/*
net.c -- most of the network code
- Copyright (C) 1998,1999,2000 Ivo Timmermans <itimmermans@bigfoot.com>,
- 2000 Guus Sliepen <guus@sliepen.warande.net>
+ Copyright (C) 1998-2001 Ivo Timmermans <itimmermans@bigfoot.com>,
+ 2000,2001 Guus Sliepen <guus@sliepen.warande.net>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- $Id: net.c,v 1.35.4.86 2000/11/30 23:18:19 zarq Exp $
+ $Id: net.c,v 1.35.4.110 2001/05/28 08:56:57 guus Exp $
*/
#include "config.h"
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
+#ifdef HAVE_LINUX
+ #include <netinet/ip.h>
+ #include <netinet/tcp.h>
+#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <utils.h>
#include <xalloc.h>
+#include <avl_tree.h>
+#include <list.h>
#include "conf.h"
#include "connection.h"
-#include "list.h"
#include "meta.h"
#include "net.h"
#include "netutl.h"
#include "process.h"
#include "protocol.h"
#include "subnet.h"
+#include "process.h"
+#include "route.h"
#include "system.h"
char *unknown = NULL;
-subnet_t mymac;
-
-int xsend(connection_t *cl, vpn_packet_t *inpkt)
+void send_udppacket(connection_t *cl, vpn_packet_t *inpkt)
{
vpn_packet_t outpkt;
int outlen, outpad;
EVP_CIPHER_CTX ctx;
struct sockaddr_in to;
socklen_t tolen = sizeof(to);
+ vpn_packet_t *copy;
cp
- outpkt.len = inpkt->len;
-
- /* Encrypt the packet */
-
- EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey + cl->cipher_pkttype->key_len);
- EVP_EncryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len);
- EVP_EncryptFinal(&ctx, outpkt.data + outlen, &outpad);
- outlen += outpad + 2;
+ if(!cl->status.validkey)
+ {
+ if(debug_lvl >= DEBUG_TRAFFIC)
+ syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"),
+ cl->name, cl->hostname);
-/* Bypass
- outlen = outpkt.len + 2;
- memcpy(&outpkt, inpkt, outlen);
-*/
+ /* Since packet is on the stack of handle_tap_input(),
+ we have to make a copy of it first. */
- if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"),
- outlen, cl->name, cl->hostname);
+ copy = xmalloc(sizeof(vpn_packet_t));
+ memcpy(copy, inpkt, sizeof(vpn_packet_t));
+
+ list_insert_tail(cl->queue, copy);
+
+ if(!cl->status.waitingforkey)
+ send_req_key(myself, cl);
+ return;
+ }
+
+ /* Encrypt the packet. */
+
+ RAND_bytes(inpkt->salt, sizeof(inpkt->salt));
+
+ EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey + cl->cipher_pkttype->key_len);
+ EVP_EncryptUpdate(&ctx, outpkt.salt, &outlen, inpkt->salt, inpkt->len + sizeof(inpkt->salt));
+ EVP_EncryptFinal(&ctx, outpkt.salt + outlen, &outpad);
+ outlen += outpad;
total_socket_out += outlen;
to.sin_addr.s_addr = htonl(cl->address);
to.sin_port = htons(cl->port);
- if((sendto(myself->socket, (char *) &(outpkt.len), outlen, 0, (const struct sockaddr *)&to, tolen)) < 0)
+ if((sendto(myself->socket, (char *) outpkt.salt, outlen, 0, (const struct sockaddr *)&to, tolen)) < 0)
{
syslog(LOG_ERR, _("Error sending packet to %s (%s): %m"),
cl->name, cl->hostname);
- return -1;
+ return;
}
cp
- return 0;
}
-int xrecv(connection_t *cl, vpn_packet_t *inpkt)
+void receive_packet(connection_t *cl, vpn_packet_t *packet)
{
- vpn_packet_t outpkt;
- int outlen, outpad;
- EVP_CIPHER_CTX ctx;
cp
- outpkt.len = inpkt->len;
-
- /* Decrypt the packet */
-
- EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, myself->cipher_pktkey + myself->cipher_pkttype->key_len);
- EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len + 8);
- EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad);
- outlen += outpad;
-
-/* Bypass
- outlen = outpkt.len+2;
- memcpy(&outpkt, inpkt, outlen);
-*/
-
if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_ERR, _("Writing packet of %d bytes to tap device"),
- outpkt.len, outlen);
-
- /* Fix mac address */
+ syslog(LOG_DEBUG, _("Received packet of %d bytes from %s (%s)"), packet->len, cl->name, cl->hostname);
- memcpy(outpkt.data, mymac.net.mac.address.x, 6);
-
