From 5871d08a3a519dbc54261c8a18e649ec9cc8bd7f Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Sat, 26 Apr 2014 23:22:12 +0200 Subject: Make on-verify support optional --- src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c | 2 + src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.h | 3 + src/protocols/ec25519_fhmqvc/handshake.c | 92 +++++++++++++++------------ 3 files changed, 56 insertions(+), 41 deletions(-) (limited to 'src/protocols') diff --git a/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c b/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c index 777e731..eca1cd1 100644 --- a/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c +++ b/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c @@ -205,7 +205,9 @@ const fastd_protocol_t fastd_protocol_ec25519_fhmqvc = { .handshake_init = fastd_protocol_ec25519_fhmqvc_handshake_init, .handshake_handle = fastd_protocol_ec25519_fhmqvc_handshake_handle, +#ifdef WITH_VERIFY .handle_verify_return = fastd_protocol_ec25519_fhmqvc_handle_verify_return, +#endif .handle_recv = protocol_handle_recv, .send = protocol_send, diff --git a/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.h b/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.h index c301822..6dcc149 100644 --- a/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.h +++ b/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.h @@ -90,7 +90,10 @@ void fastd_protocol_ec25519_fhmqvc_free_peer_state(fastd_peer_t *peer); void fastd_protocol_ec25519_fhmqvc_handshake_init(fastd_socket_t *sock, const fastd_peer_address_t *local_addr, const fastd_peer_address_t *remote_addr, fastd_peer_t *peer); void fastd_protocol_ec25519_fhmqvc_handshake_handle(fastd_socket_t *sock, const fastd_peer_address_t *local_addr, const fastd_peer_address_t *remote_addr, fastd_peer_t *peer, const fastd_handshake_t *handshake, const fastd_method_info_t *method); + +#ifdef WITH_VERIFY void fastd_protocol_ec25519_fhmqvc_handle_verify_return(fastd_peer_t *peer, fastd_socket_t *sock, const fastd_peer_address_t *local_addr, const fastd_peer_address_t *remote_addr, const fastd_method_info_t *method, const void *protocol_data, bool ok); +#endif void fastd_protocol_ec25519_fhmqvc_send_empty(fastd_peer_t *peer, protocol_session_t *session); diff --git a/src/protocols/ec25519_fhmqvc/handshake.c b/src/protocols/ec25519_fhmqvc/handshake.c index 237732d..725a827 100644 --- a/src/protocols/ec25519_fhmqvc/handshake.c +++ b/src/protocols/ec25519_fhmqvc/handshake.c @@ -474,6 +474,26 @@ bool fastd_protocol_ec25519_fhmqvc_peer_check(fastd_peer_config_t *peer_conf) { return true; } +void fastd_protocol_ec25519_fhmqvc_handshake_init(fastd_socket_t *sock, const fastd_peer_address_t *local_addr, const fastd_peer_address_t *remote_addr, fastd_peer_t *peer) { + fastd_protocol_ec25519_fhmqvc_maintenance(); + + fastd_buffer_t buffer = fastd_handshake_new_init(3*(4+PUBLICKEYBYTES) /* sender key, receipient key, handshake key */); + + fastd_handshake_add(&buffer, RECORD_SENDER_KEY, PUBLICKEYBYTES, &conf.protocol_config->key.public); + + if (peer) + fastd_handshake_add(&buffer, RECORD_RECEIPIENT_KEY, PUBLICKEYBYTES, &peer->protocol_config->public_key); + else + pr_debug("sending handshake to unknown peer %I", remote_addr); + + fastd_handshake_add(&buffer, RECORD_SENDER_HANDSHAKE_KEY, PUBLICKEYBYTES, &ctx.protocol_state->handshake_key.key.public); + + if (!peer || !fastd_peer_is_established(peer)) + fastd_peer_exec_shell_command(&conf.on_connect, peer, (local_addr && local_addr->sa.sa_family) ? local_addr : sock->bound_addr, remote_addr); + + fastd_send_handshake(sock, local_addr, remote_addr, peer, buffer); +} + bool fastd_protocol_ec25519_fhmqvc_peer_check_temporary(fastd_peer_t *peer) { if (key_count(peer->protocol_config->public_key.u8)) { char buf[65]; @@ -485,12 +505,15 @@ bool fastd_protocol_ec25519_fhmqvc_peer_check_temporary(fastd_peer_t *peer) { return true; } -static inline bool allow_unknown(void) { - return fastd_shell_command_isset(&conf.on_verify); -} + +#ifdef WITH_VERIFY + +typedef struct verify_data { + aligned_int256_t peer_handshake_key; +} verify_data_t; static fastd_peer_t * add_temporary(fastd_socket_t *sock, const