@page
@vskip 0pt plus 1filll
+@cindex copyright
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
Copyright @copyright{} 1998-2010 Ivo Timmermans,
@end titlepage
-@ifnottex
+@ifinfo
@c ==================================================================
@node Top
@top Top
* Installation::
* Configuration::
* Running tinc::
+* Controlling tinc::
* Technical information::
* Platform specific information::
* About us::
* Concept Index:: All used terms explained
@end menu
-@end ifnottex
+@end ifinfo
@c ==================================================================
@node Introduction
* OpenSSL::
* zlib::
* lzo::
+* libevent::
@end menu
default).
+@c ==================================================================
+@node libevent
+@subsection libevent
+
+@cindex libevent
+For the main event loop, tinc uses the libevent library.
+
+If this library is not installed, you wil get an error when configuring
+tinc for build.
+
+You can use your operating system's package manager to install this if
+available. Make sure you install the development AND runtime versions
+of this package.
+
+If you have to install libevent manually, you can get the source code
+from @url{http://monkey.org/~provos/libevent/}. Instructions on how to configure,
+build and install this package are included within the package. Please
+make sure you build development and runtime libraries (which is the
+default).
+
+
@c
@c
@c
in the `=' sign, but doing so improves readability. If you leave it
out, remember to replace it with at least one space character.
+ The server configuration is complemented with host specific configuration (see
+ the next section). Although all host configuration options for the local node
+ listed in this document can also be put in
+ @file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf}, it is recommended to
+ put host specific configuration options in the host configuration file, as this
+ makes it easy to exchange with other nodes.
+
In this section all valid variables are listed in alphabetical order.
The default value is given between parentheses,
other comments are between square brackets.
@cindex PrivateKeyFile
@item PrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/rsa_key.priv})
This is the full path name of the RSA private key file that was
-generated by @samp{tincd --generate-keys}. It must be a full path, not a
+generated by @samp{tincctl generate-keys}. It must be a full path, not a
relative directory.
Note that there must be exactly one of PrivateKey
@cindex PublicKeyFile
@item PublicKeyFile = <@var{path}> [obsolete]
This is the full path name of the RSA public key file that was generated
-by @samp{tincd --generate-keys}. It must be a full path, not a relative
+by @samp{tincctl generate-keys}. It must be a full path, not a relative
directory.
@cindex PEM format
/22. This conforms to standard CIDR notation as described in
@uref{ftp://ftp.isi.edu/in-notes/rfc1519.txt, RFC1519}
-@cindex Subnet weight
A Subnet can be given a weight to indicate its priority over identical Subnets
owned by different nodes. The default weight is 10. Lower values indicate
higher priority. Packets will be sent to the node with the highest priority,
priority will be tried, and so on.
@cindex TCPonly
-@item TCPonly = <yes|no> (no) [deprecated]
+@item TCPonly = <yes|no> (no)
If this variable is set to yes, then the packets are tunnelled over a
TCP connection instead of a UDP connection. This is especially useful
for those who want to run a tinc daemon from behind a masquerading
firewall, or if UDP packet routing is disabled somehow.
Setting this options also implicitly sets IndirectData.
-
-Since version 1.0.10, tinc will automatically detect whether communication via
-UDP is possible or not.
@end table
@item SUBNET
When a subnet becomes (un)reachable, this is set to the subnet.
-@cindex WEIGHT
-@item WEIGHT
-When a subnet becomes (un)reachable, this is set to the subnet weight.
-
@end table
you can easily create a public/private keypair by entering the following command:
@example
-tincd -n @var{netname} -K
+tincctl -n @var{netname} generate-keys
@end example
Tinc will generate a public and a private key and ask you where to put them.
A, B, C and D all have generated a public/private keypair with the following command:
@example
-tincd -n company -K
+tincctl -n company generate-keys
@end example
The private key is stored in @file{@value{sysconfdir}/tinc/company/rsa_key.priv},
Set debug level to @var{level}. The higher the debug level, the more gets
logged. Everything goes via syslog.
-@item -k, --kill[=@var{signal}]
-Attempt to kill a running tincd (optionally with the specified @var{signal} instead of SIGTERM) and exit.
-Use it in conjunction with the -n option to make sure you kill the right tinc daemon.
-Under native Windows the optional argument is ignored,
-the service will always be stopped and removed.