- if(taptype == TAP_TYPE_TUNTAP)
- {
- if(write(tap_fd, outpkt.data, outpkt.len) < 0)
- syslog(LOG_ERR, _("Can't write to tun/tap device: %m"));
- else
- total_tap_out += outpkt.len;
- }
- else /* ethertap */
- {
- if(write(tap_fd, outpkt.data - 2, outpkt.len + 2) < 0)
- syslog(LOG_ERR, _("Can't write to ethertap device: %m"));
- else
- total_tap_out += outpkt.len + 2;
- }
+ route_incoming(cl, packet);
cp
- return 0;
}
-/*
- add the given packet of size s to the
- queue q, be it the send or receive queue
-*/
-void add_queue(packet_queue_t **q, void *packet, size_t s)
+void receive_udppacket(connection_t *cl, vpn_packet_t *inpkt)
{
- queue_element_t *e;
+ vpn_packet_t outpkt;
+ int outlen, outpad;
+ EVP_CIPHER_CTX ctx;
cp
- e = xmalloc(sizeof(*e));
- e->packet = xmalloc(s);
- memcpy(e->packet, packet, s);
-
- if(!*q)
- {
- *q = xmalloc(sizeof(**q));
- (*q)->head = (*q)->tail = NULL;
- }
-
- e->next = NULL; /* We insert at the tail */
+ /* Decrypt the packet */
- if((*q)->tail) /* Do we have a tail? */
- {
- (*q)->tail->next = e;
- e->prev = (*q)->tail;
- }
- else /* No tail -> no head too */
- {
- (*q)->head = e;
- e->prev = NULL;
- }
+ EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, myself->cipher_pktkey + myself->cipher_pkttype->key_len);
+ EVP_DecryptUpdate(&ctx, outpkt.salt, &outlen, inpkt->salt, inpkt->len);
+ EVP_DecryptFinal(&ctx, outpkt.salt + outlen, &outpad);
+ outlen += outpad;
+ outpkt.len = outlen - sizeof(outpkt.salt);
- (*q)->tail = e;
+ receive_packet(cl, &outpkt);
cp
}
-/* Remove a queue element */
-void del_queue(packet_queue_t **q, queue_element_t *e)
+void receive_tcppacket(connection_t *cl, char *buffer, int len)
{
+ vpn_packet_t outpkt;
cp
- free(e->packet);
+ outpkt.len = len;
+ memcpy(outpkt.data, buffer, len);
- if(e->next) /* There is a successor, so we are not tail */
- {
- if(e->prev) /* There is a predecessor, so we are not head */
- {
- e->next->prev = e->prev;
- e->prev->next = e->next;
- }
- else /* We are head */
- {
- e->next->prev = NULL;
- (*q)->head = e->next;
- }
- }
- else /* We are tail (or all alone!) */
- {
- if(e->prev) /* We are not alone :) */
- {
- e->prev->next = NULL;
- (*q)->tail = e->prev;
- }
- else /* Adieu */
- {
- free(*q);
- *q = NULL;
- }
- }
-
- free(e);
+ receive_packet(cl, &outpkt);
cp
}
-/*
- flush a queue by calling function for
- each packet, and removing it when that
- returned a zero exit code
-*/
-void flush_queue(connection_t *cl, packet_queue_t **pq,
- int (*function)(connection_t*,vpn_packet_t*))
+void accept_packet(vpn_packet_t *packet)
{
- queue_element_t *p, *next = NULL;
cp
- for(p = (*pq)->head; p != NULL; )
- {
- next = p->next;
-
- if(!function(cl, p->packet))
- del_queue(pq, p);
-
- p = next;
- }
-
if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_DEBUG, _("Queue flushed"));
-cp
-}
+ syslog(LOG_DEBUG, _("Writing packet of %d bytes to tap device"),
+ packet->len);
-/*
- flush the send&recv queues
- void because nothing goes wrong here, packets
- remain in the queue if something goes wrong
-*/
-void flush_queues(connection_t *cl)
-{
-cp
- if(cl->sq)
+ if(taptype == TAP_TYPE_TUNTAP)
{
- if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_DEBUG, _("Flushing send queue for %s (%s)"),
- cl->name, cl->hostname);
- flush_queue(cl, &(cl->sq), xsend);
+ if(write(tap_fd, packet->data, packet->len) < 0)
+ syslog(LOG_ERR, _("Can't write to tun/tap device: %m"));
+ else
+ total_tap_out += packet->len;
}
-
- if(cl->rq)
+ else /* ethertap */
{
- if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_DEBUG, _("Flushing receive queue for %s (%s)"),
- cl->name, cl->hostname);
- flush_queue(cl, &(cl->rq), xrecv);
+ if(write(tap_fd, packet->data - 2, packet->len + 2) < 0)
+ syslog(LOG_ERR, _("Can't write to ethertap device: %m"));
+ else
+ total_tap_out += packet->len;
}
cp
}
/*
send a packet to the given vpn ip.
