X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fnet.c;h=b0d3cd1ebd94ff4b4050be338b1591ed89b33a0e;hp=5c59c6fa5e11abf11063f8be58d077b3c9d73d50;hb=65247c063b36a76dd68156fe17b017c7460d982f;hpb=4fa12eb85d72f039df5004abc201f01f5573c2e4 diff --git a/src/net.c b/src/net.c index 5c59c6fa..b0d3cd1e 100644 --- a/src/net.c +++ b/src/net.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: net.c,v 1.35.4.100 2001/02/27 16:37:25 guus Exp $ + $Id: net.c,v 1.35.4.109 2001/05/28 08:21:43 guus Exp $ */ #include "config.h" @@ -26,8 +26,10 @@ #include #include #include -#include -#include +#ifndef HAVE_FREEBSD + #include + #include +#endif #include #include #include @@ -84,6 +86,8 @@ #include "process.h" #include "protocol.h" #include "subnet.h" +#include "process.h" +#include "route.h" #include "system.h" @@ -102,33 +106,42 @@ int keyexpires = 0; char *unknown = NULL; -subnet_t mymac; - -int xsend(connection_t *cl, vpn_packet_t *inpkt) +void send_udppacket(connection_t *cl, vpn_packet_t *inpkt) { vpn_packet_t outpkt; int outlen, outpad; EVP_CIPHER_CTX ctx; struct sockaddr_in to; socklen_t tolen = sizeof(to); + vpn_packet_t *copy; cp - outpkt.len = inpkt->len; - + if(!cl->status.validkey) + { + if(debug_lvl >= DEBUG_TRAFFIC) + syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"), + cl->name, cl->hostname); + + /* Since packet is on the stack of handle_tap_input(), + we have to make a copy of it first. */ + + copy = xmalloc(sizeof(vpn_packet_t)); + memcpy(copy, inpkt, sizeof(vpn_packet_t)); + + list_insert_tail(cl->queue, copy); + + if(!cl->status.waitingforkey) + send_req_key(myself, cl); + return; + } + /* Encrypt the packet. */ - - EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey + cl->cipher_pkttype->key_len); - EVP_EncryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len); - EVP_EncryptFinal(&ctx, outpkt.data + outlen, &outpad); - outlen += outpad + 2; -/* Bypass - outlen = outpkt.len + 2; - memcpy(&outpkt, inpkt, outlen); -*/ + RAND_bytes(inpkt->salt, sizeof(inpkt->salt)); - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"), - outlen, cl->name, cl->hostname); + EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey + cl->cipher_pkttype->key_len); + EVP_EncryptUpdate(&ctx, outpkt.salt, &outlen, inpkt->salt, inpkt->len + sizeof(inpkt->salt)); + EVP_EncryptFinal(&ctx, outpkt.salt + outlen, &outpad); + outlen += outpad; total_socket_out += outlen; @@ -136,48 +149,60 @@ cp to.sin_addr.s_addr = htonl(cl->address); to.sin_port = htons(cl->port); - if((sendto(myself->socket, (char *) &(outpkt.len), outlen, 0, (const struct sockaddr *)&to, tolen)) < 0) + if((sendto(myself->socket, (char *) outpkt.salt, outlen, 0, (const struct sockaddr *)&to, tolen)) < 0) { syslog(LOG_ERR, _("Error sending packet to %s (%s): %m"), cl->name, cl->hostname); - return -1; + return; } cp - return 0; } -int xrecv(connection_t *cl, vpn_packet_t *inpkt) +void receive_packet(connection_t *cl, vpn_packet_t *packet) +{ +cp + if(debug_lvl >= DEBUG_TRAFFIC) + syslog(LOG_DEBUG, _("Received packet of %d bytes from %s (%s)"), packet->len, cl->name, cl->hostname); + + route_incoming(cl, packet); +cp +} + +void receive_udppacket(connection_t *cl, vpn_packet_t *inpkt) { vpn_packet_t outpkt; int outlen, outpad; EVP_CIPHER_CTX ctx; cp - outpkt.len = inpkt->len; - /* Decrypt the packet */ EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, myself->cipher_pktkey + myself->cipher_pkttype->key_len); - EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len + 8); - EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad); + EVP_DecryptUpdate(&ctx, outpkt.salt, &outlen, inpkt->salt, inpkt->len); + EVP_DecryptFinal(&ctx, outpkt.salt + outlen, &outpad); outlen += outpad; + outpkt.len = outlen - sizeof(outpkt.salt); -/* Bypass - outlen = outpkt.len+2; - memcpy(&outpkt, inpkt, outlen); -*/ + receive_packet(cl, &outpkt); cp - return receive_packet(cl, &outpkt); } -int receive_packet(connection_t *cl, vpn_packet_t *packet) +void receive_tcppacket(connection_t *cl, char *buffer, int len) { - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_ERR, _("Writing packet of %d bytes to tap device"), - packet->len); + vpn_packet_t outpkt; +cp + outpkt.len = len; + memcpy(outpkt.data, buffer, len); - /* Fix mac address */ + receive_packet(cl, &outpkt); +cp +} - memcpy(packet->data, mymac.net.mac.address.x, 6); +void accept_packet(vpn_packet_t *packet) +{ +cp + if(debug_lvl >= DEBUG_TRAFFIC) + syslog(LOG_DEBUG, _("Writing packet of %d bytes to tap device"), + packet->len); if(taptype == TAP_TYPE_TUNTAP) { @@ -191,43 +216,29 @@ int receive_packet(connection_t *cl, vpn_packet_t *packet) if(write(tap_fd, packet->data - 2, packet->len + 2) < 0) syslog(LOG_ERR, _("Can't write to ethertap device: %m")); else - total_tap_out += packet->len + 2; + total_tap_out += packet->len; } cp - return 0; } /* send a packet to the given vpn ip. */ -int send_packet(ip_t to, vpn_packet_t *packet) +void send_packet(connection_t *cl, vpn_packet_t *packet) { - connection_t *cl; - subnet_t *subnet; - vpn_packet_t *copy; cp - if((subnet = lookup_subnet_ipv4(&to)) == NULL) - { - if(debug_lvl >= DEBUG_TRAFFIC) - { - syslog(LOG_NOTICE, _("Trying to look up %d.%d.%d.%d in connection list failed!"), - IP_ADDR_V(to)); - } - - return -1; - } + if(debug_lvl >= DEBUG_TRAFFIC) + syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"), + packet->len, cl->name, cl->hostname); - cl = subnet->owner; - if(cl == myself) { if(debug_lvl >= DEBUG_TRAFFIC) { - syslog(LOG_NOTICE, _("Packet with destination %d.%d.%d.%d is looping back to us!"), - IP_ADDR_V(to)); + syslog(LOG_NOTICE, _("Packet is looping back to us!")); } - return -1; + return; } if(!cl->status.active) @@ -236,34 +247,18 @@ cp syslog(LOG_INFO, _("%s (%s) is not active, dropping packet"), cl->name, cl->hostname); - return 0; + return; } - if(!cl->status.validkey) + /* Check if it has to go via TCP or UDP... */ +cp + if((cl->options | myself->options) & OPTION_TCPONLY) { - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"), - cl->name, cl->hostname); - - /* Since packet is on the stack of handle_tap_input(), - we have to make a copy of it first. */ - - copy = xmalloc(sizeof(vpn_packet_t)); - memcpy(copy, packet, sizeof(vpn_packet_t)); - - list_insert_tail(cl->queue, copy); - - if(!cl->status.waitingforkey) - send_req_key(myself, cl); /* Keys should be sent to the host running the tincd */ - return 0; + if(send_tcppacket(cl, packet)) + terminate_connection(cl); } - - /* Check if it has to go via UDP or TCP... */ -cp - if(cl->options & OPTION_TCPONLY) - return send_tcppacket(cl, packet); else - return xsend(cl, packet); + send_udppacket(cl, packet); } void flush_queue(connection_t *cl) @@ -272,11 +267,11 @@ void flush_queue(connection_t *cl) cp if(debug_lvl >= DEBUG_TRAFFIC) syslog(LOG_INFO, _("Flushing queue