X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fnet.c;h=308a64f6796007685878338c92bab2e9d52063ff;hp=81b302960c2b3206b9f002ffe4e1fc3da12dbe30;hb=013fcb0e9f9c0222f4f63ddf42a2f25bfc4a5546;hpb=8738c007b15eea024bc4ca6ee0f972b2f5bf259f diff --git a/src/net.c b/src/net.c index 81b30296..308a64f6 100644 --- a/src/net.c +++ b/src/net.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: net.c,v 1.35.4.48 2000/10/28 21:25:20 guus Exp $ + $Id: net.c,v 1.35.4.57 2000/11/02 22:05:35 zarq Exp $ */ #include "config.h" @@ -38,6 +38,10 @@ #include #include #include +#include +#include +#include +#include #ifdef HAVE_TUNTAP #include LINUX_IF_TUN_H @@ -47,11 +51,12 @@ #include #include "conf.h" -#include "encr.h" #include "net.h" #include "netutl.h" #include "protocol.h" #include "meta.h" +#include "connlist.h" +#include "subnet.h" #include "system.h" @@ -65,8 +70,13 @@ int total_socket_out = 0; config_t *upstreamcfg; static int seconds_till_retry; +int keylifetime = 0; +int keyexpires = 0; + char *unknown = NULL; +subnet_t mymac; + /* strip off the MAC adresses of an ethernet frame */ @@ -97,19 +107,22 @@ int xsend(conn_list_t *cl, vpn_packet_t *inpkt) { vpn_packet_t outpkt; int outlen, outpad; + EVP_CIPHER_CTX ctx; cp outpkt.len = inpkt->len; -/* - EVP_EncryptInit(cl->cipher_pktctx, cl->cipher_pkttype, cl->cipher_pktkey, NULL); - EVP_EncryptUpdate(cl->cipher_pktctx, outpkt.data, &outlen, inpkt->data, inpkt->len); - EVP_EncryptFinal(cl->cipher_pktctx, outpkt.data + outlen, &outpad); + + /* Encrypt the packet */ + + EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey + cl->cipher_pkttype->key_len); + EVP_EncryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len); + EVP_EncryptFinal(&ctx, outpkt.data + outlen, &outpad); outlen += outpad + 2; - Do encryption when everything else is fixed... -*/ +/* Bypass outlen = outpkt.len + 2; memcpy(&outpkt, inpkt, outlen); - +*/ + if(debug_lvl >= DEBUG_TRAFFIC) syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"), outlen, cl->name, cl->hostname); @@ -132,22 +145,29 @@ int xrecv(vpn_packet_t *inpkt) { vpn_packet_t outpkt; int outlen, outpad; + EVP_CIPHER_CTX ctx; cp outpkt.len = inpkt->len; -/* - EVP_DecryptInit(myself->cipher_pktctx, myself->cipher_pkttype, myself->cipher_pktkey, NULL); - EVP_DecryptUpdate(myself->cipher_pktctx, outpkt.data, &outlen, inpkt->data, inpkt->len); - EVP_DecryptFinal(myself->cipher_pktctx, outpkt.data + outlen, &outpad); + + /* Decrypt the packet */ + + EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, myself->cipher_pktkey + myself->cipher_pkttype->key_len); + EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len + 8); + EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad); outlen += outpad; - Do decryption is everything else is fixed... -*/ +/* Bypass outlen = outpkt.len+2; memcpy(&outpkt, inpkt, outlen); +*/ - /* FIXME sometime - add_mac_addresses(&outpkt); - */ + if(debug_lvl >= DEBUG_TRAFFIC) + syslog(LOG_ERR, _("Writing packet of %d bytes to tap device"), + outpkt.len, outlen); + + /* Fix mac address */ + + memcpy(outpkt.data, mymac.net.mac.address.x, 6); if(taptype == TAP_TYPE_TUNTAP) { @@ -325,7 +345,7 @@ cp if(!cl->status.validkey) { -/* Don't queue until everything else is fixed. +/* FIXME: Don't queue until everything else is fixed. if(debug_lvl >= DEBUG_TRAFFIC) syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"), cl->name, cl->hostname); @@ -338,7 +358,7 @@ cp if(!cl->status.active) { -/* Don't queue until everything else is fixed. +/* FIXME: Don't queue until everything else is fixed. if(debug_lvl >= DEBUG_TRAFFIC) syslog(LOG_INFO, _("%s (%s) is not ready, queueing packet"), cl->name, cl->hostname); @@ -381,7 +401,16 @@ cp cp tap_fd = nfd; + /* Set default MAC address for ethertap devices */ + taptype = TAP_TYPE_ETHERTAP; + mymac.type = SUBNET_MAC; + mymac.net.mac.address.x[0] = 0xfe; + mymac.net.mac.address.x[1] = 0xfd; + mymac.net.mac.address.x[2] = 0x00; + mymac.net.mac.address.x[3] = 0x00; + mymac.net.mac.address.x[4] = 0x00; + mymac.net.mac.address.x[5] = 0x00; #ifdef HAVE_TUNTAP /* Ok now check if