-
@item -n, --net=@var{netname}
Use configuration for net @var{netname}. @xref{Multiple networks}.
-@item -K, --generate-keys[=@var{bits}]
-Generate public/private keypair of @var{bits} length. If @var{bits} is not specified,
-2048 is the default. tinc will ask where you want to store the files,
-but will default to the configuration directory (you can use the -c or -n option
-in combination with -K). After that, tinc will quit.
+@item --controlsocket=@var{filename}
+Open control socket at @var{filename}. If unspecified, the default is
+@file{@value{localstatedir}/run/tinc.@var{netname}.control}.
@item -L, --mlock
Lock tinc into main memory.
Write log entries to a file instead of to the system logging facility.
If @var{file} is omitted, the default is @file{@value{localstatedir}/log/tinc.@var{netname}.log}.
-@item --pidfile=@var{file}
-Write PID to @var{file} instead of @file{@value{localstatedir}/run/tinc.@var{netname}.pid}.
-
@item --bypass-security
Disables encryption and authentication.
Only useful for debugging.
@c from the manpage
@table @samp
-@item ALRM
-Forces tinc to try to connect to all uplinks immediately.
-Usually tinc attempts to do this itself,
-but increases the time it waits between the attempts each time it failed,
-and if tinc didn't succeed to connect to an uplink the first time after it started,
-it defaults to the maximum time of 15 minutes.
-
@item HUP
Partially rereads configuration files.
Connections to hosts whose host config file are removed are closed.
New outgoing connections specified in @file{tinc.conf} will be made.
-@item INT
-Temporarily increases debug level to 5.
-Send this signal again to revert to the original level.
-
-@item USR1
-Dumps the connection list to syslog.
-
-@item USR2
-Dumps virtual network device statistics, all known nodes, edges and subnets to syslog.
-
-@item WINCH
-Purges all information remembered about unreachable nodes.
-
@end table
@c ==================================================================
If so, check that it allows TCP and UDP traffic on port 655.
If it masquerades and the host running tinc is behind it, make sure that it forwards TCP and UDP traffic to port 655 to the host running tinc.
You can add @samp{TCPOnly = yes} to your host config file to force tinc to only use a single TCP connection,
-this works through most firewalls and NATs. Since version 1.0.10, tinc will automatically fall back to TCP if direct communication via UDP is not possible.
+this works through most firewalls and NATs.
@end itemize
@itemize
@item If you see this only sporadically, it is harmless and caused by a node sending packets using an old key.
+@item If you see this often and another node is not reachable anymore, then a NAT (masquerading firewall) is changing the source address of UDP packets.
+You can add @samp{TCPOnly = yes} to host configuration files to force all VPN traffic to go over a TCP connection.
@end itemize
@item Got bad/bogus/unauthorized REQUEST from foo (1.2.3.4 port 12345)
@item The output of any command that fails to work as it should (like ping or traceroute).
@end itemize
+@c ==================================================================
+@node Controlling tinc
+@chapter Controlling tinc
+
+You can control and inspect a running @samp{tincd} through the @samp{tincctl}
+command. A quick example:
+
+@example
+tincctl -n @var{netname} reload
+@end example
+
+@menu
+* tincctl runtime options::
+* tincctl commands::
+@end menu
+
+
+@c ==================================================================
+@node tincctl runtime options
+@section tincctl runtime options
+
+@c from the manpage
+@table @option
+@item -c, --config=@var{path}
+Read configuration options from the directory @var{path}. The default is
+@file{@value{sysconfdir}/tinc/@var{netname}/}.
+
+@item -n, --net=@var{netname}
+Use configuration for net @var{netname}. @xref{Multiple networks}.
+
+@item --controlsocket=@var{filename}
+Open control socket at @var{filename}. If unspecified, the default is
+@file{@value{localstatedir}/run/tinc.@var{netname}.control}.
+
+@item --help
+Display a short reminder of runtime options and commands, then terminate.
+
+@item --version
+Output version information and exit.
+
+@end table
+
+
+@c ==================================================================
+@node tincctl commands
+@section tincctl commands
+
+@c from the manpage
+@table @code
+
+@item start
+Start @samp{tincd}.
+
+@item stop
+Stop @samp{tincd}.
+
+@item restart
+Restart @samp{tincd}.
+
+@item reload
+Partially rereads configuration files. Connections to hosts whose host
+config files are removed are closed. New outgoing connections specified
+in @file{tinc.conf} will be made.
