X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fprotocol.c;h=d8b8867376d13c91c933c814091b036e89aec927;hb=refs%2Fheads%2F1.1;hp=de7f8b8760cb0bb96c40888b892d67c12f106b7e;hpb=228e7a5c8f0e517dcede50f886965a44fca39853;p=tinc diff --git a/src/protocol.c b/src/protocol.c index de7f8b87..bf165a7d 100644 --- a/src/protocol.c +++ b/src/protocol.c @@ -1,7 +1,7 @@ /* protocol.c -- handle the meta-protocol, basic functions - Copyright (C) 1999-2005 Ivo Timmermans , - 2000-2005 Guus Sliepen + Copyright (C) 1999-2005 Ivo Timmermans, + 2000-2022 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -13,17 +13,16 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - - $Id$ + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "system.h" #include "conf.h" #include "connection.h" +#include "crypto.h" #include "logger.h" #include "meta.h" #include "protocol.h" @@ -31,223 +30,216 @@ #include "xalloc.h" bool tunnelserver = false; +bool strictsubnets = false; +bool experimental = true; -/* Jumptable for the request handlers */ - -static bool (*request_handlers[])(connection_t *) = { - id_h, metakey_h, challenge_h, chal_reply_h, ack_h, - status_h, error_h, termreq_h, - ping_h, pong_h, - add_subnet_h, del_subnet_h, - add_edge_h, del_edge_h, - key_changed_h, req_key_h, ans_key_h, tcppacket_h, -}; - -/* Request names */ +static inline bool is_valid_request(request_t req) { + return req > ALL && req < LAST; +} -static char (*request_name[]) = { - "ID", "METAKEY", "CHALLENGE", "CHAL_REPLY", "ACK", - "STATUS", "ERROR", "TERMREQ", - "PING", "PONG", - "ADD_SUBNET", "DEL_SUBNET", - "ADD_EDGE", "DEL_EDGE", "KEY_CHANGED", "REQ_KEY", "ANS_KEY", "PACKET", -}; +/* Request handlers */ +const request_entry_t *get_request_entry(request_t req) { + if(!is_valid_request(req)) { + logger(DEBUG_ALWAYS, LOG_ERR, "Invalid request %d", req); + return NULL; + } -static avl_tree_t *past_request_tree; + // Prevent user from accessing the table directly to always have bound checks + static const request_entry_t request_entries[] = { + [ID] = {id_h, "ID"}, + [METAKEY] = {metakey_h, "METAKEY"}, + [CHALLENGE] = {challenge_h, "CHALLENGE"}, + [CHAL_REPLY] = {chal_reply_h, "CHAL_REPLY"}, + [ACK] = {ack_h, "ACK"}, + [STATUS] = {NULL, "STATUS"}, + [ERROR] = {NULL, "ERROR"}, + [TERMREQ] = {termreq_h, "TERMREQ"}, + [PING] = {ping_h, "PING"}, + [PONG] = {pong_h, "PONG"}, + [ADD_SUBNET] = {add_subnet_h, "ADD_SUBNET"}, + [DEL_SUBNET] = {del_subnet_h, "DEL_SUBNET"}, + [ADD_EDGE] = {add_edge_h, "ADD_EDGE"}, + [DEL_EDGE] = {del_edge_h, "DEL_EDGE"}, + [KEY_CHANGED] = {key_changed_h, "KEY_CHANGED"}, + [REQ_KEY] = {req_key_h, "REQ_KEY"}, + [ANS_KEY] = {ans_key_h, "ANS_KEY"}, + [PACKET] = {tcppacket_h, "PACKET"}, + [CONTROL] = {control_h, "CONTROL"}, + /* Not "real" requests yet */ + [REQ_PUBKEY] = {NULL, "REQ_PUBKEY"}, + [ANS_PUBKEY] = {NULL, "ANS_PUBKEY"}, + [SPTPS_PACKET] = {sptps_tcppacket_h, "SPTPS_PACKET"}, + [UDP_INFO] = {udp_info_h, "UDP_INFO"}, + [MTU_INFO] = {mtu_info_h, "MTU_INFO"}, + }; + return &request_entries[req]; +} -bool check_id(const char *id) -{ - for(; *id; id++) - if(!isalnum(*id) && *id != '_') - return false; +static int past_request_compare(const past_request_t *a, const past_request_t *b) { + return strcmp(a->request, b->request); +} - return true; +static void free_past_request(past_request_t *r) { + if(r) { + free((char *)r->request); + free(r); + } } +static splay_tree_t past_request_tree = { + .compare = (splay_compare_t) past_request_compare, + .delete = (splay_action_t) free_past_request, +}; + /* Generic request routines - takes care of logging and error detection as well */ -bool send_request(connection_t *c, const char *format, ...) -{ +bool