*/
-int send_packet(ip_t to, vpn_packet_t *packet)
+void send_packet(connection_t *cl, vpn_packet_t *packet)
{
- connection_t *cl;
- subnet_t *subnet;
cp
- if((subnet = lookup_subnet_ipv4(to)) == NULL)
- {
- if(debug_lvl >= DEBUG_TRAFFIC)
- {
- syslog(LOG_NOTICE, _("Trying to look up %d.%d.%d.%d in connection list failed!"),
- IP_ADDR_V(to));
- }
-
- return -1;
- }
+ if(debug_lvl >= DEBUG_TRAFFIC)
+ syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"),
+ packet->len, cl->name, cl->hostname);
- cl = subnet->owner;
-
if(cl == myself)
{
if(debug_lvl >= DEBUG_TRAFFIC)
{
- syslog(LOG_NOTICE, _("Packet with destination %d.%d.%d.%d is looping back to us!"),
- IP_ADDR_V(to));
+ syslog(LOG_NOTICE, _("Packet is looping back to us!"));
}
- return -1;
+ return;
}
- /* If we ourselves have indirectdata flag set, we should send only to our uplink! */
-
- /* FIXME - check for indirection and reprogram it The Right Way(tm) this time. */
-
- if(!cl->status.validkey)
+ if(!cl->status.active)
{
-/* FIXME: Don't queue until everything else is fixed.
if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"),
+ syslog(LOG_INFO, _("%s (%s) is not active, dropping packet"),
cl->name, cl->hostname);
- add_queue(&(cl->sq), packet, packet->len + 2);
-*/
- if(!cl->status.waitingforkey)
- send_req_key(myself, cl); /* Keys should be sent to the host running the tincd */
- return 0;
+
+ return;
}
- if(!cl->status.active)
+ /* Check if it has to go via TCP or UDP... */
+cp
+ if((cl->options | myself->options) & OPTION_TCPONLY)
{
-/* FIXME: Don't queue until everything else is fixed.
- if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_INFO, _("%s (%s) is not ready, queueing packet"),
- cl->name, cl->hostname);
- add_queue(&(cl->sq), packet, packet->len + 2);
-*/
- return 0; /* We don't want to mess up, do we? */
+ if(send_tcppacket(cl, packet))
+ terminate_connection(cl);
}
+ else
+ send_udppacket(cl, packet);
+}
- /* can we send it? can we? can we? huh? */
+void flush_queue(connection_t *cl)
+{
+ list_node_t *node, *next;
+cp
+ if(debug_lvl >= DEBUG_TRAFFIC)
+ syslog(LOG_INFO, _("Flushing queue for %s (%s)"), cl->name, cl->hostname);
+
+ for(node = cl->queue->head; node; node = next)
+ {
+ next = node->next;
+ send_udppacket(cl, (vpn_packet_t *)node->data);
+ list_delete_node(cl->queue, node);
+ }
cp
- return xsend(cl, packet);
}
/*
const char *tapfname;
config_t const *cfg;
#ifdef HAVE_LINUX
- #ifdef HAVE_TUNTAP
+# ifdef HAVE_TUNTAP
struct ifreq ifr;
- #endif
+# endif
#endif
-cp
+cp
if((cfg = get_config_val(config, config_tapdevice)))
tapfname = cfg->data.ptr;
else
{
#ifdef HAVE_LINUX
- #ifdef HAVE_TUNTAP
- tapfname = "/dev/misc/net/tun";
- #else
+# ifdef HAVE_TUNTAP
+ tapfname = "/dev/net/tun";
+# else
tapfname = "/dev/tap0";
- #endif
+# endif
#endif
#ifdef HAVE_FREEBSD
tapfname = "/dev/tap0";
taptype = TAP_TYPE_ETHERTAP;
/* Set default MAC address for ethertap devices */
-
+
mymac.type = SUBNET_MAC;
mymac.net.mac.address.x[0] = 0xfe;
mymac.net.mac.address.x[1] = 0xfd;
{
int nfd, flags;
struct sockaddr_in a;
- const int one = 1;
+ int option;
config_t const *cfg;
cp
if((nfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
return -1;
}
- if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
- {
- close(nfd);
- syslog(LOG_ERR, _("System call `%s' failed: %m"),
- "setsockopt");
- return -1;
- }
-
- if(setsockopt(nfd, SOL_SOCKET, SO_KEEPALIVE, &one, sizeof(one)))
- {
- close(nfd);
- syslog(LOG_ERR, _("System call `%s' failed: %m"),
- "setsockopt");
- return -1;
- }
-
flags = fcntl(nfd, F_GETFL);
if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
{
return -1;
}
+ /* Optimize TCP settings */
+
+ option = 1;
+ setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &option, sizeof(option));
+ setsockopt(nfd, SOL_SOCKET, SO_KEEPALIVE, &option, sizeof(option));
+#ifdef HAVE_LINUX
+ setsockopt(nfd, SOL_TCP, TCP_NODELAY, &option, sizeof(option));
+
+ option = IPTOS_LOWDELAY;
+ setsockopt(nfd, SOL_IP, IP_TOS, &option, sizeof(option));
+
if((cfg = get_config_val(config, config_interface)))
{
- if(setsockopt(nfd, SOL_SOCKET, SO_KEEPALIVE, cfg->data.ptr, strlen(cfg->data.ptr)))
+ if(setsockopt(nfd, SOL_SOCKET, SO_BINDTODEVICE, cfg->data.ptr, strlen(cfg->data.ptr)))
{
close(nfd);
syslog(LOG_ERR, _("Unable to bind listen socket to interface %s: %m"), cfg->data.ptr);
return -1;
}
}
+#endif
memset(&a, 0, sizeof(a));
a.sin_family = AF_INET;
a.sin_port = htons(port);
-
+
if((cfg = get_config_val(config, config_interfaceip)))
a.sin_addr.s_addr = htonl(cfg->data.ip->address);
else
return -1;
}
- if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
- {
- close(nfd);
- syslog(LOG_ERR, _("System call `%s' failed: %m"),
- "setsockopt");
- return -1;
- }
+ setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
flags = fcntl(nfd, F_GETFL);
if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
int flags;
struct sockaddr_in a;
config_t const *cfg;
+ int option;
cp
if(debug_lvl >= DEBUG_CONNECTIONS)
syslog(LOG_INFO, _("Trying to connect to %s"), cl->hostname);
return -1;
}
+ /* Bind first to get a fix on our source port */
+
+ a.sin_family = AF_INET;
+ a.sin_port = htons(0);
+ a.sin_addr.s_addr = htonl(INADDR_ANY);
+
+ if(bind(cl->meta_socket, (struct sockaddr *)&a, sizeof(struct sockaddr)))
+ {
+ close(cl->meta_socket);
+ syslog(LOG_ERR, _("System call `%s' failed: %m"), "bind");
+ return -1;
+ }
+
+ /* Optimize TCP settings */
+
+ option = 1;
+ setsockopt(cl->meta_socket, SOL_SOCKET, SO_KEEPALIVE, &option, sizeof(option));
+#ifdef HAVE_LINUX
+ setsockopt(cl->meta_socket, SOL_TCP, TCP_NODELAY, &option, sizeof(option));
+
+ option = IPTOS_LOWDELAY;
+ setsockopt(cl->meta_socket, SOL_IP, IP_TOS, &option, sizeof(option));
+#endif
+ /* Connect */
+
a.sin_family = AF_INET;
a.sin_port = htons(cl->port);
a.sin_addr.s_addr = htonl(cl->address);
ncn = new_connection();
asprintf(&ncn->name, "%s", name);
-
+
if(read_host_config(ncn))
{
- syslog(LOG_ERR, _("Error reading host configuration file for %s"));
+ syslog(LOG_ERR, _("Error reading host configuration file for %s"), ncn->name);
free_connection(ncn);
return -1;
}
-
+
if(!(cfg = get_config_val(ncn->config, config_address)))
{
- syslog(LOG_ERR, _("No address specified for %s"));
+ syslog(LOG_ERR, _("No address specified for %s"), ncn->name);
free_connection(ncn);
return -1;
}
-
+
if(!(h = gethostbyname(cfg->data.ptr)))
{
syslog(LOG_ERR, _("Error looking up `%s': %m"), cfg->data.ptr);
return -1;
}
- ncn->address = ntohl(*((ip_t*)(h->h_addr_list[0])));
+ ncn->address = ntohl(*((ipv4_t*)(h->h_addr_list[0])));
ncn->hostname = hostlookup(htonl(ncn->address));
-
+
if(setup_outgoing_meta_socket(ncn) < 0)
{
syslog(LOG_ERR, _("Could not set up a meta connection to %s"),
return 0;
}
-int read_rsa_public_key(RSA **key, const char *file)
+int read_rsa_public_key(connection_t *cl)
{
+ config_t const *cfg;
FILE *fp;
+ char *fname;
+ void *result;
+cp
+ if(!cl->rsa_key)
+ cl->rsa_key = RSA_new();
- if((fp = fopen(file, "r")) == NULL)
- {
- syslog(LOG_ERR, _("Error reading RSA public key file `%s': %m"),
- file);
- return -1;
- }
- if(PEM_read_RSAPublicKey(fp, key, NULL, NULL) == NULL)
+ /* First, check for simple PublicKey statement */
+
+ if((cfg = get_config_val(cl->config, config_publickey)))
{
- syslog(LOG_ERR, _("Reading RSA private key file `%s' failed: %m"),
- file);
- return -1;
+ BN_hex2bn(&cl->rsa_key->n, cfg->data.ptr);