+
+@item pid
+Shows the PID of the currently running @samp{tincd}.
+
+@item generate-keys [@var{bits}]
+Generate public/private keypair of @var{bits} length. If @var{bits} is not specified,
+1024 is the default. tinc will ask where you want to store the files,
+but will default to the configuration directory (you can use the -c or -n
+option).
+
+@item dump nodes
+Dump a list of all known nodes in the VPN.
+
+@item dump edges
+Dump a list of all known connections in the VPN.
+
+@item dump subnets
+Dump a list of all known subnets in the VPN.
+
+@item dump connections
+Dump a list of all meta connections with ourself.
+
+@item dump graph
+Dump a graph of the VPN in dotty format.
+
+@item purge
+Purges all information remembered about unreachable nodes.
+
+@item debug @var{level}
+Sets debug level to @var{level}.
+
+@item retry
+Forces tinc to try to connect to all uplinks immediately.
+Usually tinc attempts to do this itself,
+but increases the time it waits between the attempts each time it failed,
+and if tinc didn't succeed to connect to an uplink the first time after it started,
+it defaults to the maximum time of 15 minutes.
+
+@end table
+
+
@c ==================================================================
@node Technical information
@chapter Technical information
.Nd tinc VPN daemon
.Sh SYNOPSIS
.Nm
-.Op Fl cdDkKnLRU
+.Op Fl cdDKnLRU
.Op Fl -config Ns = Ns Ar DIR
.Op Fl -no-detach
.Op Fl -debug Ns Op = Ns Ar LEVEL
-.Op Fl -kill Ns Op = Ns Ar SIGNAL
.Op Fl -net Ns = Ns Ar NETNAME
-.Op Fl -generate-keys Ns Op = Ns Ar BITS
.Op Fl -mlock
.Op Fl -logfile Ns Op = Ns Ar FILE
-.Op Fl -pidfile Ns = Ns Ar FILE
.Op Fl -bypass-security
.Op Fl -chroot
.Op Fl -user Ns = Ns Ar USER
Increase debug level or set it to
.Ar LEVEL
(see below).
-.It Fl k, -kill Ns Op = Ns Ar SIGNAL
-Attempt to kill a running
-.Nm
-(optionally with the specified
-.Ar SIGNAL
-instead of SIGTERM) and exit.
-Under Windows (not Cygwin) the optional argument is ignored,
-the service will always be stopped and removed.
.It Fl n, -net Ns = Ns Ar NETNAME
Connect to net
.Ar NETNAME .
-.It Fl K, -generate-keys Ns Op = Ns Ar BITS
-Generate public/private RSA keypair and exit.
-If
-.Ar BITS
-is omitted, the default length will be 2048 bits.
-When saving keys to existing files, tinc will not delete the old keys,
-you have to remove them manually.
.It Fl L, -mlock
Lock tinc into main memory.
This will prevent sensitive data like shared private keys to be written to the system swap files/partitions.
.Ar FILE
is omitted, the default is
.Pa @localstatedir@/log/tinc. Ns Ar NETNAME Ns Pa .log.
-.It Fl -pidfile Ns = Ns Ar FILE
-Write PID to
+.It Fl -controlsocket Ns = Ns Ar FILENAME
+Open control socket at
+.Ar FILENAME .
+If
.Ar FILE
-instead of
-.Pa @localstatedir@/run/tinc. Ns Ar NETNAME Ns Pa .pid.
-Under Windows this option will be ignored.
+is omitted, the default is
+.Pa @localstatedir@/run/tinc. Ns Ar NETNAME Ns Pa .control.
.It Fl -bypass-security
Disables encryption and authentication of the meta protocol.
Only useful for debugging.
- .It Fl -chroot
+ .It Fl R, -chroot
With this option tinc chroots into the directory where network
config is located (@sysconfdir@/tinc/NETNAME if -n option is used,
or to the directory specified with -c option) after initialization.
- .It Fl -user Ns = Ns Ar USER
+ .It Fl U, -user Ns = Ns Ar USER
setuid to the specified
.Ar USER
after initialization.
.El
.Sh SIGNALS
.Bl -tag -width indent
-.It ALRM
-Forces
-.Nm
-to try to connect to all uplinks immediately.