for %s (%s)"), cl->name, cl->hostname); - + for(node = cl->queue->head; node; node = next) { next = node->next; - xsend(cl, (vpn_packet_t *)node->data); + send_udppacket(cl, (vpn_packet_t *)node->data); list_delete_node(cl->queue, node); } cp @@ -296,14 +291,14 @@ int setup_tap_fd(void) # endif #endif -cp +cp if((cfg = get_config_val(config, config_tapdevice))) tapfname = cfg->data.ptr; else { #ifdef HAVE_LINUX # ifdef HAVE_TUNTAP - tapfname = "/dev/misc/net/tun"; + tapfname = "/dev/net/tun"; # else tapfname = "/dev/tap0"; # endif @@ -327,7 +322,7 @@ cp taptype = TAP_TYPE_ETHERTAP; /* Set default MAC address for ethertap devices */ - + mymac.type = SUBNET_MAC; mymac.net.mac.address.x[0] = 0xfe; mymac.net.mac.address.x[1] = 0xfd; @@ -386,15 +381,16 @@ cp } /* Optimize TCP settings */ - + option = 1; setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &option, sizeof(option)); setsockopt(nfd, SOL_SOCKET, SO_KEEPALIVE, &option, sizeof(option)); +#ifndef HAVE_FREEBSD setsockopt(nfd, SOL_TCP, TCP_NODELAY, &option, sizeof(option)); option = IPTOS_LOWDELAY; setsockopt(nfd, SOL_IP, IP_TOS, &option, sizeof(option)); - + if((cfg = get_config_val(config, config_interface))) { if(setsockopt(nfd, SOL_SOCKET, SO_BINDTODEVICE, cfg->data.ptr, strlen(cfg->data.ptr))) @@ -404,11 +400,12 @@ cp return -1; } } +#endif memset(&a, 0, sizeof(a)); a.sin_family = AF_INET; a.sin_port = htons(port); - + if((cfg = get_config_val(config, config_interfaceip))) a.sin_addr.s_addr = htonl(cfg->data.ip->address); else @@ -515,16 +512,17 @@ cp } /* Optimize TCP settings */ - + option = 1; setsockopt(cl->meta_socket, SOL_SOCKET, SO_KEEPALIVE, &option, sizeof(option)); +#ifndef HAVE_FREEBSD setsockopt(cl->meta_socket, SOL_TCP, TCP_NODELAY, &option, sizeof(option)); option = IPTOS_LOWDELAY; setsockopt(cl->meta_socket, SOL_IP, IP_TOS, &option, sizeof(option)); - +#endif /* Connect */ - + a.sin_family = AF_INET; a.sin_port = htons(cl->port); a.sin_addr.s_addr = htonl(cl->address); @@ -571,21 +569,21 @@ cp ncn = new_connection(); asprintf(&ncn->name, "%s", name); - + if(read_host_config(ncn)) { syslog(LOG_ERR, _("Error reading host configuration file for %s"), ncn->name); free_connection(ncn); return -1; } - + if(!(cfg = get_config_val(ncn->config, config_address))) { syslog(LOG_ERR, _("No address specified for %s"), ncn->name); free_connection(ncn); return -1; } - + if(!(h = gethostbyname(cfg->data.ptr))) { syslog(LOG_ERR, _("Error looking up `%s': %m"), cfg->data.ptr); @@ -593,9 +591,9 @@ cp return -1; } - ncn->address = ntohl(*((ip_t*)(h->h_addr_list[0]))); + ncn->address = ntohl(*((ipv4_t*)(h->h_addr_list[0]))); ncn->hostname = hostlookup(htonl(ncn->address)); - + if(setup_outgoing_meta_socket(ncn) < 0) { syslog(LOG_ERR, _("Could not set up a meta connection to %s"), @@ -659,10 +657,10 @@ cp } else return -1; - } + } /* Else, check if a harnessed public key is in the config file */ - + asprintf(&fname, "%s/hosts/%s", confbase, cl->name); if((fp = fopen(fname, "r"))) { @@ -712,7 +710,7 @@ cp cfg->data.ptr); return -1; } - } + } else { syslog(LOG_ERR, _("No private key for tinc daemon specified!")); @@ -734,7 +732,7 @@ cp myself = new_connection(); asprintf(&myself->hostname, "MYSELF"); - myself->flags = 0; + myself->options = 0; myself->protocol_version = PROT_CURRENT; if(!