+ BN_hex2bn(&cl->rsa_key->e, "FFFF");
+ return 0;
}
- return 0;
-}
-
-int read_rsa_private_key(RSA **key, const char *file)
-{
- FILE *fp;
+ /* Else, check for PublicKeyFile statement and read it */
- if((fp = fopen(file, "r")) == NULL)
+ if((cfg = get_config_val(cl->config, config_publickeyfile)))
{
- syslog(LOG_ERR, _("Error reading RSA private key file `%s': %m"),
- file);
- return -1;
+ if(is_safe_path(cfg->data.ptr))
+ {
+ if((fp = fopen(cfg->data.ptr, "r")) == NULL)
+ {
+ syslog(LOG_ERR, _("Error reading RSA public key file `%s': %m"),
+ cfg->data.ptr);
+ return -1;
+ }
+ result = PEM_read_RSAPublicKey(fp, &cl->rsa_key, NULL, NULL);
+ fclose(fp);
+ if(!result)
+ {
+ syslog(LOG_ERR, _("Reading RSA public key file `%s' failed: %m"),
+ cfg->data.ptr);
+ return -1;
+ }
+ return 0;
+ }
+ else
+ return -1;
}
- if(PEM_read_RSAPrivateKey(fp, key, NULL, NULL) == NULL)
+
+ /* Else, check if a harnessed public key is in the config file */
+
+ asprintf(&fname, "%s/hosts/%s", confbase, cl->name);
+ if((fp = fopen(fname, "r")))
{
- syslog(LOG_ERR, _("Reading RSA private key file `%s' failed: %m"),
- file);
- return -1;
+ result = PEM_read_RSAPublicKey(fp, &cl->rsa_key, NULL, NULL);
+ fclose(fp);
+ free(fname);
+ if(result)
+ return 0;
}
- return 0;
+ free(fname);
+
+ /* Nothing worked. */
+
+ syslog(LOG_ERR, _("No public key for %s specified!"), cl->name);
+cp
+ return -1;
}
-int read_rsa_keys(void)
+int read_rsa_private_key(void)
{
config_t const *cfg;
+ FILE *fp;
+ void *result;
+cp
+ if(!myself->rsa_key)
+ myself->rsa_key = RSA_new();
- if(!(cfg = get_config_val(config, config_privatekey)))
+ if((cfg = get_config_val(config, config_privatekey)))
+ {
+ BN_hex2bn(&myself->rsa_key->d, cfg->data.ptr);
+ BN_hex2bn(&myself->rsa_key->e, "FFFF");
+ }
+ else if((cfg = get_config_val(config, config_privatekeyfile)))
{
- syslog(LOG_ERR, _("Private key for tinc daemon required!"));
+ if((fp = fopen(cfg->data.ptr, "r")) == NULL)
+ {
+ syslog(LOG_ERR, _("Error reading RSA private key file `%s': %m"),
+ cfg->data.ptr);
+ return -1;
+ }
+ result = PEM_read_RSAPrivateKey(fp, &myself->rsa_key, NULL, NULL);
+ fclose(fp);
+ if(!result)
+ {
+ syslog(LOG_ERR, _("Reading RSA private key file `%s' failed: %m"),
+ cfg->data.ptr);
+ return -1;
+ }
+ }
+ else
+ {
+ syslog(LOG_ERR, _("No private key for tinc daemon specified!"));
return -1;
}
-
- myself->rsa_key = RSA_new();
-
- return read_rsa_private_key(&(myself->rsa_key), cfg->data.ptr);
+cp
+ return 0;
}
/*
cp
myself = new_connection();
- asprintf(&myself->hostname, "MYSELF"); /* FIXME? Do hostlookup on ourselves? */
- myself->flags = 0;
+ asprintf(&myself->hostname, "MYSELF");
+ myself->options = 0;
myself->protocol_version = PROT_CURRENT;
if(!(cfg = get_config_val(config, config_name))) /* Not acceptable */
return -1;
}
cp
- if(read_rsa_keys())
+ if(read_rsa_private_key())
return -1;
if(read_host_config(myself))
syslog(LOG_ERR, _("Cannot open host configuration file for myself!"));
return -1;
}
-cp
+
+ if(read_rsa_public_key(myself))
+ return -1;
+cp
/*
if(RSA_check_key(myself->rsa_key) != 1)
if((cfg = get_config_val(myself->config, config_indirectdata)))
if(cfg->data.val == stupid_true)
- myself->flags |= EXPORTINDIRECTDATA;
+ myself->options |= OPTION_INDIRECT;
if((cfg = get_config_val(myself->config, config_tcponly)))
if(cfg->data.val == stupid_true)
- myself->flags |= TCPONLY;
+ myself->options |= OPTION_TCPONLY;
/* Read in all the subnets specified in the host configuration file */
net->type = SUBNET_IPV4;
net->net.ipv4.address = cfg->data.ip->address;
net->net.ipv4.mask = cfg->data.ip->mask;
-
+
/* Teach newbies what subnets are... */
-
+
if((net->net.ipv4.address & net->net.ipv4.mask) != net->net.ipv4.address)