-Usually
-.Nm
-attempts to do this itself,
-but increases the time it waits between the attempts each time it failed,
-and if
-.Nm
-didn't succeed to connect to an uplink the first time after it started,
-it defaults to the maximum time of 15 minutes.
.It HUP
Partially rereads configuration files.
Connections to hosts whose host config file are removed are closed.
New outgoing connections specified in
.Pa tinc.conf
will be made.
-.It INT
-Temporarily increases debug level to 5.
-Send this signal again to revert to the original level.
-.It USR1
-Dumps the connection list to syslog.
-.It USR2
-Dumps virtual network device statistics, all known nodes, edges and subnets to syslog.
-.It WINCH
-Purges all information remembered about unreachable nodes.
.El
.Sh DEBUG LEVELS
The tinc daemon can send a lot of messages to the syslog.
.Sh TODO
A lot, especially security auditing.
.Sh SEE ALSO
+.Xr tincctl 8 ,
.Xr tinc.conf 5 ,
.Pa http://www.tinc-vpn.org/ ,
.Pa http://www.cabal.org/ .
#ifndef __TINC_HAVE_H__
#define __TINC_HAVE_H__
+ #ifdef HAVE_MINGW
+ #ifdef WITH_WINDOWS2000
+ #define WINVER Windows2000
+ #else
+ #define WINVER WindowsXP
+ #endif
++#define WIN32_LEAN_AND_MEAN
+ #endif
+
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <unistd.h>
#ifdef HAVE_MINGW
- #ifdef WITH_WINDOWS2000
- #define WINVER Windows2000
- #else
- #define WINVER WindowsXP
- #endif
- #define WIN32_LEAN_AND_MEAN
#include <w32api.h>
#include <windows.h>
#include <ws2tcpip.h>
#include <sys/time.h>
#endif
+#ifdef HAVE_TIME_H
+#include <time.h>
+#endif
+
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#include <sys/uio.h>
#endif
+#ifdef HAVE_SYS_UN_H
+#include <sys/un.h>
+#endif
+
#ifdef HAVE_DIRENT_H
#include <dirent.h>
#endif
#include <netinet/if_ether.h>
#endif
+#ifdef HAVE_EVENT_H
+#include <event.h>
+#endif
+
#endif /* __TINC_SYSTEM_H__ */
char *device = NULL;
char *iface = NULL;
static char *device_info = NULL;
- static int device_total_in = 0;
- static int device_total_out = 0;
+ static uint64_t device_total_in = 0;
+ static uint64_t device_total_out = 0;
#if defined(TUNEMU)
static device_type_t device_type = DEVICE_TYPE_TUNEMU;
#elif defined(HAVE_OPENBSD) || defined(HAVE_FREEBSD)
device = xstrdup(DEFAULT_DEVICE);
if(!get_config_string(lookup_config(config_tree, "Interface"), &iface))
- iface = xstrdup(rindex(device, '/') ? rindex(device, '/') + 1 : device);
+ iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
if(get_config_string(lookup_config(config_tree, "DeviceType"), &type)) {
if(!strcasecmp(type, "tun"))
}
bool read_packet(vpn_packet_t *packet) {
- int lenin;
+ int inlen;
switch(device_type) {
case DEVICE_TYPE_TUN:
#ifdef HAVE_TUNEMU
case DEVICE_TYPE_TUNEMU:
if(device_type == DEVICE_TYPE_TUNEMU)
- lenin = tunemu_read(device_fd, packet->data + 14, MTU - 14);
+ inlen = tunemu_read(device_fd, packet->data + 14, MTU - 14);
else
#else
- lenin = read(device_fd, packet->data + 14, MTU - 14);
+ inlen = read(device_fd, packet->data + 14, MTU - 14);
#endif
- if(lenin <= 0) {
+ if(inlen <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
device, strerror(errno));
return false;
return false;
}
- packet->len = lenin + 14;
+ packet->len = inlen + 14;
break;
case DEVICE_TYPE_TUNIFHEAD: {
u_int32_t type;
- struct iovec vector[2] = {{&type, sizeof(type)}, {packet->data + 14, MTU - 14}};
+ struct iovec vector[2] = {{&type, sizeof type}, {packet->data + 14, MTU - 14}};
- if((lenin = readv(device_fd, vector, 2)) <= 0) {
+ if((inlen = readv(device_fd, vector, 2)) <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
device, strerror(errno));
return false;
