along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- $Id: net.c,v 1.35.4.49 2000/10/28 21:52:22 guus Exp $
+ $Id: net.c,v 1.35.4.64 2000/11/04 15:32:05 zarq Exp $
*/
#include "config.h"
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>
+#include <sys/ioctl.h>
+#include <openssl/rand.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
#ifdef HAVE_TUNTAP
#include LINUX_IF_TUN_H
#include <xalloc.h>
#include "conf.h"
-#include "encr.h"
+#include "connlist.h"
+#include "meta.h"
#include "net.h"
#include "netutl.h"
#include "protocol.h"
-#include "meta.h"
-#include "connlist.h"
#include "subnet.h"
#include "system.h"
config_t *upstreamcfg;
static int seconds_till_retry;
+int keylifetime = 0;
+int keyexpires = 0;
+
char *unknown = NULL;
+char *interface_name = NULL; /* Contains the name of the interface */
subnet_t mymac;
/*
- strip off the MAC adresses of an ethernet frame
+ Execute the given script.
+ This function doesn't really belong here.
*/
-void strip_mac_addresses(vpn_packet_t *p)
+int execute_script(const char* name)
{
-cp
- memmove(p->data, p->data + 12, p->len -= 12);
-cp
-}
+ char *scriptname;
+ pid_t pid;
+ char *s;
-/*
- reassemble MAC addresses
-*/
-void add_mac_addresses(vpn_packet_t *p)
-{
-cp
- memcpy(p->data + 12, p->data, p->len);
- p->len += 12;
- p->data[0] = p->data[6] = 0xfe;
- p->data[1] = p->data[7] = 0xfd;
- /* Really evil pointer stuff just below! */
- *((ip_t*)(&p->data[2])) = (ip_t)(htonl(myself->address));
- *((ip_t*)(&p->data[8])) = *((ip_t*)(&p->data[26]));
-cp
+ if((pid = fork()) < 0)
+ {
+ syslog(LOG_ERR, _("System call `%s' failed: %m"),
+ "fork");
+ return -1;
+ }
+
+ if(pid)
+ {
+ return 0;
+ }
+
+ /* Child here */
+
+ asprintf(&scriptname, "%s/%s", confbase, name);
+ asprintf(&s, "IFNAME=%s", interface_name);
+ putenv(s);
+ free(s);
+
+ if(netname)
+ {
+ asprintf(&s, "NETNAME=%s", netname);
+ putenv(s);
+ free(s);
+ }
+ else
+ {
+ unsetenv("NETNAME");
+ }
+
+ if(chdir(confbase) < 0)
+ {
+ syslog(LOG_ERR, _("Couldn't chdir to `%s': %m"),
+ confbase);
+ }
+
+ execl(scriptname, NULL);
+ /* No return on success */
+
+ if(errno != ENOENT) /* Ignore if the file does not exist */
+ syslog(LOG_WARNING, _("Error executing `%s': %m"), scriptname);
+
+ /* No need to free things */
+ exit(0);
}
int xsend(conn_list_t *cl, vpn_packet_t *inpkt)
{
vpn_packet_t outpkt;
int outlen, outpad;
+ EVP_CIPHER_CTX ctx;
cp
outpkt.len = inpkt->len;
-/*
- EVP_EncryptInit(cl->cipher_pktctx, cl->cipher_pkttype, cl->cipher_pktkey, NULL);
- EVP_EncryptUpdate(cl->cipher_pktctx, outpkt.data, &outlen, inpkt->data, inpkt->len);
- EVP_EncryptFinal(cl->cipher_pktctx, outpkt.data + outlen, &outpad);
+
+ /* Encrypt the packet */
+
+ EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey + cl->cipher_pkttype->key_len);
+ EVP_EncryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len);
+ EVP_EncryptFinal(&ctx, outpkt.data + outlen, &outpad);
outlen += outpad + 2;
- Do encryption when everything else is fixed...