{
syslog(LOG_ERR, _("Network address and subnet mask do not match!"));
return -1;
- }
-
+ }
+
subnet_add(myself, net);
}
-
+
if((myself->meta_socket = setup_listen_meta_socket(myself->port)) < 0)
{
syslog(LOG_ERR, _("Unable to set up a listening TCP socket!"));
syslog(LOG_ERR, _("Unable to set up a listening UDP socket!"));
return -1;
}
-
+cp
/* Generate packet encryption key */
- myself->cipher_pkttype = EVP_bf_cfb();
+ myself->cipher_pkttype = EVP_bf_cbc();
myself->cipher_pktkeylength = myself->cipher_pkttype->key_len + myself->cipher_pkttype->iv_len;
myself->cipher_pktkey = (char *)xmalloc(myself->cipher_pktkeylength);
- RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength);
+ RAND_pseudo_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength);
if(!(cfg = get_config_val(config, config_keyexpire)))
keylifetime = 3600;
else
keylifetime = cfg->data.val;
-
+
keyexpires = time(NULL) + keylifetime;
+cp
+ /* Check some options */
+
+ if((cfg = get_config_val(config, config_indirectdata)))
+ {
+ if(cfg->data.val == stupid_true)
+ myself->options |= OPTION_INDIRECT;
+ }
+
+ if((cfg = get_config_val(config, config_tcponly)))
+ {
+ if(cfg->data.val == stupid_true)
+ myself->options |= OPTION_TCPONLY;
+ }
+
+ if(myself->options & OPTION_TCPONLY)
+ myself->options |= OPTION_INDIRECT;
/* Activate ourselves */
-
+
myself->status.active = 1;
syslog(LOG_NOTICE, _("Ready: listening on port %hd"), myself->port);
cp
cfg = get_config_val(upstreamcfg, config_connectto);
- if(!cfg && upstreamcfg == config)
- /* No upstream IP given, we're listen only. */
- return;
-
+ if(!cfg)
+ {
+ if(upstreamcfg == config)
+ {
+ /* No upstream IP given, we're listen only. */
+ signal(SIGALRM, SIG_IGN);
+ return;
+ }
+ }
+ else
+ {
+ /* We previously tried all the ConnectTo lines. Now wrap back to the first. */
+ cfg = get_config_val(config, config_connectto);
+ }
+
while(cfg)
{
upstreamcfg = cfg->next;
/* Run tinc-up script to further initialize the tap interface */
execute_script("tinc-up");
-
+
if(setup_myself() < 0)
return -1;
return 0;
cfg = get_config_val(upstreamcfg, config_connectto); /* Or else we try the next ConnectTo line */
}
-
- signal(SIGALRM, sigalrm_handler);
- upstreamcfg = config;
- seconds_till_retry = MAXTIMEOUT;
- syslog(LOG_NOTICE, _("Trying to re-establish outgoing connection in %d seconds"), seconds_till_retry);
- alarm(seconds_till_retry);
+
+ if(do_detach)
+ {
+ signal(SIGALRM, sigalrm_handler);
+ upstreamcfg = config;
+ seconds_till_retry = MAXTIMEOUT;
+ syslog(LOG_NOTICE, _("Trying to re-establish outgoing connection in %d seconds"), seconds_till_retry);
+ alarm(seconds_till_retry);
+ }
+ else
+ return -1;
+
cp
return 0;
}
*/
void close_network_connections(void)
{
- rbl_t *rbl;
+ avl_node_t *node;
connection_t *p;
cp
- RBL_FOREACH(connection_tree, rbl)
+ for(node = connection_tree->head; node; node = node->next)
{
- p = (connection_t *)rbl->data;
+ p = (connection_t *)node->data;
+ p->status.outgoing = 0;
p->status.active = 0;
terminate_connection(p);
}
return;
}
-/*
- create a data (udp) socket
- OBSOLETED: use only one listening socket for compatibility with non-Linux operating systems
-*/
-int setup_vpn_connection(connection_t *cl)
-{
- int nfd, flags;
- struct sockaddr_in a;
- const int one = 1;
-cp
- if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_DEBUG, _("Opening UDP socket to %s"), cl->hostname);
-
- nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
- if(nfd == -1)
- {
- syslog(LOG_ERR, _("Creating UDP socket failed: %m"));
- return -1;
- }
-
- if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)))
- {
- close(nfd);
- syslog(LOG_ERR, _("System call `%s' failed: %m"),
- "setsockopt");
