X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fnet.c;h=b0d3cd1ebd94ff4b4050be338b1591ed89b33a0e;hp=8d92cc10088c305ded504ce6246648a9ba2f163e;hb=65247c063b36a76dd68156fe17b017c7460d982f;hpb=485f7a5043a4b3345bd02e5063502603550b4c76 diff --git a/src/net.c b/src/net.c index 8d92cc10..b0d3cd1e 100644 --- a/src/net.c +++ b/src/net.c @@ -1,7 +1,7 @@ /* net.c -- most of the network code - Copyright (C) 1998,1999,2000 Ivo Timmermans , - 2000 Guus Sliepen + Copyright (C) 1998-2001 Ivo Timmermans , + 2000,2001 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: net.c,v 1.35.4.76 2000/11/16 22:11:40 zarq Exp $ + $Id: net.c,v 1.35.4.109 2001/05/28 08:21:43 guus Exp $ */ #include "config.h" @@ -26,6 +26,10 @@ #include #include #include +#ifndef HAVE_FREEBSD + #include + #include +#endif #include #include #include @@ -59,22 +63,31 @@ # include #endif +#ifdef HAVE_OPENSSL_PEM_H +# include +#else +# include +#endif + #ifdef HAVE_TUNTAP #include LINUX_IF_TUN_H #endif #include #include +#include +#include #include "conf.h" -#include "connlist.h" -#include "list.h" +#include "connection.h" #include "meta.h" #include "net.h" #include "netutl.h" #include "process.h" #include "protocol.h" #include "subnet.h" +#include "process.h" +#include "route.h" #include "system.h" @@ -93,209 +106,117 @@ int keyexpires = 0; char *unknown = NULL; -subnet_t mymac; - -int xsend(conn_list_t *cl, vpn_packet_t *inpkt) +void send_udppacket(connection_t *cl, vpn_packet_t *inpkt) { vpn_packet_t outpkt; int outlen, outpad; EVP_CIPHER_CTX ctx; + struct sockaddr_in to; + socklen_t tolen = sizeof(to); + vpn_packet_t *copy; cp - outpkt.len = inpkt->len; - - /* Encrypt the packet */ - - EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey + cl->cipher_pkttype->key_len); - EVP_EncryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len); - EVP_EncryptFinal(&ctx, outpkt.data + outlen, &outpad); - outlen += outpad + 2; + if(!cl->status.validkey) + { + if(debug_lvl >= DEBUG_TRAFFIC) + syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"), + cl->name, cl->hostname); -/* Bypass - outlen = outpkt.len + 2; - memcpy(&outpkt, inpkt, outlen); -*/ + /* Since packet is on the stack of handle_tap_input(), + we have to make a copy of it first. */ - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"), - outlen, cl->name, cl->hostname); + copy = xmalloc(sizeof(vpn_packet_t)); + memcpy(copy, inpkt, sizeof(vpn_packet_t)); - total_socket_out += outlen; + list_insert_tail(cl->queue, copy); - if((send(cl->socket, (char *) &(outpkt.len), outlen, 0)) < 0) - { - syslog(LOG_ERR, _("Error sending packet to %s (%s): %m"), - cl->name, cl->hostname); - return -1; + if(!cl->status.waitingforkey) + send_req_key(myself, cl); + return; } -cp - return 0; -} -int xrecv(conn_list_t *cl, vpn_packet_t *inpkt) -{ - vpn_packet_t outpkt; - int outlen, outpad; - EVP_CIPHER_CTX ctx; -cp - outpkt.len = inpkt->len; + /* Encrypt the packet. */ - /* Decrypt the packet */ + RAND_bytes(inpkt->salt, sizeof(inpkt->salt)); - EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, myself->cipher_pktkey + myself->cipher_pkttype->key_len); - EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len + 8); - EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad); + EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey + cl->cipher_pkttype->key_len); + EVP_EncryptUpdate(&ctx, outpkt.salt, &outlen, inpkt->salt, inpkt->len + sizeof(inpkt->salt)); + EVP_EncryptFinal(&ctx, outpkt.salt + outlen, &outpad); outlen += outpad; -/* Bypass - outlen = outpkt.len+2; - memcpy(&outpkt, inpkt, outlen); -*/ - - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_ERR, _("Writing packet of %d bytes to tap device"), - outpkt.len, outlen); - - /* Fix mac address */ + total_socket_out += outlen; - memcpy(outpkt.data, mymac.net.mac.address.x, 6); + to.sin_family = AF_INET; + to.sin_addr.s_addr = htonl(cl->address); + to.sin_port = htons(cl->port); - if(taptype == TAP_TYPE_TUNTAP) + if((sendto(myself->socket, (char *) outpkt.salt, outlen, 0, (const struct sockaddr *)&to, tolen)) < 0) { - if(write(tap_fd, outpkt.data, outpkt.len) < 0) - syslog(LOG_ERR, _("Can't write to tun/tap device: %m")); - else - total_tap_out += outpkt.len; - } - else /* ethertap */ - { - if(write(tap_fd, outpkt.data - 2, outpkt.len + 2) < 0) - syslog(LOG_ERR, _("Can't write to ethertap device: %m")); - else - total_tap_out += outpkt.len + 2; + syslog(LOG_ERR, _("Error sending packet to %s (%s): %m"), + cl->name, cl->hostname); + return; } cp - return 0; } -/* - add the given packet of size s to the - queue q, be it the send or receive queue -*/ -void add_queue(packet_queue_t **q, void *packet, size_t s) +void receive_packet(connection_t *cl, vpn_packet_t *packet) { - queue_element_t *e; cp - e = xmalloc(sizeof(*e)); - e->packet = xmalloc(s); - memcpy(e->packet, packet, s); - - if(!