-*/
+/* Bypass
outlen = outpkt.len + 2;
memcpy(&outpkt, inpkt, outlen);
-
+*/
+
if(debug_lvl >= DEBUG_TRAFFIC)
syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"),
outlen, cl->name, cl->hostname);
{
vpn_packet_t outpkt;
int outlen, outpad;
+ EVP_CIPHER_CTX ctx;
cp
outpkt.len = inpkt->len;
-/*
- EVP_DecryptInit(myself->cipher_pktctx, myself->cipher_pkttype, myself->cipher_pktkey, NULL);
- EVP_DecryptUpdate(myself->cipher_pktctx, outpkt.data, &outlen, inpkt->data, inpkt->len);
- EVP_DecryptFinal(myself->cipher_pktctx, outpkt.data + outlen, &outpad);
+
+ /* Decrypt the packet */
+
+ EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, myself->cipher_pktkey + myself->cipher_pkttype->key_len);
+ EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len + 8);
+ EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad);
outlen += outpad;
- Do decryption is everything else is fixed...
-*/
+/* Bypass
outlen = outpkt.len+2;
memcpy(&outpkt, inpkt, outlen);
+*/
+ if(debug_lvl >= DEBUG_TRAFFIC)
+ syslog(LOG_ERR, _("Writing packet of %d bytes to tap device"),
+ outpkt.len, outlen);
+
/* Fix mac address */
memcpy(outpkt.data, mymac.net.mac.address.x, 6);
if(!cl->status.validkey)
{
-/* Don't queue until everything else is fixed.
+/* FIXME: Don't queue until everything else is fixed.
if(debug_lvl >= DEBUG_TRAFFIC)
syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"),
cl->name, cl->hostname);
if(!cl->status.active)
{
-/* Don't queue until everything else is fixed.
+/* FIXME: Don't queue until everything else is fixed.
if(debug_lvl >= DEBUG_TRAFFIC)
syslog(LOG_INFO, _("%s (%s) is not ready, queueing packet"),
cl->name, cl->hostname);
int nfd;
const char *tapfname;
config_t const *cfg;
- char *envvar;
struct ifreq ifr;
cp
/* Add name of network interface to environment (for scripts) */
ioctl(tap_fd, SIOCGIFNAME, (void *) &ifr);
- asprintf(&envvar, "IFNAME=%s", ifr.ifr_name);
- putenv(envvar);
- free(envvar);
+ interface_name = xmalloc(strlen(ifr.ifr_name));
+ strcpy(interface_name, ifr.ifr_name);
cp
return 0;
if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
{
- syslog(LOG_ERR, _("setsockopt: %m"));
+ syslog(LOG_ERR, _("System call `%s' failed: %m"),
+ "setsockopt");
return -1;
}
if(setsockopt(nfd, SOL_SOCKET, SO_KEEPALIVE, &one, sizeof(one)))
{
- syslog(LOG_ERR, _("setsockopt: %m"));
+ syslog(LOG_ERR, _("System call `%s' failed: %m"),
+ "setsockopt");
return -1;
}
flags = fcntl(nfd, F_GETFL);
if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
{
- syslog(LOG_ERR, _("fcntl: %m"));
+ syslog(LOG_ERR, _("System call `%s' failed: %m"),
+ "fcntl");
return -1;
}
if(listen(nfd, 3))
{
- syslog(LOG_ERR, _("listen: %m"));
+ syslog(LOG_ERR, _("System call `%s' failed: %m"),
+ "listen");
return -1;
}
cp
if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
{
- syslog(LOG_ERR, _("setsockopt: %m"));
+ syslog(LOG_ERR, _("System call `%s' failed: %m"),
+ "setsockopt");
return -1;
}
flags = fcntl(nfd, F_GETFL);
if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
{
- syslog(LOG_ERR, _("fcntl: %m"));
+ syslog(LOG_ERR, _("System call `%s' failed: %m"),
+ "fcntl");
return -1;
}
{
conn_list_t *ncn;
struct hostent *h;
- config_t *cfg;
+ config_t const *cfg;
cp
if(check_id(name))
{
{
config_t const *cfg;
subnet_t *net;
- int i;
cp
myself = new_conn_list();
/* Read in all the subnets specified in the host configuration file */
- for(cfg = myself->config; cfg = get_config_val(cfg, subnet); cfg = cfg->next)
+ for(cfg = myself->config; (cfg = get_config_val(cfg, subnet)); cfg = cfg->next)
{
net = new_subnet();
net->type = SUBNET_IPV4;
net->net.ipv4.address = cfg->data.ip->address;
net->net.ipv4.mask = cfg->data.ip->mask;
+ /* Teach newbies what subnets are... */
+