fastd_peer_address_t *addr, const unsigned char key[PUBLICKEYBYTES]) { - if (!allow_unknown()) { + if (!fastd_allow_verify()) { pr_debug("ignoring handshake from %I (unknown key)", addr); return NULL; } @@ -517,31 +540,6 @@ static fastd_peer_t * add_temporary(fastd_socket_t *sock, const fastd_peer_addre return peer; } - -void fastd_protocol_ec25519_fhmqvc_handshake_init(fastd_socket_t *sock, const fastd_peer_address_t *local_addr, const fastd_peer_address_t *remote_addr, fastd_peer_t *peer) { - fastd_protocol_ec25519_fhmqvc_maintenance(); - - fastd_buffer_t buffer = fastd_handshake_new_init(3*(4+PUBLICKEYBYTES) /* sender key, receipient key, handshake key */); - - fastd_handshake_add(&buffer, RECORD_SENDER_KEY, PUBLICKEYBYTES, &conf.protocol_config->key.public); - - if (peer) - fastd_handshake_add(&buffer, RECORD_RECEIPIENT_KEY, PUBLICKEYBYTES, &peer->protocol_config->public_key); - else - pr_debug("sending handshake to unknown peer %I", remote_addr); - - fastd_handshake_add(&buffer, RECORD_SENDER_HANDSHAKE_KEY, PUBLICKEYBYTES, &ctx.protocol_state->handshake_key.key.public); - - if (!peer || !fastd_peer_is_established(peer)) - fastd_peer_exec_shell_command(&conf.on_connect, peer, (local_addr && local_addr->sa.sa_family) ? local_addr : sock->bound_addr, remote_addr); - - fastd_send_handshake(sock, local_addr, remote_addr, peer, buffer); -} - -typedef struct verify_data { - aligned_int256_t peer_handshake_key; -} verify_data_t; - static bool handle_temporary(fastd_socket_t *sock, const fastd_peer_address_t *local_addr, const fastd_peer_address_t *remote_addr, fastd_peer_t *peer, const fastd_handshake_t *handshake, const fastd_method_info_t *method) { if (handshake->type != 1 || !fastd_timed_out(&peer->verify_timeout)) @@ -566,6 +564,28 @@ static bool handle_temporary(fastd_socket_t *sock, const fastd_peer_address_t *l return true; } +void fastd_protocol_ec25519_fhmqvc_handle_verify_return(fastd_peer_t *peer, fastd_socket_t *sock, const fastd_peer_address_t *local_addr, const fastd_peer_address_t *remote_addr, + const fastd_method_info_t *method, const void *protocol_data, bool ok) { + if (!ok) + return; + + const verify_data_t *data = protocol_data; + + peer->last_handshake_response_timeout = fastd_in_seconds(conf.min_handshake_interval); + peer->last_handshake_response_address = *remote_addr; + respond_handshake(sock, local_addr, remote_addr, peer, &data->peer_handshake_key, method); +} + +#else + +static inline fastd_peer_t * add_temporary(fastd_socket_t *sock UNUSED, const fastd_peer_address_t *addr, const unsigned char key[PUBLICKEYBYTES] UNUSED) { + pr_debug("ignoring handshake from %I (unknown key)", addr); + return NULL; +} + +#endif /* WITH_VERIFY */ + + void fastd_protocol_ec25519_fhmqvc_handshake_handle(fastd_socket_t *sock, const fastd_peer_address_t *local_addr, const fastd_peer_address_t *remote_addr, fastd_peer_t *peer, const fastd_handshake_t *handshake, const fastd_method_info_t *method) { fastd_protocol_ec25519_fhmqvc_maintenance(); @@ -616,10 +636,12 @@ void fastd_protocol_ec25519_fhmqvc_handshake_handle(fastd_socket_t *sock, const } } +#ifdef WITH_VERIFY if (fastd_peer_is_temporary(peer)) { if (!handle_temporary(sock, local_addr, remote_addr, peer, handshake, method)) return; } +#endif aligned_int256_t peer_handshake_key; memcpy(&peer_handshake_key, handshake->records[RECORD_SENDER_HANDSHAKE_KEY].data, PUBLICKEYBYTES); @@ -687,15 +709,3 @@ void fastd_protocol_ec25519_fhmqvc_handshake_handle(fastd_socket_t *sock, const pr_debug("received handshake reply with unknown type %u from %P[%I]", handshake->type, peer, remote_addr); } } - -void fastd_protocol_ec25519_fhmqvc_handle_verify_return(fastd_peer_t *peer, fastd_socket_t *sock, const fastd_peer_address_t *local_addr, const fastd_peer_address_t *remote_addr, - const fastd_method_info_t *method, const void *protocol_data, bool ok) { - if (!ok) - return; - - const verify_data_t *data = protocol_data; - - peer->last_handshake_response_timeout = fastd_in_seconds(conf.min_handshake_interval); - peer->last_handshake_response_address = *remote_addr; - respond_handshake(sock, local_addr, remote_addr, peer, &data->peer_handshake_key, method); -} -- cgit v1.2.3