- return -1;
- }
-
- flags = fcntl(nfd, F_GETFL);
- if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
- {
- close(nfd);
- syslog(LOG_ERR, _("System call `%s' failed: %m"),
- "fcntl");
- return -1;
- }
-
- memset(&a, 0, sizeof(a));
- a.sin_family = AF_INET;
- a.sin_port = htons(myself->port);
- a.sin_addr.s_addr = htonl(INADDR_ANY);
-
- if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr)))
- {
- close(nfd);
- syslog(LOG_ERR, _("Can't bind to port %hd/udp: %m"), myself->port);
- return -1;
- }
-
- a.sin_family = AF_INET;
- a.sin_port = htons(cl->port);
- a.sin_addr.s_addr = htonl(cl->address);
-
- if(connect(nfd, (struct sockaddr *)&a, sizeof(a)) == -1)
- {
- close(nfd);
- syslog(LOG_ERR, _("Connecting to %s port %d failed: %m"),
- cl->hostname, cl->port);
- return -1;
- }
-
- flags = fcntl(nfd, F_GETFL);
- if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0)
- {
- close(nfd);
- syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%m %s (%s)"), __FILE__, __LINE__, nfd,
- cl->name, cl->hostname);
- return -1;
- }
-
- cl->socket = nfd;
- cl->status.dataopen = 1;
-cp
- return 0;
-}
-
/*
handle an incoming tcp connect call and open
a connection to it.
{
syslog(LOG_ERR, _("System call `%s' failed: %m"),
"getpeername");
+ close(sfd);
return NULL;
}
p->name = unknown;
p->address = ntohl(ci.sin_addr.s_addr);
p->hostname = hostlookup(ci.sin_addr.s_addr);
+ p->port = htons(ci.sin_port); /* This one will be overwritten later */
p->meta_socket = sfd;
p->status.meta = 1;
p->buffer = xmalloc(MAXBUFSIZE);
p->buflen = 0;
p->last_ping_time = time(NULL);
-
+
if(debug_lvl >= DEBUG_CONNECTIONS)
syslog(LOG_NOTICE, _("Connection from %s port %d"),
p->hostname, htons(ci.sin_port));
*/
void build_fdset(fd_set *fs)
{
- rbl_t *rbl;
+ avl_node_t *node;
connection_t *p;
cp
FD_ZERO(fs);
FD_SET(myself->socket, fs);
- RBL_FOREACH(connection_tree, rbl)
+ for(node = connection_tree->head; node; node = node->next)
{
- p = (connection_t *)rbl->data;
+ p = (connection_t *)node->data;
if(p->status.meta)
FD_SET(p->meta_socket, fs);
}
udp socket and write it to the ethertap
device after being decrypted
*/
-int handle_incoming_vpn_data(void)
+void handle_incoming_vpn_data(void)
{
vpn_packet_t pkt;
int x, l = sizeof(x);
- int lenin;
struct sockaddr_in from;
socklen_t fromlen = sizeof(from);
connection_t *cl;
{
syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%m"),
__FILE__, __LINE__, myself->socket);
- return -1;
+ return;
}
if(x)
{
syslog(LOG_ERR, _("Incoming data socket error: %s"), strerror(x));
- return -1;
+ return;
}
- if((lenin = recvfrom(myself->socket, (char *) &(pkt.len), MTU, 0, (struct sockaddr *)&from, &fromlen)) <= 0)
+ if((pkt.len = recvfrom(myself->socket, (char *) pkt.salt, MTU, 0, (struct sockaddr *)&from, &fromlen)) <= 0)
{
syslog(LOG_ERR, _("Receiving packet failed: %m"));
- return -1;
+ return;
}
cl = lookup_connection(ntohl(from.sin_addr.s_addr), ntohs(from.sin_port));
-
+
if(!cl)
{
- syslog(LOG_WARNING, _("Received UDP packets on port %d from unknown source %lx:%d"), ntohl(from.sin_addr.s_addr), ntohs(from.sin_port));
- return 0;
+ syslog(LOG_WARNING, _("Received UDP packets on port %hd from unknown source %x:%hd"), myself->port, ntohl(from.sin_addr.s_addr), ntohs(from.sin_port));
+ return;
}
- if(debug_lvl >= DEBUG_TRAFFIC)
- {
- syslog(LOG_DEBUG, _("Received packet of %d bytes from %s (%s)"), lenin,
- cl->name, cl->hostname);
- }
+ cl->last_ping_time = time(NULL);
+ receive_udppacket(cl, &pkt);
cp
- return xrecv(cl, &pkt);
}
/*
{
connection_t *p;
subnet_t *subnet;
- rbl_t *rbl;
+ avl_node_t *node, *next;
cp
if(cl->status.remove)
return;
- cl->status.remove = 1;
-
if(debug_lvl >= DEBUG_CONNECTIONS)