(cfg = get_config_val(config, config_name))) /* Not acceptable */ @@ -762,7 +760,7 @@ cp if(read_rsa_public_key(myself)) return -1; -cp +cp /* if(RSA_check_key(myself->rsa_key) != 1) @@ -778,11 +776,11 @@ cp if((cfg = get_config_val(myself->config, config_indirectdata))) if(cfg->data.val == stupid_true) - myself->flags |= EXPORTINDIRECTDATA; + myself->options |= OPTION_INDIRECT; if((cfg = get_config_val(myself->config, config_tcponly))) if(cfg->data.val == stupid_true) - myself->flags |= TCPONLY; + myself->options |= OPTION_TCPONLY; /* Read in all the subnets specified in the host configuration file */ @@ -792,18 +790,18 @@ cp net->type = SUBNET_IPV4; net->net.ipv4.address = cfg->data.ip->address; net->net.ipv4.mask = cfg->data.ip->mask; - + /* Teach newbies what subnets are... */ - + if((net->net.ipv4.address & net->net.ipv4.mask) != net->net.ipv4.address) { syslog(LOG_ERR, _("Network address and subnet mask do not match!")); return -1; - } - + } + subnet_add(myself, net); } - + if((myself->meta_socket = setup_listen_meta_socket(myself->port)) < 0) { syslog(LOG_ERR, _("Unable to set up a listening TCP socket!")); @@ -823,17 +821,17 @@ cp myself->cipher_pktkeylength = myself->cipher_pkttype->key_len + myself->cipher_pkttype->iv_len; myself->cipher_pktkey = (char *)xmalloc(myself->cipher_pktkeylength); - RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength); + RAND_pseudo_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength); if(!(cfg = get_config_val(config, config_keyexpire))) keylifetime = 3600; else keylifetime = cfg->data.val; - + keyexpires = time(NULL) + keylifetime; cp /* Check some options */ - + if((cfg = get_config_val(config, config_indirectdata))) { if(cfg->data.val == stupid_true) @@ -845,6 +843,10 @@ cp if(cfg->data.val == stupid_true) myself->options |= OPTION_TCPONLY; } + + if(myself->options & OPTION_TCPONLY) + myself->options |= OPTION_INDIRECT; + /* Activate ourselves */ myself->status.active = 1; @@ -861,10 +863,21 @@ sigalrm_handler(int a) cp cfg = get_config_val(upstreamcfg, config_connectto); - if(!cfg && upstreamcfg == config) - /* No upstream IP given, we're listen only. */ - return; - + if(!cfg) + { + if(upstreamcfg == config) + { + /* No upstream IP given, we're listen only. */ + signal(SIGALRM, SIG_IGN); + return; + } + } + else + { + /* We previously tried all the ConnectTo lines. Now wrap back to the first. */ + cfg = get_config_val(config, config_connectto); + } + while(cfg) { upstreamcfg = cfg->next; @@ -913,7 +926,7 @@ cp /* Run tinc-up script to further initialize the tap interface */ execute_script("tinc-up"); - + if(setup_myself() < 0) return -1; @@ -928,12 +941,18 @@ cp return 0; cfg = get_config_val(upstreamcfg, config_connectto); /* Or else we try the next ConnectTo line */ } - - signal(SIGALRM, sigalrm_handler); - upstreamcfg = config; - seconds_till_retry = MAXTIMEOUT; - syslog(LOG_NOTICE, _("Trying to re-establish outgoing connection in %d seconds"), seconds_till_retry); - alarm(seconds_till_retry); + + if(do_detach) + { + signal(SIGALRM, sigalrm_handler); + upstreamcfg = config; + seconds_till_retry = MAXTIMEOUT; + syslog(LOG_NOTICE, _("Trying to re-establish outgoing connection in %d seconds"), seconds_till_retry); + alarm(seconds_till_retry); + } + else + return -1; + cp return 0; } @@ -949,6 +968,7 @@ cp for(node = connection_tree->head; node; node = node->next) { p = (connection_t *)node->data; + p->status.outgoing = 0; p->status.active = 0; terminate_connection(p); } @@ -1000,7 +1020,7 @@ cp