this is an old ethertap or a new tun/tap thingie */ @@ -395,11 +424,6 @@ cp { syslog(LOG_INFO, _("%s is a new style tun/tap device"), tapfname); taptype = TAP_TYPE_TUNTAP; - - if((cfg = get_config_val(config, tapsubnet)) == NULL) - syslog(LOG_INFO, _("tun/tap device will be left unconfigured")); - else - /* Setup inetaddr/netmask etc */; } #endif @@ -433,20 +457,23 @@ cp if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one))) { - syslog(LOG_ERR, _("setsockopt: %m")); + syslog(LOG_ERR, _("System call `%s' failed: %m"), + "setsockopt"); return -1; } if(setsockopt(nfd, SOL_SOCKET, SO_KEEPALIVE, &one, sizeof(one))) { - syslog(LOG_ERR, _("setsockopt: %m")); + syslog(LOG_ERR, _("System call `%s' failed: %m"), + "setsockopt"); return -1; } flags = fcntl(nfd, F_GETFL); if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0) { - syslog(LOG_ERR, _("fcntl: %m")); + syslog(LOG_ERR, _("System call `%s' failed: %m"), + "fcntl"); return -1; } @@ -476,7 +503,8 @@ cp if(listen(nfd, 3)) { - syslog(LOG_ERR, _("listen: %m")); + syslog(LOG_ERR, _("System call `%s' failed: %m"), + "listen"); return -1; } cp @@ -501,14 +529,16 @@ cp if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one))) { - syslog(LOG_ERR, _("setsockopt: %m")); + syslog(LOG_ERR, _("System call `%s' failed: %m"), + "setsockopt"); return -1; } flags = fcntl(nfd, F_GETFL); if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0) { - syslog(LOG_ERR, _("fcntl: %m")); + syslog(LOG_ERR, _("System call `%s' failed: %m"), + "fcntl"); return -1; } @@ -652,7 +682,6 @@ int setup_myself(void) { config_t const *cfg; subnet_t *net; - int i; cp myself = new_conn_list(); @@ -723,13 +752,21 @@ cp /* Read in all the subnets specified in the host configuration file */ - for(cfg = myself->config; cfg = get_config_val(cfg, subnet); cfg = cfg->next) + for(cfg = myself->config; (cfg = get_config_val(cfg, subnet)); cfg = cfg->next) { net = new_subnet(); net->type = SUBNET_IPV4; net->net.ipv4.address = cfg->data.ip->address; net->net.ipv4.mask = cfg->data.ip->mask; + /* Teach newbies what subnets are... */ + + if((net->net.ipv4.address & net->net.ipv4.mask) != net->net.ipv4.address) + { + syslog(LOG_ERR, _("Network address and subnet mask do not match!")); + return -1; + } + subnet_add(myself, net); } @@ -746,6 +783,24 @@ cp return -1; } + /* Generate packet encryption key */ + + myself->cipher_pkttype = EVP_bf_cfb(); + + myself->cipher_pktkeylength = myself->cipher_pkttype->key_len + myself->cipher_pkttype->iv_len; + + myself->cipher_pktkey = (char *)xmalloc(myself->cipher_pktkeylength); + RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength); + + if(!(cfg = get_config_val(config, keyexpire))) + keylifetime = 3600; + else + keylifetime = cfg->data.val; + + keyexpires = time(NULL) + keylifetime; + + /* Activate ourselves */ + myself->status.active = 1; syslog(LOG_NOTICE, _("Ready: listening on port %hd"), myself->port); @@ -811,7 +866,6 @@ cp if(!fork()) { - execl(scriptname, NULL); if(errno != ENOENT) @@ -853,17 +907,8 @@ void close_network_connections(void) cp for(p = conn_list; p != NULL; p = p->next) { - if(p->status.dataopen) - { - shutdown(p->socket, 0); /* No more receptions */ - close(p->socket); - } - if(p->status.meta) - { - send_termreq(p); - shutdown(p->meta_socket, 0); /* No more receptions */ - close(p->meta_socket); - } + p->status.active = 0; + terminate_connection(p); } if(myself) @@ -871,6 +916,8 @@ cp { close(myself->meta_socket); close(myself->socket); + free_conn_list(myself); + myself = NULL; } /* Execute tinc-down script right before shutting down the interface */ @@ -954,7 +1001,8 @@ cp if(getpeername(sfd, &ci, &len) < 0) { - syslog(LOG_ERR, _("Error: getpeername: %m")); + syslog(LOG_ERR, _("System call `%s' failed: %m"), + "getpeername"); return NULL; } @@ -1008,9 +1056,9 @@ cp int handle_incoming_vpn_data() { vpn_packet_t pkt; - int lenin; int x, l = sizeof(x); struct sockaddr from; + int lenin; socklen_t fromlen = sizeof(from); cp if(getsockopt(myself->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0) @@ -1025,18 +1073,17 @@ cp return -1; } - if(recvfrom(myself->socket, (char *) &(pkt.len), MTU, 0, &from, &fromlen) <= 0) + if((lenin = recvfrom(myself->socket, (char *) &(pkt.len), MTU, 0, &from, &fromlen)) <= 0) { syslog(LOG_ERR, _("Receiving packet failed: %m")); return -1; } -/* + if(debug_lvl >= DEBUG_TRAFFIC) { - syslog(LOG_DEBUG, _("Received packet of %d bytes from %d.