+ if((net->net.ipv4.address & net->net.ipv4.mask) != net->net.ipv4.address)
+ {
+ syslog(LOG_ERR, _("Network address and subnet mask do not match!"));
+ return -1;
+ }
+
subnet_add(myself, net);
}
return -1;
}
+ /* Generate packet encryption key */
+
+ myself->cipher_pkttype = EVP_bf_cfb();
+
+ myself->cipher_pktkeylength = myself->cipher_pkttype->key_len + myself->cipher_pkttype->iv_len;
+
+ myself->cipher_pktkey = (char *)xmalloc(myself->cipher_pktkeylength);
+ RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength);
+
+ if(!(cfg = get_config_val(config, keyexpire)))
+ keylifetime = 3600;
+ else
+ keylifetime = cfg->data.val;
+
+ keyexpires = time(NULL) + keylifetime;
+
+ /* Activate ourselves */
+
myself->status.active = 1;
syslog(LOG_NOTICE, _("Ready: listening on port %hd"), myself->port);
int setup_network_connections(void)
{
config_t const *cfg;
- char *scriptname;
cp
if((cfg = get_config_val(config, pingtimeout)) == NULL)
timeout = 5;
return -1;
/* Run tinc-up script to further initialize the tap interface */
-
- asprintf(&scriptname, "%s/tinc-up", confbase);
-
- if(!fork())
- {
-
- execl(scriptname, NULL);
-
- if(errno != ENOENT)
- syslog(LOG_WARNING, _("Error while executing %s: %m"), scriptname);
-
- exit(0);
- }
-
- free(scriptname);
-
+ execute_script("tinc-up");
+
if(!(cfg = get_config_val(config, connectto)))
/* No upstream IP given, we're listen only. */
return 0;
void close_network_connections(void)
{
conn_list_t *p;
- char *scriptname;
cp
for(p = conn_list; p != NULL; p = p->next)
{
- if(p->status.dataopen)
- {
- shutdown(p->socket, 0); /* No more receptions */
- close(p->socket);
- }
- if(p->status.meta)
- {
- send_termreq(p);
- shutdown(p->meta_socket, 0); /* No more receptions */
- close(p->meta_socket);
- }
+ p->status.active = 0;
+ terminate_connection(p);
}
if(myself)
{
close(myself->meta_socket);
close(myself->socket);
+ free_conn_list(myself);
+ myself = NULL;
}
- /* Execute tinc-down script right before shutting down the interface */
-
- asprintf(&scriptname, "%s/tinc-down", confbase);
-
- if(!fork())
- {
- execl(scriptname, NULL);
-
- if(errno != ENOENT)
- syslog(LOG_WARNING, _("Error while executing %s: %m"), scriptname);
+ close(tap_fd);
- exit(0);
- }
-
- free(scriptname);
+ /* Execute tinc-down script right after shutting down the interface */
+ execute_script("tinc-down");
- close(tap_fd);
destroy_conn_list();
syslog(LOG_NOTICE, _("Terminating"));
if(getpeername(sfd, &ci, &len) < 0)
{
- syslog(LOG_ERR, _("Error: getpeername: %m"));
+ syslog(LOG_ERR, _("System call `%s' failed: %m"),
+ "getpeername");
return NULL;
}
int handle_incoming_vpn_data()
{
vpn_packet_t pkt;
- int lenin;
int x, l = sizeof(x);
struct sockaddr from;
+ int lenin;
socklen_t fromlen = sizeof(from);
cp
if(getsockopt(myself->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
return -1;
}
- if(recvfrom(myself->socket, (char *) &(pkt.len), MTU, 0, &from, &fromlen) <= 0)
+ if((lenin = recvfrom(myself->socket, (char *) &(pkt.len), MTU, 0, &from, &fromlen)) <= 0)
{
syslog(LOG_ERR, _("Receiving packet failed: %m"));
return -1;
}
-/*
+
if(debug_lvl >= DEBUG_TRAFFIC)
{
- syslog(LOG_DEBUG, _("Received packet of %d bytes from %d.%d.%d.%d"), pkt.len,
- from.sa_addr[0], from.sa_addr[1], from.sa_addr[2], from.sa_addr[3]);
+ syslog(LOG_DEBUG, _("Received packet of %d bytes"), lenin);
}
-*/
+
cp
return xrecv(&pkt);
}
void terminate_connection(conn_list_t *cl)
{
conn_list_t *p;
-
+ subnet_t *s;
cp
if(cl->status.remove)
return;
+ cl->status.remove = 1;
+
if(debug_lvl >= DEBUG_CONNECTIONS)
syslog(LOG_NOTICE, _("Closing connection with %s (%s)"),
cl->name, cl->hostname);
if(cl->status.meta)
close(cl->meta_socket);
- cl->status.remove = 1;
-
- /* If this cl isn't active, don't send any DEL_HOSTs. */
-
-/* FIXME: reprogram this.
