceeds size of digest!"
msgstr "MAC lengte is groter dan dat van digest!"
-#: src/net_setup.c:414
+#: src/net_setup.c:431
msgid "Bogus MAC length!"
msgstr "Onzinnige MAC lengte!"
-#: src/net_setup.c:428
+#: src/net_setup.c:443
msgid "Bogus compression level!"
msgstr "Onzinnig compressieniveau!"
-#: src/net_setup.c:497
+#: src/net_setup.c:510
#, c-format
msgid "Listening on %s"
msgstr "Luisterend op %s"
-#: src/net_setup.c:508
+#: src/net_setup.c:521
msgid "Ready"
msgstr "Gereed"
-#: src/net_setup.c:510
+#: src/net_setup.c:523
msgid "Unable to create any listening socket!"
msgstr "Kon geen enkele luistersocket aanmaken!"
-#: src/net_socket.c:62
+#: src/net_socket.c:74
#, c-format
msgid "Creating metasocket failed: %s"
msgstr "Aanmaak van metasocket mislukt: %s"
-#: src/net_socket.c:103 src/net_socket.c:195
+#: src/net_socket.c:115 src/net_socket.c:207
#, c-format
msgid "Can't bind to interface %s: %s"
msgstr "Kan niet aan interface %s binden: %s"
-#: src/net_socket.c:108
+#: src/net_socket.c:120
msgid "BindToInterface not supported on this platform"
msgstr "BindToInterface wordt niet ondersteund op dit platform"
-#: src/net_socket.c:115
+#: src/net_socket.c:127
#, c-format
msgid "Can't bind to %s/tcp: %s"
msgstr "Kan niet aan %s/tcp binden: %s"
-#: src/net_socket.c:142
+#: src/net_socket.c:154
#, c-format
msgid "Creating UDP socket failed: %s"
msgstr "Aanmaak UDP socket mislukte: %s"
-#: src/net_socket.c:206
+#: src/net_socket.c:218
#, c-format
msgid "Can't bind to %s/udp: %s"
msgstr "Kan niet aan %s/udp binden: %s"
-#: src/net_socket.c:233
+#: src/net_socket.c:245
#, c-format
msgid "Trying to re-establish outgoing connection in %d seconds"
msgstr "Poging tot herstellen van uitgaande verbinding over %d seconden"
-#: src/net_socket.c:241
+#: src/net_socket.c:255
#, c-format
msgid "Connected to %s (%s)"
msgstr "Verbonden met %s (%s)"
-#: src/net_socket.c:258
+#: src/net_socket.c:278
#, c-format
msgid "Could not set up a meta connection to %s"
msgstr "Kon geen metaverbinding aangaan met %s"
-#: src/net_socket.c:292
+#: src/net_socket.c:312
#, c-format
msgid "Trying to connect to %s (%s)"
msgstr "Poging tot verbinden met %s (%s)"
-#: src/net_socket.c:298
+#: src/net_socket.c:318
#, c-format
msgid "Creating socket for %s failed: %s"
msgstr "Aanmaken socket voor %s mislukt: %s"
-#: src/net_socket.c:322
+#: src/net_socket.c:342
#, c-format
msgid "fcntl for %s: %s"
msgstr "fcntl voor %s: %s"
-#: src/net_socket.c:338
+#: src/net_socket.c:358
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
-#: src/net_socket.c:359
+#: src/net_socket.c:363
+#, fuzzy
+msgid "finishing connection"
+msgstr "Einde van verbindingen."
+
+#: src/net_socket.c:380
#, c-format
msgid "Already connected to %s"
msgstr "Reeds verbonden met %s"
-#: src/net_socket.c:378
+#: src/net_socket.c:395
#, c-format
msgid "No address specified for %s"
msgstr "Geen adres gespecificeerd voor %s"
-#: src/net_socket.c:408
+#: src/net_socket.c:426
#, c-format
msgid "Accepting a new connection failed: %s"
msgstr "Aanname van nieuwe verbinding is mislukt: %s"
-#: src/net_socket.c:426
+#: src/net_socket.c:453
#, c-format
msgid "Connection from %s"
msgstr "Verbinding van %s"
-#: src/net_socket.c:450
+#: src/net_socket.c:484
#, c-format
msgid "Invalid name for outgoing connection in %s line %d"
msgstr "Ongeldige naam voor uitgaande verbinding in %s regel %d"
msgid "Aging past requests: deleted %d, left %d"
msgstr "Veroudering vorige verzoeken: %d gewist, %d overgebleven"
-#: src/protocol_auth.c:58 src/protocol_auth.c:209 src/protocol_auth.c:338
-#: src/protocol_auth.c:405 src/protocol_auth.c:531 src/protocol_edge.c:73
-#: src/protocol_edge.c:188 src/protocol_key.c:62 src/protocol_key.c:105
-#: src/protocol_key.c:172 src/protocol_misc.c:54 src/protocol_misc.c:83
-#: src/protocol_misc.c:171 src/protocol_subnet.c:58 src/protocol_subnet.c:167
-#, c-format
-msgid "Got bad %s from %s (%s)"
-msgstr "Kreeg verkeerde %s van %s (%s)"
-
-#: src/protocol_auth.c:66 src/protocol_edge.c:81 src/protocol_edge.c:87
-#: src/protocol_edge.c:196 src/protocol_edge.c:202 src/protocol_subnet.c:66
-#: src/protocol_subnet.c:74 src/protocol_subnet.c:175
-#: src/protocol_subnet.c:196
-#, c-format
-msgid "Got bad %s from %s (%s): %s"
-msgstr "Kreeg verkeerde %s van %s (%s): %s"
-
-#: src/protocol_auth.c:75
-#, c-format
-msgid "Peer %s is %s instead of %s"
-msgstr "Ander %s is %s in plaats van %s"
-
-#: src/protocol_auth.c:85
+#: src/protocol_auth.c:53
#, c-format
-msgid "Peer %s (%s) uses incompatible version %d"
-msgstr "Ander %s (%s) gebruikt incompatibele versie %d"
-
-#: src/protocol_auth.c:101
-#, c-format
-msgid "Peer %s had unknown identity (%s)"
-msgstr "Ander %s heeft onbekende identiteit (%s)"
-
-#: src/protocol_auth.c:153
-#, c-format
-msgid "Generated random meta key (unencrypted): %s"
-msgstr "Willekeurige meta sleutel aangemaakt (niet versleuteld): %s"
+msgid "No certificates from %s"
+msgstr ""
-#: src/protocol_auth.c:165 src/protocol_auth.c:238
-#, c-format
-msgid "Error during encryption of meta key for %s (%s)"
-msgstr "Fout tijdens versleutelen van meta key voor %s (%s)"
+#: src/protocol_auth.c:63
+#, fuzzy, c-format
+msgid "Error importing certificate from %s: %s"
+msgstr "Fout tijdens ontsleutelen pakket van %s (%s): %s"
-#: src/protocol_auth.c:219 src/protocol_auth.c:348 src/protocol_auth.c:413
-#: src/protocol_auth.c:435
-#, c-format
-msgid "Possible intruder %s (%s): %s"
-msgstr "Mogelijke indringer %s (%s): %s"
+#: src/protocol_auth.c:70
+#, fuzzy, c-format
+msgid "No name in certificate from %s"
+msgstr "Fout tijdens ontsleutelen pakket van %s (%s): %s"
-#: src/protocol_auth.c:246
-#, c-format
-msgid "Received random meta key (unencrypted): %s"
-msgstr "Ontving willekeurige meta key (niet versleuteld): %s"
+#: src/protocol_auth.c:79
+#, fuzzy, c-format
+msgid "Invalid name from %s"
+msgstr "Ongeldige naam voor mijzelf!"
-#: src/protocol_auth.c:257
+#: src/protocol_auth.c:85
#, c-format
-msgid "%s (%s) uses unknown cipher!"
-msgstr "%s (%s) gebruikt onbekende cipher!"
+msgid "Peer %s is %s instead of %s"
+msgstr "Ander %s is %s in plaats van %s"
-#: src/protocol_auth.c:265
+#: src/protocol_auth.c:96
#, c-format
-msgid "Error during initialisation of cipher from %s (%s): %s"
-msgstr "Fout tijdens initalisatie van cipher van %s (%s): %s"
+msgid "Certificate from %s (%s) invalid"
+msgstr ""
-#: src/protocol_auth.c:281 src/protocol_key.c:242
+#: src/protocol_auth.c:98
#, c-format
-msgid "Node %s (%s) uses unknown digest!"
-msgstr "Node %s (%s) gebruikt onbekende digest!"
+msgid "Certificate from %s (%s) revoked"
+msgstr ""
-#: src/protocol_auth.c:286
+#: src/protocol_auth.c:100
#, c-format
-msgid "%s (%s) uses bogus MAC length!"
-msgstr "%s (%s) gebruikt onzinnige MAC lengte!"
+msgid "Certificate from %s (%s) has no known signer"
+msgstr ""
-#: src/protocol_auth.c:381
+#: src/protocol_auth.c:102
#, c-format
-msgid "Error during calculation of response for %s (%s): %s"
-msgstr "Fout tijdens berekenen van antwoord voor %s (%s): %s"
-
-#: src/protocol_auth.c:414
-msgid "wrong challenge reply length"
-msgstr "verkeerde lengte antwoord op uitdaging"
+msgid "Certificate from %s (%s) has no CA as signer"
+msgstr ""
-#: src/protocol_auth.c:427
+#: src/protocol_auth.c:109
#, c-format
-msgid "Error during calculation of response from %s (%s): %s"
-msgstr "Fout tijdens narekenen van antwoord van %s (%s): %s"
-
-#: src/protocol_auth.c:436
-msgid "wrong challenge reply"
-msgstr "verkeerd antwoord op uitdaging"
+msgid "Peer %s had unknown identity (%s)"
+msgstr "Ander %s heeft onbekende identiteit (%s)"
-#: src/protocol_auth.c:441
+#: src/protocol_auth.c:188 src/protocol_edge.c:73 src/protocol_edge.c:188
+#: src/protocol_key.c:62 src/protocol_key.c:105 src/protocol_key.c:176
+#: src/protocol_misc.c:54 src/protocol_misc.c:83 src/protocol_misc.c:171
+#: src/protocol_subnet.c:58 src/protocol_subnet.c:167
#, c-format
-msgid "Expected challenge reply: %s"
-msgstr "Verwachtte antwoord op uitdaging: %s"
+msgid "Got bad %s from %s (%s)"
+msgstr "Kreeg verkeerde %s van %s (%s)"
-#: src/protocol_auth.c:547
+#: src/protocol_auth.c:204
#, c-format
msgid "Established a second connection with %s (%s), closing old connection"
msgstr "Tweede verbinding met %s (%s) gemaakt, oude verbinding wordt gesloten"
-#: src/protocol_auth.c:570
+#: src/protocol_auth.c:227
#, c-format
msgid "Connection with %s (%s) activated"
msgstr "Verbinding met %s (%s) geactiveerd"
+#: src/protocol_edge.c:81 src/protocol_edge.c:87 src/protocol_edge.c:196
+#: src/protocol_edge.c:202 src/protocol_subnet.c:66 src/protocol_subnet.c:74
+#: src/protocol_subnet.c:175 src/protocol_subnet.c:196
+#, c-format
+msgid "Got bad %s from %s (%s): %s"
+msgstr "Kreeg verkeerde %s van %s (%s): %s"
+
#: src/protocol_edge.c:82 src/protocol_edge.c:88 src/protocol_edge.c:197
#: src/protocol_edge.c:203 src/protocol_subnet.c:67 src/protocol_subnet.c:176
msgid "invalid name"
msgid "Got %s from %s (%s) origin %s which does not exist"
msgstr "Kreeg %s van %s (%s) herkomst %s welke niet bestaat"
-#: src/protocol_key.c:113 src/protocol_key.c:180
+#: src/protocol_key.c:113 src/protocol_key.c:184
#, c-format
msgid ""
"Got %s from %s (%s) origin %s which does not exist in our connection list"
msgstr ""
"Kreeg %s van %s (%s) herkomst %s welke niet voorkomt in de verbindingslijst"
-#: src/protocol_key.c:121 src/protocol_key.c:188
+#: src/protocol_key.c:121 src/protocol_key.c:192
#, c-format
msgid ""
"Got %s from %s (%s) destination %s which does not exist in our connection "
msgstr ""
"Kreeg %s van %s (%s) doel %s welke niet voorkomt in de verbindingslijst"
-#: src/protocol_key.c:222
+#: src/protocol_key.c:211
#, c-format
msgid "Node %s (%s) uses unknown cipher!"
msgstr "Node %s (%s) gebruikt onbekende cipher!"
-#: src/protocol_key.c:228
+#: src/protocol_key.c:227
#, c-format
-msgid "Node %s (%s) uses wrong keylength!"
-msgstr "Node %s (%s) gebruikt verkeerde lengte sleutel!"
+msgid "Node %s (%s) uses unknown digest!"
+msgstr "Node %s (%s) gebruikt onbekende digest!"
-#: src/protocol_key.c:248
+#: src/protocol_key.c:235
#, c-format
msgid "Node %s (%s) uses bogus MAC length!"
msgstr "Node %s (%s) gebruikt onzinnige MAC lengte!"
-#: src/protocol_key.c:257
+#: src/protocol_key.c:244
#, c-format
msgid "Node %s (%s) uses bogus compression level!"
msgstr "Node %s (%s) gebruikt onzinnig compressieniveau!"
-#: src/protocol_key.c:265
+#: src/protocol_key.c:260
+#, fuzzy, c-format
+msgid "Node %s (%s) uses wrong keylength %d instead of %d!"
+msgstr "Node %s (%s) gebruikt verkeerde lengte sleutel!"
+
+#: src/protocol_key.c:277 src/protocol_key.c:288
#, c-format
msgid "Error during initialisation of key from %s (%s): %s"
msgstr "Fout tijdens initialisatie van sleutel van %s (%s): %s"
msgid "End of subnet list."
msgstr "Einde van subnet lijst."
-#: src/tincd.c:108
+#: src/tincd.c:105
#, c-format
msgid "Try `%s --help' for more information.\n"
msgstr "Probeer `%s --help' voor meer informatie.\n"
-#: src/tincd.c:111
+#: src/tincd.c:108
#, c-format
msgid ""
"Usage: %s [option]...\n"
"Gebruik: %s [optie]...\n"
"\n"
-#: src/tincd.c:112
+#: src/tincd.c:109
#, c-format
msgid ""
" -c, --config=DIR Read configuration options from DIR.\n"
" --version Geef versie informatie en beëindig.\n"
"\n"
-#: src/tincd.c:123
+#: src/tincd.c:120
#, c-format
msgid "Report bugs to tinc@nl.linux.org.\n"
msgstr ""
"Meld fouten in het programma aan tinc@nl.linux.org;\n"
"Meld fouten in de vertaling aan vertaling@nl.linux.org.\n"
-#: src/tincd.c:179
+#: src/tincd.c:176
#, c-format
msgid ""
"Invalid argument `%s'; SIGNAL must be a number or one of HUP, TERM, KILL, "
"Ongeldig argument `%s'; SIGNAAL moet een getal zijn of één van HUP, TERM, "
"KILL, USR1, USR2, WINCH, INT of ALRM.\n"
-#: src/tincd.c:201
+#: src/tincd.c:198
#, c-format
msgid ""
"Invalid argument `%s'; BITS must be a number equal to or greater than 512.\n"
"Ongeldig argument `%s'; BITS moet een nummer zijn gelijk aan of groter dan "
"512.\n"
-#: src/tincd.c:294
+#: src/tincd.c:286
+#, c-format
+msgid "Use certtool!\n"
+msgstr ""
+
+#: src/tincd.c:295
#, c-format
msgid "Generating %d bits keys:\n"
msgstr "Bezig met genereren van een %d bits sleutel:\n"
-#: src/tincd.c:298
+#: src/tincd.c:299
#, c-format
msgid "Error during key generation!\n"
msgstr "Fout tijdens genereren sleutel!\n"
-#: src/tincd.c:301
+#: src/tincd.c:302
#, c-format
msgid "Done.\n"
msgstr "Klaar.\n"
-#: src/tincd.c:304
+#: src/tincd.c:305
msgid "private RSA key"
msgstr "geheime RSA sleutel"
-#: src/tincd.c:315 src/tincd.c:334
+#: src/tincd.c:316 src/tincd.c:335
#, c-format
msgid ""
"Appending key to existing contents.\n"
"Sleutel wordt toegevoegd aan bestaande inhoud.\n"
"Let er op dat er slechts één sleutel in het bestand is.\n"
-#: src/tincd.c:328
+#: src/tincd.c:329
msgid "public RSA key"
msgstr "openbare RSA sleutel"
-#: src/tincd.c:387
+#: src/tincd.c:389
msgid "Both netname and configuration directory given, using the latter..."
msgstr ""
"Zowel netnaam als configuratiemap zijn gegeven, laatste wordt gebruikt..."
-#: src/tincd.c:408
+#: src/tincd.c:410
#, c-format
msgid "%s version %s (built %s %s, protocol %d)\n"
msgstr "%s versie %s (gemaakt %s %s, protocol %d)\n"
-#: src/tincd.c:410
+#: src/tincd.c:412
#, c-format
msgid ""
"Copyright (C) 1998-2003 Ivo Timmermans, Guus Sliepen and others.\n"
"en je bent welkom om het te distribueren onder bepaalde voorwaarden;\n"
"zie het bestand COPYING voor details.\n"
-#: src/tincd.c:438
+#: src/tincd.c:440
msgid "mlockall() not supported on this platform!"
msgstr "mlockall() wordt niet ondersteund op dit platform!"
msgstr "Een tincd draait al met pid %ld.\n"
#: src/process.c:261
-#, c-format
+#, fuzzy, c-format
msgid "Could write pid file %s: %s\n"
-msgstr "Kon pid bestand %s niet openen: %s\n"
+msgstr "Kon `%s' niet openen: %s"
#: src/process.c:283
#, c-format
msgstr "Kon niet ontkoppelen van terminal: %s"
#: src/process.c:341
-#, c-format
+#, fuzzy, c-format
msgid "Could not write pid file %s: %s\n"
-msgstr "Kon pid bestand %s niet schrijven: %s\n"
+msgstr "Kon `%s' niet openen: %s"
#: src/process.c:352
#, c-format
#: src/route.c:165
#, c-format
msgid "Subnet %s expired"
-msgstr "Subnet %s is verlopen"
+msgstr ""
#: src/route.c:200 src/route.c:353 src/route.c:495
-#, c-format
+#, fuzzy, c-format
msgid "Packet looping back to %s (%s)!"
-msgstr "Pakket komt terug naar %s (%s)!"
+msgstr "Pakket komt terug naar ons!"
#: src/route.c:299
#, c-format
msgid "Length of packet (%d) doesn't match length in IPv4 header (%d)"
msgstr ""
-"Lengte van pakket (%d) komt niet overeen met lengte in IPv4 header (%d)"
#: src/route.c:303
-#, c-format
+#, fuzzy, c-format
msgid "Fragmenting packet of %d bytes to %s (%s)"
-msgstr "Fragmentatie pakket van %d bytes naar %s (%s)"
+msgstr "Verzending pakket van %d bytes naar %s (%s)"
#: src/route.c:341
-#, c-format
+#, fuzzy, c-format
msgid ""
"Cannot route packet from %s (%s): unknown IPv4 destination address %d.%d.%d.%"
"d"
-msgstr ""
-"Kan pakket van %s (%s) niet routeren: onbekend IPv4 doeladres %d.%d.%d.%d"
+msgstr "Kan pakket niet routeren: onbekend IPv4 doeladres %d.%d.%d.%d"
#: src/route.c:366 src/route.c:505
#, c-format
msgid "Packet for %s (%s) length %d larger than MTU %d"
-msgstr "Packet voor %s (%s) lengte %d groter dan MTU %d"
+msgstr ""
#: src/route.c:479
-#, c-format
+#, fuzzy, c-format
msgid ""
"Cannot route packet from %s (%s): unknown IPv6 destination address %hx:%hx:%"
"hx:%hx:%hx:%hx:%hx:%hx"
msgstr ""
-"Kan pakket van %s (%s) niet routeren: onbekend IPv6 doeladres %hx:%hx:%hx:%"
-"hx:%hx:%hx:%hx:%hx"
+"Kan pakket niet routeren: onbekend IPv6 doeladres %hx:%hx:%hx:%hx:%hx:%hx:%"
+"hx:%hx"
#: src/route.c:537
#, c-format
msgid "Got neighbor solicitation request from %s (%s) while in router mode!"
msgstr ""
-"Kreeg neighbor solicitation request van %s (%s) terwijl we in router mode "
-"werken!"
#: src/route.c:556
msgid ""
"hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx"
#: src/route.c:671
-#, c-format
+#, fuzzy, c-format
msgid "Got ARP request from %s (%s) while in router mode!"
-msgstr "Kreeg ARP request van %s (%s) terwijl we in router mode werken!"
+msgstr "Kreeg %s van %s (%s) voor %s welke niet voorkomt in de node boom"
#: src/route.c:688
msgid "Cannot route packet: received unknown type ARP request"
msgstr "Kan pakket niet routeren: ARP verzoek voor onbekend adres %d.%d.%d.%d"
#: src/route.c:753
-#, c-format
+#, fuzzy, c-format
msgid "Cannot route packet from %s (%s): unknown type %hx"
-msgstr "Kan pakket van %s (%s) niet routeren: onbekend type %hx"
+msgstr "Kan pakket niet routeren: onbekend type %hx"
#: src/node.c:183
msgid "Nodes:"
msgstr "Nodes:"
#: src/node.c:187
-#, c-format
+#, fuzzy, c-format
msgid ""
-" %s at %s cipher %d digest %d maclength %d compression %d options %lx status "
+" %s at %s cipher %s digest %s maclength %d compression %d options %lx status "
"%04x nexthop %s via %s pmtu %d (min %d max %d)"
msgstr ""
" %s op %s cipher %d digest %d maclengte %d compressie %d opties %lx status %"
-"04x nexthop %s via %s pmtu %d (min %d max %d)"
+"04x nexthop %s via %s"
#: src/node.c:194
msgid "End of nodes."
msgid "Could not bind to %s: %s"
msgstr "Kon niet aan interface `%s' binden: %s"
+#, fuzzy
+#~ msgid "%s is %s"
+#~ msgstr "%s is een %s"
+
+#~ msgid "Error while encrypting metadata to %s (%s): %s"
+#~ msgstr "Fout tijdens versleutelen van metadata naar %s (%s): %s"
+
+#~ msgid "Error while decrypting metadata from %s (%s): %s"
+#~ msgstr "Fout tijdens ontsleutelen van metadata van %s (%s): %s"
+
+#~ msgid "Could not stat RSA private key file `%s': %s'"
+#~ msgstr "Kon gegevens RSA privé sleutel bestand `%s' niet opvragen: %s"
+
+#~ msgid "Warning: insecure file permissions for RSA private key file `%s'!"
+#~ msgstr ""
+#~ "Waarschuwing: onveilige permissies voor RSA privé sleutel bestand `%s'!"
+
+#~ msgid "Reading RSA private key file `%s' failed: %s"
+#~ msgstr "Fout tijdens lezen RSA privé sleutel bestand `%s': %s"
+
+#~ msgid "Peer %s (%s) uses incompatible version %d"
+#~ msgstr "Ander %s (%s) gebruikt incompatibele versie %d"
+
+#~ msgid "Generated random meta key (unencrypted): %s"
+#~ msgstr "Willekeurige meta sleutel aangemaakt (niet versleuteld): %s"
+
+#~ msgid "Error during encryption of meta key for %s (%s)"
+#~ msgstr "Fout tijdens versleutelen van meta key voor %s (%s)"
+
+#~ msgid "Possible intruder %s (%s): %s"
+#~ msgstr "Mogelijke indringer %s (%s): %s"
+
+#~ msgid "Received random meta key (unencrypted): %s"
+#~ msgstr "Ontving willekeurige meta key (niet versleuteld): %s"
+
+#~ msgid "%s (%s) uses unknown cipher!"
+#~ msgstr "%s (%s) gebruikt onbekende cipher!"
+
+#~ msgid "Error during initialisation of cipher from %s (%s): %s"
+#~ msgstr "Fout tijdens initalisatie van cipher van %s (%s): %s"
+
+#~ msgid "%s (%s) uses bogus MAC length!"
+#~ msgstr "%s (%s) gebruikt onzinnige MAC lengte!"
+
+#~ msgid "Error during calculation of response for %s (%s): %s"
+#~ msgstr "Fout tijdens berekenen van antwoord voor %s (%s): %s"
+
+#~ msgid "wrong challenge reply length"
+#~ msgstr "verkeerde lengte antwoord op uitdaging"
+
+#~ msgid "Error during calculation of response from %s (%s): %s"
+#~ msgstr "Fout tijdens narekenen van antwoord van %s (%s): %s"
+
+#~ msgid "wrong challenge reply"
+#~ msgstr "verkeerd antwoord op uitdaging"
+
+#~ msgid "Expected challenge reply: %s"
+#~ msgstr "Verwachtte antwoord op uitdaging: %s"
+
#~ msgid "Restarting in %d seconds!"
#~ msgstr "Herstart in %d seconden!"
LIBS = @LIBS@ @LIBINTL@
tincd_LDADD = \
- $(top_builddir)/lib/libvpn.a
+ $(top_builddir)/lib/libvpn.a -lgnutls
localedir = $(datadir)/locale
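Review bot: `-lgnutls` is hard-coded into tincd_LDADD, while the configure.in hunk on this page calls AM_PATH_LIBGNUTLS, which (as I recall) substitutes `LIBGNUTLS_LIBS` and `LIBGNUTLS_CFLAGS` with the detected library location; using the substituted variable keeps the link working when GnuTLS is installed outside the default linker path, e.g. `tincd_LDADD = $(top_builddir)/lib/libvpn.a $(LIBGNUTLS_LIBS)`. The matching `LIBGNUTLS_CFLAGS` should then go into the compile flags so the new `<gnutls/gnutls.h>` include is found the same way.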
int err = -2; /* Parse error */
FILE *fp;
char *buffer, *line;
- char *variable, *value, *eol;
+ char *variable, *value;
int lineno = 0;
int len;
bool ignore = false;
variable = value = line;
- eol = line + strlen(line);
- while(strchr("\t ", *--eol))
- *eol = '\0';
-
len = strcspn(value, "\t =");
value += len;
value += strspn(value, "\t ");
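Review bot: Dropping the trailing-whitespace trim at L1003-1005 means a value written as `Cipher = aes ` (trailing blank or tab) now reaches the parser with the blank attached, and this diff's gcry_cipher_map_name lookup will not match it, unless readline() was changed elsewhere to trim line ends; read_config_file starts and ends outside this hunk. If the loop was removed because `strchr("\t ", *--eol)` also matches the terminator and walks backwards past the start of an all-blank line, the safer replacement is a bounded trim rather than none: `len = strlen(line);` / `while(len && strchr("\t ", line[len - 1]))` / `line[--len] = '\0';` before `len` is reused for the variable name.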
}
variable[len] = '\0';
-
if(!*value) {
logger(LOG_ERR, _("No value for variable `%s' on line %d while reading config file %s"),
variable, lineno, fname);
{
cp();
- if(c->hostname)
- free(c->hostname);
-
- if(c->inkey)
- free(c->inkey);
-
- if(c->outkey)
- free(c->outkey);
-
- if(c->mychallenge)
- free(c->mychallenge);
-
- if(c->hischallenge)
- free(c->hischallenge);
-
free(c);
}
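Review bot: free_connection no longer releases `c->hostname` (the `if(c->hostname) free(c->hostname);` pair at L1018-1019 was removed together with the OpenSSL members) and nothing here deinitialises the new `c->session`, so every closed meta connection now leaks its hostname string and its GnuTLS session state. Add `if(c->session) gnutls_deinit(c->session);` and `free(c->hostname);` before `free(c)`. `c->credentials` should not be freed here: the diff only ever allocates it on `myself->connection` (setup_credentials) and every session shares that object via gnutls_credentials_set, so it belongs to daemon teardown, not connection teardown. The function's signature is outside this hunk; if hostname is freed by a caller such as terminate_connection that is outside this chunk, only the session point stands.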
for(node = connection_tree->head; node; node = node->next) {
c = node->data;
- logger(LOG_DEBUG, _(" %s at %s options %lx socket %d status %04x"),
- c->name, c->hostname, c->options, c->socket, *(uint32_t *)&c->status);
+ logger(LOG_DEBUG, _(" %s at %s options %lx socket %d cipher %s digest %s compression %s kx method %s status %04x"),
+ c->name, c->hostname, c->options, c->socket,
+ c->session ? gnutls_cipher_get_name(gnutls_cipher_get(c->session)) : "-",
+ c->session ? gnutls_mac_get_name(gnutls_mac_get(c->session)) : "-",
+ c->session ? gnutls_compression_get_name(gnutls_compression_get(c->session)) : "-",
+ c->session ? gnutls_kx_get_name(gnutls_kx_get(c->session)) : "-",
+ *(uint32_t *)&c->status);
}
logger(LOG_DEBUG, _("End of connections."));
#ifndef __TINC_CONNECTION_H__
#define __TINC_CONNECTION_H__
-#include <openssl/rsa.h>
-#include <openssl/evp.h>
+#include <gnutls/gnutls.h>
#include "avl_tree.h"
#include "node.h"
typedef struct connection_t {
- char *name; /* name he claims to have */
+ char *name; /* name he claims to have */
- union sockaddr_t address; /* his real (internet) ip */
- char *hostname; /* the hostname of its real ip */
+ union sockaddr_t address; /* his real (internet) ip */
+ char *hostname; /* the hostname of its real ip */
int protocol_version; /* used protocol */
- int socket; /* socket used for this connection */
- long int options; /* options for this connection */
+ int socket; /* socket used for this connection */
+ long int options; /* options for this connection */
struct connection_status_t status; /* status info */
int estimated_weight; /* estimation for the weight of the edge for this connection */
struct timeval start; /* time this connection was started, used for above estimation */
struct node_t *node; /* node associated with the other end */
struct edge_t *edge; /* edge associated with this connection */
- RSA *rsa_key; /* his public/private key */
- const EVP_CIPHER *incipher; /* Cipher he will use to send data to us */
- const EVP_CIPHER *outcipher; /* Cipher we will use to send data to him */
- EVP_CIPHER_CTX *inctx; /* Context of encrypted meta data that will come from him to us */
- EVP_CIPHER_CTX *outctx; /* Context of encrypted meta data that will be sent from us to him */
- char *inkey; /* His symmetric meta key + iv */
- char *outkey; /* Our symmetric meta key + iv */
- int inkeylength; /* Length of his key + iv */
- int outkeylength; /* Length of our key + iv */
- const EVP_MD *indigest;
- const EVP_MD *outdigest;
- int inmaclength;
- int outmaclength;
- int incompression;
- int outcompression;
- char *mychallenge; /* challenge we received from him */
- char *hischallenge; /* challenge we sent to him */
+ gnutls_session session;
+ gnutls_certificate_credentials credentials;
char buffer[MAXBUFSIZE]; /* metadata input buffer */
- int buflen; /* bytes read into buffer */
- int reqlen; /* length of incoming request */
- int tcplen; /* length of incoming TCPpacket */
- int allow_request; /* defined if there's only one request possible */
+ int buflen; /* bytes read into buffer */
+ int reqlen; /* length of incoming request */
+ int tcplen; /* length of incoming TCPpacket */
+ int allow_request; /* defined if there's only one request possible */
time_t last_ping_time; /* last time we saw some activity from the other end */
#include "system.h"
-#include <openssl/err.h>
-#include <openssl/evp.h>
+#include <gnutls/gnutls.h>
#include "avl_tree.h"
#include "connection.h"
bool send_meta(connection_t *c, const char *buffer, int length)
{
- const char *bufp;
- int outlen;
- char outbuf[MAXBUFSIZE];
int result;
cp();
ifdebug(META) logger(LOG_DEBUG, _("Sending %d bytes of metadata to %s (%s)"), length,
c->name, c->hostname);
- if(c->status.encryptout) {
- result = EVP_EncryptUpdate(c->outctx, outbuf, &outlen, buffer, length);
- if(!result || outlen != length) {
- logger(LOG_ERR, _("Error while encrypting metadata to %s (%s): %s"),
- c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
- return false;
- }
- bufp = outbuf;
- length = outlen;
- } else
- bufp = buffer;
-
while(length) {
- result = send(c->socket, bufp, length, 0);
+ result = gnutls_record_send(c->session, buffer, length);
+
if(result <= 0) {
- if(!errno || errno == EPIPE) {
+ if(!result) {
ifdebug(CONNECTIONS) logger(LOG_NOTICE, _("Connection closed by %s (%s)"),
c->name, c->hostname);
- } else if(errno == EINTR)
+ } else if(result == GNUTLS_E_INTERRUPTED || result == GNUTLS_E_AGAIN)
continue;
else
logger(LOG_ERR, _("Sending meta data to %s (%s) failed: %s"), c->name,
- c->hostname, strerror(errno));
+ c->hostname, gnutls_strerror(result));
return false;
}
- bufp += result;
+ buffer += result;
length -= result;
}
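Review bot: Treating `GNUTLS_E_AGAIN` as `continue` at L1138 turns send_meta into a busy loop on the non-blocking meta socket (accept_connection sets O_NONBLOCK in this same diff): the loop re-calls gnutls_record_send as fast as it can until the kernel buffer drains, burning CPU instead of returning to the event loop. Retrying with the same buffer and length is what GnuTLS requires after E_AGAIN, so the data path is correct; the fix is to keep `continue` only for `GNUTLS_E_INTERRUPTED` and, for E_AGAIN, queue the remaining `length` bytes for the next writable event (or at minimum poll() the socket before retrying). Also, `if(!result)` at L1134 can only trigger when `length` is 0, since gnutls_record_send reports a closed transport as a negative code (e.g. GNUTLS_E_PUSH_ERROR), so the "Connection closed" branch is effectively dead here.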
bool receive_meta(connection_t *c)
{
int oldlen, i, result;
- int lenin, lenout, reqlen;
- bool decrypted = false;
- char inbuf[MAXBUFSIZE];
+ int reqlen;
cp();
/* Strategy:
- Read as much as possible from the TCP socket in one go.
- - Decrypt it.
- Check if a full request is in the input buffer.
- If yes, process request and remove it from the buffer,
then check again.
- If not, keep stuff in buffer and exit.
*/
- lenin = recv(c->socket, c->buffer + c->buflen, MAXBUFSIZE - c->buflen, 0);
+ if(c->allow_request == ID) {
+ logger(LOG_DEBUG, _("Continuing handshake..."));
+ result = gnutls_handshake(c->session);
+ if(!result) {
+ logger(LOG_DEBUG, _("Handshake with %s (%s) completed!"), c->name, c->hostname);
+ c->allow_request = ACK;
+ return send_ack(c);
+ }
+ if(result == GNUTLS_E_INTERRUPTED || result == GNUTLS_E_AGAIN)
+ return true;
+ logger(LOG_DEBUG, _("Handshake with %s (%s) failed: %s"), c->name, c->hostname, gnutls_strerror(result));
+ return false;
+ }
+
+ result = gnutls_record_recv(c->session, c->buffer + c->buflen, MAXBUFSIZE - c->buflen);
- if(lenin <= 0) {
- if(!lenin || !errno) {
+ if(result <= 0) {
+ if(!result) {
ifdebug(CONNECTIONS) logger(LOG_NOTICE, _("Connection closed by %s (%s)"),
c->name, c->hostname);
- } else if(errno == EINTR)
+ } else if(result == GNUTLS_E_INTERRUPTED || result == GNUTLS_E_AGAIN)
return true;
else
logger(LOG_ERR, _("Metadata socket read error for %s (%s): %s"),
- c->name, c->hostname, strerror(errno));
+ c->name, c->hostname, gnutls_strerror(result));
return false;
}
oldlen = c->buflen;
- c->buflen += lenin;
-
- while(lenin > 0) {
- /* Decrypt */
-
- if(c->status.decryptin && !decrypted) {
- result = EVP_DecryptUpdate(c->inctx, inbuf, &lenout, c->buffer + oldlen, lenin);
- if(!result || lenout != lenin) {
- logger(LOG_ERR, _("Error while decrypting metadata from %s (%s): %s"),
- c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
- return false;
- }
- memcpy(c->buffer + oldlen, inbuf, lenin);
- decrypted = true;
- }
+ c->buflen += result;
+ while(c->buflen > 0) {
/* Are we receiving a TCPpacket? */
if(c->tcplen) {
receive_tcppacket(c, c->buffer, c->tcplen);
c->buflen -= c->tcplen;
- lenin -= c->tcplen - oldlen;
memmove(c->buffer, c->buffer + c->tcplen, c->buflen);
oldlen = 0;
c->tcplen = 0;
return false;
c->buflen -= reqlen;
- lenin -= reqlen - oldlen;
memmove(c->buffer, c->buffer + reqlen, c->buflen);
oldlen = 0;
continue;
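Review bot: Handshake completion at L1170-1173 is treated as authentication, but nothing in this diff calls gnutls_certificate_verify_peers (or otherwise checks the peer chain against the trust file loaded in setup_credentials) before `c->allow_request = ACK` and send_ack; the visible part of send_ack only imports the peer certificate and reads its CN, so a peer presenting any self-signed certificate with the right CN would be accepted unless the remainder of send_ack (outside this chunk) performs the verification. Add after the `!result` check something like `if(gnutls_certificate_verify_peers(c->session) != 0) { logger(LOG_ERR, ...); return false; }` — in the GnuTLS 1.0 API the return value is the verification status, 0 meaning the chain verified. Secondary: the handshake is only driven from the read path, so a handshake that returns E_AGAIN because it needs to write will not progress until the peer happens to send bytes; consider also resuming it from the writable event.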
#include "system.h"
-#include <openssl/rand.h>
+#include <gcrypt.h>
#include "utils.h"
#include "avl_tree.h"
if(keyexpires < now) {
ifdebug(STATUS) logger(LOG_INFO, _("Regenerating symmetric key"));
- RAND_pseudo_bytes(myself->key, myself->keylength);
+ gcry_randomize(myself->cipherkey, myself->cipherkeylen, GCRY_STRONG_RANDOM);
if(myself->cipher)
- EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key, myself->key + myself->cipher->key_len);
+ gcry_cipher_setkey(myself->cipher_ctx, myself->cipherkey, myself->cipherkeylen);
send_key_changed(broadcast, myself);
keyexpires = now + keylifetime;
}
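Review bot: Only the cipher key is rotated here; `myself->digestkey`, which setup_myself installs as the HMAC key with gcry_md_setkey, keeps its initial value for the lifetime of the daemon even though KeyExpire is meant to bound how long any packet key is used. Refresh it in the same place: `gcry_randomize(myself->digestkey, myself->digestlen, GCRY_STRONG_RANDOM);` followed by `gcry_md_setkey(myself->digest_ctx, myself->digestkey, myself->digestlen)` when `myself->digest` is set, and check the gcry_cipher_setkey return at L1240, which is currently discarded. This assumes send_ans_key (changed in this commit but not shown) transmits both keys; if it only sends the cipher key the digest key must be rotated there too.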
#ifndef __TINC_NET_H__
#define __TINC_NET_H__
-#include <openssl/evp.h>
+#include <gcrypt.h>
#include "ipv6.h"
#define MTU 1514 /* 1500 bytes payload + 14 bytes ethernet header */
#endif
-#define MAXSIZE (MTU + 4 + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + MTU/64 + 20) /* MTU + seqno + padding + HMAC + compressor overhead */
+#define MAXSIZE (MTU + 4 + 64 + 64 + MTU/64 + 20) /* MTU + seqno + padding + HMAC + compressor overhead */
#define MAXBUFSIZE ((MAXSIZE > 2048 ? MAXSIZE : 2048) + 128) /* Enough room for a request with a MAXSIZEd packet or a 8192 bits RSA key */
#define MAXSOCKETS 128 /* Overkill... */
extern bool do_purge;
extern char *myport;
extern time_t now;
-extern EVP_CIPHER_CTX packet_ctx;
+extern gcry_cipher_hd_t packet_ctx;
+extern gcry_md_hd_t digest_ctx;
/* Yes, very strange placement indeed, but otherwise the typedefs get all tangled up */
#include "connection.h"
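Review bot: `extern gcry_cipher_hd_t packet_ctx;` and `extern gcry_md_hd_t digest_ctx;` at L1259-1260 declare globals that this diff never defines — the only definition, `EVP_CIPHER_CTX packet_ctx;` in net_packet.c, is removed at L1274 and the new code uses the per-node `cipher_ctx`/`digest_ctx` handles in node_t instead. They compile only because nothing references them; drop both externs (or add the definitions) so a later use does not fail at link time.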
#include "system.h"
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-#include <openssl/hmac.h>
+#include <gcrypt.h>
#include <zlib.h>
#include <lzo1x.h>
int keylifetime = 0;
int keyexpires = 0;
-EVP_CIPHER_CTX packet_ctx;
static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
static void send_udppacket(node_t *, vpn_packet_t *);
len = 64;
memset(packet.data, 0, 14);
- RAND_pseudo_bytes(packet.data + 14, len - 14);
+ gcry_randomize(packet.data + 14, len - 14, GCRY_WEAK_RANDOM);
packet.len = len;
ifdebug(TRAFFIC) logger(LOG_INFO, _("Sending MTU probe length %d to %s (%s)"), len, n->name, n->hostname);
vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
int nextpkt = 0;
vpn_packet_t *outpkt = pkt[0];
- int outlen, outpad;
- char hmac[EVP_MAX_MD_SIZE];
+ char *hmac = NULL;
+ int result;
int i;
+ static char iv[32] = {0};
cp();
if(myself->digest && myself->maclength) {
inpkt->len -= myself->maclength;
- HMAC(myself->digest, myself->key, myself->keylength,
- (char *) &inpkt->seqno, inpkt->len, hmac, NULL);
-
- if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, myself->maclength)) {
+ gcry_md_reset(myself->digest_ctx);
+ gcry_md_write(myself->digest_ctx, (char *)&inpkt->seqno, inpkt->len);
+ hmac = gcry_md_read(myself->digest_ctx, 0);
+
+ if(!hmac || memcmp(hmac, (char *)&inpkt->seqno + inpkt->len, myself->maclength)) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"),
n->name, n->hostname);
return;
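Review bot: `inpkt->len -= myself->maclength;` at L1294 has no check that the datagram is at least `maclength` bytes, so a short packet from the network drives `inpkt->len` negative and `gcry_md_write` at L1300 is then called with that value converted to a huge size_t; receive_udppacket starts before this hunk, so if an earlier length check exists this is moot, otherwise guard with `if(inpkt->len < myself->maclength) return;` before the subtraction. The `memcmp` at L1303 compares the tag in non-constant time; because the tag covers the ciphertext this is not a padding oracle, but a fixed-time compare is cheap and removes the timing signal on tag verification.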
/* Decrypt the packet */
if(myself->cipher) {
- outpkt = pkt[nextpkt++];
+ gcry_cipher_reset(myself->cipher_ctx);
+ //memcpy(iv, &inpkt->seqno, sizeof inpkt->seqno);
+ //gcry_cipher_setiv(myself->cipher_ctx, iv, myself->cipherblklen);
+ result = gcry_cipher_decrypt(myself->cipher_ctx, (char *)&inpkt->seqno, inpkt->len, NULL, 0);
- if(!EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL)
- || !EVP_DecryptUpdate(&packet_ctx, (char *) &outpkt->seqno, &outlen,
- (char *) &inpkt->seqno, inpkt->len)
- || !EVP_DecryptFinal_ex(&packet_ctx, (char *) &outpkt->seqno + outlen, &outpad)) {
+ if(result) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s): %s"),
- n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
+ n->name, n->hostname, gpg_strerror(result));
+ logger(LOG_DEBUG, "%p %p %d", myself->cipher_ctx, (char *)&inpkt->seqno, inpkt->len);
return;
}
+ }
+
+ /* Remove padding */
+
+ if(myself->cipherblklen > 1) {
+ int padlen;
- outpkt->len = outlen + outpad;
- inpkt = outpkt;
+ padlen = ((uint8_t *)&inpkt->seqno)[inpkt->len - 1];
+
+ if(padlen && padlen <= myself->cipherblklen)
+ inpkt->len -= padlen;
}
/* Check the sequence number */
if(inpkt->seqno != n->received_seqno + 1) {
if(inpkt->seqno >= n->received_seqno + sizeof(n->late) * 8) {
- logger(LOG_WARNING, _("Lost %d packets from %s (%s)"),
+ logger(LOG_WARNING, _("Lost %u packets from %s (%s)"),
inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
memset(n->late, 0, sizeof(n->late));
} else if (inpkt->seqno <= n->received_seqno) {
if(inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8 || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) {
- logger(LOG_WARNING, _("Got late or replayed packet from %s (%s), seqno %d, last received %d"),
+ logger(LOG_WARNING, _("Got late or replayed packet from %s (%s), seqno %u, last received %u"),
n->name, n->hostname, inpkt->seqno, n->received_seqno);
} else
for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
}
}
- n->received_seqno = inpkt->seqno;
- n->late[(n->received_seqno / 8) % sizeof(n->late)] &= ~(1 << n->received_seqno % 8);
+ if(inpkt->seqno > n->received_seqno) {
+ n->received_seqno = inpkt->seqno;
+ n->late[(n->received_seqno / 8) % sizeof(n->late)] &= ~(1 << n->received_seqno % 8);
+ }
if(n->received_seqno > MAX_SEQNO)
keyexpires = 0;
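Review bot: The late-packet bookkeeping regresses at L1356-1359: the late bit is now cleared only when `seqno` advances, so a packet accepted through the late window (the `else` at L1350) leaves its bit set and the identical datagram is accepted again on every replay until the window moves past it. Keep the guard for `received_seqno` but clear the bit unconditionally: `if(inpkt->seqno > n->received_seqno)` / `n->received_seqno = inpkt->seqno;` / `n->late[(inpkt->seqno / 8) % sizeof(n->late)] &= ~(1 << inpkt->seqno % 8);`. Note also that the "late or replayed" branch at L1347-1349 logs but does not `return`, so as shown the packet is still delivered. On the cipher side, gcry_cipher_reset leaves a zero IV and the gcry_cipher_setiv lines are commented out, so every packet under a key is CBC-encrypted with the same all-zero IV; either restore the seqno-derived IV (and give the sender the same one) or remove the dead `iv` array. The padding strip at L1333-1336 trusts the last byte without checking the rest of the pad and reads `[inpkt->len - 1]` with no lower bound on `len`, and the `"%p %p %d"` logger at L1322 looks like leftover instrumentation.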
int nextpkt = 0;
vpn_packet_t *outpkt;
int origlen;
- int outlen, outpad;
+ int result;
vpn_packet_t *copy;
static int priority = 0;
int origpriority;
int sock;
+ char *hmac = NULL;
+ static char iv[32] = {0};
cp();
/* Encrypt the packet */
if(n->cipher) {
- outpkt = pkt[nextpkt++];
+ /* Add padding */
+
+ if(n->cipherblklen > 1) {
+ int padlen, i;
+ uint8_t *p;
+
+ padlen = n->cipherblklen - inpkt->len % n->cipherblklen;
+ p = (char *)&inpkt->seqno + inpkt->len;
+
+ if(padlen == n->cipherblklen) {
+ if(p[-1] != 0 && p[-1] <= n->cipherblklen) {
+ inpkt->len += n->cipherblklen;
+ for(i = 0; i < n->cipherblklen; i++)
+ *p++ = i + 1;
+ }
+ } else {
+ inpkt->len += padlen;
+ for(i = 0; i < padlen; i++)
+ *p++ = i + 1;
+ }
+ }
+
+ gcry_cipher_reset(n->cipher_ctx);
+ //memcpy(iv, &inpkt->seqno, sizeof inpkt->seqno);
+ //gcry_cipher_setiv(n->cipher_ctx, iv, n->cipherblklen);
+ result = gcry_cipher_encrypt(n->cipher_ctx, (char *)&inpkt->seqno, inpkt->len, NULL, 0);
- if(!EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL)
- || !EVP_EncryptUpdate(&n->packet_ctx, (char *) &outpkt->seqno, &outlen,
- (char *) &inpkt->seqno, inpkt->len)
- || !EVP_EncryptFinal_ex(&n->packet_ctx, (char *) &outpkt->seqno + outlen, &outpad)) {
+ if(result) {
ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"),
- n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
+ n->name, n->hostname, gpg_strerror(result));
goto end;
}
-
- outpkt->len = outlen + outpad;
- inpkt = outpkt;
}
/* Add the message authentication code */
if(n->digest && n->maclength) {
- HMAC(n->digest, n->key, n->keylength, (char *) &inpkt->seqno,
- inpkt->len, (char *) &inpkt->seqno + inpkt->len, &outlen);
+ gcry_md_reset(n->digest_ctx);
+ gcry_md_write(n->digest_ctx, (char *)&inpkt->seqno, inpkt->len);
+ hmac = gcry_md_read(n->digest_ctx, 0);
+
+ if(!hmac) {
+ ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while authenticating packet to %s (%s)"),
+ n->name, n->hostname);
+ goto end;
+ }
+
+ memcpy((char *)&inpkt->seqno + inpkt->len, hmac, n->maclength);
inpkt->len += n->maclength;
}
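Review bot: Encryption now happens in place on `inpkt` (L1402) and padding and the MAC are appended to it (L1383-1396, L1431-1432), whereas the old code wrote the ciphertext into the scratch `pkt[nextpkt++]` buffer and left the caller's packet intact; if the caller passes the same packet to several nodes (a broadcast) or keeps it for a TCP fallback, the second use sees ciphertext plus padding instead of the original payload. send_udppacket begins before this hunk, so if the packet was already copied to a private buffer there this is fine; otherwise encrypt into `outpkt = pkt[nextpkt++]` as before (gcry_cipher_encrypt accepts separate in/out buffers). Smaller points: `p = (char *)&inpkt->seqno + inpkt->len;` assigns a `char *` to a `uint8_t *`, and the `static char iv[32]` is only used in the commented-out setiv call, so with gcry_cipher_reset the IV is all zeros for every packet.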
#include "system.h"
-#include <openssl/pem.h>
-#include <openssl/rsa.h>
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gcrypt.h>
#include "avl_tree.h"
#include "conf.h"
char *myport;
+#if 0
bool read_rsa_public_key(connection_t *c)
{
FILE *fp;
return false;
}
+#endif
-bool read_rsa_private_key(void)
+bool setup_credentials(void)
{
- FILE *fp;
- char *fname, *key, *pubkey;
- struct stat s;
+ char *trust = NULL, *crl = NULL;
+ char *key = NULL, *cert = NULL;
+ int result;
cp();
- if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
- if(!get_config_string(lookup_config(myself->connection->config_tree, "PublicKey"), &pubkey)) {
- logger(LOG_ERR, _("PrivateKey used but no PublicKey found!"));
+ gnutls_certificate_allocate_credentials(&myself->connection->credentials);
+
+ if(get_config_string(lookup_config(config_tree, "TrustFile"), &trust)) {
+ result = gnutls_certificate_set_x509_trust_file(myself->connection->credentials, trust, GNUTLS_X509_FMT_PEM);
+ if(result < 0) {
+ logger(LOG_ERR, _("Error reading trust file '%s': %s"), trust, gnutls_strerror(result));
+ free(trust);
return false;
}
- myself->connection->rsa_key = RSA_new();
-// RSA_blinding_on(myself->connection->rsa_key, NULL);
- BN_hex2bn(&myself->connection->rsa_key->d, key);
- BN_hex2bn(&myself->connection->rsa_key->n, pubkey);
- BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
- free(key);
- free(pubkey);
- return true;
+ free(trust);
}
- if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname))
- asprintf(&fname, "%s/rsa_key.priv", confbase);
-
- fp = fopen(fname, "r");
-
- if(!fp) {
- logger(LOG_ERR, _("Error reading RSA private key file `%s': %s"),
- fname, strerror(errno));
- free(fname);
- return false;
+ if(get_config_string(lookup_config(config_tree, "CRLFile"), &crl)) {
+ result = gnutls_certificate_set_x509_crl_file(myself->connection->credentials, crl, GNUTLS_X509_FMT_PEM);
+ if(result) {
+ logger(LOG_ERR, _("Error reading CRL file '%s': %s"), crl, gnutls_strerror(result));
+ free(crl);
+ return false;
+ }
+ free(crl);
}
-#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
- if(fstat(fileno(fp), &s)) {
- logger(LOG_ERR, _("Could not stat RSA private key file `%s': %s'"),
- fname, strerror(errno));
- free(fname);
- return false;
- }
+ if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &key))
+ asprintf(&key, "%s/rsa_key.priv", confbase);
- if(s.st_mode & ~0100700)
- logger(LOG_WARNING, _("Warning: insecure file permissions for RSA private key file `%s'!"), fname);
-#endif
+ if(!get_config_string(lookup_config(config_tree, "CertificateFile"), &cert))
+ asprintf(&cert, "%s/hosts/%s", confbase, myself->name);
- myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
- fclose(fp);
+
+ gnutls_certificate_set_x509_trust_file(myself->connection->credentials, cert, GNUTLS_X509_FMT_PEM);
+ logger(LOG_DEBUG, _("JOEHOE"));
+ gnutls_certificate_set_verify_flags(myself->connection->credentials, GNUTLS_VERIFY_DISABLE_CA_SIGN);
+
+ result = gnutls_certificate_set_x509_key_file(myself->connection->credentials, cert, key, GNUTLS_X509_FMT_PEM);
- if(!myself->connection->rsa_key) {
- logger(LOG_ERR, _("Reading RSA private key file `%s' failed: %s"),
- fname, strerror(errno));
- free(fname);
+ if(result) {
+ logger(LOG_ERR, _("Error reading credentials from %s and %s: %s"), cert, key, gnutls_strerror(result));
+ free(key);
+ free(cert);
return false;
}
- free(fname);
+ free(key);
+ free(cert);
+
return true;
}
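Review bot: L1521 adds our own certificate file (`cert`) to the trust list and L1523 sets `GNUTLS_VERIFY_DISABLE_CA_SIGN`, which tells GnuTLS to accept signers that are not CAs; together that means any certificate signed by our own host key, or by any non-CA certificate in the trust set, would pass verification once verification is added (no gnutls_certificate_verify_peers call appears in this diff). If the intended model is one self-signed certificate per host, load the set of peer certificates you actually trust as the trust file and leave the CA-signature check on; in any case check the L1521 return value the way the TrustFile branch does, since a failure there is silently ignored today. The `logger(LOG_DEBUG, _("JOEHOE"))` at L1522 is leftover debugging and `_()` also drags the string into the translation catalog. Finally, the old fstat/`~0100700` permission warning for the private key file was dropped with no replacement; the PrivateKeyFile path is still read here, so the check is worth keeping before gnutls_certificate_set_x509_key_file.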
char *envp[5];
struct addrinfo *ai, *aip, hint = {0};
bool choice;
- int i, err;
+ int i, err, result;
cp();
myself->name = name;
myself->connection->name = xstrdup(name);
+ if(!setup_credentials())
+ return false;
+
if(!read_connection_config(myself->connection)) {
logger(LOG_ERR, _("Cannot open host configuration file for myself!"));
return false;
}
- if(!read_rsa_private_key())
- return false;
-
- if(!get_config_string(lookup_config(myself->connection->config_tree, "Port"), &myport))
+ if(!get_config_string (lookup_config(myself->connection->config_tree, "Port"), &myport))
asprintf(&myport, "655");
/* Read in all the subnets specified in the host configuration file */
/* Generate packet encryption key */
- if(get_config_string
- (lookup_config(myself->connection->config_tree, "Cipher"), &cipher)) {
+ if(get_config_string (lookup_config(myself->connection->config_tree, "Cipher"), &cipher)) {
if(!strcasecmp(cipher, "none")) {
- myself->cipher = NULL;
+ myself->cipher = GCRY_CIPHER_NONE;
} else {
- myself->cipher = EVP_get_cipherbyname(cipher);
+ myself->cipher = gcry_cipher_map_name(cipher);
if(!myself->cipher) {
logger(LOG_ERR, _("Unrecognized cipher type!"));
}
}
} else
- myself->cipher = EVP_bf_cbc();
+ myself->cipher = GCRY_CIPHER_AES;
- if(myself->cipher)
- myself->keylength = myself->cipher->key_len + myself->cipher->iv_len;
- else
- myself->keylength = 1;
+ if(myself->cipher) {
+ result = gcry_cipher_open(&myself->cipher_ctx, myself->cipher, GCRY_CIPHER_MODE_CBC, GCRY_CIPHER_SECURE);
+
+ if(result) {
+ logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"),
+ myself->name, myself->hostname, gcry_strerror(result));
+ return false;
+ }
+
+ }
- myself->connection->outcipher = EVP_bf_ofb();
+ if(myself->cipher) {
+ myself->cipherkeylen = gcry_cipher_get_algo_keylen(myself->cipher);
+ myself->cipherblklen = gcry_cipher_get_algo_blklen(myself->cipher);
+ } else {
+ myself->cipherkeylen = 1;
+ }
- myself->key = xmalloc(myself->keylength);
- RAND_pseudo_bytes(myself->key, myself->keylength);
+ logger(LOG_DEBUG, _("Key %s len %d"), gcry_cipher_algo_name(myself->cipher), myself->cipherkeylen);
+ myself->cipherkey = xmalloc(myself->cipherkeylen);
+ gcry_randomize(myself->cipherkey, myself->cipherkeylen, GCRY_STRONG_RANDOM);
+ if(myself->cipher)
+ gcry_cipher_setkey(myself->cipher_ctx, myself->cipherkey, myself->cipherkeylen);
if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
keylifetime = 3600;
keyexpires = now + keylifetime;
- if(myself->cipher) {
- EVP_CIPHER_CTX_init(&packet_ctx);
- if(!EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key, myself->key + myself->cipher->key_len)) {
- logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"),
- myself->name, myself->hostname, ERR_error_string(ERR_get_error(), NULL));
- return false;
- }
-
- }
-
/* Check if we want to use message authentication codes... */
- if(get_config_string
- (lookup_config(myself->connection->config_tree, "Digest"), &digest)) {
+ if(get_config_string (lookup_config(myself->connection->config_tree, "Digest"), &digest)) {
if(!strcasecmp(digest, "none")) {
- myself->digest = NULL;
+ myself->digest = GCRY_MD_NONE;
} else {
- myself->digest = EVP_get_digestbyname(digest);
+ myself->digest = gcry_md_map_name(digest);
if(!myself->digest) {
logger(LOG_ERR, _("Unrecognized digest type!"));
}
}
} else
- myself->digest = EVP_sha1();
+ myself->digest = GCRY_MD_SHA1;
+
+
+ if(myself->digest) {
+ result = gcry_md_open(&myself->digest_ctx, myself->digest, GCRY_MD_FLAG_SECURE | GCRY_MD_FLAG_HMAC);
+
+ if(result) {
+ logger(LOG_ERR, _("Error during initialisation of digest for %s (%s): %s"),
+ myself->name, myself->hostname, gcry_strerror(result));
+ return false;
+ }
+
+ }
- myself->connection->outdigest = EVP_sha1();
+ if(myself->digest) {
+ myself->digestlen = gcry_md_get_algo_dlen(myself->digest);
+ } else {
+ myself->digestlen = 1;
+ }
- if(get_config_int(lookup_config(myself->connection->config_tree, "MACLength"),
- &myself->maclength)) {
+ myself->digestkey = xmalloc(myself->digestlen);
+ gcry_randomize(myself->digestkey, myself->digestlen, GCRY_STRONG_RANDOM);
+ if(myself->digest)
+ gcry_md_setkey(myself->digest_ctx, myself->digestkey, myself->digestlen);
+
+ if(get_config_int(lookup_config(myself->connection->config_tree, "MACLength"), &myself->maclength)) {
if(myself->digest) {
- if(myself->maclength > myself->digest->md_size) {
+ if(myself->maclength > myself->digestlen) {
logger(LOG_ERR, _("MAC length exceeds size of digest!"));
return false;
} else if(myself->maclength < 0) {
} else
myself->maclength = 4;
- myself->connection->outmaclength = 0;
-
/* Compression */
if(get_config_int(lookup_config(myself->connection->config_tree, "Compression"),
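Review bot: An unknown `Cipher` or `Digest` name is not fatal here: L1573-1576 and L1631-1634 log "Unrecognized ... type!" but continue with `myself->cipher`/`myself->digest` left at 0, which the rest of this hunk treats as "none", so a typo in the host config silently yields unencrypted, unauthenticated UDP traffic; add `return false;` after each logger (if those returns exist and were lost in rendering, ignore this). The gcry_cipher_setkey and gcry_md_setkey results at L1608 and L1662 are discarded; log and return false on a non-zero result as the gcry_cipher_open/gcry_md_open calls already do. `myself->cipherblklen` is left unset when the cipher is none (L1599-1601) while receive_udppacket reads it outside the `if(myself->cipher)` guard — set it to 1 there unless node_t is zero-allocated. The `"Key %s len %d"` logger at L1604 is unconditional debug output.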
} else
myself->compression = 0;
- myself->connection->outcompression = 0;
-
/* Done */
myself->nexthop = myself;
#include "system.h"
+#include <gnutls/gnutls.h>
+
#include "avl_tree.h"
#include "conf.h"
#include "connection.h"
listen_socket_t listen_socket[MAXSOCKETS];
int listen_sockets;
+int certselfunc(gnutls_session session, const gnutls_datum *client_cert, int ncerts, const gnutls_datum* req_ca_cert, int nreqs) {
+ logger(LOG_DEBUG, "Client certificate select function called with %d certs, %d requests\n", ncerts, nreqs);
+ return 0;
+}
+
+int scertselfunc(gnutls_session session, const gnutls_datum *server_cert, int ncerts) {
+ logger(LOG_DEBUG, "Server certificate select function called with %d certs\n", ncerts);
+ return 0;
+}
+
/* Setup sockets */
int setup_listen_socket(const sockaddr_t *sa)
void finish_connecting(connection_t *c)
{
+ int result;
+
cp();
ifdebug(CONNECTIONS) logger(LOG_INFO, _("Connected to %s (%s)"), c->name, c->hostname);
c->last_ping_time = now;
- send_id(c);
+ gnutls_init(&c->session, GNUTLS_SERVER);
+ gnutls_set_default_priority(c->session);
+ gnutls_credentials_set(c->session, GNUTLS_CRD_CERTIFICATE, myself->connection->credentials);
+ gnutls_certificate_server_set_request(c->session, GNUTLS_CERT_REQUEST);
+// gnutls_certificate_client_set_select_function(c->session, certselfunc);
+// gnutls_certificate_server_set_select_function(c->session, scertselfunc);
+ gnutls_transport_set_ptr(c->session, c->socket);
}
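Review bot: `gnutls_certificate_server_set_request(c->session, GNUTLS_CERT_REQUEST)` at L1714 only asks the peer for a certificate; a peer that sends none still completes the handshake and is only caught later by send_ack's "No certificates" check, so for a mutually authenticated VPN link `GNUTLS_CERT_REQUIRE` is the intended setting and fails the handshake itself. The gnutls_init/gnutls_set_default_priority/gnutls_credentials_set returns are ignored (and `int result` at L1705 is unused), so an allocation failure leaves `c->session` NULL for the later gnutls_handshake calls. The role choice — outgoing side is GNUTLS_SERVER, accepting side (accept_connection) GNUTLS_CLIENT — is consistent between peers but inverted from the TCP direction and means this side must wait for the acceptor's ClientHello; a comment stating that this is intentional would keep the next reader from "fixing" one side.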
void do_outgoing_connection(connection_t *c)
goto begin;
}
+ logger(LOG_DEBUG, _("finishing connection"));
finish_connecting(c);
return;
c = new_connection();
c->name = xstrdup(outgoing->name);
- c->outcipher = myself->connection->outcipher;
- c->outdigest = myself->connection->outdigest;
- c->outmaclength = myself->connection->outmaclength;
- c->outcompression = myself->connection->outcompression;
init_configuration(&c->config_tree);
read_connection_config(c);
connection_t *c;
sockaddr_t sa;
int fd, len = sizeof(sa);
+ int result;
cp();
return false;
}
+#ifdef O_NONBLOCK
+ {
+ int flags = fcntl(fd, F_GETFL);
+
+ if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
+ closesocket(fd);
+ logger(LOG_ERR, _("System call `%s' failed: %s"), "fcntl",
+ strerror(errno));
+ return -1;
+ }
+ }
+#endif
+
sockaddrunmap(&sa);
c = new_connection();
- c->outcipher = myself->connection->outcipher;
- c->outdigest = myself->connection->outdigest;
- c->outmaclength = myself->connection->outmaclength;
- c->outcompression = myself->connection->outcompression;
c->address = sa;
c->hostname = sockaddr2hostname(&sa);
connection_add(c);
c->allow_request = ID;
- send_id(c);
+ gnutls_init(&c->session, GNUTLS_CLIENT);
+ gnutls_set_default_priority(c->session);
+ gnutls_credentials_set(c->session, GNUTLS_CRD_CERTIFICATE, myself->connection->credentials);
+ gnutls_certificate_server_set_request(c->session, GNUTLS_CERT_REQUEST);
+// gnutls_certificate_client_set_select_function(c->session, certselfunc);
+// gnutls_certificate_server_set_select_function(c->session, scertselfunc);
+ gnutls_transport_set_ptr(c->session, c->socket);
+ gnutls_handshake(c->session);
return true;
}
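Review bot: `return -1;` at L1748 is in a function that otherwise returns `false` (L1738), so a failed fcntl() yields `true` and the caller treats the half-set-up connection as accepted; change it to `return false;` and also check the `F_GETFL` result before OR-ing it. The `gnutls_handshake(c->session)` result at L1771 is ignored: E_AGAIN/E_INTERRUPTED is the normal non-blocking outcome and receive_meta resumes it, but any other error should terminate the connection here instead of waiting for a read event that never comes. `gnutls_transport_set_ptr(c->session, c->socket)` passes an `int` where `gnutls_transport_ptr` (a pointer type) is expected — use `(gnutls_transport_ptr)(intptr_t)c->socket`, which finish_connecting needs as well.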
n->subnet_tree = new_subnet_tree();
n->edge_tree = new_edge_tree();
n->queue = list_alloc((list_action_t) free);
- EVP_CIPHER_CTX_init(&n->packet_ctx);
n->mtu = MTU;
n->maxmtu = MTU;
if(n->hostname)
free(n->hostname);
- if(n->key)
- free(n->key);
+ if(n->cipherkey)
+ free(n->cipherkey);
+
+ if(n->digestkey)
+ free(n->digestkey);
if(n->subnet_tree)
free_subnet_tree(n->subnet_tree);
sockaddrfree(&n->address);
- EVP_CIPHER_CTX_cleanup(&n->packet_ctx);
-
if(n->mtuevent)
event_del(n->mtuevent);
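Review bot: free_node frees the new `cipherkey`/`digestkey` buffers but the gcrypt handles `n->cipher_ctx` and `n->digest_ctx` opened with gcry_cipher_open/gcry_md_open are never closed; the old `EVP_CIPHER_CTX_cleanup` at L1792 was removed without a gcrypt counterpart, so every node that goes away leaks its cipher and MAC contexts and the key copies inside them. Add `gcry_cipher_close(n->cipher_ctx);` and `gcry_md_close(n->digest_ctx);` next to the key frees, guarding for a NULL handle if a node may never have received one. The xmalloc'd key buffers are also freed without wiping; the GCRY_CIPHER_SECURE flag protects gcrypt's own copy, not these, so clear them before free(). free_node starts before this hunk.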
for(node = node_tree->head; node; node = node->next) {
n = node->data;
- logger(LOG_DEBUG, _(" %s at %s cipher %d digest %d maclength %d compression %d options %lx status %04x nexthop %s via %s pmtu %d (min %d max %d)"),
- n->name, n->hostname, n->cipher ? n->cipher->nid : 0,
- n->digest ? n->digest->type : 0, n->maclength, n->compression,
+ logger(LOG_DEBUG, _(" %s at %s cipher %s digest %s maclength %d compression %d options %lx status %04x nexthop %s via %s pmtu %d (min %d max %d)"),
+ n->name, n->hostname, gcry_cipher_algo_name(n->cipher),
+ gcry_md_algo_name(n->digest), n->maclength, n->compression,
n->options, *(uint32_t *)&n->status, n->nexthop ? n->nexthop->name : "-",
n->via ? n->via->name : "-", n->mtu, n->minmtu, n->maxmtu);
}
#ifndef __TINC_NODE_H__
#define __TINC_NODE_H__
+#include <gcrypt.h>
+
#include "avl_tree.h"
#include "connection.h"
#include "event.h"
node_status_t status;
- const EVP_CIPHER *cipher; /* Cipher type for UDP packets */
- char *key; /* Cipher key and iv */
- int keylength; /* Cipher key and iv length */
- EVP_CIPHER_CTX packet_ctx; /* Cipher context */
+ int cipher; /* Cipher type for UDP packets */
+ char *cipherkey; /* Cipher key */
+ int cipherkeylen; /* Cipher key length */
+ int cipherblklen;
+ gcry_cipher_hd_t cipher_ctx; /* Cipher context */
- const EVP_MD *digest; /* Digest type for MAC */
+ int digest; /* Digest type for MAC */
+ char *digestkey;
+ int digestlen;
int maclength; /* Length of MAC */
+ gcry_md_hd_t digest_ctx;
int compression; /* Compressionlevel, 0 = no compression */
/* Jumptable for the request handlers */
static bool (*request_handlers[])(connection_t *) = {
- id_h, metakey_h, challenge_h, chal_reply_h, ack_h,
+ NULL, NULL, NULL, NULL, ack_h,
status_h, error_h, termreq_h,
ping_h, pong_h,
add_subnet_h, del_subnet_h,
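Review bot: The table now holds NULL for request numbers 0-3 (ID, METAKEY, CHALLENGE, CHAL_REPLY); unless receive_request already rejects entries with `!request_handlers[reqno]` alongside its range check (that code is outside this chunk), a remote peer sending `0 ...` after the TLS handshake makes the dispatcher call a null pointer and crash the daemon. Either make that check explicit in receive_request, or point the four slots at a small handler that logs and returns false, e.g. `static bool obsolete_h(connection_t *c) { return false; }`.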
/* Requests */
-extern bool send_id(struct connection_t *);
-extern bool send_metakey(struct connection_t *);
-extern bool send_challenge(struct connection_t *);
-extern bool send_chal_reply(struct connection_t *);
extern bool send_ack(struct connection_t *);
extern bool send_status(struct connection_t *, int, const char *);
extern bool send_error(struct connection_t *, int,const char *);
extern bool send_del_edge(struct connection_t *, const struct edge_t *);
extern bool send_key_changed(struct connection_t *, const struct node_t *);
extern bool send_req_key(struct connection_t *, const struct node_t *, const struct node_t *);
-extern bool send_ans_key(struct connection_t *, const struct node_t *, const struct node_t *);
+extern bool send_ans_key(struct connection_t *, const struct node_t *);
extern bool send_tcppacket(struct connection_t *, struct vpn_packet_t *);
/* Request handlers */
-extern bool id_h(struct connection_t *);
-extern bool metakey_h(struct connection_t *);
-extern bool challenge_h(struct connection_t *);
-extern bool chal_reply_h(struct connection_t *);
extern bool ack_h(struct connection_t *);
extern bool status_h(struct connection_t *);
extern bool error_h(struct connection_t *);
#include "system.h"
-#include <openssl/sha.h>
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
#include "avl_tree.h"
#include "conf.h"
#include "utils.h"
#include "xalloc.h"
-bool send_id(connection_t *c)
+bool send_ack(connection_t *c)
{
- cp();
+ char buf[MAX_STRING_SIZE];
+ size_t len;
+ gnutls_x509_crt cert;
+ const gnutls_datum *cert_list;
+ int cert_list_size = 0, result;
+ char *p, *name;
- return send_request(c, "%d %s %d", ID, myself->connection->name,
- myself->connection->protocol_version);
-}
+ cert_list = gnutls_certificate_get_peers(c->session, &cert_list_size);
-bool id_h(connection_t *c)
-{
- char name[MAX_STRING_SIZE];
+ if (!cert_list || !cert_list_size) {
+ logger(LOG_ERR, _("No certificates from %s"), c->hostname);
+ return false;
+ }
- cp();
+ len = sizeof buf;
+ gnutls_x509_crt_init(&cert);
+ result = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER)
+ ?: gnutls_x509_crt_get_dn(cert, buf, &len);
- if(sscanf(c->buffer, "%*d " MAX_STRING " %d", name, &c->protocol_version) != 2) {
- logger(LOG_ERR, _("Got bad %s from %s (%s)"), "ID", c->name,
- c->hostname);
+ if(result) {
+ logger(LOG_ERR, _("Error importing certificate from %s: %s"), c->hostname, gnutls_strerror(errno));
+ gnutls_x509_crt_deinit(cert);
return false;
}
- /* Check if identity is a valid name */
+ name = strstr(buf, "CN=");
+ if(!name) {
+ logger(LOG_ERR, _("No name in certificate from %s"), c->hostname);
+ gnutls_x509_crt_deinit(cert);
+ return false;
+ }
+ name += 3;
+ for(p = name; *p && *p != ','; p++);
+ *p = '\0';
if(!check_id(name)) {
- logger(LOG_ERR, _("Got bad %s from %s (%s): %s"), "ID", c->name,
- c->hostname, "invalid name");
+ logger(LOG_ERR, _("Invalid name from %s"), c->hostname);
return false;
}
- /* If we set c->name in advance, make sure we are connected to the right host */
-
if(c->name) {
if(strcmp(c->name, name)) {
- logger(LOG_ERR, _("Peer %s is %s instead of %s"), c->hostname, name,
- c->name);
+ logger(LOG_ERR, _("Peer %s is %s instead of %s"), c->hostname, name, c->hostname);
return false;
}
- } else
+ } else {
c->name = xstrdup(name);
-
- /* Check if version matches */
-
- if(c->protocol_version != myself->connection->protocol_version) {
- logger(LOG_ERR, _("Peer %s (%s) uses incompatible version %d"),
- c->name, c->hostname, c->protocol_version);
- return false;
}
-
- if(bypass_security) {
- if(!c->config_tree)
- init_configuration(&c->config_tree);
- c->allow_request = ACK;
- return send_ack(c);
+
+ result = gnutls_certificate_verify_peers(c->session);
+
+ if(result) {
+ if(result & GNUTLS_CERT_INVALID)
+ logger(LOG_ERR, _("Certificate from %s (%s) invalid"), c->name, c->hostname);
+ if(result & GNUTLS_CERT_REVOKED)
+ logger(LOG_ERR, _("Certificate from %s (%s) revoked"), c->name, c->hostname);
+ if(result & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ logger(LOG_ERR, _("Certificate from %s (%s) has no known signer"), c->name, c->hostname);
+ if(result & GNUTLS_CERT_SIGNER_NOT_CA)
+ logger(LOG_ERR, _("Certificate from %s (%s) has no CA as signer"), c->name, c->hostname);
}
-
+
if(!c->config_tree) {
init_configuration(&c->config_tree);
}
}
- if(!read_rsa_public_key(c)) {
- return false;
- }
-
- c->allow_request = METAKEY;
-
- return send_metakey(c);
-}
-
-bool send_metakey(connection_t *c)
-{
- char buffer[MAX_STRING_SIZE];
- int len;
- bool x;
-
- cp();
-
- len = RSA_size(c->rsa_key);
-
- /* Allocate buffers for the meta key */
-
- if(!c->outkey)
- c->outkey = xmalloc(len);
-
- if(!c->outctx)
- c->outctx = xmalloc_and_zero(sizeof(*c->outctx));
- cp();
- /* Copy random data to the buffer */
-
- RAND_pseudo_bytes(c->outkey, len);
-
- /* The message we send must be smaller than the modulus of the RSA key.
- By definition, for a key of k bits, the following formula holds:
-
- 2^(k-1) <= modulus < 2^(k)
-
- Where ^ means "to the power of", not "xor".
- This means that to be sure, we must choose our message < 2^(k-1).
- This can be done by setting the most significant bit to zero.
- */
-
- c->outkey[0] &= 0x7F;
-
- ifdebug(SCARY_THINGS) {
- bin2hex(c->outkey, buffer, len);
- buffer[len * 2] = '\0';
- logger(LOG_DEBUG, _("Generated random meta key (unencrypted): %s"),
- buffer);
- }
-
- /* Encrypt the random data
-
- We do not use one of the PKCS padding schemes here.
- This is allowed, because we encrypt a totally random string
- with a length equal to that of the modulus of the RSA key.
- */
-
- if(RSA_public_encrypt(len, c->outkey, buffer, c->rsa_key, RSA_NO_PADDING) != len) {
- logger(LOG_ERR, _("Error during encryption of meta key for %s (%s)"),
- c->name, c->hostname);
- return false;
- }
-
- /* Convert the encrypted random data to a hexadecimal formatted string */
-
- bin2hex(buffer, buffer, len);
- buffer[len * 2] = '\0';
-
- /* Send the meta key */
-
- x = send_request(c, "%d %d %d %d %d %s", METAKEY,
- c->outcipher ? c->outcipher->nid : 0,
- c->outdigest ? c->outdigest->type : 0, c->outmaclength,
- c->outcompression, buffer);
-
- /* Further outgoing requests are encrypted with the key we just generated */
-
- if(c->outcipher) {
- if(!EVP_EncryptInit(c->outctx, c->outcipher,
- c->outkey + len - c->outcipher->key_len,
- c->outkey + len - c->outcipher->key_len -
- c->outcipher->iv_len)) {
- logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"),
- c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
- return false;
- }
-
- c->status.encryptout = true;
- }
-
- return x;
-}
-
-bool metakey_h(connection_t *c)
-{
- char buffer[MAX_STRING_SIZE];
- int cipher, digest, maclength, compression;
- int len;
-
- cp();
-
- if(sscanf(c->buffer, "%*d %d %d %d %d " MAX_STRING, &cipher, &digest, &maclength, &compression, buffer) != 5) {
- logger(LOG_ERR, _("Got bad %s from %s (%s)"), "METAKEY", c->name,
- c->hostname);
- return false;
- }
-
- len = RSA_size(myself->connection->rsa_key);
-
- /* Check if the length of the meta key is all right */
-
- if(strlen(buffer) != len * 2) {
- logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, c->hostname, "wrong keylength");
- return false;
- }
-
- /* Allocate buffers for the meta key */
-
- if(!c->inkey)
- c->inkey = xmalloc(len);
-
- if(!c->inctx)
- c->inctx = xmalloc_and_zero(sizeof(*c->inctx));
-
- /* Convert the challenge from hexadecimal back to binary */
-
- hex2bin(buffer, buffer, len);
-
- /* Decrypt the meta key */
-
- if(RSA_private_decrypt(len, buffer, c->inkey, myself->connection->rsa_key, RSA_NO_PADDING) != len) { /* See challenge() */
- logger(LOG_ERR, _("Error during encryption of meta key for %s (%s)"),
- c->name, c->hostname);
- return false;
- }
-
- ifdebug(SCARY_THINGS) {
- bin2hex(c->inkey, buffer, len);
- buffer[len * 2] = '\0';
- logger(LOG_DEBUG, _("Received random meta key (unencrypted): %s"), buffer);
- }
-
- /* All incoming requests will now be encrypted. */
-
- /* Check and lookup cipher and digest algorithms */
-
- if(cipher) {
- c->incipher = EVP_get_cipherbynid(cipher);
-
- if(!c->incipher) {
- logger(LOG_ERR, _("%s (%s) uses unknown cipher!"), c->name, c->hostname);
- return false;
- }
-
- if(!EVP_DecryptInit(c->inctx, c->incipher,
- c->inkey + len - c->incipher->key_len,
- c->inkey + len - c->incipher->key_len -
- c->incipher->iv_len)) {
- logger(LOG_ERR, _("Error during initialisation of cipher from %s (%s): %s"),
- c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
- return false;
- }
-
- c->status.decryptin = true;
- } else {
- c->incipher = NULL;
- }
-
- c->inmaclength = maclength;
-
- if(digest) {
- c->indigest = EVP_get_digestbynid(digest);
-
- if(!c->indigest) {
- logger(LOG_ERR, _("Node %s (%s) uses unknown digest!"), c->name, c->hostname);
- return false;
- }
-
- if(c->inmaclength > c->indigest->md_size || c->inmaclength < 0) {
- logger(LOG_ERR, _("%s (%s) uses bogus MAC length!"), c->name, c->hostname);
- return false;
- }
- } else {
- c->indigest = NULL;
- }
-
- c->incompression = compression;
-
- c->allow_request = CHALLENGE;
-
- return send_challenge(c);
-}
-
-bool send_challenge(connection_t *c)
-{
- char buffer[MAX_STRING_SIZE];
- int len;
-
- cp();
-
- /* CHECKME: what is most reasonable value for len? */
-
- len = RSA_size(c->rsa_key);
-
- /* Allocate buffers for the challenge */
-
- if(!c->hischallenge)
- c->hischallenge = xmalloc(len);
-
- /* Copy random data to the buffer */
-
- RAND_pseudo_bytes(c->hischallenge, len);
-
- /* Convert to hex */
-
- bin2hex(c->hischallenge, buffer, len);
- buffer[len * 2] = '\0';
-
- /* Send the challenge */
-
- return send_request(c, "%d %s", CHALLENGE, buffer);
-}
-
-bool challenge_h(connection_t *c)
-{
- char buffer[MAX_STRING_SIZE];
- int len;
-
- cp();
-
- if(sscanf(c->buffer, "%*d " MAX_STRING, buffer) != 1) {
- logger(LOG_ERR, _("Got bad %s from %s (%s)"), "CHALLENGE", c->name,
- c->hostname);
- return false;
- }
-
- len = RSA_size(myself->connection->rsa_key);
-
- /* Check if the length of the challenge is all right */
-
- if(strlen(buffer) != len * 2) {
- logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name,
- c->hostname, "wrong challenge length");
- return false;
- }
-
- /* Allocate buffers for the challenge */
-
- if(!c->mychallenge)
- c->mychallenge = xmalloc(len);
-
- /* Convert the challenge from hexadecimal back to binary */
-
- hex2bin(buffer, c->mychallenge, len);
-
- c->allow_request = CHAL_REPLY;
-
- /* Rest is done by send_chal_reply() */
-
- return send_chal_reply(c);
-}
-
-bool send_chal_reply(connection_t *c)
-{
- char hash[EVP_MAX_MD_SIZE * 2 + 1];
- EVP_MD_CTX ctx;
-
- cp();
-
- /* Calculate the hash from the challenge we received */
-
- if(!EVP_DigestInit(&ctx, c->indigest)
- || !EVP_DigestUpdate(&ctx, c->mychallenge, RSA_size(myself->connection->rsa_key))
- || !EVP_DigestFinal(&ctx, hash, NULL)) {
- logger(LOG_ERR, _("Error during calculation of response for %s (%s): %s"),
- c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
- return false;
- }
-
- /* Convert the hash to a hexadecimal formatted string */
-
- bin2hex(hash, hash, c->indigest->md_size);
- hash[c->indigest->md_size * 2] = '\0';
-
- /* Send the reply */
-
- return send_request(c, "%d %s", CHAL_REPLY, hash);
-}
-
-bool chal_reply_h(connection_t *c)
-{
- char hishash[MAX_STRING_SIZE];
- char myhash[EVP_MAX_MD_SIZE];
- EVP_MD_CTX ctx;
-
- cp();
-
- if(sscanf(c->buffer, "%*d " MAX_STRING, hishash) != 1) {
- logger(LOG_ERR, _("Got bad %s from %s (%s)"), "CHAL_REPLY", c->name,
- c->hostname);
- return false;
- }
-
- /* Check if the length of the hash is all right */
-
- if(strlen(hishash) != c->outdigest->md_size * 2) {
- logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name,
- c->hostname, _("wrong challenge reply length"));
- return false;
- }
-
- /* Convert the hash to binary format */
-
- hex2bin(hishash, hishash, c->outdigest->md_size);
-
- /* Calculate the hash from the challenge we sent */
-
- if(!EVP_DigestInit(&ctx, c->outdigest)
- || !EVP_DigestUpdate(&ctx, c->hischallenge, RSA_size(c->rsa_key))
- || !EVP_DigestFinal(&ctx, myhash, NULL)) {
- logger(LOG_ERR, _("Error during calculation of response from %s (%s): %s"),
- c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
- return false;
- }
-
- /* Verify the incoming hash with the calculated hash */
-
- if(memcmp(hishash, myhash, c->outdigest->md_size)) {
- logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name,
- c->hostname, _("wrong challenge reply"));
-
- ifdebug(SCARY_THINGS) {
- bin2hex(myhash, hishash, SHA_DIGEST_LENGTH);
- hishash[SHA_DIGEST_LENGTH * 2] = '\0';
- logger(LOG_DEBUG, _("Expected challenge reply: %s"), hishash);
- }
-
- return false;
- }
-
- /* Identity has now been positively verified.
- Send an acknowledgement with the rest of the information needed.
- */
-
- c->allow_request = ACK;
-
- return send_ack(c);
-}
-
-bool send_ack(connection_t *c)
-{
/* ACK message contains rest of the information the other end needs
to create node_t and edge_t structures. */
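Review bot: The result of `gnutls_certificate_verify_peers` is only logged: after the flag checks the code falls through to the config-tree setup and, presumably in the part of send_ack past this hunk, goes on to acknowledge the peer, so an invalid, revoked or unknown-signer certificate still authenticates, and a negative return (an error code, not a status mask) is misread as flags. Each failing branch needs `gnutls_x509_crt_deinit(cert); return false;`, and `result < 0` must be rejected before the bitmask tests, as below. Two smaller defects in the same hunk: `gnutls_strerror(errno)` on the import-error line should be `gnutls_strerror(result)`, since GnuTLS does not set errno, and the name-mismatch logger passes `c->hostname` twice where the last argument should be `c->name`. The `cert` handle is also leaked on the check_id failure, name-mismatch and success paths, and extracting the name with `strstr(buf, "CN=")` plus a scan to the next comma mis-parses a CN containing an escaped comma or a DN whose other values contain "CN="; `gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, buf, &len)` returns the attribute directly. send_ack's body continues past the end of the hunk.
```c
	result = gnutls_certificate_verify_peers(c->session);

	if(result < 0) {
		logger(LOG_ERR, _("Error verifying certificate from %s (%s): %s"), c->name, c->hostname, gnutls_strerror(result));
		gnutls_x509_crt_deinit(cert);
		return false;
	}

	if(result) {
		/* … unchanged: the four GNUTLS_CERT_* flag loggers … */
		gnutls_x509_crt_deinit(cert);
		return false;
	}

	gnutls_x509_crt_deinit(cert);
```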
mykeyused = true;
from->received_seqno = 0;
memset(from->late, 0, sizeof(from->late));
- send_ans_key(c, myself, from);
+ send_ans_key(c, from);
} else {
if(tunnelserver)
return false;
return true;
}
-bool send_ans_key(connection_t *c, const node_t *from, const node_t *to)
+bool send_ans_key(connection_t *c, const node_t *to)
{
- char key[MAX_STRING_SIZE];
+ char cipherkey[myself->cipherkeylen * 2 + 1];
+ char digestkey[myself->digestlen * 2 + 1];
cp();
- bin2hex(from->key, key, from->keylength);
- key[from->keylength * 2] = '\0';
+ bin2hex(myself->cipherkey, cipherkey, myself->cipherkeylen);
+ cipherkey[myself->cipherkeylen * 2] = '\0';
- return send_request(c, "%d %s %s %s %d %d %d %d", ANS_KEY,
- from->name, to->name, key,
- from->cipher ? from->cipher->nid : 0,
- from->digest ? from->digest->type : 0, from->maclength,
- from->compression);
+ bin2hex(myself->digestkey, digestkey, myself->digestlen);
+ digestkey[myself->digestlen * 2] = '\0';
+
+ return send_request(c, "%d %s %s %s %s %d %d %d %d", ANS_KEY,
+ myself->name, to->name, cipherkey, digestkey,
+ myself->cipher,
+ myself->digest, myself->maclength,
+ myself->compression);
}
bool ans_key_h(connection_t *c)
{
char from_name[MAX_STRING_SIZE];
char to_name[MAX_STRING_SIZE];
- char key[MAX_STRING_SIZE];
+ char cipherkey[MAX_STRING_SIZE];
+ char digestkey[MAX_STRING_SIZE];
int cipher, digest, maclength, compression;
node_t *from, *to;
cp();
- if(sscanf(c->buffer, "%*d "MAX_STRING" "MAX_STRING" "MAX_STRING" %d %d %d %d",
- from_name, to_name, key, &cipher, &digest, &maclength,
- &compression) != 7) {
+ if(sscanf(c->buffer, "%*d "MAX_STRING" "MAX_STRING" "MAX_STRING" "MAX_STRING" %d %d %d %d",
+ from_name, to_name, cipherkey, digestkey, &cipher, &digest, &maclength, &compression) != 8) {
logger(LOG_ERR, _("Got bad %s from %s (%s)"), "ANS_KEY", c->name,
c->hostname);
return false;
return send_request(to->nexthop->connection, "%s", c->buffer);
}
- /* Update our copy of the origin's packet key */
-
- if(from->key)
- free(from->key);
-
- from->key = xstrdup(key);
- from->keylength = strlen(key) / 2;
- hex2bin(from->key, from->key, from->keylength);
- from->key[from->keylength] = '\0';
-
- from->status.validkey = true;
- from->status.waitingforkey = false;
- from->sent_seqno = 0;
-
/* Check and lookup cipher and digest algorithms */
if(cipher) {
- from->cipher = EVP_get_cipherbynid(cipher);
-
- if(!from->cipher) {
+ from->cipher = cipher;
+ if(!*gcry_cipher_algo_name(from->cipher)) {
logger(LOG_ERR, _("Node %s (%s) uses unknown cipher!"), from->name,
from->hostname);
return false;
}
- if(from->keylength != from->cipher->key_len + from->cipher->iv_len) {
- logger(LOG_ERR, _("Node %s (%s) uses wrong keylength!"), from->name,
- from->hostname);
- return false;
- }
+ from->cipherblklen = gcry_cipher_get_algo_blklen(from->cipher);
} else {
- from->cipher = NULL;
+ from->cipher = GCRY_CIPHER_NONE;
}
from->maclength = maclength;
if(digest) {
- from->digest = EVP_get_digestbynid(digest);
+ from->digest = digest;
- if(!from->digest) {
+ if(!*gcry_md_algo_name(from->digest)) {
logger(LOG_ERR, _("Node %s (%s) uses unknown digest!"), from->name,
from->hostname);
return false;
}
- if(from->maclength > from->digest->md_size || from->maclength < 0) {
+ from->digestlen = gcry_md_get_algo_dlen(from->digest);
+
+ if(from->maclength > from->digestlen || from->maclength < 0) {
logger(LOG_ERR, _("Node %s (%s) uses bogus MAC length!"),
from->name, from->hostname);
return false;
}
} else {
- from->digest = NULL;
+ from->digest = GCRY_MD_NONE;
}
if(compression < 0 || compression > 11) {
from->compression = compression;
- if(from->cipher)
- if(!EVP_EncryptInit_ex(&from->packet_ctx, from->cipher, NULL, from->key, from->key + from->cipher->key_len)) {
+ /* Update our copy of the origin's packet key */
+
+ if(from->cipherkey)
+ free(from->cipherkey);
+
+ from->cipherkeylen = strlen(cipherkey) / 2;
+ from->cipherkey = xmalloc(from->cipherkeylen);
+ hex2bin(cipherkey, from->cipherkey, from->cipherkeylen);
+
+ if(from->cipherkeylen != gcry_cipher_get_algo_keylen(from->cipher)) {
+ logger(LOG_ERR, _("Node %s (%s) uses wrong keylength %d instead of %d!"), from->name,
+ from->hostname, from->cipherkeylen, gcry_cipher_get_algo_keylen(from->cipher) );
+ return false;
+ }
+
+ if(from->digestkey)
+ free(from->digestkey);
+
+ from->digestlen = strlen(digestkey) / 2;
+ from->digestkey = xmalloc(from->digestlen);
+ hex2bin(digestkey, from->digestkey, from->digestlen);
+
+ if(from->cipher) {
+ int result;
+ result = gcry_cipher_open(&from->cipher_ctx, from->cipher, GCRY_CIPHER_MODE_CBC, GCRY_CIPHER_SECURE);
+ gcry_cipher_setkey(from->cipher_ctx, from->cipherkey, from->cipherkeylen);
+ if(result) {
+ logger(LOG_ERR, _("Error during initialisation of key from %s (%s): %s"),
+ from->name, from->hostname, gcry_strerror(result));
+ return false;
+ }
+ }
+
+ if(from->digest) {
+ int result;
+ result = gcry_md_open(&from->digest_ctx, from->digest, GCRY_MD_FLAG_SECURE | GCRY_MD_FLAG_HMAC);
+ gcry_md_setkey(from->digest_ctx, from->digestkey, from->digestlen);
+ if(result) {
logger(LOG_ERR, _("Error during initialisation of key from %s (%s): %s"),
- from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL));
+ from->name, from->hostname, gcry_strerror(result));
return false;
}
+ }
+
+ from->status.validkey = true;
+ from->status.waitingforkey = false;
+ from->sent_seqno = 0;
if(from->options & OPTION_PMTU_DISCOVERY && !from->mtuprobes)
send_mtu_probe(from);
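Review bot: The unknown-algorithm checks `!*gcry_cipher_algo_name(from->cipher)` and `!*gcry_md_algo_name(from->digest)` never fire, because libgcrypt returns the string "?" rather than "" for an unknown id, so an arbitrary cipher or digest number from the peer passes and the later `gcry_cipher_get_algo_keylen` comparison is the only thing standing between it and `gcry_cipher_open`; use `gcry_cipher_test_algo(from->cipher)` and `gcry_md_test_algo(from->digest)`, which return 0 only for a usable algorithm. In the key-installation block `gcry_cipher_setkey` is called before `result` from `gcry_cipher_open` is tested and its own return value is dropped, and the same holds for `gcry_md_setkey`; the setkey call belongs after the open check with its result checked, as below. Nothing closes the previous `from->cipher_ctx` / `from->digest_ctx` before a new one is opened, so every re-key leaks a secure-memory handle. Finally `from->digestlen` is first set from `gcry_md_get_algo_dlen` and used for the maclength bound, then overwritten with `strlen(digestkey) / 2`, which is the HMAC key length and a different quantity; the key length should get its own field (e.g. `digestkeylen`) and the MAC-length check should keep using the digest output size. ans_key_h continues past the end of the hunk.
```c
	if(from->cipher) {
		int result;

		if(from->cipher_ctx)
			gcry_cipher_close(from->cipher_ctx);

		result = gcry_cipher_open(&from->cipher_ctx, from->cipher, GCRY_CIPHER_MODE_CBC, GCRY_CIPHER_SECURE);
		if(!result)
			result = gcry_cipher_setkey(from->cipher_ctx, from->cipherkey, from->cipherkeylen);

		if(result) {
			logger(LOG_ERR, _("Error during initialisation of key from %s (%s): %s"),
				   from->name, from->hostname, gcry_strerror(result));
			gcry_cipher_close(from->cipher_ctx);
			from->cipher_ctx = NULL;
			return false;
		}
	}

	/* … same shape for from->digest: gcry_md_close, gcry_md_open, then gcry_md_setkey checked … */
```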
#include <sys/mman.h>
#endif
-#include <openssl/rand.h>
-#include <openssl/rsa.h>
-#include <openssl/pem.h>
-#include <openssl/evp.h>
+#include <gnutls/gnutls.h>
#include <lzo1x.h>
*/
static bool keygen(int bits)
{
+ fprintf(stderr, _("Use certtool!\n"));
+ return false;
+
+#if 0
RSA *rsa_key;
FILE *f;
char *name = NULL;
free(filename);
return true;
+#endif
}
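Review bot: Wrapping the old RSA body in `#if 0` leaves a large block of dead OpenSSL code that no longer compiles against the headers this commit includes and will rot silently; delete it and keep the two-line stub, or at least add `/* TODO: replace with gnutls_x509_privkey generation; see certtool */` above the `#if 0` so the intent is recorded. The `bits` parameter is now unused and will warn under `-Wextra`; `(void)bits;` or dropping it from the signature (adjusting the caller) resolves that.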
/*
{
logger(LOG_ERR, _("mlockall() not supported on this platform!"));
#endif
- return -1;
+ return 1;
}
g_argv = argv;
/* Slllluuuuuuurrrrp! */
- RAND_load_file("/dev/urandom", 1024);
-
- OpenSSL_add_all_algorithms();
+ gnutls_global_init();
if(generate_keys) {
read_server_config();
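Review bot: `gnutls_global_init()` returns an error code and its result is discarded, so a failed library initialisation is only noticed when the first session call fails later with a less useful message; check it with `if(gnutls_global_init()) { fprintf(stderr, _("GnuTLS initialisation failed\n")); return 1; }` (or via logger, if it is already set up at this point, which the hunk does not show). The dropped `RAND_load_file` seeding is fine to remove as GnuTLS manages its own RNG, but a short comment saying so would stop the next reader from re-adding it.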