… | |
… | |
43 | |
43 | |
44 | // openssl 0.9.8 compatibility |
44 | // openssl 0.9.8 compatibility |
45 | #if OPENSSL_VERSION_NUMBER < 0x10100000 |
45 | #if OPENSSL_VERSION_NUMBER < 0x10100000 |
46 | #define require101(exp) exp |
46 | #define require101(exp) exp |
47 | #else |
47 | #else |
48 | #define require101(exp) equire (exp) |
48 | #define require101(exp) require (exp) |
49 | #endif |
49 | #endif |
50 | |
50 | |
51 | #include "conf.h" |
51 | #include "conf.h" |
52 | #include "slog.h" |
52 | #include "slog.h" |
53 | #include "device.h" |
53 | #include "device.h" |
… | |
… | |
56 | #include "hkdf.h" |
56 | #include "hkdf.h" |
57 | |
57 | |
58 | #include "netcompat.h" |
58 | #include "netcompat.h" |
59 | |
59 | |
60 | #define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic |
60 | #define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic |
61 | #define MAGIC "HUHN\xbd\xc6\xdb\x82" // 8 bytes of magic//D |
|
|
62 | |
61 | |
63 | #define ULTRA_FAST 1 |
62 | #define ULTRA_FAST 1 |
64 | #define HLOG 15 |
63 | #define HLOG 15 |
65 | #include "lzf/lzf.h" |
64 | #include "lzf/lzf.h" |
66 | #include "lzf/lzf_c.c" |
65 | #include "lzf/lzf_c.c" |
… | |
… | |
390 | bool |
389 | bool |
391 | hmac_packet::hmac_chk (crypto_ctx *ctx) |
390 | hmac_packet::hmac_chk (crypto_ctx *ctx) |
392 | { |
391 | { |
393 | unsigned char hmac_digest[EVP_MAX_MD_SIZE]; |
392 | unsigned char hmac_digest[EVP_MAX_MD_SIZE]; |
394 | hmac_gen (ctx, hmac_digest); |
393 | hmac_gen (ctx, hmac_digest); |
395 | return !memcmp (hmac, hmac_digest, HMACLENGTH); |
394 | return slow_memeq (hmac, hmac_digest, HMACLENGTH); |
396 | } |
395 | } |
397 | |
396 | |
398 | void |
397 | void |
399 | vpn_packet::set_hdr (ptype type_, unsigned int dst) |
398 | vpn_packet::set_hdr (ptype type_, unsigned int dst) |
400 | { |
399 | { |
… | |
… | |
1118 | slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"), |
1117 | slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"), |
1119 | conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0)); |
1118 | conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0)); |
1120 | } |
1119 | } |
1121 | else |
1120 | else |
1122 | { |
1121 | { |
1123 | bool chg = !have_rcv_auth || memcmp (&rcv_auth, &auth, sizeof auth); |
1122 | bool chg = !have_rcv_auth || !slow_memeq (&rcv_auth, &auth, sizeof auth); |
1124 | |
1123 | |
1125 | rcv_auth = auth; |
1124 | rcv_auth = auth; |
1126 | have_rcv_auth = true; |
1125 | have_rcv_auth = true; |
1127 | |
1126 | |
1128 | send_auth_response (rsi); |
1127 | send_auth_response (rsi); |
… | |
… | |
1151 | slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename); |
1150 | slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename); |
1152 | |
1151 | |
1153 | auth_mac local_mac; |
1152 | auth_mac local_mac; |
1154 | auth_hash (snd_auth, p->response.ecdh, local_mac); |
1153 | auth_hash (snd_auth, p->response.ecdh, local_mac); |
1155 | |
1154 | |
1156 | if (memcmp (&p->response.mac, local_mac, sizeof local_mac)) |
1155 | if (!slow_memeq (&p->response.mac, local_mac, sizeof local_mac)) |
1157 | { |
1156 | { |
1158 | slog (L_ERR, _("%s(%s): unrequested or outdated auth response, ignoring."), |
1157 | slog (L_ERR, _("%s(%s): unrequested or outdated auth response, ignoring."), |
1159 | conf->nodename, (const char *)rsi); |
1158 | conf->nodename, (const char *)rsi); |
1160 | } |
1159 | } |
1161 | else if (!have_snd_auth) |
1160 | else if (!have_snd_auth) |