%d.%d.%d"), pkt.len, - from.sa_addr[0], from.sa_addr[1], from.sa_addr[2], from.sa_addr[3]); + syslog(LOG_DEBUG, _("Received packet of %d bytes"), lenin); } -*/ + cp return xrecv(&pkt); } @@ -1048,11 +1095,13 @@ cp void terminate_connection(conn_list_t *cl) { conn_list_t *p; - + subnet_t *s; cp if(cl->status.remove) return; + cl->status.remove = 1; + if(debug_lvl >= DEBUG_CONNECTIONS) syslog(LOG_NOTICE, _("Closing connection with %s (%s)"), cl->name, cl->hostname); @@ -1062,43 +1111,40 @@ cp if(cl->status.meta) close(cl->meta_socket); - cl->status.remove = 1; - - /* If this cl isn't active, don't send any DEL_HOSTs. */ - -/* FIXME: reprogram this. - if(cl->status.active) - notify_others(cl,NULL,send_del_host); -*/ - cp /* Find all connections that were lost because they were behind cl (the connection that was dropped). */ + if(cl->status.meta) for(p = conn_list; p != NULL; p = p->next) - { - if((p->nexthop == cl) && (p != cl)) - { - if(cl->status.active && p->status.active) -/* FIXME: reprogram this - notify_others(p,cl,send_del_host); -*/; - if(cl->socket) - close(cl->socket); - p->status.active = 0; - p->status.remove = 1; - } - } + if((p->nexthop == cl) && (p != cl)) + terminate_connection(p); /* Sounds like recursion, but p does not have a meta connection :) */ + + /* Inform others of termination if it was still active */ + + if(cl->status.active) + for(p = conn_list; p != NULL; p = p->next) + if(p->status.meta && p->status.active && p!=cl) + send_del_host(p, cl); + + /* Remove the associated subnets */ + + for(s = cl->subnets; s; s = s->next) + subnet_del(s); + + /* Check if this was our outgoing connection */ - cl->status.active = 0; - - if(cl->status.outgoing) + if(cl->status.outgoing && cl->status.active) { signal(SIGALRM, sigalrm_handler); seconds_till_retry = 5; alarm(seconds_till_retry); syslog(LOG_NOTICE, _("Trying to re-establish outgoing connection in 5 seconds")); } + + /* Inactivate */ + + cl->status.active = 0; cp } @@ -1118,8 +1164,6 @@ cp now = time(NULL); for(p = conn_list; p != NULL; p = p->next) { - if(p->status.remove) - continue; if(p->status.active && p->status.meta) { if(p->last_ping_time + timeout < now) @@ -1170,9 +1214,7 @@ cp return 0; } - ncn->status.meta = 1; - ncn->next = conn_list; - conn_list = ncn; + conn_list_add(ncn); cp return 0; } @@ -1231,8 +1273,6 @@ cp void handle_tap_input(void) { vpn_packet_t vp; - subnet_t *subnet; - ipv4_t dest; int lenin; cp if(taptype == TAP_TYPE_TUNTAP) @@ -1281,6 +1321,7 @@ void main_loop(void) struct timeval tv; int r; time_t last_ping_check; + int t; cp last_ping_check = time(NULL); @@ -1303,28 +1344,45 @@ cp if(sighup) { + syslog(LOG_INFO, _("Rereading configuration file and restarting in 5 seconds")); sighup = 0; -/* FIXME: reprogram this. - if(debug_lvl > 1) - syslog(LOG_INFO, _("Rereading configuration file")); close_network_connections(); - clear_config(); - if(read_config_file(&config, configfilename)) + clear_config(&config); + + if(read_server_config()) { syslog(LOG_ERR, _("Unable to reread configuration file, exiting")); exit(0); } + sleep(5); - setup_network_connections(); -*/ + + if(setup_network_connections()) + return; + continue; } - if(last_ping_check + timeout < time(NULL)) - /* Let's check if everybody is still alive */ + t = time(NULL); + + /* Let's check if everybody is still alive */ + + if(last_ping_check + timeout < t) { check_dead_connections(); last_ping_check = time(NULL); + + /* Should we regenerate our key? */ + + if(keyexpires < t) + { + if(debug_lvl >= DEBUG_STATUS) + syslog(LOG_INFO, _("Regenerating symmetric key")); + + RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength); + send_key_changed(myself, NULL); + keyexpires = time(NULL) + keylifetime; + } } if(r > 0)