author | Adam Ierymenko <adam.ierymenko@gmail.com> | 2013-07-17 17:35:19 -0400 |
---|---|---|
committer | Adam Ierymenko <adam.ierymenko@gmail.com> | 2013-07-17 17:35:19 -0400 |
commit | 1fce55fab10260ae942cc46c6fee15d71a1403c2 (patch) | |
tree | dc74d725ab40bbd123b34581b9d8d7ccb69dda78 | |
parent | 2e85cf18c19ce86363de636ff30827fe232aa80b (diff) | |
Add an echoed 32-bit token field to command packets.
-rw-r--r-- | node/NodeConfig.cpp | 17 | ||||
-rw-r--r-- | node/NodeConfig.hpp | 16 |
2 files changed, 25 insertions, 8 deletions
diff --git a/node/NodeConfig.cpp b/node/NodeConfig.cpp
index f05fb97e..0daa9ebe 100644
--- a/node/NodeConfig.cpp
+++ b/node/NodeConfig.cpp
@@ -156,30 +156,30 @@ void NodeConfig::_CBcontrolPacketHandler(UdpSocket *sock,void *arg,const InetAdd
 try {
 // Minimum length
- if (len < 24)
+ if (len < 28)
 return;
- if (len >= sizeof(buf)) // only up to len - 24 bytes are used on receive/decrypt
+ if (len >= sizeof(buf)) // only up to len - 28 bytes are used on receive/decrypt
 return;
 // Compare first 16 bytes of HMAC, which is after IV in packet
 memcpy(hmacKey,nc->_keys + 32,32);
 *((uint64_t *)hmacKey) ^= *((const uint64_t *)data); // include IV in HMAC
- HMAC::sha256(hmacKey,32,((const unsigned char *)data) + 24,len - 24,hmac);
+ HMAC::sha256(hmacKey,32,((const unsigned char *)data) + 28,len - 28,hmac);
 if (memcmp(hmac,((const unsigned char *)data) + 8,16))
 return;
 // Decrypt payload if we passed HMAC
 Salsa20 s20(nc->_keys,256,data); // first 64 bits of data are IV
- s20.decrypt(((const unsigned char *)data) + 24,buf,len - 24);
+ s20.decrypt(((const unsigned char *)data) + 28,buf,len - 28);
 // Null-terminate string for execute()
- buf[len - 24] = (char)0;
+ buf[len - 28] = (char)0;
 // Execute command
 std::vector<std::string> r(nc->execute(buf));
 // Result packet contains a series of null-terminated results
- unsigned int resultLen = 24;
+ unsigned int resultLen = 28;
 for(std::vector<std::string>::iterator i(r.begin());i!=r.end();++i) {
 if ((resultLen + i->length() + 1) >= sizeof(buf))
 return; // result too long
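Review bot: The new 4-byte tag at offset 24 is excluded from both the HMAC input and the decrypted range (`((const unsigned char *)data) + 28,len - 28` on the `HMAC::sha256` and `s20.decrypt` calls), so it travels in the clear and an altered tag still passes the `memcmp` check on the received packet. If the requester relies on the echoed tag to match responses to requests, the tag can only be trusted if it is authenticated: compute the HMAC over `((const unsigned char *)data) + 24,len - 24` while leaving the decrypt at `+ 28`, and in the next hunk move the `memcpy(buf + 24,...)` above the `HMAC::sha256` call and use `buf + 24,resultLen - 24` there as well (both sides must change together or every packet fails verification). If the tag is intentionally outside the MAC, a comment next to the length check, `// bytes 24-27 (tag) are neither encrypted nor covered by the HMAC`, would save the next reader the same question. `_CBcontrolPacketHandler` begins before this hunk and continues past it.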
@@ -193,9 +193,12 @@ void NodeConfig::_CBcontrolPacketHandler(UdpSocket *sock,void *arg,const InetAdd
 // Generate result packet HMAC
 memcpy(hmacKey,nc->_keys + 32,32);
 *((uint64_t *)hmacKey) ^= *((const uint64_t *)buf); // include IV in HMAC
- HMAC::sha256(hmacKey,32,((const unsigned char *)buf) + 24,resultLen - 24,hmac);
+ HMAC::sha256(hmacKey,32,((const unsigned char *)buf) + 28,resultLen - 28,hmac);
 memcpy(buf + 8,hmac,16);
+ // Copy arbitrary tag from original packet
+ memcpy(buf + 24,((const unsigned char *)data) + 24,4);
+
 // Send encrypted result back to requester
 sock->send(remoteAddr,buf,resultLen,-1);
 } catch ( ... ) {
diff --git a/node/NodeConfig.hpp b/node/NodeConfig.hpp
index bb24d815..66c99448 100644
--- a/node/NodeConfig.hpp
+++ b/node/NodeConfig.hpp
@@ -33,6 +33,7 @@
 #include <string>
 #include <vector>
 #include <stdexcept>
+ #include <stdint.h>
 #include "SharedPtr.hpp"
 #include "Network.hpp"
@@ -45,7 +46,20 @@ namespace ZeroTier {
 class RuntimeEnvironment;
 /**
- * Node configuration holder and fetcher
+ * Node configuration endpoint
+ *
+ * Packet format for local UDP configuration packets:
+ * [8] random initialization vector
+ * [16] first 16 bytes of HMAC-SHA-256 of payload
+ * [4] arbitrary tag, echoed in response
+ * [...] payload
+ *
+ * For requests, the payload consists of a single ASCII command. For
+ * responses, the payload consists of one or more response lines delimited
+ * by NULL (0) characters. The tag field is replicated in the result
+ * packet.
+ *
+ * TODO: further document use of keys, encryption...
 */
 class NodeConfig
 {
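Review bot: The new packet-format comment in NodeConfig.hpp lists the tag field but does not say that it is sent in plaintext and is not covered by the 16-byte HMAC, which is what the offsets in NodeConfig.cpp imply (HMAC and decrypt both start at byte 28); a reader of this header would reasonably assume every field after the MAC is protected. Suggest extending the `[4] arbitrary tag, echoed in response` line with `(sent in the clear, not covered by the HMAC; treat as untrusted)` or an equivalent sentence in the paragraph below it. The same paragraph could state that the minimum packet length is 28 bytes and that an empty payload is accepted, since the `len < 28` check in the .cpp permits `len == 28` and then executes an empty command string. Separately, `<cstdint>` would match the other C++ standard headers in that include block, though `<stdint.h>` works.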