return false;
}
- packet->len = lenin + 10;
+ packet->len = inlen + 10;
break;
}
case DEVICE_TYPE_TAP:
- if((lenin = read(device_fd, packet->data, MTU)) <= 0) {
+ if((inlen = read(device_fd, packet->data, MTU)) <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
device, strerror(errno));
return false;
}
- packet->len = lenin;
+ packet->len = inlen;
break;
default:
case DEVICE_TYPE_TUNIFHEAD: {
u_int32_t type;
- struct iovec vector[2] = {{&type, sizeof(type)}, {packet->data + 14, packet->len - 14}};
+ struct iovec vector[2] = {{&type, sizeof type}, {packet->data + 14, packet->len - 14}};
int af;
af = (packet->data[12] << 8) + packet->data[13];
void dump_device_stats(void) {
logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device);
- logger(LOG_DEBUG, " total bytes in: %10d", device_total_in);
- logger(LOG_DEBUG, " total bytes out: %10d", device_total_out);
+ logger(LOG_DEBUG, " total bytes in: %10"PRIu64, device_total_in);
+ logger(LOG_DEBUG, " total bytes out: %10"PRIu64, device_total_out);
}
conf.c -- configuration code
Copyright (C) 1998 Robert van der Meulen
1998-2005 Ivo Timmermans
- 2000-2009 Guus Sliepen <guus@tinc-vpn.org>
+ 2000-2010 Guus Sliepen <guus@tinc-vpn.org>
+ 2010 Julien Muchembled <jm@jmuchemb.eu>
2000 Cris van Pelt
This program is free software; you can redistribute it and/or modify
#include "system.h"
-#include "avl_tree.h"
+#include "splay_tree.h"
+ #include "connection.h"
#include "conf.h"
#include "logger.h"
#include "netutl.h" /* for str2address */
#include "utils.h" /* for cp */
#include "xalloc.h"
-avl_tree_t *config_tree;
+splay_tree_t *config_tree;
int pinginterval = 0; /* seconds between pings */
int pingtimeout = 0; /* seconds to wait for response */
char *confbase = NULL; /* directory in which all config files are */
char *netname = NULL; /* name of the vpn network */
+ list_t *cmdline_conf = NULL; /* global/host configuration values given at the command line */
+
static int config_compare(const config_t *a, const config_t *b) {
int result;
if(result)
return result;
+ /* give priority to command line options */
+ result = !b->file - !a->file;
+ if (result)
+ return result;
+
result = a->line - b->line;
if(result)
return result;
else
- return strcmp(a->file, b->file);
+ return a->file ? strcmp(a->file, b->file) : 0;
}
-void init_configuration(avl_tree_t ** config_tree) {
- *config_tree = avl_alloc_tree((avl_compare_t) config_compare, (avl_action_t) free_config);
+void init_configuration(splay_tree_t ** config_tree) {
+ *config_tree = splay_alloc_tree((splay_compare_t) config_compare, (splay_action_t) free_config);
}
-void exit_configuration(avl_tree_t ** config_tree) {
- avl_delete_tree(*config_tree);
+void exit_configuration(splay_tree_t ** config_tree) {
+ splay_delete_tree(*config_tree);
*config_tree = NULL;
}
free(cfg);
}
-void config_add(avl_tree_t *config_tree, config_t *cfg) {
- avl_insert(config_tree, cfg);
+void config_add(splay_tree_t *config_tree, config_t *cfg) {
+ splay_insert(config_tree, cfg);
}
-config_t *lookup_config(avl_tree_t *config_tree, char *variable) {
+config_t *lookup_config(splay_tree_t *config_tree, char *variable) {
config_t cfg, *found;
cfg.variable = variable;
- cfg.file = "";
+ cfg.file = NULL;
cfg.line = 0;
- found = avl_search_closest_greater(config_tree, &cfg);
+ found = splay_search_closest_greater(config_tree, &cfg);
if(!found)
return NULL;
return found;
}
-config_t *lookup_config_next(avl_tree_t *config_tree, const config_t *cfg) {
- avl_node_t *node;
+config_t *lookup_config_next(splay_tree_t *config_tree, const config_t *cfg) {
+ splay_node_t *node;