*q) - { - *q = xmalloc(sizeof(**q)); - (*q)->head = (*q)->tail = NULL; - } - - e->next = NULL; /* We insert at the tail */ - - if((*q)->tail) /* Do we have a tail? */ - { - (*q)->tail->next = e; - e->prev = (*q)->tail; - } - else /* No tail -> no head too */ - { - (*q)->head = e; - e->prev = NULL; - } + if(debug_lvl >= DEBUG_TRAFFIC) + syslog(LOG_DEBUG, _("Received packet of %d bytes from %s (%s)"), packet->len, cl->name, cl->hostname); - (*q)->tail = e; + route_incoming(cl, packet); cp } -/* Remove a queue element */ -void del_queue(packet_queue_t **q, queue_element_t *e) +void receive_udppacket(connection_t *cl, vpn_packet_t *inpkt) { + vpn_packet_t outpkt; + int outlen, outpad; + EVP_CIPHER_CTX ctx; cp - free(e->packet); + /* Decrypt the packet */ - if(e->next) /* There is a successor, so we are not tail */ - { - if(e->prev) /* There is a predecessor, so we are not head */ - { - e->next->prev = e->prev; - e->prev->next = e->next; - } - else /* We are head */ - { - e->next->prev = NULL; - (*q)->head = e->next; - } - } - else /* We are tail (or all alone!) */ - { - if(e->prev) /* We are not alone :) */ - { - e->prev->next = NULL; - (*q)->tail = e->prev; - } - else /* Adieu */ - { - free(*q); - *q = NULL; - } - } - - free(e); + EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, myself->cipher_pktkey + myself->cipher_pkttype->key_len); + EVP_DecryptUpdate(&ctx, outpkt.salt, &outlen, inpkt->salt, inpkt->len); + EVP_DecryptFinal(&ctx, outpkt.salt + outlen, &outpad); + outlen += outpad; + outpkt.len = outlen - sizeof(outpkt.salt); + + receive_packet(cl, &outpkt); cp } -/* - flush a queue by calling function for - each packet, and removing it when that - returned a zero exit code -*/ -void flush_queue(conn_list_t *cl, packet_queue_t **pq, - int (*function)(conn_list_t*,vpn_packet_t*)) +void receive_tcppacket(connection_t *cl, char *buffer, int len) { - queue_element_t *p, *next = NULL; + vpn_packet_t outpkt; cp - for(p = (*pq)->head; p != NULL; ) - { - next = p->next; - - if(!function(cl, p->packet)) - del_queue(pq, p); - - p = next; - } + outpkt.len = len; + memcpy(outpkt.data, buffer, len); - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_DEBUG, _("Queue flushed")); + receive_packet(cl, &outpkt); cp } -/* - flush the send&recv queues - void because nothing goes wrong here, packets - remain in the queue if something goes wrong -*/ -void flush_queues(conn_list_t *cl) +void accept_packet(vpn_packet_t *packet) { cp - if(cl->sq) + if(debug_lvl >= DEBUG_TRAFFIC) + syslog(LOG_DEBUG, _("Writing packet of %d bytes to tap device"), + packet->len); + + if(taptype == TAP_TYPE_TUNTAP) { - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_DEBUG, _("Flushing send queue for %s (%s)"), - cl->name, cl->hostname); - flush_queue(cl, &(cl->sq), xsend); + if(write(tap_fd, packet->data, packet->len) < 0) + syslog(LOG_ERR, _("Can't write to tun/tap device: %m")); + else + total_tap_out += packet->len; } - - if(cl->rq) + else /* ethertap */ { - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_DEBUG, _("Flushing receive queue for %s (%s)"), - cl->name, cl->hostname); - flush_queue(cl, &(cl->rq), xrecv); + if(write(tap_fd, packet->data - 2, packet->len + 2) < 0) + syslog(LOG_ERR, _("Can't write to ethertap device: %m")); + else + total_tap_out += packet->len; } cp } @@ -303,77 +224,57 @@ cp /* send a packet to the given vpn ip. */ -int send_packet(ip_t to, vpn_packet_t *packet) +void send_packet(connection_t *cl, vpn_packet_t *packet) { - conn_list_t *cl; - subnet_t *subnet; cp - if((subnet = lookup_subnet_ipv4(to)) == NULL) - { - if(debug_lvl >= DEBUG_TRAFFIC) - { - syslog(LOG_NOTICE, _("Trying to look up %d.%d.%d.%d in connection list failed!"), - IP_ADDR_V(to)); - } - - return -1; - } + if(debug_lvl >= DEBUG_TRAFFIC) + syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"), + packet->len, cl->name, cl->hostname); - cl = subnet->owner; - if(cl == myself) { if(debug_lvl >= DEBUG_TRAFFIC) { - syslog(LOG_NOTICE, _("Packet with destination %d.%d.%d.