p->buffer = xmalloc(MAXBUFSIZE); p->buflen = 0; p->last_ping_time = time(NULL); - + if(debug_lvl >= DEBUG_CONNECTIONS) syslog(LOG_NOTICE, _("Connection from %s port %d"), p->hostname, htons(ci.sin_port)); @@ -1039,11 +1059,10 @@ cp udp socket and write it to the ethertap device after being decrypted */ -int handle_incoming_vpn_data(void) +void handle_incoming_vpn_data(void) { vpn_packet_t pkt; int x, l = sizeof(x); - int lenin; struct sockaddr_in from; socklen_t fromlen = sizeof(from); connection_t *cl; @@ -1052,36 +1071,32 @@ cp { syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%m"), __FILE__, __LINE__, myself->socket); - return -1; + return; } if(x) { syslog(LOG_ERR, _("Incoming data socket error: %s"), strerror(x)); - return -1; + return; } - if((lenin = recvfrom(myself->socket, (char *) &(pkt.len), MTU, 0, (struct sockaddr *)&from, &fromlen)) <= 0) + if((pkt.len = recvfrom(myself->socket, (char *) pkt.salt, MTU, 0, (struct sockaddr *)&from, &fromlen)) <= 0) { syslog(LOG_ERR, _("Receiving packet failed: %m")); - return -1; + return; } cl = lookup_connection(ntohl(from.sin_addr.s_addr), ntohs(from.sin_port)); - + if(!cl) { syslog(LOG_WARNING, _("Received UDP packets on port %hd from unknown source %x:%hd"), myself->port, ntohl(from.sin_addr.s_addr), ntohs(from.sin_port)); - return 0; + return; } - if(debug_lvl >= DEBUG_TRAFFIC) - { - syslog(LOG_DEBUG, _("Received packet of %d bytes from %s (%s)"), lenin, - cl->name, cl->hostname); - } + cl->last_ping_time = time(NULL); + receive_udppacket(cl, &pkt); cp - return xrecv(cl, &pkt); } /* @@ -1100,9 +1115,9 @@ cp if(debug_lvl >= DEBUG_CONNECTIONS) syslog(LOG_NOTICE, _("Closing connection with %s (%s)"), cl->name, cl->hostname); - + cl->status.remove = 1; - + if(cl->socket) close(cl->socket); if(cl->status.meta) @@ -1110,7 +1125,7 @@ cp if(cl->status.meta) { - + /* Find all connections that were lost because they were behind cl (the connection that was dropped). */ @@ -1142,7 +1157,7 @@ cp } /* Check if this was our outgoing connection */ - + if(cl->status.outgoing) { cl->status.outgoing = 0; @@ -1152,7 +1167,7 @@ cp syslog(LOG_NOTICE, _("Trying to re-establish outgoing connection in 5 seconds")); } - /* Inactivate */ + /* Deactivate */ cl->status.active = 0; cp @@ -1224,7 +1239,7 @@ cp } connection_add(ncn); - + send_id(ncn); cp return 0; @@ -1255,9 +1270,9 @@ cp { terminate_connection(p); return; - } + } } - + if(FD_ISSET(myself->meta_socket, f)) handle_new_meta_connection(); cp @@ -1271,7 +1286,7 @@ void handle_tap_input(void) { vpn_packet_t vp; int lenin; -cp +cp if(taptype == TAP_TYPE_TUNTAP) { if((lenin = read(tap_fd, vp.data, MTU)) <= 0) @@ -1291,7 +1306,7 @@ cp vp.len = lenin - 2; } - total_tap_in += lenin; + total_tap_in += vp.len; if(lenin < 32) { @@ -1305,7 +1320,7 @@ cp syslog(LOG_DEBUG, _("Read packet of length %d from tap device"), vp.len); } - send_packet(ntohl(*((unsigned long*)(&vp.data[30]))), &vp); + route_outgoing(&vp); cp } @@ -1349,14 +1364,14 @@ cp if(read_server_config()) { syslog(LOG_ERR, _("Unable to reread configuration file, exiting")); - exit(0); + exit(1); } sleep(5); - + if(setup_network_connections()) return; - + continue; } @@ -1375,7 +1390,7 @@ cp { if(debug_lvl >= DEBUG_STATUS) syslog(LOG_INFO, _("Regenerating symmetric key")); - + RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength); send_key_changed(myself, NULL); keyexpires = time(NULL) + keylifetime;