- if(cl->status.active)
- notify_others(cl,NULL,send_del_host);
-*/
-
cp
/* Find all connections that were lost because they were behind cl
(the connection that was dropped). */
+
if(cl->status.meta)
for(p = conn_list; p != NULL; p = p->next)
- {
- if((p->nexthop == cl) && (p != cl))
- {
- if(cl->status.active && p->status.active)
-/* FIXME: reprogram this
- notify_others(p,cl,send_del_host);
-*/;
- if(cl->socket)
- close(cl->socket);
- p->status.active = 0;
- p->status.remove = 1;
- }
- }
+ if((p->nexthop == cl) && (p != cl))
+ terminate_connection(p); /* Sounds like recursion, but p does not have a meta connection :) */
+
+ /* Inform others of termination if it was still active */
+
+ if(cl->status.active)
+ for(p = conn_list; p != NULL; p = p->next)
+ if(p->status.meta && p->status.active && p!=cl)
+ send_del_host(p, cl);
+
+ /* Remove the associated subnets */
+
+ for(s = cl->subnets; s; s = s->next)
+ subnet_del(s);
+
+ /* Check if this was our outgoing connection */
- cl->status.active = 0;
-
- if(cl->status.outgoing)
+ if(cl->status.outgoing && cl->status.active)
{
signal(SIGALRM, sigalrm_handler);
seconds_till_retry = 5;
alarm(seconds_till_retry);
syslog(LOG_NOTICE, _("Trying to re-establish outgoing connection in 5 seconds"));
}
+
+ /* Inactivate */
+
+ cl->status.active = 0;
cp
}
now = time(NULL);
for(p = conn_list; p != NULL; p = p->next)
{
- if(p->status.remove)
- continue;
if(p->status.active && p->status.meta)
{
if(p->last_ping_time + timeout < now)
return 0;
}
- ncn->status.meta = 1;
- ncn->next = conn_list;
- conn_list = ncn;
+ conn_list_add(ncn);
cp
return 0;
}
void handle_tap_input(void)
{
vpn_packet_t vp;
- subnet_t *subnet;
- ipv4_t dest;
int lenin;
cp
if(taptype == TAP_TYPE_TUNTAP)
struct timeval tv;
int r;
time_t last_ping_check;
+ int t;
cp
last_ping_check = time(NULL);
if(sighup)
{
+ syslog(LOG_INFO, _("Rereading configuration file and restarting in 5 seconds"));
sighup = 0;
-/* FIXME: reprogram this.
- if(debug_lvl > 1)
- syslog(LOG_INFO, _("Rereading configuration file"));
close_network_connections();
- clear_config();
- if(read_config_file(&config, configfilename))
+ clear_config(&config);
+
+ if(read_server_config())
{
syslog(LOG_ERR, _("Unable to reread configuration file, exiting"));
exit(0);
}
+
sleep(5);
- setup_network_connections();
-*/
+
+ if(setup_network_connections())
+ return;
+
continue;
}
- if(last_ping_check + timeout < time(NULL))
- /* Let's check if everybody is still alive */
+ t = time(NULL);
+
+ /* Let's check if everybody is still alive */
+
+ if(last_ping_check + timeout < t)
{
check_dead_connections();
last_ping_check = time(NULL);
+
+ /* Should we regenerate our key? */
+
+ if(keyexpires < t)
+ {
+ if(debug_lvl >= DEBUG_STATUS)
+ syslog(LOG_INFO, _("Regenerating symmetric key"));
+
+ RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength);
+ send_key_changed(myself, NULL);
+ keyexpires = time(NULL) + keylifetime;
+ }
}
if(r > 0)
projects / tinc / blobdiff