syslog(LOG_NOTICE, _("Closing connection with %s (%s)"),
cl->name, cl->hostname);
-
+
+ cl->status.remove = 1;
+
if(cl->socket)
close(cl->socket);
if(cl->status.meta)
close(cl->meta_socket);
- /* Find all connections that were lost because they were behind cl
- (the connection that was dropped). */
-
if(cl->status.meta)
- RBL_FOREACH(connection_tree, rbl)
- {
- p = (connection_t *)rbl->data;
- if(p->nexthop == cl && p != cl)
- terminate_connection(p);
- }
+ {
- /* Inform others of termination if it was still active */
+ /* Find all connections that were lost because they were behind cl
+ (the connection that was dropped). */
- if(cl->status.active)
- RBL_FOREACH(connection_tree, rbl)
- {
- p = (connection_t *)rbl->data;
- if(p->status.meta && p->status.active && p!=cl)
- send_del_host(p, cl); /* Sounds like recursion, but p does not have a meta connection :) */
- }
+ for(node = connection_tree->head; node; node = node->next)
+ {
+ p = (connection_t *)node->data;
+ if(p->nexthop == cl && p != cl)
+ terminate_connection(p);
+ }
+
+ /* Inform others of termination if it was still active */
+
+ if(cl->status.active)
+ for(node = connection_tree->head; node; node = node->next)
+ {
+ p = (connection_t *)node->data;
+ if(p->status.meta && p->status.active && p != cl)
+ send_del_host(p, cl); /* Sounds like recursion, but p does not have a meta connection :) */
+ }
+ }
/* Remove the associated subnets */
- RBL_FOREACH(cl->subnet_tree, rbl)
+ for(node = cl->subnet_tree->head; node; node = next)
{
- subnet = (subnet_t *)rbl->data;
+ next = node->next;
+ subnet = (subnet_t *)node->data;
subnet_del(subnet);
}
/* Check if this was our outgoing connection */
-
- if(cl->status.outgoing && cl->status.active)
+
+ if(cl->status.outgoing)
{
+ cl->status.outgoing = 0;
signal(SIGALRM, sigalrm_handler);
seconds_till_retry = 5;
alarm(seconds_till_retry);
syslog(LOG_NOTICE, _("Trying to re-establish outgoing connection in 5 seconds"));
}
- /* Inactivate */
+ /* Deactivate */
cl->status.active = 0;
cp
void check_dead_connections(void)
{
time_t now;
- rbl_t *rbl;
+ avl_node_t *node;
connection_t *cl;
cp
now = time(NULL);
- RBL_FOREACH(connection_tree, rbl)
+ for(node = connection_tree->head; node; node = node->next)
{
- cl = (connection_t *)rbl->data;
+ cl = (connection_t *)node->data;
if(cl->status.active && cl->status.meta)
{
if(cl->last_ping_time + timeout < now)
}
connection_add(ncn);
+
+ send_id(ncn);
cp
return 0;
}
void check_network_activity(fd_set *f)
{
connection_t *p;
- rbl_t *rbl;
+ avl_node_t *node;
cp
if(FD_ISSET(myself->socket, f))
handle_incoming_vpn_data();
- RBL_FOREACH(connection_tree, rbl)
+ for(node = connection_tree->head; node; node = node->next)
{
- p = (connection_t *)rbl->data;
+ p = (connection_t *)node->data;
if(p->status.remove)
return;
{
terminate_connection(p);
return;
- }
+ }
}
-
+
if(FD_ISSET(myself->meta_socket, f))
handle_new_meta_connection();
cp
{
vpn_packet_t vp;
int lenin;
-cp
+cp
if(taptype == TAP_TYPE_TUNTAP)
{
if((lenin = read(tap_fd, vp.data, MTU)) <= 0)
vp.len = lenin - 2;
}
- total_tap_in += lenin;
+ total_tap_in += vp.len;
if(lenin < 32)
{
syslog(LOG_DEBUG, _("Read packet of length %d from tap device"), vp.len);
}
- send_packet(ntohl(*((unsigned long*)(&vp.data[30]))), &vp);
+ route_outgoing(&vp);
cp
}
if(read_server_config())
{
syslog(LOG_ERR, _("Unable to reread configuration file, exiting"));
- exit(0);
+ exit(1);
}
sleep(5);
-
+
if(setup_network_connections())
return;
-
+
continue;
}
{
if(debug_lvl >= DEBUG_STATUS)
syslog(LOG_INFO, _("Regenerating symmetric key"));
-
+
RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength);
send_key_changed(myself, NULL);
keyexpires = time(NULL) + keylifetime;
projects / tinc / blobdiff