%d is looping back to us!"), - IP_ADDR_V(to)); + syslog(LOG_NOTICE, _("Packet is looping back to us!")); } - return -1; + return; } - /* If we ourselves have indirectdata flag set, we should send only to our uplink! */ - - /* FIXME - check for indirection and reprogram it The Right Way(tm) this time. */ - - /* Connections are now opened beforehand... - - if(!cl->status.dataopen) - if(setup_vpn_connection(cl) < 0) - { - syslog(LOG_ERR, _("Could not open UDP connection to %s (%s)"), - cl->name, cl->hostname); - return -1; - } - */ - - if(!cl->status.validkey) + if(!cl->status.active) { -/* FIXME: Don't queue until everything else is fixed. if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"), + syslog(LOG_INFO, _("%s (%s) is not active, dropping packet"), cl->name, cl->hostname); - add_queue(&(cl->sq), packet, packet->len + 2); -*/ - if(!cl->status.waitingforkey) - send_req_key(myself, cl); /* Keys should be sent to the host running the tincd */ - return 0; + + return; } - if(!cl->status.active) + /* Check if it has to go via TCP or UDP... */ +cp + if((cl->options | myself->options) & OPTION_TCPONLY) { -/* FIXME: Don't queue until everything else is fixed. - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_INFO, _("%s (%s) is not ready, queueing packet"), - cl->name, cl->hostname); - add_queue(&(cl->sq), packet, packet->len + 2); -*/ - return 0; /* We don't want to mess up, do we? */ + if(send_tcppacket(cl, packet)) + terminate_connection(cl); } + else + send_udppacket(cl, packet); +} - /* can we send it? can we? can we? huh? */ +void flush_queue(connection_t *cl) +{ + list_node_t *node, *next; +cp + if(debug_lvl >= DEBUG_TRAFFIC) + syslog(LOG_INFO, _("Flushing queue for %s (%s)"), cl->name, cl->hostname); + + for(node = cl->queue->head; node; node = next) + { + next = node->next; + send_udppacket(cl, (vpn_packet_t *)node->data); + list_delete_node(cl->queue, node); + } cp - return xsend(cl, packet); } /* @@ -384,16 +285,31 @@ int setup_tap_fd(void) int nfd; const char *tapfname; config_t const *cfg; +#ifdef HAVE_LINUX +# ifdef HAVE_TUNTAP + struct ifreq ifr; +# endif +#endif -cp +cp if((cfg = get_config_val(config, config_tapdevice))) tapfname = cfg->data.ptr; else -#ifdef HAVE_TUNTAP - tapfname = "/dev/misc/net/tun"; -#else - tapfname = "/dev/tap0"; + { +#ifdef HAVE_LINUX +# ifdef HAVE_TUNTAP + tapfname = "/dev/net/tun"; +# else + tapfname = "/dev/tap0"; +# endif #endif +#ifdef HAVE_FREEBSD + tapfname = "/dev/tap0"; +#endif +#ifdef HAVE_SOLARIS + tapfname = "/dev/tun"; +#endif + } cp if((nfd = open(tapfname, O_RDWR | O_NONBLOCK)) < 0) { @@ -403,9 +319,10 @@ cp cp tap_fd = nfd; - /* Set default MAC address for ethertap devices */ - taptype = TAP_TYPE_ETHERTAP; + + /* Set default MAC address for ethertap devices */ + mymac.type = SUBNET_MAC; mymac.net.mac.address.x[0] = 0xfe; mymac.net.mac.address.x[1] = 0xfd; @@ -414,7 +331,8 @@ cp mymac.net.mac.address.x[4] = 0x00; mymac.net.mac.address.x[5] = 0x00; -#ifdef HAVE_TUNTAP +#ifdef HAVE_LINUX + #ifdef HAVE_TUNTAP /* Ok now check if this is an old ethertap or a new tun/tap thingie */ memset(&ifr, 0, sizeof(ifr)); cp @@ -427,6 +345,10 @@ cp syslog(LOG_INFO, _("%s is a new style tun/tap device"), tapfname); taptype = TAP_TYPE_TUNTAP; } + #endif +#endif +#ifdef HAVE_FREEBSD + taptype = TAP_TYPE_TUNTAP; #endif cp return 0; @@ -440,7 +362,7 @@ int setup_listen_meta_socket(int port) { int nfd, flags; struct sockaddr_in a; - const int one = 1; + int option; config_t const *cfg; cp if((nfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) @@ -449,22 +371,6 @@ cp return -1; } - if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one))) - { - close(nfd); - syslog(LOG_ERR, _("System call `%s' failed: %m"), - "setsockopt"); - return -1; - } - - if(setsockopt(nfd, SOL_SOCKET, SO_KEEPALIVE, &one, sizeof(one))) - { - close(nfd); - syslog(LOG_ERR, _("System call `%s' failed: %m"), - "setsockopt"); - return -1; - } - flags = fcntl(nfd, F_GETFL); if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0) { @@ -474,20 +380,32 @@ cp return -1; } + /* Optimize TCP settings */ + + option = 1; + setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &option, sizeof(option)); + setsockopt(nfd, SOL_SOCKET, SO_KEEPALIVE, &option, sizeof(option)); +#ifndef HAVE_FREEBSD + setsockopt(nfd, SOL_TCP, TCP_NODELAY, &option, sizeof(option)); + + option = IPTOS_LOWDELAY; + setsockopt(nfd, SOL_IP, IP_TOS, &option, sizeof(option)); + if((cfg = get_config_val(config, config_interface))) { - if(setsockopt(nfd, SOL_SOCKET, SO_KEEPALIVE, cfg->data.ptr, strlen(cfg->data.ptr))) + if(setsockopt(nfd, SOL_SOCKET, SO_BINDTODEVICE, cfg->data.ptr, strlen(cfg->data.ptr))) { close(nfd); syslog(LOG_ERR, _("Unable to bind listen socket to interface %s: %m"), cfg->data.ptr); return -1; } } +#endif memset(&a, 0, sizeof(a)); a.sin_family = AF_INET; a.sin_port = htons(port); - + if((cfg = get_config_val(config, config_interfaceip))) a.sin_addr.s_addr = htonl(cfg->data.ip->address); else @@ -528,13 +446,7 @@ cp return -1; } - if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one))) - { - close(nfd); - syslog(LOG_ERR, _("System call `%s' failed: %m"), - "setsockopt"); - return -1; - } + setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)); flags = fcntl(nfd, F_GETFL); if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0) @@ -563,11 +475,12 @@ cp /* setup an outgoing meta (tcp) socket */ -int setup_outgoing_meta_socket(conn_list_t *cl) +int setup_outgoing_meta_socket(connection_t *cl) { int flags; struct sockaddr_in a; config_t const *cfg; + int option; cp if(debug_lvl >= DEBUG_CONNECTIONS) syslog(LOG_INFO, _("Trying to connect to %s"), cl->hostname); @@ -585,6 +498,31 @@ cp return -1; } + /* Bind first to get a fix on our source port */ + + a.sin_family = AF_INET; + a.sin_port = htons(0); + a.sin_addr.s_addr = htonl(INADDR_ANY); + + if(bind(cl->meta_socket, (struct sockaddr *)&a, sizeof(struct sockaddr))) + { + close(cl->meta_socket); + syslog(LOG_ERR, _("System call `%s' failed: %m"), "bind"); + return -1; + } + + /* Optimize TCP settings */ + + option = 1; + setsockopt(cl->meta_socket, SOL_SOCKET, SO_KEEPALIVE, &option, sizeof(option)); +#ifndef HAVE_FREEBSD + setsockopt(cl->meta_socket, SOL_TCP, TCP_NODELAY, &option, sizeof(option)); + + option = IPTOS_LOWDELAY; + setsockopt(cl->meta_socket, SOL_IP, IP_TOS, &option, sizeof(option)); +#endif + /* Connect */ + a.sin_family = AF_INET; a.sin_port = htons(cl->port); a.sin_addr.s_addr = htonl(cl->address); @@ -615,15 +553,11 @@ cp } /* - setup an outgoing connection. It's not - necessary to also open an udp socket as - well, because the other host will initiate - an authentication sequence during which - we will do just that. + Setup an outgoing meta connection. */ int setup_outgoing_connection(char *name) { - conn_list_t *ncn; + connection_t *ncn; struct hostent *h; config_t const *cfg; cp @@ -633,38 +567,38 @@ cp return -1; } - ncn = new_conn_list(); + ncn = new_connection(); asprintf(&ncn->name, "%s", name); - + if(read_host_config(ncn)) { - syslog(LOG_ERR, _("Error reading host configuration file for %s")); - free_conn_list(ncn); + syslog(LOG_ERR, _("Error reading host configuration file for %s"), ncn->name); + free_connection(ncn); return -1; } - + if(!(cfg = get_config_val(ncn->config, config_address))) { - syslog(LOG_ERR, _("No address specified for %s")); - free_conn_list(ncn); + syslog(LOG_ERR, _("No address specified for %s"), ncn->name); + free_connection(ncn); return -1; } - + if(!(h = gethostbyname(cfg->data.ptr))) { syslog(LOG_ERR, _("Error looking up `%s': %m"), cfg->data.ptr); - free_conn_list(ncn); + free_connection(ncn); return -1; } - ncn->address = ntohl(*((ip_t*)(h->h_addr_list[0]))); + ncn->address = ntohl(*((ipv4_t*)(h->h_addr_list[0]))); ncn->hostname = hostlookup(htonl(ncn->address)); - + if(setup_outgoing_meta_socket(ncn) < 0) { syslog(LOG_ERR, _("Could not set up a meta connection to %s"), ncn->hostname); - free_conn_list(ncn); + free_connection(ncn); return -1; } @@ -673,15 +607,121 @@ cp ncn->buflen = 0; ncn->last_ping_time = time(NULL); - conn_list_add(ncn); + connection_add(ncn); send_id(ncn); cp return 0; } +int read_rsa_public_key(connection_t *cl) +{ + config_t const *cfg; + FILE *fp; + char *fname; + void *result; +cp + if(!cl->rsa_key) + cl->rsa_key = RSA_new(); + + /* First, check for simple PublicKey statement */ + + if((cfg = get_config_val(cl->config, config_publickey))) + { + BN_hex2bn(&cl->rsa_key->n, cfg->data.ptr); + BN_hex2bn(&cl->rsa_key->e, "FFFF"); + return 0; + } + + /* Else, check for PublicKeyFile statement and read it */ + + if((cfg = get_config_val(cl->config, config_publickeyfile))) + { + if(is_safe_path(cfg->data.ptr)) + { + if((fp = fopen(cfg->data.ptr, "r")) == NULL) + { + syslog(LOG_ERR, _("Error reading RSA public key file `%s': %m"), + cfg->data.ptr); + return -1; + } + result = PEM_read_RSAPublicKey(fp, &cl->rsa_key, NULL, NULL); + fclose(fp); + if(!result) + { + syslog(LOG_ERR, _("Reading