X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fnet.c;h=3328863e633d160df1cee8d6e18f096880e98136;hp=4f3999071e9c0ddf855ef91b76238053f1e9b1d0;hb=f64b41a73b3b432aae17ba990414e0be2f61ce62;hpb=ba918dce287788aaf6a90b3c7a9f349b197068d6 diff --git a/src/net.c b/src/net.c index 4f399907..3328863e 100644 --- a/src/net.c +++ b/src/net.c @@ -1,7 +1,7 @@ /* net.c -- most of the network code - Copyright (C) 1998-2001 Ivo Timmermans , - 2000,2001 Guus Sliepen + Copyright (C) 1998-2002 Ivo Timmermans , + 2000-2002 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: net.c,v 1.35.4.114 2001/06/08 18:02:10 guus Exp $ + $Id: net.c,v 1.35.4.155 2002/02/12 14:36:45 guus Exp $ */ #include "config.h" @@ -33,7 +33,7 @@ #include #include #include -#include +#include #include #include #include @@ -45,33 +45,16 @@ #include #include -#ifdef HAVE_OPENSSL_RAND_H -# include -#else -# include -#endif - -#ifdef HAVE_OPENSSL_EVP_H -# include -#else -# include -#endif +#include +#include +#include +#include -#ifdef HAVE_OPENSSL_ERR_H -# include -#else -# include +#ifndef HAVE_RAND_PSEUDO_BYTES +#define RAND_pseudo_bytes RAND_bytes #endif -#ifdef HAVE_OPENSSL_PEM_H -# include -#else -# include -#endif - -#ifdef HAVE_TUNTAP -#include LINUX_IF_TUN_H -#endif +#include #include #include @@ -86,137 +69,214 @@ #include "process.h" #include "protocol.h" #include "subnet.h" +#include "graph.h" #include "process.h" #include "route.h" +#include "device.h" +#include "event.h" #include "system.h" -int tap_fd = -1; -int taptype = TAP_TYPE_ETHERTAP; -int total_tap_in = 0; -int total_tap_out = 0; -int total_socket_in = 0; -int total_socket_out = 0; - -config_t *upstreamcfg; +int maxtimeout = 900; int seconds_till_retry = 5; +int tcp_socket = -1; +int udp_socket = -1; + int keylifetime = 0; int keyexpires = 0; -void send_udppacket(connection_t *cl, vpn_packet_t *inpkt) +int do_prune = 0; +int do_purge = 0; +int sighup = 0; +int sigalrm = 0; + +#define MAX_SEQNO 1073741824 + +/* VPN packet I/O */ + +void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { - vpn_packet_t outpkt; + vpn_packet_t pkt1, pkt2; + vpn_packet_t *pkt[] = {&pkt1, &pkt2, &pkt1, &pkt2}; + int nextpkt = 0; + vpn_packet_t *outpkt = pkt[0]; int outlen, outpad; + long int complen = MTU + 12; EVP_CIPHER_CTX ctx; - struct sockaddr_in to; - socklen_t tolen = sizeof(to); - vpn_packet_t *copy; + char hmac[EVP_MAX_MD_SIZE]; cp - if(!cl->status.validkey) + /* Check the message authentication code */ + + if(myself->digest && myself->maclength) { - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"), - cl->name, cl->hostname); + inpkt->len -= myself->maclength; + HMAC(myself->digest, myself->key, myself->keylength, (char *)&inpkt->seqno, inpkt->len, hmac, NULL); + if(memcmp(hmac, (char *)&inpkt->seqno + inpkt->len, myself->maclength)) + { + syslog(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"), n->name, n->hostname); + return; + } + } - /* Since packet is on the stack of handle_tap_input(), - we have to make a copy of it first. */ + /* Decrypt the packet */ - copy = xmalloc(sizeof(vpn_packet_t)); - memcpy(copy, inpkt, sizeof(vpn_packet_t)); + if(myself->cipher) + { + outpkt = pkt[nextpkt++]; - list_insert_tail(cl->queue, copy); + EVP_DecryptInit(&ctx, myself->cipher, myself->key, myself->key + myself->cipher->key_len); + EVP_DecryptUpdate(&ctx, (char *)&outpkt->seqno, &outlen, (char *)&inpkt->seqno, inpkt->len); + EVP_DecryptFinal(&ctx, (char *)&outpkt->seqno + outlen, &outpad); - if(!cl->status.waitingforkey) - send_req_key(myself, cl); - return; - } + outpkt->len = outlen + outpad; + inpkt = outpkt; + } - /* Encrypt the packet. */ + /* Check the sequence number */ - RAND_bytes(inpkt->salt, sizeof(inpkt->salt)); + inpkt->len -= sizeof(inpkt->seqno); + inpkt->seqno = ntohl(inpkt->seqno); - EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey + cl->cipher_pkttype->key_len); - EVP_EncryptUpdate(&ctx, outpkt.salt, &outlen, inpkt->salt, inpkt->len + sizeof(inpkt->salt)); - EVP_EncryptFinal(&ctx, outpkt.salt + outlen, &outpad); - outlen += outpad; + if(inpkt->seqno <= n->received_seqno) + { + syslog(LOG_DEBUG, _("Got late or replayed packet from %s (%s), seqno %d"), n->name, n->hostname, inpkt->seqno); + return; + } + + n->received_seqno = inpkt->seqno; - total_socket_out += outlen; + if(n->received_seqno > MAX_SEQNO) + keyexpires = 0; - to.sin_family = AF_INET; - to.sin_addr.s_addr = htonl(cl->address); - to.sin_port = htons(cl->port); + /* Decompress the packet */ + + if(myself->compression) + { + outpkt = pkt[nextpkt++]; - if((sendto(myself->socket, (char *) outpkt.salt, outlen, 0, (const struct sockaddr *)&to, tolen)) < 0) + if(uncompress(outpkt->data, &complen, inpkt->data, inpkt->len) != Z_OK) { - syslog(LOG_ERR, _("Error sending packet to %s (%s): %m"), - cl->name, cl->hostname); + syslog(LOG_ERR, _("Error while uncompressing packet from %s (%s)"), n->name, n->hostname); return; } + + outpkt->len = complen; + inpkt = outpkt; + } + + receive_packet(n, inpkt); cp } -void receive_packet(connection_t *cl, vpn_packet_t *packet) +void receive_tcppacket(connection_t *c, char *buffer, int len) +{ + vpn_packet_t outpkt; +cp + outpkt.len = len; + memcpy(outpkt.data, buffer, len); + + receive_packet(c->node, &outpkt); +cp +} + +void receive_packet(node_t *n, vpn_packet_t *packet) { cp if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_DEBUG, _("Received packet of %d bytes from %s (%s)"), packet->len, cl->name, cl->hostname); + syslog(LOG_DEBUG, _("Received packet of %d bytes from %s (%s)"), packet->len, n->name, n->hostname); - route_incoming(cl, packet); + route_incoming(n, packet); cp } -void receive_udppacket(connection_t *cl, vpn_packet_t *inpkt) +void send_udppacket(node_t *n, vpn_packet_t *inpkt) { - vpn_packet_t outpkt; + vpn_packet_t pkt1, pkt2; + vpn_packet_t *pkt[] = {&pkt1, &pkt2, &pkt1, &pkt2}; + int nextpkt = 0; + vpn_packet_t *outpkt; int outlen, outpad; + long int complen = MTU + 12; EVP_CIPHER_CTX ctx; + struct sockaddr_in to; + socklen_t tolen = sizeof(to); + vpn_packet_t *copy; cp - /* Decrypt the packet */ + if(!n->status.validkey) + { + if(debug_lvl >= DEBUG_TRAFFIC) + syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"), + n->name, n->hostname); - EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, myself->cipher_pktkey + myself->cipher_pkttype->key_len); - EVP_DecryptUpdate(&ctx, outpkt.salt, &outlen, inpkt->salt, inpkt->len); - EVP_DecryptFinal(&ctx, outpkt.salt + outlen, &outpad); - outlen += outpad; - outpkt.len = outlen - sizeof(outpkt.salt); + /* Since packet is on the stack of handle_tap_input(), + we have to make a copy of it first. */ - total_socket_in += outlen; + copy = xmalloc(sizeof(vpn_packet_t)); + memcpy(copy, inpkt, sizeof(vpn_packet_t)); - receive_packet(cl, &outpkt); -cp -} + list_insert_tail(n->queue, copy); -void receive_tcppacket(connection_t *cl, char *buffer, int len) -{ - vpn_packet_t outpkt; -cp - outpkt.len = len; - memcpy(outpkt.data, buffer, len); + if(!n->status.waitingforkey) + send_req_key(n->nexthop->connection, myself, n); - receive_packet(cl, &outpkt); -cp -} + return; + } -void accept_packet(vpn_packet_t *packet) -{ -cp - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_DEBUG, _("Writing packet of %d bytes to tap device"), - packet->len); + /* Compress the packet */ - if(taptype == TAP_TYPE_TUNTAP) + if(n->compression) + { + outpkt = pkt[nextpkt++]; + + if(compress2(outpkt->data, &complen, inpkt->data, inpkt->len, n->compression) != Z_OK) { - if(write(tap_fd, packet->data, packet->len) < 0) - syslog(LOG_ERR, _("Can't write to tun/tap device: %m")); - else - total_tap_out += packet->len; + syslog(LOG_ERR, _("Error while compressing packet to %s (%s)"), n->name, n->hostname); + return; + } + + outpkt->len = complen; + inpkt = outpkt; + } + + /* Add sequence number */ + + inpkt->seqno = htonl(++(n->sent_seqno)); + inpkt->len += sizeof(inpkt->seqno); + + /* Encrypt the packet */ + + if(n->cipher) + { + outpkt = pkt[nextpkt++]; + + EVP_EncryptInit(&ctx, n->cipher, n->key, n->key + n->cipher->key_len); + EVP_EncryptUpdate(&ctx, (char *)&outpkt->seqno, &outlen, (char *)&inpkt->seqno, inpkt->len); + EVP_EncryptFinal(&ctx, (char *)&outpkt->seqno + outlen, &outpad); + + outpkt->len = outlen + outpad; + inpkt = outpkt; + } + + /* Add the message authentication code */ + + if(n->digest && n->maclength) + { + HMAC(n->digest, n->key, n->keylength, (char *)&inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len, &outlen); + inpkt->len += n->maclength; } - else /* ethertap */ + + /* Send the packet */ + + to.sin_family = AF_INET; + to.sin_addr.s_addr = htonl(n->address); + to.sin_port = htons(n->port); + + if((sendto(udp_socket, (char *)&inpkt->seqno, inpkt->len, 0, (const struct sockaddr *)&to, tolen)) < 0) { - if(write(tap_fd, packet->data - 2, packet->len + 2) < 0) - syslog(LOG_ERR, _("Can't write to ethertap device: %m")); - else - total_tap_out += packet->len; + syslog(LOG_ERR, _("Error sending packet to %s (%s): %m"), + n->name, n->hostname); + return; } cp } @@ -224,14 +284,15 @@ cp /* send a packet to the given vpn ip. */ -void send_packet(connection_t *cl, vpn_packet_t *packet) +void send_packet(node_t *n, vpn_packet_t *packet) { + node_t *via; cp if(debug_lvl >= DEBUG_TRAFFIC) syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"), - packet->len, cl->name, cl->hostname); + packet->len, n->name, n->hostname); - if(cl == myself) + if(n == myself) { if(debug_lvl >= DEBUG_TRAFFIC) { @@ -240,33 +301,36 @@ cp return; } - - if(!cl->status.active) + + if(!n->status.reachable) { if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_INFO, _("%s (%s) is not active, dropping packet"), - cl->name, cl->hostname); - + syslog(LOG_INFO, _("Node %s (%s) is not reachable"), + n->name, n->hostname); return; } - /* Check if it has to go via TCP or UDP... */ -cp - if((cl->options | myself->options) & OPTION_TCPONLY) + via = (n->via == myself)?n->nexthop:n->via; + + if(via != n && debug_lvl >= DEBUG_TRAFFIC) + syslog(LOG_ERR, _("Sending packet to %s via %s (%s)"), + n->name, via->name, n->via->hostname); + + if((myself->options | via->options) & OPTION_TCPONLY) { - if(send_tcppacket(cl, packet)) - terminate_connection(cl); + if(send_tcppacket(via->connection, packet)) + terminate_connection(via->connection, 1); } else - send_udppacket(cl, packet); + send_udppacket(via, packet); } -/* Broadcast a packet to all active connections */ +/* Broadcast a packet using the minimum spanning tree */ -void broadcast_packet(connection_t *from, vpn_packet_t *packet) +void broadcast_packet(node_t *from, vpn_packet_t *packet) { avl_node_t *node; - connection_t *cl; + connection_t *c; cp if(debug_lvl >= DEBUG_TRAFFIC) syslog(LOG_INFO, _("Broadcasting packet of %d bytes from %s (%s)"), @@ -274,116 +338,40 @@ cp for(node = connection_tree->head; node; node = node->next) { - cl = (connection_t *)node->data; - if(cl->status.meta && cl != from) - send_packet(cl, packet); + c = (connection_t *)node->data; + if(c->status.active && c->status.mst && c != from->nexthop->connection) + send_packet(c->node, packet); } cp } -void flush_queue(connection_t *cl) +void flush_queue(node_t *n) { list_node_t *node, *next; cp if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_INFO, _("Flushing queue for %s (%s)"), cl->name, cl->hostname); + syslog(LOG_INFO, _("Flushing queue for %s (%s)"), n->name, n->hostname); - for(node = cl->queue->head; node; node = next) + for(node = n->queue->head; node; node = next) { next = node->next; - send_udppacket(cl, (vpn_packet_t *)node->data); - list_delete_node(cl->queue, node); + send_udppacket(n, (vpn_packet_t *)node->data); + list_delete_node(n->queue, node); } cp } -/* - open the local ethertap device -*/ -int setup_tap_fd(void) -{ - int nfd; - const char *tapfname; - config_t const *cfg; -#ifdef HAVE_LINUX -# ifdef HAVE_TUNTAP - struct ifreq ifr; -# endif -#endif +/* Setup sockets */ -cp - if((cfg = get_config_val(config, config_tapdevice))) - tapfname = cfg->data.ptr; - else - { -#ifdef HAVE_LINUX -# ifdef HAVE_TUNTAP - tapfname = "/dev/net/tun"; -# else - tapfname = "/dev/tap0"; -# endif -#endif -#ifdef HAVE_FREEBSD - tapfname = "/dev/tap0"; -#endif -#ifdef HAVE_SOLARIS - tapfname = "/dev/tun"; -#endif - } -cp - if((nfd = open(tapfname, O_RDWR | O_NONBLOCK)) < 0) - { - syslog(LOG_ERR, _("Could not open %s: %m"), tapfname); - return -1; - } -cp - tap_fd = nfd; - - taptype = TAP_TYPE_ETHERTAP; - - /* Set default MAC address for ethertap devices */ - - mymac.type = SUBNET_MAC; - mymac.net.mac.address.x[0] = 0xfe; - mymac.net.mac.address.x[1] = 0xfd; - mymac.net.mac.address.x[2] = 0x00; - mymac.net.mac.address.x[3] = 0x00; - mymac.net.mac.address.x[4] = 0x00; - mymac.net.mac.address.x[5] = 0x00; - -#ifdef HAVE_LINUX - #ifdef HAVE_TUNTAP - /* Ok now check if this is an old ethertap or a new tun/tap thingie */ - memset(&ifr, 0, sizeof(ifr)); -cp - ifr.ifr_flags = IFF_TAP | IFF_NO_PI; - if (netname) - strncpy(ifr.ifr_name, netname, IFNAMSIZ); -cp - if (!ioctl(tap_fd, TUNSETIFF, (void *) &ifr)) - { - syslog(LOG_INFO, _("%s is a new style tun/tap device"), tapfname); - taptype = TAP_TYPE_TUNTAP; - } - #endif -#endif -#ifdef HAVE_FREEBSD - taptype = TAP_TYPE_TUNTAP; -#endif -cp - return 0; -} - -/* - set up the socket that we listen on for incoming - (tcp) connections -*/ -int setup_listen_meta_socket(int port) +int setup_listen_socket(port_t port) { int nfd, flags; struct sockaddr_in a; int option; - config_t const *cfg; + ipv4_t *address; +#ifdef HAVE_LINUX + char *interface; +#endif cp if((nfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { @@ -411,25 +399,25 @@ cp option = IPTOS_LOWDELAY; setsockopt(nfd, SOL_IP, IP_TOS, &option, sizeof(option)); - if((cfg = get_config_val(config, config_interface))) - { - if(setsockopt(nfd, SOL_SOCKET, SO_BINDTODEVICE, cfg->data.ptr, strlen(cfg->data.ptr))) - { - close(nfd); - syslog(LOG_ERR, _("Unable to bind listen socket to interface %s: %m"), cfg->data.ptr); - return -1; - } - } + if(get_config_string(lookup_config(config_tree, "BindToInterface"), &interface)) + if(setsockopt(nfd, SOL_SOCKET, SO_BINDTODEVICE, interface, strlen(interface))) + { + close(nfd); + syslog(LOG_ERR, _("Can't bind to interface %s: %m"), interface); + return -1; + } #endif memset(&a, 0, sizeof(a)); a.sin_family = AF_INET; + a.sin_addr.s_addr = htonl(INADDR_ANY); a.sin_port = htons(port); - if((cfg = get_config_val(config, config_interfaceip))) - a.sin_addr.s_addr = htonl(cfg->data.ip->address); - else - a.sin_addr.s_addr = htonl(INADDR_ANY); + if(get_config_address(lookup_config(config_tree, "BindToAddress"), &address)) + { + a.sin_addr.s_addr = htonl(*address); + free(address); + } if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr))) { @@ -449,11 +437,7 @@ cp return nfd; } -/* - setup the socket for incoming encrypted - data (the udp part) -*/ -int setup_vpn_in_socket(int port) +int setup_vpn_in_socket(port_t port) { int nfd, flags; struct sockaddr_in a; @@ -492,357 +476,407 @@ cp return nfd; } -/* - setup an outgoing meta (tcp) socket -*/ -int setup_outgoing_meta_socket(connection_t *cl) +void retry_outgoing(outgoing_t *outgoing) +{ + event_t *event; +cp + outgoing->timeout += 5; + if(outgoing->timeout > maxtimeout) + outgoing->timeout = maxtimeout; + + event = new_event(); + event->handler = (event_handler_t)setup_outgoing_connection; + event->time = time(NULL) + outgoing->timeout; + event->data = outgoing; + event_add(event); + + if(debug_lvl >= DEBUG_CONNECTIONS) + syslog(LOG_NOTICE, _("Trying to re-establish outgoing connection in %d seconds"), outgoing->timeout); +cp +} + +int setup_outgoing_socket(connection_t *c) { int flags; struct sockaddr_in a; - config_t const *cfg; - int option; cp if(debug_lvl >= DEBUG_CONNECTIONS) - syslog(LOG_INFO, _("Trying to connect to %s"), cl->hostname); + syslog(LOG_INFO, _("Trying to connect to %s (%s)"), c->name, c->hostname); - if((cfg = get_config_val(cl->config, config_port)) == NULL) - cl->port = 655; - else - cl->port = cfg->data.val; + c->socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); - cl->meta_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); - if(cl->meta_socket == -1) + if(c->socket == -1) { syslog(LOG_ERR, _("Creating socket for %s port %d failed: %m"), - cl->hostname, cl->port); + c->hostname, c->port); return -1; } - /* Bind first to get a fix on our source port */ + /* Bind first to get a fix on our source port??? a.sin_family = AF_INET; a.sin_port = htons(0); a.sin_addr.s_addr = htonl(INADDR_ANY); - if(bind(cl->meta_socket, (struct sockaddr *)&a, sizeof(struct sockaddr))) + if(bind(c->socket, (struct sockaddr *)&a, sizeof(struct sockaddr))) { - close(cl->meta_socket); + close(c->socket); syslog(LOG_ERR, _("System call `%s' failed: %m"), "bind"); return -1; } - /* Optimize TCP settings */ + */ + + /* Optimize TCP settings? option = 1; - setsockopt(cl->meta_socket, SOL_SOCKET, SO_KEEPALIVE, &option, sizeof(option)); + setsockopt(c->socket, SOL_SOCKET, SO_KEEPALIVE, &option, sizeof(option)); #ifdef HAVE_LINUX - setsockopt(cl->meta_socket, SOL_TCP, TCP_NODELAY, &option, sizeof(option)); + setsockopt(c->socket, SOL_TCP, TCP_NODELAY, &option, sizeof(option)); option = IPTOS_LOWDELAY; - setsockopt(cl->meta_socket, SOL_IP, IP_TOS, &option, sizeof(option)); + setsockopt(c->socket, SOL_IP, IP_TOS, &option, sizeof(option)); #endif + + */ + /* Connect */ a.sin_family = AF_INET; - a.sin_port = htons(cl->port); - a.sin_addr.s_addr = htonl(cl->address); + a.sin_port = htons(c->port); + a.sin_addr.s_addr = htonl(c->address); - if(connect(cl->meta_socket, (struct sockaddr *)&a, sizeof(a)) == -1) + if(connect(c->socket, (struct sockaddr *)&a, sizeof(a)) == -1) { - close(cl->meta_socket); - syslog(LOG_ERR, _("%s port %hd: %m"), cl->hostname, cl->port); + close(c->socket); + syslog(LOG_ERR, _("%s port %hd: %m"), c->hostname, c->port); return -1; } - flags = fcntl(cl->meta_socket, F_GETFL); - if(fcntl(cl->meta_socket, F_SETFL, flags | O_NONBLOCK) < 0) + flags = fcntl(c->socket, F_GETFL); + + if(fcntl(c->socket, F_SETFL, flags | O_NONBLOCK) < 0) { - close(cl->meta_socket); + close(c->socket); syslog(LOG_ERR, _("fcntl for %s port %d: %m"), - cl->hostname, cl->port); + c->hostname, c->port); return -1; } if(debug_lvl >= DEBUG_CONNECTIONS) syslog(LOG_INFO, _("Connected