send_request(connection_t *c, const char *format, ...) { va_list args; - char buffer[MAXBUFSIZE]; - int len, request; + char request[MAXBUFSIZE]; + int len; - cp(); - - /* Use vsnprintf instead of vasprintf: faster, no memory + /* Use vsnprintf instead of vxasprintf: faster, no memory fragmentation, cleanup is automatic, and there is a limit on the input buffer anyway */ va_start(args, format); - len = vsnprintf(buffer, MAXBUFSIZE, format, args); + len = vsnprintf(request, sizeof(request), format, args); + request[sizeof(request) - 1] = 0; va_end(args); - if(len < 0 || len > MAXBUFSIZE - 1) { - logger(LOG_ERR, _("Output buffer overflow while sending request to %s (%s)"), - c->name, c->hostname); + if(len < 0 || (size_t)len > sizeof(request) - 1) { + logger(DEBUG_ALWAYS, LOG_ERR, "Output buffer overflow while sending request to %s (%s)", + c->name, c->hostname); return false; } - ifdebug(PROTOCOL) { - sscanf(buffer, "%d", &request); - ifdebug(META) - logger(LOG_DEBUG, _("Sending %s to %s (%s): %s"), - request_name[request], c->name, c->hostname, buffer); - else - logger(LOG_DEBUG, _("Sending %s to %s (%s)"), request_name[request], - c->name, c->hostname); - } + int id = atoi(request); + logger(DEBUG_META, LOG_DEBUG, "Sending %s to %s (%s): %s", get_request_entry(id)->name, c->name, c->hostname, request); - buffer[len++] = '\n'; + request[len++] = '\n'; - if(c == broadcast) { - broadcast_meta(NULL, buffer, len); + if(c == everyone) { + broadcast_meta(NULL, request, len); return true; - } else - return send_meta(c, buffer, len); -} - -void forward_request(connection_t *from) -{ - int request; - - cp(); - - ifdebug(PROTOCOL) { - sscanf(from->buffer, "%d", &request); - ifdebug(META) - logger(LOG_DEBUG, _("Forwarding %s from %s (%s): %s"), - request_name[request], from->name, from->hostname, - from->buffer); - else - logger(LOG_DEBUG, _("Forwarding %s from %s (%s)"), - request_name[request], from->name, from->hostname); + } else { + if(id) { + return send_meta(c, request, len); + } else { + send_meta_raw(c, request, len); + return true; + } } +} - from->buffer[from->reqlen - 1] = '\n'; +void forward_request(connection_t *from, const char *request) { + logger(DEBUG_META, LOG_DEBUG, "Forwarding %s from %s (%s): %s", get_request_entry(atoi(request))->name, from->name, from->hostname, request); - broadcast_meta(from, from->buffer, from->reqlen); + // Create a temporary newline-terminated copy of the request + size_t len = strlen(request); + const size_t tmplen = len + 1; + char *tmp = alloca(tmplen); + memcpy(tmp, request, len); + tmp[len] = '\n'; + broadcast_meta(from, tmp, tmplen); } -bool receive_request(connection_t *c) -{ - int request; +bool receive_request(connection_t *c, const char *request) { + if(c->outgoing && proxytype == PROXY_HTTP && c->allow_request == ID) { + if(!request[0] || request[0] == '\r') { + return true; + } - cp(); + if(!strncasecmp(request, "HTTP/1.1 ", 9)) { + if(!strncmp(request + 9, "200", 3)) { + logger(DEBUG_CONNECTIONS, LOG_DEBUG, "Proxy request granted"); + return true; + } else { + logger(DEBUG_ALWAYS, LOG_DEBUG, "Proxy request rejected: %s", request + 9); + return false; + } + } + } - if(sscanf(c->buffer, "%d", &request) == 1) { - if((request < 0) || (request >= LAST) || !request_handlers[request]) { - ifdebug(META) - logger(LOG_DEBUG, _("Unknown request from %s (%s): %s"), - c->name, c->hostname, c->buffer); - else - logger(LOG_ERR, _("Unknown request from %s (%s)"), - c->name, c->hostname); + int reqno = atoi(request); + if(reqno || *request == '0') { + if(!is_valid_request(reqno) || !get_request_entry(reqno)->handler) { + logger(DEBUG_META, LOG_DEBUG, "Unknown request from %s (%s): %s", c->name, c->hostname, request); return