RSA public key file `%s' failed: %m"), + cfg->data.ptr); + return -1; + } + return 0; + } + else + return -1; + } + + /* Else, check if a harnessed public key is in the config file */ + + asprintf(&fname, "%s/hosts/%s", confbase, cl->name); + if((fp = fopen(fname, "r"))) + { + result = PEM_read_RSAPublicKey(fp, &cl->rsa_key, NULL, NULL); + fclose(fp); + free(fname); + if(result) + return 0; + } + + free(fname); + + /* Nothing worked. */ + + syslog(LOG_ERR, _("No public key for %s specified!"), cl->name); +cp + return -1; +} + +int read_rsa_private_key(void) +{ + config_t const *cfg; + FILE *fp; + void *result; +cp + if(!myself->rsa_key) + myself->rsa_key = RSA_new(); + + if((cfg = get_config_val(config, config_privatekey))) + { + BN_hex2bn(&myself->rsa_key->d, cfg->data.ptr); + BN_hex2bn(&myself->rsa_key->e, "FFFF"); + } + else if((cfg = get_config_val(config, config_privatekeyfile))) + { + if((fp = fopen(cfg->data.ptr, "r")) == NULL) + { + syslog(LOG_ERR, _("Error reading RSA private key file `%s': %m"), + cfg->data.ptr); + return -1; + } + result = PEM_read_RSAPrivateKey(fp, &myself->rsa_key, NULL, NULL); + fclose(fp); + if(!result) + { + syslog(LOG_ERR, _("Reading RSA private key file `%s' failed: %m"), + cfg->data.ptr); + return -1; + } + } + else + { + syslog(LOG_ERR, _("No private key for tinc daemon specified!")); + return -1; + } +cp + return 0; +} + /* - Configure conn_list_t myself and set up the local sockets (listen only) + Configure connection_t myself and set up the local sockets (listen only) */ int setup_myself(void) { @@ -689,10 +729,10 @@ int setup_myself(void) config_t *next; subnet_t *net; cp - myself = new_conn_list(); + myself = new_connection(); - asprintf(&myself->hostname, "MYSELF"); /* FIXME? Do hostlookup on ourselves? */ - myself->flags = 0; + asprintf(&myself->hostname, "MYSELF"); + myself->options = 0; myself->protocol_version = PROT_CURRENT; if(!(cfg = get_config_val(config, config_name))) /* Not acceptable */ @@ -709,33 +749,19 @@ cp return -1; } cp - if(!(cfg = get_config_val(config, config_privatekey))) - { - syslog(LOG_ERR, _("Private key for tinc daemon required!")); - return -1; - } - else - { - myself->rsa_key = RSA_new(); - BN_hex2bn(&myself->rsa_key->d, cfg->data.ptr); - BN_hex2bn(&myself->rsa_key->e, "FFFF"); - } + if(read_rsa_private_key()) + return -1; if(read_host_config(myself)) { syslog(LOG_ERR, _("Cannot open host configuration file for myself!")); return -1; } -cp - if(!(cfg = get_config_val(myself->config, config_publickey))) - { - syslog(LOG_ERR, _("Public key for tinc daemon required!")); - return -1; - } - else - { - BN_hex2bn(&myself->rsa_key->n, cfg->data.ptr); - } + + if(read_rsa_public_key(myself)) + return -1; +cp + /* if(RSA_check_key(myself->rsa_key) != 1) { @@ -750,11 +776,11 @@ cp if((cfg = get_config_val(myself->config, config_indirectdata))) if(cfg->data.val == stupid_true) - myself->flags |= EXPORTINDIRECTDATA; + myself->options |= OPTION_INDIRECT; if((cfg = get_config_val(myself->config, config_tcponly))) if(cfg->data.val == stupid_true) - myself->flags |= TCPONLY; + myself->options |= OPTION_TCPONLY; /* Read in all the subnets specified in the host configuration file */ @@ -764,47 +790,68 @@ cp net->type = SUBNET_IPV4; net->net.ipv4.address = cfg->data.ip->address; net->net.ipv4.mask = cfg->data.ip->mask; - + /* Teach newbies what subnets are... */ - + if((net->net.ipv4.address & net->net.ipv4.mask) != net->net.ipv4.address) { syslog(LOG_ERR, _("Network address and subnet mask do not match!")); return -1; - } - + } + subnet_add(myself, net); } - + if((myself->meta_socket = setup_listen_meta_socket(myself->port)) < 0) { - syslog(LOG_ERR, _("Unable to set up a listening socket!")); + syslog(LOG_ERR, _("Unable to set up a listening TCP socket!")); return -1; } + if((myself->socket = setup_vpn_in_socket(myself->port)) < 0) + { + syslog(LOG_ERR, _("Unable to set up a listening UDP socket!")); + return -1; + } +cp /* Generate packet encryption key */ - myself->cipher_pkttype = EVP_bf_cfb(); + myself->cipher_pkttype = EVP_bf_cbc(); myself->cipher_pktkeylength = myself->cipher_pkttype->key_len + myself->cipher_pkttype->iv_len; myself->cipher_pktkey = (char *)xmalloc(myself->cipher_pktkeylength); - RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength); + RAND_pseudo_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength); if(!