X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fnet.c;h=e62bb8dc122b519097a0d1cac913fff312d31aec;hp=8b243a5cbd031fb4acaf3e4f26951287c708b929;hb=cea3d8f3056d3c6aaaef473443240b8470c8ea2d;hpb=35932fe6c8cb481eb687f98424776ce429570c21 diff --git a/src/net.c b/src/net.c index 8b243a5c..e62bb8dc 100644 --- a/src/net.c +++ b/src/net.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: net.c,v 1.35.4.50 2000/10/29 00:02:18 guus Exp $ + $Id: net.c,v 1.35.4.54 2000/10/29 10:39:06 guus Exp $ */ #include "config.h" @@ -39,6 +39,9 @@ #include #include #include +#include +#include +#include #ifdef HAVE_TUNTAP #include LINUX_IF_TUN_H @@ -48,7 +51,6 @@ #include #include "conf.h" -#include "encr.h" #include "net.h" #include "netutl.h" #include "protocol.h" @@ -68,6 +70,9 @@ int total_socket_out = 0; config_t *upstreamcfg; static int seconds_till_retry; +int keylifetime = 0; +int keyexpires = 0; + char *unknown = NULL; subnet_t mymac; @@ -102,19 +107,20 @@ int xsend(conn_list_t *cl, vpn_packet_t *inpkt) { vpn_packet_t outpkt; int outlen, outpad; + EVP_CIPHER_CTX ctx; cp outpkt.len = inpkt->len; -/* - EVP_EncryptInit(cl->cipher_pktctx, cl->cipher_pkttype, cl->cipher_pktkey, NULL); - EVP_EncryptUpdate(cl->cipher_pktctx, outpkt.data, &outlen, inpkt->data, inpkt->len); - EVP_EncryptFinal(cl->cipher_pktctx, outpkt.data + outlen, &outpad); + + EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey); + EVP_EncryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len); + EVP_EncryptFinal(&ctx, outpkt.data + outlen, &outpad); outlen += outpad + 2; - Do encryption when everything else is fixed... -*/ +/* Bypass outlen = outpkt.len + 2; memcpy(&outpkt, inpkt, outlen); - +*/ + if(debug_lvl >= DEBUG_TRAFFIC) syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"), outlen, cl->name, cl->hostname); 
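Review bot: `int keyexpires = 0;` in the globals hunk is assigned from `time(NULL) + keylifetime` (setup hunk at +768 and main_loop hunk at +1327), so a time_t is narrowed to int; the same narrowing is in the `int t;` added to main_loop at +1304, where `t = time(NULL)` is later compared against keyexpires. Declaring them as `time_t keyexpires = 0;` and `time_t t;` keeps the comparison in the type the file already uses for `last_ping_check`. keylifetime can stay an int, but note that its configured value is added to the clock without any range check (raised separately on the setup hunk).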
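Review bot: The new `EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey);` passes the packet key a second time as the CBC IV, while the matching `EVP_DecryptInit` in the xrecv hunk at +143 passes `NULL`, so the two ends do not agree on the IV and the first cipher block of every packet will not decrypt to what was sent. Independently of the mismatch, an IV that is constant per peer and equal to key material should become an IV both ends derive the same way, preferably a fresh one per packet carried in the packet; that touches the packet layout beyond this hunk, so I have not sketched it. The EVP_Encrypt* calls return an int that is never checked here, and the stack `EVP_CIPHER_CTX ctx` is not cleaned up after EVP_EncryptFinal even though, for OpenSSL contexts, it holds key-schedule state. xsend's body continues outside the hunk.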
@@ -137,18 +143,18 @@ int xrecv(vpn_packet_t *inpkt) { vpn_packet_t outpkt; int outlen, outpad; + EVP_CIPHER_CTX ctx; cp outpkt.len = inpkt->len; -/* - EVP_DecryptInit(myself->cipher_pktctx, myself->cipher_pkttype, myself->cipher_pktkey, NULL); - EVP_DecryptUpdate(myself->cipher_pktctx, outpkt.data, &outlen, inpkt->data, inpkt->len); - EVP_DecryptFinal(myself->cipher_pktctx, outpkt.data + outlen, &outpad); + EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, NULL); + EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len); + EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad); outlen += outpad; - Do decryption is everything else is fixed... -*/ +/* Bypass outlen = outpkt.len+2; memcpy(&outpkt, inpkt, outlen); +*/ /* Fix mac address */ @@ -330,7 +336,7 @@ cp if(!cl->status.validkey) { -/* Don't queue until everything else is fixed. +/* FIXME: Don't queue until everything else is fixed. if(debug_lvl >= DEBUG_TRAFFIC) syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"), cl->name, cl->hostname); @@ -343,7 +349,7 @@ cp if(!cl->status.active) { -/* Don't queue until everything else is fixed. +/* FIXME: Don't queue until everything else is fixed. if(debug_lvl >= DEBUG_TRAFFIC) syslog(LOG_INFO, _("%s (%s) is not ready, queueing packet"), cl->name, cl->hostname); @@ -738,6 +744,14 @@ cp net->net.ipv4.address = cfg->data.ip->address; net->net.ipv4.mask = cfg->data.ip->mask; + /* Teach newbies what subnets are... */ + + if((net->net.ipv4.address & net->net.ipv4.mask) != net->net.ipv4.address) + { + syslog(LOG_ERR, _("Network address and subnet mask do not match!")); + return -1; + } + subnet_add(myself, net); } 
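Review bot: `EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad);` ignores its return value, so a packet whose padding does not verify (wrong key, corrupted or forged data) is still passed on via `outlen += outpad`, with an `outpad` that may not even have been written. Nothing in this hunk authenticates the ciphertext, so a failing padding check is the only indication that the data is bad and must drop the packet: `if(!EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad)) return -1;` (xrecv's return convention and the rest of its body are outside the hunk, so match the value to what the callers expect); a MAC over the ciphertext is the real fix. The `NULL` IV here versus the key-as-IV in xsend is raised on the xsend hunk.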
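Review bot: The new mask check in the setup hunk at +744 returns -1 right after `net->net.ipv4.mask` is filled in, so if `net` was allocated just above (the allocation is outside the hunk) it is leaked on this error path; free it before returning, or run the check on `cfg->data.ip` before `net` is populated. The syslog message would also be more actionable if it included the configured address and mask (the file's address-formatting helpers are outside the hunk, so I have not named one). The check itself is right: a network address has no host bits set under its mask.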
@@ -754,6 +768,22 @@ cp return -1; } + /* Generate packet encryption key */ + + myself->cipher_pkttype = EVP_bf_cbc(); + + myself->cipher_pktkey = (char *)xmalloc(64); + RAND_bytes(myself->cipher_pktkey, 64); + + if(!(cfg = get_config_val(config, keyexpire))) + keylifetime = 3600; + else + keylifetime = cfg->data.val; + + keyexpires = time(NULL) + keylifetime; + + /* Activate ourselves */ + myself->status.active = 1; syslog(LOG_NOTICE, _("Ready: listening on port %hd"), myself->port); @@ -861,16 +891,8 @@ void close_network_connections(void) cp for(p = conn_list; p != NULL; p = p->next) { - if(p->status.dataopen) - { - shutdown(p->socket, 0); /* No more receptions */ - close(p->socket); - } - if(p->status.meta) - { - shutdown(p->meta_socket, 0); /* No more receptions */ - close(p->meta_socket); - } + p->status.active = 0; + terminate_connection(p); } if(myself) @@ -878,6 +900,8 @@ cp { close(myself->meta_socket); close(myself->socket); + free_conn_list(myself); + myself = NULL; } /* Execute tinc-down script right before shutting down the interface */ @@ -1057,9 +1081,7 @@ void terminate_connection(conn_list_t *cl) subnet_t *s; cp if(cl->status.remove) - { - return; - } + return; cl->status.remove = 1; @@ -1093,19 +1115,19 @@ cp for(s = cl->subnets; s; s = s->next) subnet_del(s); - /* Inactivate */ - - cl->status.active = 0; - /* Check if this was our outgoing connection */ - if(cl->status.outgoing) + if(cl->status.outgoing && cl->status.active) { signal(SIGALRM, sigalrm_handler); seconds_till_retry = 5; alarm(seconds_till_retry); syslog(LOG_NOTICE, _("Trying to re-establish outgoing connection in 5 seconds")); } + + /* Inactivate */ + + cl->status.active = 0; cp } @@ -1282,6 +1304,7 @@ void main_loop(void) struct timeval tv; int r; time_t last_ping_check; + int t; cp last_ping_check = time(NULL); 
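Review bot: `RAND_bytes(myself->cipher_pktkey, 64);` in the setup hunk ignores its return value, so if the OpenSSL PRNG is not seeded the packet key is simply whatever xmalloc handed back; the same unchecked call is in the rekey block of the main_loop hunk at +1327. Treat it as fatal here: `if(RAND_bytes((unsigned char *)myself->cipher_pktkey, 64) != 1) { syslog(LOG_ERR, _("Unable to generate packet key")); return -1; }`. `keylifetime = cfg->data.val;` is also used unvalidated: a zero or negative value puts `keyexpires` in the past and forces a rekey on every ping check, so values <= 0 should be rejected with an error. Finally, EVP_bf_cbc's default key length is 16 bytes, so unless the key length is set on the context only the first 16 of the 64 generated bytes are used by EVP_EncryptInit — worth confirming that is intended, and naming the 64 once instead of repeating it in three places.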
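Review bot: The rewritten loop in close_network_connections calls `terminate_connection(p)` and then reads `p->next`; terminate_connection is shown at +1081 flagging `cl->status.remove` and deleting subnets, but the rest of its body is outside these hunks, and if it (or anything it calls) unlinks or frees `cl` from conn_list the loop walks freed memory. Saving the successor first removes the dependency: `for(p = conn_list; p != NULL; p = next) { next = p->next; p->status.active = 0; terminate_connection(p); }` with a `conn_list_t *next;` declared in the function. The `p->status.active = 0;` before the call is what suppresses the reconnect alarm through the `outgoing && active` test at +1115; that coupling deserves a comment at the assignment, e.g. `/* Clear active first so terminate_connection() does not schedule a reconnect. */`.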
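Review bot: `free_conn_list(myself);` in close_network_connections now releases the node that owns `cipher_pktkey`, the 64-byte packet key allocated in the setup hunk at +768; unless free_conn_list wipes that buffer before freeing it (its body is outside the diff), the key remains readable in freed heap memory. Clearing it before the call, `memset(myself->cipher_pktkey, 0, 64);`, covers the common case, with the caveat that a plain memset right before free may be dropped by the optimizer, so a wipe the compiler cannot elide is preferable where one is available.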
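Review bot: Moving `cl->status.active = 0;` below the reconnect test changes which failures are retried: with `if(cl->status.outgoing && cl->status.active)` an outgoing connection terminated before it ever became active (a handshake failing part-way, if that path reaches here — the callers are outside the diff) no longer schedules the 5-second retry, whereas it did before. If the intent is only to let close_network_connections suppress the retry by clearing active first, say so at the test, e.g. `/* active is cleared by close_network_connections() before it calls us, so no retry on shutdown. */`, and handle the never-active case deliberately rather than by omission. terminate_connection starts outside this hunk.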
@@ -1304,28 +1327,45 @@ cp if(sighup) { + syslog(LOG_INFO, _("Rereading configuration file and restarting in 5 seconds")); sighup = 0; -/* FIXME: reprogram this. - if(debug_lvl > 1) - syslog(LOG_INFO, _("Rereading configuration file")); close_network_connections(); - clear_config(); - if(read_config_file(&config, configfilename)) + clear_config(&config); + + if(read_server_config()) { syslog(LOG_ERR, _("Unable to reread configuration file, exiting")); exit(0); } + sleep(5); - setup_network_connections(); -*/ + + if(setup_network_connections()) + return; + continue; } - if(last_ping_check + timeout < time(NULL)) - /* Let's check if everybody is still alive */ + t = time(NULL); + + /* Let's check if everybody is still alive */ + + if(last_ping_check + timeout < t) { check_dead_connections(); last_ping_check = time(NULL); + + /* Should we regenerate our key? */ + + if(keyexpires < t) + { + if(debug_lvl >= DEBUG_STATUS) + syslog(LOG_INFO, _("Regenerating symmetric key")); + + RAND_bytes(myself->cipher_pktkey, 64); + send_key_changed(myself, NULL); + keyexpires = time(NULL) + keylifetime; + } } if(r > 0)
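Review bot: The reread-failure path keeps `exit(0);` after the "Unable to reread configuration file, exiting" message, which reports success to whatever supervises the daemon; it should be `exit(1);`. `sleep(5)` runs inside the select loop, so for those five seconds nothing is served or pinged — acceptable if intended, since the log line announces it, but a comment saying so would help. In the rekey block the new key overwrites `myself->cipher_pktkey` before `send_key_changed` is sent, so packets peers already encrypted under the previous key and still in flight will decrypt to garbage from this point until they fetch the new key; holding the previous key for a short grace period would close that window. The unchecked `RAND_bytes` here is covered in my note on the setup hunk.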