X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fnet.c;h=308a64f6796007685878338c92bab2e9d52063ff;hp=b52412d8f5a10e6b6cecc4365e1b592ee8c16a28;hb=013fcb0e9f9c0222f4f63ddf42a2f25bfc4a5546;hpb=8fa9bc017d89b53798903df3fa98311067d4de90 diff --git a/src/net.c b/src/net.c index b52412d8..308a64f6 100644 --- a/src/net.c +++ b/src/net.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: net.c,v 1.35.4.53 2000/10/29 09:19:24 guus Exp $ + $Id: net.c,v 1.35.4.57 2000/11/02 22:05:35 zarq Exp $ */ #include "config.h" @@ -39,6 +39,9 @@ #include #include #include +#include +#include +#include #ifdef HAVE_TUNTAP #include LINUX_IF_TUN_H @@ -67,6 +70,9 @@ int total_socket_out = 0; config_t *upstreamcfg; static int seconds_till_retry; +int keylifetime = 0; +int keyexpires = 0; + char *unknown = NULL; subnet_t mymac; @@ -101,19 +107,22 @@ int xsend(conn_list_t *cl, vpn_packet_t *inpkt) { vpn_packet_t outpkt; int outlen, outpad; + EVP_CIPHER_CTX ctx; cp outpkt.len = inpkt->len; -/* - EVP_EncryptInit(cl->cipher_pktctx, cl->cipher_pkttype, cl->cipher_pktkey, NULL); - EVP_EncryptUpdate(cl->cipher_pktctx, outpkt.data, &outlen, inpkt->data, inpkt->len); - EVP_EncryptFinal(cl->cipher_pktctx, outpkt.data + outlen, &outpad); + + /* Encrypt the packet */ + + EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey + cl->cipher_pkttype->key_len); + EVP_EncryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len); + EVP_EncryptFinal(&ctx, outpkt.data + outlen, &outpad); outlen += outpad + 2; - Do encryption when everything else is fixed... -*/ +/* Bypass outlen = outpkt.len + 2; memcpy(&outpkt, inpkt, outlen); - +*/ + if(debug_lvl >= DEBUG_TRAFFIC) syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"), outlen, cl->name, cl->hostname); @@ -136,19 +145,26 @@ int xrecv(vpn_packet_t *inpkt) { vpn_packet_t outpkt; int outlen, outpad; + EVP_CIPHER_CTX ctx; cp outpkt.len = inpkt->len; -/* - EVP_DecryptInit(myself->cipher_pktctx, myself->cipher_pkttype, myself->cipher_pktkey, NULL); - EVP_DecryptUpdate(myself->cipher_pktctx, outpkt.data, &outlen, inpkt->data, inpkt->len); - EVP_DecryptFinal(myself->cipher_pktctx, outpkt.data + outlen, &outpad); + + /* Decrypt the packet */ + + EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, myself->cipher_pktkey + myself->cipher_pkttype->key_len); + EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len + 8); + EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad); outlen += outpad; - Do decryption is everything else is fixed... -*/ +/* Bypass outlen = outpkt.len+2; memcpy(&outpkt, inpkt, outlen); +*/ + if(debug_lvl >= DEBUG_TRAFFIC) + syslog(LOG_ERR, _("Writing packet of %d bytes to tap device"), + outpkt.len, outlen); + /* Fix mac address */ memcpy(outpkt.data, mymac.net.mac.address.x, 6); @@ -329,7 +345,7 @@ cp if(!cl->status.validkey) { -/* Don't queue until everything else is fixed. +/* FIXME: Don't queue until everything else is fixed. if(debug_lvl >= DEBUG_TRAFFIC) syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"), cl->name, cl->hostname); @@ -342,7 +358,7 @@ cp if(!cl->status.active) { -/* Don't queue until everything else is fixed. +/* FIXME: Don't queue until everything else is fixed. if(debug_lvl >= DEBUG_TRAFFIC) syslog(LOG_INFO, _("%s (%s) is not ready, queueing packet"), cl->name, cl->hostname); @@ -441,20 +457,23 @@ cp if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one))) { - syslog(LOG_ERR, _("setsockopt: %m")); + syslog(LOG_ERR, _("System call `%s' failed: %m"), + "setsockopt"); return -1; } if(setsockopt(nfd, SOL_SOCKET, SO_KEEPALIVE, &one, sizeof(one))) { - syslog(LOG_ERR, _("setsockopt: %m")); + syslog(LOG_ERR, _("System call `%s' failed: %m"), + "setsockopt"); return -1; } flags = fcntl(nfd, F_GETFL); if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0) { - syslog(LOG_ERR, _("fcntl: %m")); + syslog(LOG_ERR, _("System call `%s' failed: %m"), + "fcntl"); return -1; } @@ -484,7 +503,8 @@ cp if(listen(nfd, 3)) { - syslog(LOG_ERR, _("listen: %m")); + syslog(LOG_ERR, _("System call `%s' failed: %m"), + "listen"); return -1; } cp @@ -509,14 +529,16 @@ cp if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one))) { - syslog(LOG_ERR, _("setsockopt: %m")); + syslog(LOG_ERR, _("System call `%s' failed: %m"), + "setsockopt"); return -1; } flags = fcntl(nfd, F_GETFL); if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0) { - syslog(LOG_ERR, _("fcntl: %m")); + syslog(LOG_ERR, _("System call `%s' failed: %m"), + "fcntl"); return -1; } @@ -761,6 +783,24 @@ cp return -1; } + /* Generate packet encryption key */ + + myself->cipher_pkttype = EVP_bf_cfb(); + + myself->cipher_pktkeylength = myself->cipher_pkttype->key_len + myself->cipher_pkttype->iv_len; + + myself->cipher_pktkey = (char *)xmalloc(myself->cipher_pktkeylength); + RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength); + + if(!(cfg = get_config_val(config, keyexpire))) + keylifetime = 3600; + else + keylifetime = cfg->data.val; + + keyexpires = time(NULL) + keylifetime; + + /* Activate ourselves */ + myself->status.active = 1; syslog(LOG_NOTICE, _("Ready: listening on port %hd"), myself->port); @@ -826,7 +866,6 @@ cp if(!fork()) { - execl(scriptname, NULL); if(errno != ENOENT) @@ -962,7 +1001,8 @@ cp if(getpeername(sfd, &ci, &len) < 0) { - syslog(LOG_ERR, _("Error: getpeername: %m")); + syslog(LOG_ERR, _("System call `%s' failed: %m"), + "getpeername"); return NULL; } @@ -1018,6 +1058,7 @@ int handle_incoming_vpn_data() vpn_packet_t pkt; int x, l = sizeof(x); struct sockaddr from; + int lenin; socklen_t fromlen = sizeof(from); cp if(getsockopt(myself->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0) @@ -1032,18 +1073,17 @@ cp return -1; } - if(recvfrom(myself->socket, (char *) &(pkt.len), MTU, 0, &from, &fromlen) <= 0) + if((lenin = recvfrom(myself->socket, (char *) &(pkt.len), MTU, 0, &from, &fromlen)) <= 0) { syslog(LOG_ERR, _("Receiving packet failed: %m")); return -1; } -/* + if(debug_lvl >= DEBUG_TRAFFIC) { - syslog(LOG_DEBUG, _("Received packet of %d bytes from %d.%d.%d.%d"), pkt.len, - from.sa_addr[0], from.sa_addr[1], from.sa_addr[2], from.sa_addr[3]); + syslog(LOG_DEBUG, _("Received packet of %d bytes"), lenin); } -*/ + cp return xrecv(&pkt); } @@ -1281,6 +1321,7 @@ void main_loop(void) struct timeval tv; int r; time_t last_ping_check; + int t; cp last_ping_check = time(NULL); @@ -1322,11 +1363,26 @@ cp continue; } - if(last_ping_check + timeout < time(NULL)) - /* Let's check if everybody is still alive */ + t = time(NULL); + + /* Let's check if everybody is still alive */ + + if(last_ping_check + timeout < t) { check_dead_connections(); last_ping_check = time(NULL); + + /* Should we regenerate our key? */ + + if(keyexpires < t) + { + if(debug_lvl >= DEBUG_STATUS) + syslog(LOG_INFO, _("Regenerating symmetric key")); + + RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength); + send_key_changed(myself, NULL); + keyexpires = time(NULL) + keylifetime; + } } if(r > 0)