to %s port %hd"), - cl->hostname, cl->port); - - cl->status.meta = 1; + c->hostname, c->port); cp return 0; } -/* - Setup an outgoing meta connection. -*/ -int setup_outgoing_connection(char *name) +void setup_outgoing_connection(outgoing_t *outgoing) { - connection_t *ncn; + connection_t *c; + node_t *n; struct hostent *h; - config_t const *cfg; cp - if(check_id(name)) - { - syslog(LOG_ERR, _("Invalid name for outgoing connection")); - return -1; - } + n = lookup_node(outgoing->name); + + if(n) + if(n->connection) + { + if(debug_lvl >= DEBUG_CONNECTIONS) + syslog(LOG_INFO, _("Already connected to %s"), outgoing->name); + n->connection->outgoing = outgoing; + return; + } - ncn = new_connection(); - asprintf(&ncn->name, "%s", name); + c = new_connection(); + c->name = xstrdup(outgoing->name); - if(read_host_config(ncn)) + init_configuration(&c->config_tree); + read_connection_config(c); + + if(!get_config_string(lookup_config(c->config_tree, "Address"), &c->hostname)) { - syslog(LOG_ERR, _("Error reading host configuration file for %s"), ncn->name); - free_connection(ncn); - return -1; + syslog(LOG_ERR, _("No address specified for %s"), c->name); + free_connection(c); + free(outgoing->name); + free(outgoing); + return; } - if(!(cfg = get_config_val(ncn->config, config_address))) - { - syslog(LOG_ERR, _("No address specified for %s"), ncn->name); - free_connection(ncn); - return -1; - } + if(!get_config_port(lookup_config(c->config_tree, "Port"), &c->port)) + c->port = 655; - if(!(h = gethostbyname(cfg->data.ptr))) + if(!(h = gethostbyname(c->hostname))) { - syslog(LOG_ERR, _("Error looking up `%s': %m"), cfg->data.ptr); - free_connection(ncn); - return -1; + syslog(LOG_ERR, _("Error looking up `%s': %m"), c->hostname); + free_connection(c); + retry_outgoing(outgoing); + return; } - ncn->address = ntohl(*((ipv4_t*)(h->h_addr_list[0]))); - ncn->hostname = hostlookup(htonl(ncn->address)); + c->address = ntohl(*((ipv4_t*)(h->h_addr_list[0]))); + c->hostname = hostlookup(htonl(c->address)); - if(setup_outgoing_meta_socket(ncn) < 0) + if(setup_outgoing_socket(c) < 0) { - syslog(LOG_ERR, _("Could not set up a meta connection to %s"), - ncn->hostname); - free_connection(ncn); - return -1; + syslog(LOG_ERR, _("Could not set up a meta connection to %s (%s)"), + c->name, c->hostname); + retry_outgoing(outgoing); + return; } - ncn->status.outgoing = 1; - ncn->buffer = xmalloc(MAXBUFSIZE); - ncn->buflen = 0; - ncn->last_ping_time = time(NULL); + c->outgoing = outgoing; + c->last_ping_time = time(NULL); - connection_add(ncn); + connection_add(c); - send_id(ncn); + send_id(c); cp - return 0; } -int read_rsa_public_key(connection_t *cl) +int read_rsa_public_key(connection_t *c) { - config_t const *cfg; FILE *fp; char *fname; - void *result; + char *key; cp - if(!cl->rsa_key) - cl->rsa_key = RSA_new(); + if(!c->rsa_key) + c->rsa_key = RSA_new(); /* First, check for simple PublicKey statement */ - if((cfg = get_config_val(cl->config, config_publickey))) + if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) { - BN_hex2bn(&cl->rsa_key->n, cfg->data.ptr); - BN_hex2bn(&cl->rsa_key->e, "FFFF"); + BN_hex2bn(&c->rsa_key->n, key); + BN_hex2bn(&c->rsa_key->e, "FFFF"); + free(key); return 0; } /* Else, check for PublicKeyFile statement and read it */ - if((cfg = get_config_val(cl->config, config_publickeyfile))) + if(get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &fname)) { - if(is_safe_path(cfg->data.ptr)) + if(is_safe_path(fname)) { - if((fp = fopen(cfg->data.ptr, "r")) == NULL) + if((fp = fopen(fname, "r")) == NULL) { syslog(LOG_ERR, _("Error reading RSA public key file `%s': %m"), - cfg->data.ptr); + fname); + free(fname); return -1; } - result = PEM_read_RSAPublicKey(fp, &cl->rsa_key, NULL, NULL); + free(fname); + c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL); fclose(fp); - if(!result) + if(!c->rsa_key) { syslog(LOG_ERR, _("Reading RSA public key file `%s' failed: %m"), - cfg->data.ptr); + fname); return -1; } return 0; } else - return -1; + { + free(fname); + return -1; + } } /* Else, check if a harnessed public key is in the config file */ - asprintf(&fname, "%s/hosts/%s", confbase, cl->name); + asprintf(&fname, "%s/hosts/%s", confbase, c->name); if((fp = fopen(fname, "r"))) { - result = PEM_read_RSAPublicKey(fp, &cl->rsa_key, NULL, NULL); + c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL); fclose(fp); - free(fname); - if(result) - return 0; } free(fname); - /* Nothing worked. */ - - syslog(LOG_ERR, _("No public key for %s specified!"), cl->name); -cp - return -1; + if(c->rsa_key) + return 0; + else + { + syslog(LOG_ERR, _("No public key for %s specified!"), c->name); + return -1; + } } int read_rsa_private_key(void) { - config_t const *cfg; FILE *fp; - void *result; + char *fname, *key; cp - if(!myself->rsa_key) - myself->rsa_key = RSA_new(); - - if((cfg = get_config_val(config, config_privatekey))) + if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) { - BN_hex2bn(&myself->rsa_key->d, cfg->data.ptr); - BN_hex2bn(&myself->rsa_key->e, "FFFF"); + myself->connection->rsa_key = RSA_new(); + BN_hex2bn(&myself->connection->rsa_key->d, key); + BN_hex2bn(&myself->connection->rsa_key->e, "FFFF"); + free(key); + return 0; } - else if((cfg = get_config_val(config, config_privatekeyfile))) + + if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname)) + asprintf(&fname, "%s/rsa_key.priv", confbase); + + if(is_safe_path(fname)) { - if((fp = fopen(cfg->data.ptr, "r")) == NULL) + if((fp = fopen(fname, "r")) == NULL) { syslog(LOG_ERR, _("Error reading RSA private key file `%s': %m"), - cfg->data.ptr); + fname); + free(fname); return -1; } - result = PEM_read_RSAPrivateKey(fp, &myself->rsa_key, NULL, NULL); + free(fname); + myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL); fclose(fp); - if(!result) + if(!myself->connection->rsa_key) { syslog(LOG_ERR, _("Reading RSA private key file `%s' failed: %m"), - cfg->data.ptr); + fname); return -1; } + return 0; + } + + free(fname); + return -1; +} + +int check_rsa_key(RSA *rsa_key) +{ + char *test1, *test2, *test3; +cp + if(rsa_key->p && rsa_key->q) + { + if(RSA_check_key(rsa_key) != 1) + return -1; } else { - syslog(LOG_ERR, _("No private key for tinc daemon specified!")); - return -1; + test1 = xmalloc(RSA_size(rsa_key)); + test2 = xmalloc(RSA_size(rsa_key)); + test3 = xmalloc(RSA_size(rsa_key)); + + if(RSA_public_encrypt(RSA_size(rsa_key), test1, test2, rsa_key, RSA_NO_PADDING) != RSA_size(rsa_key)) + return -1; + + if(RSA_private_decrypt(RSA_size(rsa_key), test2, test3, rsa_key, RSA_NO_PADDING) != RSA_size(rsa_key)) + return -1; + + if(memcmp(test1, test3, RSA_size(rsa_key))) + return -1; } cp return 0; } /* - Configure connection_t myself and set up the local sockets (listen only) + Configure node_t myself and set up the local sockets (listen only) */ int setup_myself(void) { - config_t const *cfg; - config_t *next; - subnet_t *net; + config_t *cfg; + subnet_t *subnet; + char *name, *mode, *cipher, *digest; + int choice; cp - myself = new_connection(); + myself = new_node(); + myself->connection = new_connection(); + init_configuration(&myself->connection->config_tree); asprintf(&myself->hostname, _("MYSELF")); - myself->options = 0; - myself->protocol_version = PROT_CURRENT; + asprintf(&myself->connection->hostname, _("MYSELF")); + + myself->connection->options = 0; + myself->connection->protocol_version = PROT_CURRENT; - if(!(cfg = get_config_val(config, config_name))) /* Not acceptable */ + if(!get_config_string(lookup_config(config_tree, "Name"), &name)) /* Not acceptable */ { syslog(LOG_ERR, _("Name for tinc daemon required!")); return -1; } - else - asprintf(&myself->name, "%s", (char*)cfg->data.val); - if(check_id(myself->name)) + if(check_id(name)) { syslog(LOG_ERR, _("Invalid name for myself!")); + free(name); return -1; } + + myself->name = name; + myself->connection->name = xstrdup(name); + cp if(read_rsa_private_key()) return -1; - if(read_host_config(myself)) + if(read_connection_config(myself->connection)) { syslog(LOG_ERR, _("Cannot open host configuration file for myself!")); return -1; } - if(read_rsa_public_key(myself)) + if(read_rsa_public_key(myself->connection)) return -1; cp -/* - if(RSA_check_key(myself->rsa_key) != 1) + if(check_rsa_key(myself->connection->rsa_key)) { syslog(LOG_ERR, _("Invalid public/private keypair!")); return -1; } -*/ - if(!(cfg = get_config_val(myself->config, config_port))) + + if(!get_config_port(lookup_config(myself->connection->config_tree, "Port"), &myself->port)) myself->port = 655; - else - myself->port = cfg->data.val; + + myself->connection->port = myself->port; /* Read in all the subnets specified in the host configuration file */ - for(next = myself->config; (cfg = get_config_val(next, config_subnet)); next = cfg->next) - { - net = new_subnet(); - net->type = SUBNET_IPV4; - net->net.ipv4.address = cfg->data.ip->address; - net->net.ipv4.mask = cfg->data.ip->mask; + cfg = lookup_config(myself->connection->config_tree, "Subnet"); - /* Teach newbies what subnets are... */ + while(cfg) + { + if(!get_config_subnet(cfg, &subnet)) + return -1; - if((net->net.ipv4.address & net->net.ipv4.mask) != net->net.ipv4.address) - { - syslog(LOG_ERR, _("Network address and subnet mask do not match!")); - return -1; - } + subnet_add(myself, subnet); - subnet_add(myself, net); + cfg = lookup_config_next(myself->connection->config_tree, cfg); } cp /* Check some options */ - if((cfg = get_config_val(config, config_indirectdata))) - if(cfg->data.val == stupid_true) + if(get_config_bool(lookup_config(config_tree, "IndirectData"), &choice)) + if(choice) myself->options |= OPTION_INDIRECT; - if((cfg = get_config_val(config, config_tcponly))) - if(cfg->data.val == stupid_true) + if(get_config_bool(lookup_config(config_tree, "TCPOnly"), &choice)) + if(choice) myself->options |= OPTION_TCPONLY; - if((cfg = get_config_val(myself->config, config_indirectdata))) - if(cfg->data.val == stupid_true) + if(get_config_bool(lookup_config(myself->connection->config_tree, "IndirectData"), &choice)) + if(choice) myself->options |= OPTION_INDIRECT; - if((cfg = get_config_val(myself->config, config_tcponly))) - if(cfg->data.val == stupid_true) + if(get_config_bool(lookup_config(myself->connection->config_tree, "TCPOnly"), &choice)) + if(choice) myself->options |= OPTION_TCPONLY; if(myself->options & OPTION_TCPONLY) myself->options |= OPTION_INDIRECT; - if((cfg = get_config_val(config, config_mode))) + if(get_config_string(lookup_config(config_tree, "Mode"), &mode)) { - if(!strcasecmp(cfg->data.ptr, "router")) + if(!strcasecmp(mode, "router")) routing_mode = RMODE_ROUTER; - else if (!strcasecmp(cfg->data.ptr, "switch")) + else if (!strcasecmp(mode, "switch")) routing_mode = RMODE_SWITCH; - else if (!strcasecmp(cfg->data.ptr, "hub")) + else if (!strcasecmp(mode, "hub")) routing_mode = RMODE_HUB; else { @@ -856,13 +890,13 @@ cp cp /* Open sockets */ - if((myself->meta_socket = setup_listen_meta_socket(myself->port)) < 0) + if((tcp_socket = setup_listen_socket(myself->port)) < 0) { syslog(LOG_ERR, _("Unable to set up a listening TCP socket!")); return -1; } - if((myself->socket = setup_vpn_in_socket(myself->port)) < 0) + if((udp_socket = setup_vpn_in_socket(myself->port)) < 0) { syslog(LOG_ERR, _("Unable to set up a listening UDP socket!")); return -1; @@ -870,72 +904,101 @@ cp cp /* Generate packet encryption key */ - myself->cipher_pkttype = EVP_bf_cbc(); + if(get_config_string(lookup_config(myself->connection->config_tree, "Cipher"), &cipher)) + { + if(!strcasecmp(cipher, "none")) + { + myself->cipher = NULL; + } + else + { + if(!(myself->cipher = EVP_get_cipherbyname(cipher))) + { + syslog(LOG_ERR, _("Unrecognized cipher type!")); + return -1; + } + } + } + else + myself->cipher = EVP_bf_cbc(); - myself->cipher_pktkeylength = myself->cipher_pkttype->key_len + myself->cipher_pkttype->iv_len; + if(myself->cipher) + myself->keylength = myself->cipher->key_len + myself->cipher->iv_len; + else + myself->keylength = 1; - myself->cipher_pktkey = (char *)xmalloc(myself->cipher_pktkeylength); - RAND_pseudo_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength); + myself->key = (char *)xmalloc(myself->keylength); + RAND_pseudo_bytes(myself->key, myself->keylength); - if(!