false; - } else { - ifdebug(PROTOCOL) { - ifdebug(META) - logger(LOG_DEBUG, _("Got %s from %s (%s): %s"), - request_name[request], c->name, c->hostname, - c->buffer); - else - logger(LOG_DEBUG, _("Got %s from %s (%s)"), - request_name[request], c->name, c->hostname); - } } - if((c->allow_request != ALL) && (c->allow_request != request)) { - logger(LOG_ERR, _("Unauthorized request from %s (%s)"), c->name, - c->hostname); + const request_entry_t *entry = get_request_entry(reqno); + logger(DEBUG_META, LOG_DEBUG, "Got %s from %s (%s): %s", entry->name, c->name, c->hostname, request); + + if((c->allow_request != ALL) && (c->allow_request != reqno)) { + logger(DEBUG_ALWAYS, LOG_ERR, "Unauthorized request from %s (%s)", c->name, c->hostname); return false; } - if(!request_handlers[request](c)) { + if(!entry->handler(c, request)) { /* Something went wrong. Probably scriptkiddies. Terminate. */ - logger(LOG_ERR, _("Error while processing %s from %s (%s)"), - request_name[request], c->name, c->hostname); + if(reqno != TERMREQ) { + logger(DEBUG_ALWAYS, LOG_ERR, "Error while processing %s from %s (%s)", entry->name, c->name, c->hostname); + } + return false; } } else { - logger(LOG_ERR, _("Bogus data received from %s (%s)"), - c->name, c->hostname); + logger(DEBUG_ALWAYS, LOG_ERR, "Bogus data received from %s (%s)", c->name, c->hostname); return false; } return true; } -static int past_request_compare(const past_request_t *a, const past_request_t *b) -{ - return strcmp(a->request, b->request); -} - -static void free_past_request(past_request_t *r) -{ - cp(); - - if(r->request) - free(r->request); +static timeout_t past_request_timeout; - free(r); -} - -void init_requests(void) -{ - cp(); +static void age_past_requests(void *data) { + (void)data; + int left = 0, deleted = 0; - past_request_tree = avl_alloc_tree((avl_compare_t) past_request_compare, (avl_action_t) free_past_request); -} + for splay_each(past_request_t, p, &past_request_tree) { + if(p->firstseen + pinginterval <= now.tv_sec) { + splay_delete_node(&past_request_tree, node), deleted++; + } else { + left++; + } + } -void exit_requests(void) -{ - cp(); + if(left || deleted) { + logger(DEBUG_SCARY_THINGS, LOG_DEBUG, "Aging past requests: deleted %d, left %d", deleted, left); + } - avl_delete_tree(past_request_tree); + if(left) + timeout_set(&past_request_timeout, &(struct timeval) { + 10, jitter() + }); } -bool seen_request(char *request) -{ +bool seen_request(const char *request) { past_request_t *new, p = {0}; - cp(); - p.request = request; - if(avl_search(past_request_tree, &p)) { - ifdebug(SCARY_THINGS) logger(LOG_DEBUG, _("Already seen request")); + if(splay_search(&past_request_tree, &p)) { + logger(DEBUG_SCARY_THINGS, LOG_DEBUG, "Already seen request"); return true; } else { new = xmalloc(sizeof(*new)); new->request = xstrdup(request); - new->firstseen = now; - avl_insert(past_request_tree, new); + new->firstseen = now.tv_sec; + splay_insert(&past_request_tree, new); + timeout_add(&past_request_timeout, age_past_requests, NULL, &(struct timeval) { + 10, jitter() + }); return false; } } -void age_past_requests(void) -{ - avl_node_t *node, *next; - past_request_t *p; - int left = 0, deleted = 0; - - cp(); - - for(node = past_request_tree->head; node; node = next) { - next = node->next; - p = node->data; - - if(p->firstseen + pinginterval < now) - avl_delete_node(past_request_tree, node), deleted++; - else - left++; - } +void exit_requests(void) { + splay_empty_tree(&past_request_tree); - if(left || deleted) - ifdebug(SCARY_THINGS) logger(LOG_DEBUG, _("Aging past requests: deleted %d, left %d"), - deleted, left); + timeout_del(&past_request_timeout); }