(cfg = get_config_val(config, config_keyexpire))) keylifetime = 3600; else keylifetime = cfg->data.val; - + keyexpires = time(NULL) + keylifetime; +cp + /* Check some options */ + + if((cfg = get_config_val(config, config_indirectdata))) + { + if(cfg->data.val == stupid_true) + myself->options |= OPTION_INDIRECT; + } + + if((cfg = get_config_val(config, config_tcponly))) + { + if(cfg->data.val == stupid_true) + myself->options |= OPTION_TCPONLY; + } + + if(myself->options & OPTION_TCPONLY) + myself->options |= OPTION_INDIRECT; /* Activate ourselves */ - + myself->status.active = 1; syslog(LOG_NOTICE, _("Ready: listening on port %hd"), myself->port); - - child_pids = list_new(); cp return 0; } @@ -816,10 +863,21 @@ sigalrm_handler(int a) cp cfg = get_config_val(upstreamcfg, config_connectto); - if(!cfg && upstreamcfg == config) - /* No upstream IP given, we're listen only. */ - return; - + if(!cfg) + { + if(upstreamcfg == config) + { + /* No upstream IP given, we're listen only. */ + signal(SIGALRM, SIG_IGN); + return; + } + } + else + { + /* We previously tried all the ConnectTo lines. Now wrap back to the first. */ + cfg = get_config_val(config, config_connectto); + } + while(cfg) { upstreamcfg = cfg->next; @@ -849,6 +907,9 @@ int setup_network_connections(void) { config_t const *cfg; cp + init_connections(); + init_subnets(); + if((cfg = get_config_val(config, config_pingtimeout)) == NULL) timeout = 60; else @@ -863,12 +924,12 @@ cp if(setup_tap_fd() < 0) return -1; + /* Run tinc-up script to further initialize the tap interface */ + execute_script("tinc-up"); + if(setup_myself() < 0) return -1; - /* Run tinc-up script to further initialize the tap interface */ - execute_script("tinc-up"); - if(!(cfg = get_config_val(config, config_connectto))) /* No upstream IP given, we're listen only. */ return 0; @@ -880,12 +941,18 @@ cp return 0; cfg = get_config_val(upstreamcfg, config_connectto); /* Or else we try the next ConnectTo line */ } - - signal(SIGALRM, sigalrm_handler); - upstreamcfg = config; - seconds_till_retry = MAXTIMEOUT; - syslog(LOG_NOTICE, _("Trying to re-establish outgoing connection in %d seconds"), seconds_till_retry); - alarm(seconds_till_retry); + + if(do_detach) + { + signal(SIGALRM, sigalrm_handler); + upstreamcfg = config; + seconds_till_retry = MAXTIMEOUT; + syslog(LOG_NOTICE, _("Trying to re-establish outgoing connection in %d seconds"), seconds_till_retry); + alarm(seconds_till_retry); + } + else + return -1; + cp return 0; } @@ -895,10 +962,13 @@ cp */ void close_network_connections(void) { - conn_list_t *p; + avl_node_t *node; + connection_t *p; cp - for(p = conn_list; p != NULL; p = p->next) + for(node = connection_tree->head; node; node = node->next) { + p = (connection_t *)node->data; + p->status.outgoing = 0; p->status.active = 0; terminate_connection(p); } @@ -907,7 +977,7 @@ cp if(myself->status.active) { close(myself->meta_socket); - free_conn_list(myself); + free_connection(myself); myself = NULL; } @@ -916,116 +986,41 @@ cp /* Execute tinc-down script right after shutting down the interface */ execute_script("tinc-down"); - destroy_conn_list(); - - syslog(LOG_NOTICE, _("Terminating")); + destroy_connection_tree(); cp return; } -/* - create a data (udp) socket -*/ -int setup_vpn_connection(conn_list_t *cl) -{ - int nfd, flags; - struct sockaddr_in a; - const int one = 1; -cp - if(debug_lvl >= DEBUG_TRAFFIC) - syslog(LOG_DEBUG, _("Opening UDP socket to %s"), cl->hostname); - - nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); - if(nfd == -1) - { - syslog(LOG_ERR, _("Creating UDP socket failed: %m")); - return -1; - } - - if(setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one))) - { - close(nfd); - syslog(LOG_ERR, _("System call `%s' failed: %m"), - "setsockopt"); - return -1; - } - - flags = fcntl(nfd, F_GETFL); - if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0) - { - close(nfd); - syslog(LOG_ERR, _("System call `%s' failed: %m"), - "fcntl"); - return -1; - } - - memset(&a, 0, sizeof(a)); - a.sin_family = AF_INET; - a.sin_port = htons(myself->port); - a.sin_addr.s_addr = htonl(INADDR_ANY); - - if(bind(nfd, (struct sockaddr *)&a, sizeof(struct sockaddr))) - { - close(nfd); - syslog(LOG_ERR, _("Can't bind to port %hd/udp: %m"), myself->port); - return -1; - } - - a.sin_family = AF_INET; - a.sin_port = htons(cl->port); - a.sin_addr.s_addr = htonl(cl->address); - - if(connect(nfd, (struct sockaddr *)&a, sizeof(a)) == -1) - { - close(nfd); - syslog(LOG_ERR, _("Connecting to %s port %d failed: %m"), - cl->hostname, cl->port); - return -1; - } - - flags = fcntl(nfd, F_GETFL); - if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0) - { - close(nfd); - syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%m %s (%s)"), __FILE__, __LINE__, nfd, - cl->name, cl->hostname); - return -1; - } - - cl->socket = nfd; - cl->status.dataopen = 1; -cp - return 0; -} - /* handle an incoming tcp connect call and open a connection to it. */ -conn_list_t *create_new_connection(int sfd) +connection_t *create_new_connection(int sfd) { - conn_list_t *p; + connection_t *p; struct sockaddr_in ci; int len = sizeof(ci); cp - p = new_conn_list(); + p = new_connection(); if(getpeername(sfd, (struct sockaddr *) &ci, (socklen_t *) &len) < 0) { syslog(LOG_ERR, _("System call `%s' failed: %m"), "getpeername"); + close(sfd); return NULL; } p->name = unknown; p->address = ntohl(ci.sin_addr.s_addr); p->hostname = hostlookup(ci.sin_addr.s_addr); + p->port = htons(ci.sin_port); /* This one will be overwritten later */ p->meta_socket = sfd; p->status.meta = 1; p->buffer = xmalloc(MAXBUFSIZE); p->buflen = 0; p->last_ping_time = time(NULL); - + if(debug_lvl >= DEBUG_CONNECTIONS) syslog(LOG_NOTICE, _("Connection from %s port %d"), p->hostname, htons(ci.sin_port)); @@ -1040,16 +1035,18 @@ cp */ void build_fdset(fd_set *fs) { - conn_list_t *p; + avl_node_t *node; + connection_t *p; cp FD_ZERO(fs); - for(p = conn_list; p != NULL; p = p->next) + FD_SET(myself->socket, fs); + + for(node = connection_tree->head; node; node = node->next) { + p = (connection_t *)node->data; if(p->status.meta) - FD_SET(p->meta_socket, fs); - if(p->status.dataopen) - FD_SET(p->socket, fs); + FD_SET(p->meta_socket, fs); } FD_SET(myself->meta_socket, fs); @@ -1062,95 +1059,115 @@ cp udp socket and write it to the ethertap device after being decrypted */ -int handle_incoming_vpn_data(conn_list_t *cl) +void handle_incoming_vpn_data(void) { vpn_packet_t pkt; int x, l = sizeof(x); - int lenin; + struct sockaddr_in from; + socklen_t fromlen = sizeof(from); + connection_t *cl; cp - if(getsockopt(cl->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0) + if(getsockopt(myself->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0) { syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%m"), - __FILE__, __LINE__, cl->socket); - return -1; + __FILE__, __LINE__, myself->socket); + return; } if(x) { syslog(LOG_ERR, _("Incoming data socket error: %s"), strerror(x)); - return -1; + return; } - if((lenin = recv(cl->socket, (char *) &(pkt.len), MTU, 0)) <= 0) + if((pkt.len = recvfrom(myself->socket, (char *) pkt.salt, MTU, 0, (struct sockaddr *)&from, &fromlen)) <= 0) { syslog(LOG_ERR, _("Receiving packet failed: %m")); - return -1; + return; } - if(debug_lvl >= DEBUG_TRAFFIC) + cl = lookup_connection(ntohl(from.sin_addr.s_addr), ntohs(from.sin_port)); + + if(!cl) { - syslog(LOG_DEBUG, _("Received packet of %d bytes from %s (%s)"), lenin, - cl->name, cl->hostname); + syslog(LOG_WARNING, _("Received UDP packets on port %hd from unknown source %x:%hd"), myself->port, ntohl(from.sin_addr.s_addr), ntohs(from.sin_port)); + return; } + cl->last_ping_time = time(NULL); + + receive_udppacket(cl, &pkt); cp - return xrecv(cl, &pkt); } /* terminate a connection and notify the other end before closing the sockets */ -void terminate_connection(conn_list_t *cl) +void terminate_connection(connection_t *cl) { - conn_list_t *p; - subnet_t *s; + connection_t *p; + subnet_t *subnet; + avl_node_t *node, *next; cp if(cl->status.remove) return; - cl->status.remove = 1; - if(debug_lvl >= DEBUG_CONNECTIONS) syslog(LOG_NOTICE, _("Closing connection with %s (%s)"), cl->name, cl->hostname); - + + cl->status.remove = 1; + if(cl->socket) close(cl->socket); if(cl->status.meta) close(cl->meta_socket); -cp - /* Find all connections that were lost because they were behind cl - (the connection that was dropped). */ - if(cl->status.meta) - for(p = conn_list; p != NULL; p = p->next) - if((p->nexthop == cl) && (p != cl)) - terminate_connection(p); /* Sounds like recursion, but p does not have a meta connection :) */ + { + + /* Find all connections that were lost because they were behind cl + (the connection that was dropped). */ - /* Inform others of termination if it was still active */ + for(node = connection_tree->head; node; node = node->next) + { + p = (connection_t *)node->data; + if(p->nexthop == cl && p != cl) + terminate_connection(p); + } - if(cl->status.active) - for(p = conn_list; p != NULL; p = p->next) - if(p->status.meta && p->status.active && p!