(cfg = get_config_val(config, config_keyexpire))) + if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime)) keylifetime = 3600; - else - keylifetime = cfg->data.val; keyexpires = time(NULL) + keylifetime; -cp - /* Activate ourselves */ + /* Check if we want to use message authentication codes... */ - myself->status.active = 1; - - syslog(LOG_NOTICE, _("Ready: listening on port %hd"), myself->port); -cp - return 0; -} - -RETSIGTYPE -sigalrm_handler(int a) -{ - config_t const *cfg; -cp - cfg = get_config_val(upstreamcfg, config_connectto); - - if(!cfg) + if(get_config_string(lookup_config(myself->connection->config_tree, "Digest"), &digest)) { - if(upstreamcfg == config) - { - /* No upstream IP given, we're listen only. */ - signal(SIGALRM, SIG_IGN); - return; - } + if(!strcasecmp(digest, "none")) + { + myself->digest = NULL; + } + else + { + if(!(myself->digest = EVP_get_digestbyname(digest))) + { + syslog(LOG_ERR, _("Unrecognized digest type!")); + return -1; + } + } } else + myself->digest = EVP_sha1(); + + if(get_config_int(lookup_config(myself->connection->config_tree, "MACLength"), &myself->maclength)) { - /* We previously tried all the ConnectTo lines. Now wrap back to the first. */ - cfg = get_config_val(config, config_connectto); + if(myself->digest) + { + if(myself->maclength > myself->digest->md_size) + { + syslog(LOG_ERR, _("MAC length exceeds size of digest!")); + return -1; + } + else if (myself->maclength < 0) + { + syslog(LOG_ERR, _("Bogus MAC length!")); + return -1; + } + } } - - while(cfg) + else + myself->maclength = 4; + + /* Compression */ + + if(get_config_int(lookup_config(myself->connection->config_tree, "Compression"), &myself->compression)) { - upstreamcfg = cfg->next; - if(!setup_outgoing_connection(cfg->data.ptr)) /* function returns 0 when there are no problems */ + if(myself->compression < 0 || myself->compression > 9) { - signal(SIGALRM, SIG_IGN); - return; - } - cfg = get_config_val(upstreamcfg, config_connectto); /* Or else we try the next ConnectTo line */ + syslog(LOG_ERR, _("Bogus compression level!")); + return -1; + } } + else + myself->compression = 0; +cp + /* Done */ + + myself->nexthop = myself; + myself->via = myself; + myself->status.active = 1; + node_add(myself); + + graph(); - signal(SIGALRM, sigalrm_handler); - upstreamcfg = config; - seconds_till_retry += 5; - if(seconds_till_retry > MAXTIMEOUT) /* Don't wait more than MAXTIMEOUT seconds. */ - seconds_till_retry = MAXTIMEOUT; - syslog(LOG_ERR, _("Still failed to connect to other, will retry in %d seconds"), - seconds_till_retry); - alarm(seconds_till_retry); + syslog(LOG_NOTICE, _("Ready: listening on port %hd"), myself->port); cp + return 0; } /* @@ -943,23 +1006,24 @@ cp */ int setup_network_connections(void) { - config_t const *cfg; cp init_connections(); init_subnets(); + init_nodes(); + init_edges(); + init_events(); - if((cfg = get_config_val(config, config_pingtimeout)) == NULL) - timeout = 60; - else + if(get_config_int(lookup_config(config_tree, "PingTimeout"), &pingtimeout)) { - timeout = cfg->data.val; - if(timeout < 1) + if(pingtimeout < 1) { - timeout = 86400; + pingtimeout = 86400; } - } + } + else + pingtimeout = 60; - if(setup_tap_fd() < 0) + if(setup_device() < 0) return -1; /* Run tinc-up script to further initialize the tap interface */ @@ -968,29 +1032,7 @@ cp if(setup_myself() < 0) return -1; - if(!(cfg = get_config_val(config, config_connectto))) - /* No upstream IP given, we're listen only. */ - return 0; - - while(cfg) - { - upstreamcfg = cfg->next; - if(!setup_outgoing_connection(cfg->data.ptr)) /* function returns 0 when there are no problems */ - return 0; - cfg = get_config_val(upstreamcfg, config_connectto); /* Or else we try the next ConnectTo line */ - } - - if(do_detach) - { - signal(SIGALRM, sigalrm_handler); - upstreamcfg = config; - seconds_till_retry = MAXTIMEOUT; - syslog(LOG_NOTICE, _("Trying to re-establish outgoing connection in %d seconds"), seconds_till_retry); - alarm(seconds_till_retry); - } - else - return -1; - + try_outgoing_connections(); cp return 0; } @@ -1000,31 +1042,33 @@ cp */ void close_network_connections(void) { - avl_node_t *node; - connection_t *p; + avl_node_t *node, *next; + connection_t *c; cp - for(node = connection_tree->head; node; node = node->next) + for(node = connection_tree->head; node; node = next) { - p = (connection_t *)node->data; - p->status.outgoing = 0; - p->status.active = 0; - terminate_connection(p); + next = node->next; + c = (connection_t *)node->data; + if(c->outgoing) + free(c->outgoing->name), free(c->outgoing); + terminate_connection(c, 0); } - if(myself) - if(myself->status.active) - { - close(myself->meta_socket); - free_connection(myself); - myself = NULL; - } + if(myself && myself->connection) + terminate_connection(myself->connection, 0); + + close(udp_socket); + close(tcp_socket); - close(tap_fd); + exit_events(); + exit_edges(); + exit_subnets(); + exit_nodes(); + exit_connections(); - /* Execute tinc-down script right after shutting down the interface */ execute_script("tinc-down"); - destroy_connection_tree(); + close_device(); cp return; } @@ -1035,11 +1079,11 @@ cp */ connection_t *create_new_connection(int sfd) { - connection_t *p; + connection_t *c; struct sockaddr_in ci; int len = sizeof(ci); cp - p = new_connection(); + c = new_connection(); if(getpeername(sfd, (struct sockaddr *) &ci, (socklen_t *) &len) < 0) { @@ -1049,23 +1093,19 @@ cp return NULL; } - asprintf(&p->name, _("UNKNOWN")); - p->address = ntohl(ci.sin_addr.s_addr); - p->hostname = hostlookup(ci.sin_addr.s_addr); - p->port = htons(ci.sin_port); /* This one will be overwritten later */ - p->meta_socket = sfd; - p->status.meta = 1; - p->buffer = xmalloc(MAXBUFSIZE); - p->buflen = 0; - p->last_ping_time = time(NULL); + c->address = ntohl(ci.sin_addr.s_addr); + c->hostname = hostlookup(ci.sin_addr.s_addr); + c->port = htons(ci.sin_port); + c->socket = sfd; + c->last_ping_time = time(NULL); if(debug_lvl >= DEBUG_CONNECTIONS) syslog(LOG_NOTICE, _("Connection from %s port %d"), - p->hostname, htons(ci.sin_port)); + c->hostname, c->port); - p->allow_request = ID; + c->allow_request = ID; cp - return p; + return c; } /* @@ -1074,21 +1114,19 @@ cp void build_fdset(fd_set *fs) { avl_node_t *node; - connection_t *p; + connection_t *c; cp FD_ZERO(fs); - FD_SET(myself->socket, fs); - for(node = connection_tree->head; node; node = node->next) { - p = (connection_t *)node->data; - if(p->status.meta) - FD_SET(p->meta_socket, fs); + c = (connection_t *)node->data; + FD_SET(c->socket, fs); } - FD_SET(myself->meta_socket, fs); - FD_SET(tap_fd, fs); + FD_SET(tcp_socket, fs); + FD_SET(udp_socket, fs); + FD_SET(device_fd, fs); cp } @@ -1103,12 +1141,12 @@ void handle_incoming_vpn_data(void) int x, l = sizeof(x); struct sockaddr_in from; socklen_t fromlen = sizeof(from); - connection_t *cl; + node_t *n; cp - if(getsockopt(myself->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0) + if(getsockopt(udp_socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0) { syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%m"), - __FILE__, __LINE__, myself->socket); + __FILE__, __LINE__, udp_socket); return; } if(x) @@ -1117,96 +1155,144 @@ cp return; } - if((pkt.len = recvfrom(myself->socket, (char *) pkt.salt, MTU, 0, (struct sockaddr *)&from, &fromlen)) <= 0) + if((pkt.len = recvfrom(udp_socket, (char *)&pkt.seqno, MAXSIZE, 0, (struct sockaddr *)&from, &fromlen)) <= 0) { syslog(LOG_ERR, _("Receiving packet failed: %m")); return; } - cl = lookup_connection(ntohl(from.sin_addr.s_addr), ntohs(from.sin_port)); + n = lookup_node_udp(ntohl(from.sin_addr.s_addr), ntohs(from.sin_port)); - if(!cl) + if(!n) { - syslog(LOG_WARNING, _("Received UDP packets on port %hd from unknown source %x:%hd"), myself->port, ntohl(from.sin_addr.s_addr), ntohs(from.sin_port)); + syslog(LOG_WARNING, _("Received UDP packet on port %hd from unknown source %x:%hd"), myself->port, ntohl(from.sin_addr.s_addr), ntohs(from.sin_port)); return; } - cl->last_ping_time = time(NULL); +/* + if(n->connection) + n->connection->last_ping_time = time(NULL); +*/ + receive_udppacket(n, &pkt); +cp +} + +/* Purge edges and subnets of unreachable nodes. Use carefully. */ - receive_udppacket(cl, &pkt); +void purge(void) +{ + avl_node_t *nnode, *nnext, *enode, *enext, *snode, *snext, *cnode; + node_t *n; + edge_t *e; + subnet_t *s; + connection_t *c; +cp + if(debug_lvl >= DEBUG_PROTOCOL) + syslog(LOG_DEBUG, _("Purging unreachable nodes")); + + for(nnode = node_tree->head; nnode; nnode = nnext) + { + nnext = nnode->next; + n = (node_t *)nnode->data; + + if(!n->status.reachable) + { + if(debug_lvl >= DEBUG_SCARY_THINGS) + syslog(LOG_DEBUG, _("Purging node %s (%s)"), n->name, n->hostname); + + for(snode = n->subnet_tree->head; snode; snode = snext) + { + snext = snode->next; + s = (subnet_t *)snode->data; + + for(cnode = connection_tree->head; cnode; cnode = cnode->next) + { + c = (connection_t *)cnode->data; + if(c->status.active) + send_del_subnet(c, s); + } + + subnet_del(n, s); + } + + for(enode = n->edge_tree->head; enode; enode = enext) + { + enext = enode->next; + e = (edge_t *)enode->data; + + for(cnode = connection_tree->head; cnode; cnode = cnode->next) + { + c = (connection_t *)cnode->data; + if(c->status.active) + send_del_edge(c, e); + } + + edge_del(e); + } + + node_del(n); + } + } cp } /* - terminate a connection and notify the other - end before closing the sockets + Terminate a connection: + - Close the socket + - Remove associated edge and tell other connections about it if report = 1 + - Check if we need to retry making an outgoing connection + - Deactivate the host */ -void terminate_connection(connection_t *cl) +void terminate_connection(connection_t *c, int report) { - connection_t *p; - subnet_t *subnet; - avl_node_t *node, *next; + avl_node_t *node; + connection_t *other; cp - if(cl->status.remove) + if(c->status.remove) return; - + if(debug_lvl >= DEBUG_CONNECTIONS) syslog(LOG_NOTICE, _("Closing connection with %s (%s)"), - cl->name, cl->hostname); - - cl->status.remove = 1; + c->name, c->hostname); - if(cl->socket) - close(cl->socket); - if(cl->status.meta) - close(cl->meta_socket); + c->status.remove = 1; + + if(c->socket) + close(c->socket); - if(cl->status.meta) + if(c->edge) { + if(report) + { + for(node = connection_tree->head; node; node = node->next) + { + other = (connection_t *)node->data; + if(other->status.active && other != c) + send_del_edge(other, c->edge); + } + } - /* Find all connections that were lost because they were behind cl - (the connection that was dropped). */ - - for(node = connection_tree->head; node; node = node->next) - { - p = (connection_t *)node->data; - if(p->nexthop == cl && p != cl) - terminate_connection(p); - } - - /* Inform others of termination if it was still active */ - - if(cl->status.active) - for(node = connection_tree->head; node; node = node->next) - { - p = (connection_t *)node->data; - if(p->status.meta && p->status.active && p != cl) - send_del_host(p, cl); /* Sounds like recursion, but p does not have a meta connection :) */ - } + edge_del(c->edge); } - /* Remove the associated subnets */ - - for(node = cl->subnet_tree->head; node; node = next) - { - next = node->next; - subnet = (subnet_t *)node->data; - subnet_del(subnet); - } + /* Run MST and SSSP algorithms */ + + graph(); /* Check if this was our outgoing connection */ - if(cl->status.outgoing) + if(c->outgoing) { - cl->status.outgoing = 0; - signal(SIGALRM, sigalrm_handler); - alarm(seconds_till_retry); - syslog(LOG_NOTICE, _("Trying to re-establish outgoing connection in %d seconds"), seconds_till_retry); + retry_outgoing(c->outgoing); + c->outgoing = NULL; } /* Deactivate */ - cl->status.active = 0; + c->status.active = 0; + if(c->node) + c->node->connection = NULL; + do_prune = 1; cp } @@ -1221,31 +1307,39 @@ cp void check_dead_connections(void) { time_t now; - avl_node_t *node; - connection_t *cl; + avl_node_t *node, *next; + connection_t *c; cp now = time(NULL); - for(node = connection_tree->head; node; node = node->next) + for(node = connection_tree->head; node; node = next) { - cl = (connection_t *)node->data; - if(cl->status.active && cl->status.meta) + next = node->next; + c = (connection_t *)node->data; + if(c->last_ping_time + pingtimeout < now) { - if(cl->last_ping_time + timeout < now) + if(c->status.active) { - if(cl->status.pinged) + if(c->status.pinged) { if(debug_lvl >= DEBUG_PROTOCOL) syslog(LOG_INFO, _("%s (%s) didn't respond to PING"), - cl->name, cl->hostname); - cl->status.timeout = 1; - terminate_connection(cl); + c->name, c->hostname); + c->status.timeout = 1; + terminate_connection(c, 1); } else { - send_ping(cl); + send_ping(c); } } + else + { + if(debug_lvl >= DEBUG_CONNECTIONS) + syslog(LOG_WARNING, _("Timeout from %s (%s) during authentication"), + c->name, c->hostname); + terminate_connection(c, 0); + } } } cp @@ -1257,107 +1351,102 @@ cp */ int handle_new_meta_connection() { - connection_t *ncn; + connection_t *new; struct sockaddr client; - int nfd, len = sizeof(client); + int fd, len = sizeof(client); cp - if((nfd = accept(myself->meta_socket, &client, &len)) < 0) + if((fd = accept(tcp_socket, &client, &len)) < 0) { syslog(LOG_ERR, _("Accepting a new connection failed: %m")); return -1; } - if(!(ncn = create_new_connection(nfd))) + if(!(new = create_new_connection(fd))) { - shutdown(nfd, 2); - close(nfd); + shutdown(fd, 2); + close(fd); syslog(LOG_NOTICE, _("Closed attempted connection")); return 0; } - connection_add(ncn); + connection_add(new); - send_id(ncn); + send_id(new); cp return 0; } +void try_outgoing_connections(void) +{ + static config_t *cfg = NULL; + char *name; + outgoing_t *outgoing; +cp + for(cfg = lookup_config(config_tree, "ConnectTo"); cfg; cfg = lookup_config_next(config_tree, cfg)) + { + get_config_string(cfg, &name); + + if(check_id(name)) + { + syslog(LOG_ERR, _("Invalid name for outgoing connection in %s line %d"), cfg->file, cfg->line); + free(name); + continue; + } + + outgoing = xmalloc_and_zero(sizeof(*outgoing)); + outgoing->name = name; + setup_outgoing_connection(outgoing); + } +} + /* check all connections to see if anything happened on their sockets */ void check_network_activity(fd_set *f) { - connection_t *p; + connection_t *c; avl_node_t *node; cp - if(FD_ISSET(myself->socket, f)) + if(FD_ISSET(udp_socket, f)) handle_incoming_vpn_data(); for(node = connection_tree->head; node; node = node->next) { - p = (connection_t *)node->data; + c = (connection_t *)node->data; - if(p->status.remove) + if(c->status.remove) return; - if(p->status.meta) - if(FD_ISSET(p->meta_socket, f)) - if(receive_meta(p) < 0) - { - terminate_connection(p); - return; - } + if(FD_ISSET(c->socket, f)) + if(receive_meta(c) < 0) + { + terminate_connection(c, c->status.active); + return; + } } - if(FD_ISSET(myself->meta_socket, f)) + if(FD_ISSET(tcp_socket, f)) handle_new_meta_connection(); cp } -/* - read, encrypt and send data that is - available through the ethertap device -*/ -void handle_tap_input(void) +void prune_connections(void) { - vpn_packet_t vp; - int lenin; + connection_t *c; + avl_node_t *node, *next; cp - if(taptype == TAP_TYPE_TUNTAP) - { - if((lenin = read(tap_fd, vp.data, MTU)) <= 0) - { - syslog(LOG_ERR, _("Error while reading from tun/tap device: %m")); - return; - } - vp.len = lenin; - } - else /* ethertap */ - { - if((lenin = read(tap_fd, vp.data - 2, MTU)) <= 0) - { - syslog(LOG_ERR, _("Error while reading from ethertap device: %m")); - return; - } - vp.len = lenin - 2; - } - - total_tap_in += vp.len; - - if(lenin < 32) + for(node = connection_tree->head; node; node = next) { - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_WARNING, _("Received short packet from tap device")); - return; - } + next = node->next; + c = (connection_t *)node->data; - if(debug_lvl >= DEBUG_TRAFFIC) - { - syslog(LOG_DEBUG, _("Read packet of length %d from tap device"), vp.len); + if(c->status.remove) + connection_del(c); } - - route_outgoing(&vp); + + if(!connection_tree->head) + purge(); cp } @@ -1371,20 +1460,29 @@ void main_loop(void) int r; time_t last_ping_check; int t; + event_t *event; + vpn_packet_t packet; cp last_ping_check = time(NULL); + srand(time(NULL)); + for(;;) { - tv.tv_sec = timeout; + tv.tv_sec = 1 + (rand() & 7); /* Approx. 5 seconds, randomized to prevent global synchronisation effects */ tv.tv_usec = 0; - prune_connection_tree(); + if(do_prune) + { + prune_connections(); + do_prune = 0; + } + build_fdset(&fset); if((r = select(FD_SETSIZE, &fset, NULL, NULL, &tv)) < 0) { - if(errno != EINTR) /* because of alarm */ + if(errno != EINTR) /* because of a signal */ { syslog(LOG_ERR, _("Error while waiting for input: %m")); return; @@ -1396,7 +1494,7 @@ cp syslog(LOG_INFO, _("Rereading configuration file and restarting in 5 seconds")); sighup = 0; close_network_connections(); - clear_config(&config); + exit_configuration(&config_tree); if(read_server_config()) { @@ -1412,11 +1510,17 @@ cp continue; } + if(do_purge) + { + purge(); + do_purge = 0; + } + t = time(NULL); /* Let's check if everybody is still alive */ - if(last_ping_check + timeout < t) + if(last_ping_check + pingtimeout < t) { check_dead_connections(); last_ping_check = time(NULL); @@ -1428,19 +1532,41 @@ cp if(debug_lvl >= DEBUG_STATUS) syslog(LOG_INFO, _("Regenerating symmetric key")); - RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength); - send_key_changed(myself, NULL); + RAND_pseudo_bytes(myself->key, myself->keylength); + send_key_changed(myself->connection, myself); keyexpires = time(NULL) + keylifetime; } } + if(sigalrm) + { + syslog(LOG_INFO, _("Flushing event queue")); + + while(event_tree->head) + { + event = (event_t *)event_tree->head->data; + event->handler(event->data); + event_del(event); + } + sigalrm = 0; + } + + while((event = get_expired_event())) + { + event->handler(event->data); + free(event); + } + if(r > 0) { check_network_activity(&fset); /* local tap data */ - if(FD_ISSET(tap_fd, &fset)) - handle_tap_input(); + if(FD_ISSET(device_fd, &fset)) + { + if(!read_packet(&packet)) + route_outgoing(&packet); + } } } cp