=cl) - send_del_host(p, cl); + /* Inform others of termination if it was still active */ + + if(cl->status.active) + for(node = connection_tree->head; node; node = node->next) + { + p = (connection_t *)node->data; + if(p->status.meta && p->status.active && p != cl) + send_del_host(p, cl); /* Sounds like recursion, but p does not have a meta connection :) */ + } + } /* Remove the associated subnets */ - for(s = cl->subnets; s; s = s->next) - subnet_del(s); + for(node = cl->subnet_tree->head; node; node = next) + { + next = node->next; + subnet = (subnet_t *)node->data; + subnet_del(subnet); + } /* Check if this was our outgoing connection */ - - if(cl->status.outgoing && cl->status.active) + + if(cl->status.outgoing) { + cl->status.outgoing = 0; signal(SIGALRM, sigalrm_handler); seconds_till_retry = 5; alarm(seconds_till_retry); syslog(LOG_NOTICE, _("Trying to re-establish outgoing connection in 5 seconds")); } - /* Inactivate */ + /* Deactivate */ cl->status.active = 0; cp @@ -1164,35 +1181,37 @@ cp end does not reply in time, we consider them dead and close the connection. */ -int check_dead_connections(void) +void check_dead_connections(void) { - conn_list_t *p; time_t now; + avl_node_t *node; + connection_t *cl; cp now = time(NULL); - for(p = conn_list; p != NULL; p = p->next) + + for(node = connection_tree->head; node; node = node->next) { - if(p->status.active && p->status.meta) - { - if(p->last_ping_time + timeout < now) + cl = (connection_t *)node->data; + if(cl->status.active && cl->status.meta) + { + if(cl->last_ping_time + timeout < now) { - if(p->status.pinged) + if(cl->status.pinged) { if(debug_lvl >= DEBUG_PROTOCOL) syslog(LOG_INFO, _("%s (%s) didn't respond to PING"), - p->name, p->hostname); - p->status.timeout = 1; - terminate_connection(p); + cl->name, cl->hostname); + cl->status.timeout = 1; + terminate_connection(cl); } else { - send_ping(p); + send_ping(cl); } } - } + } } cp - return 0; } /* @@ -1201,7 +1220,7 @@ cp */ int handle_new_meta_connection() { - conn_list_t *ncn; + connection_t *ncn; struct sockaddr client; int nfd, len = sizeof(client); cp @@ -1219,7 +1238,9 @@ cp return 0; } - conn_list_add(ncn); + connection_add(ncn); + + send_id(ncn); cp return 0; } @@ -1230,27 +1251,18 @@ cp */ void check_network_activity(fd_set *f) { - conn_list_t *p; + connection_t *p; + avl_node_t *node; cp - for(p = conn_list; p != NULL; p = p->next) + if(FD_ISSET(myself->socket, f)) + handle_incoming_vpn_data(); + + for(node = connection_tree->head; node; node = node->next) { + p = (connection_t *)node->data; + if(p->status.remove) - continue; - - if(p->status.dataopen) - if(FD_ISSET(p->socket, f)) - { - handle_incoming_vpn_data(p); - - /* Old error stuff (FIXME: copy this to handle_incoming_vpn_data() - - getsockopt(p->socket, SOL_SOCKET, SO_ERROR, &x, &l); - syslog(LOG_ERR, _("Outgoing data socket error for %s (%s): %s"), - p->name, p->hostname, strerror(x)); - terminate_connection(p); - */ - return; - } + return; if(p->status.meta) if(FD_ISSET(p->meta_socket, f)) @@ -1258,9 +1270,9 @@ cp { terminate_connection(p); return; - } + } } - + if(FD_ISSET(myself->meta_socket, f)) handle_new_meta_connection(); cp @@ -1274,7 +1286,7 @@ void handle_tap_input(void) { vpn_packet_t vp; int lenin; -cp +cp if(taptype == TAP_TYPE_TUNTAP) { if((lenin = read(tap_fd, vp.data, MTU)) <= 0) @@ -1294,7 +1306,7 @@ cp vp.len = lenin - 2; } - total_tap_in += lenin; + total_tap_in += vp.len; if(lenin < 32) { @@ -1308,7 +1320,7 @@ cp syslog(LOG_DEBUG, _("Read packet of length %d from tap device"), vp.len); } - send_packet(ntohl(*((unsigned long*)(&vp.data[30]))), &vp); + route_outgoing(&vp); cp } @@ -1330,7 +1342,7 @@ cp tv.tv_sec = timeout; tv.tv_usec = 0; - prune_conn_list(); + prune_connection_tree(); build_fdset(&fset); if((r = select(FD_SETSIZE, &fset, NULL, NULL, &tv)) < 0) @@ -1352,14 +1364,14 @@ cp if(read_server_config()) { syslog(LOG_ERR, _("Unable to reread configuration file, exiting")); - exit(0); + exit(1); } sleep(5); - + if(setup_network_connections()) return; - + continue; } @@ -1378,7 +1390,7 @@ cp { if(debug_lvl >= DEBUG_STATUS) syslog(LOG_INFO, _("Regenerating symmetric key")); - + RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength); send_key_changed(myself, NULL); keyexpires = time(NULL) + keylifetime; @@ -1393,8 +1405,6 @@ cp if(FD_ISSET(tap_fd, &fset)) handle_tap_input(); } - - check_children(); } cp }