config_t *found;
- node = avl_search_node(config_tree, cfg);
+ node = splay_search_node(config_tree, cfg);
if(node) {
if(node->next) {
/* Teach newbies what subnets are... */
if(((subnet.type == SUBNET_IPV4)
- && !maskcheck(&subnet.net.ipv4.address, subnet.net.ipv4.prefixlength, sizeof(ipv4_t)))
+ && !maskcheck(&subnet.net.ipv4.address, subnet.net.ipv4.prefixlength, sizeof subnet.net.ipv4.address))
|| ((subnet.type == SUBNET_IPV6)
- && !maskcheck(&subnet.net.ipv6.address, subnet.net.ipv6.prefixlength, sizeof(ipv6_t)))) {
+ && !maskcheck(&subnet.net.ipv6.address, subnet.net.ipv6.prefixlength, sizeof subnet.net.ipv6.address))) {
logger(LOG_ERR, "Network address and prefix length do not match for configuration variable %s in %s line %d",
cfg->variable, cfg->file, cfg->line);
return false;
return buf;
}
+ config_t *parse_config_line(char *line, const char *fname, int lineno) {
+ config_t *cfg;
+ int len;
+ char *variable, *value, *eol;
+ variable = value = line;
+
+ eol = line + strlen(line);
+ while(strchr("\t ", *--eol))
+ *eol = '\0';
+
+ len = strcspn(value, "\t =");
+ value += len;
+ value += strspn(value, "\t ");
+ if(*value == '=') {
+ value++;
+ value += strspn(value, "\t ");
+ }
+ variable[len] = '\0';
+
+ if(!*value) {
+ const char err[] = "No value for variable";
+ if (fname)
+ logger(LOG_ERR, "%s `%s' on line %d while reading config file %s",
+ err, variable, lineno, fname);
+ else
+ logger(LOG_ERR, "%s `%s' in command line option %d",
+ err, variable, lineno);
+ return NULL;
+ }
+
+ cfg = new_config();
+ cfg->variable = xstrdup(variable);
+ cfg->value = xstrdup(value);
+ cfg->file = fname ? xstrdup(fname) : NULL;
+ cfg->line = lineno;
+
+ return cfg;
+ }
+
/*
Parse a configuration file and put the results in the configuration tree
starting at *base.
*/
- int read_config_file(splay_tree_t *config_tree, const char *fname) {
-bool read_config_file(avl_tree_t *config_tree, const char *fname) {
++bool read_config_file(splay_tree_t *config_tree, const char *fname) {
FILE *fp;
char buffer[MAX_STRING_SIZE];
char *line;
- char *variable, *value, *eol;
int lineno = 0;
- int len;
bool ignore = false;
config_t *cfg;
bool result = false;
continue;
}
- variable = value = line;
-
- eol = line + strlen(line);
- while(strchr("\t ", *--eol))
- *eol = '\0';
-
- len = strcspn(value, "\t =");
- value += len;
- value += strspn(value, "\t ");
- if(*value == '=') {
- value++;
- value += strspn(value, "\t ");
- }
- variable[len] = '\0';
-
-
- if(!*value) {
- logger(LOG_ERR, "No value for variable `%s' on line %d while reading config file %s",
- variable, lineno, fname);
+ cfg = parse_config_line(line, fname, lineno);
+ if (!cfg)
break;
- }
-
- cfg = new_config();
- cfg->variable = xstrdup(variable);
- cfg->value = xstrdup(value);
- cfg->file = xstrdup(fname);
- cfg->line = lineno;
-
config_add(config_tree, cfg);
}
return result;
}
-void read_config_options(avl_tree_t *config_tree, const char *prefix) {
++void read_config_options(splay_tree_t *config_tree, const char *prefix) {
+ list_node_t *node, *next;
+ size_t prefix_len = prefix ? strlen(prefix) : 0;
+
+ for(node = cmdline_conf->tail; node; node = next) {
+ config_t *cfg = (config_t *)node->data;
+ next = node->prev;
+
+ if(!prefix && strchr(cfg->variable, '.'))
+ continue;
+
+ if(prefix && (strncmp(prefix, cfg->variable, prefix_len) || cfg->variable[prefix_len] != '.'))
+ continue;
+
+ config_add(config_tree, cfg);
+ node->data = NULL;
+ list_unlink_node(cmdline_conf, node);
+ }
+ }
+
bool read_server_config() {
char *fname;
bool x;
+ read_config_options(config_tree, NULL);
+
xasprintf(&fname, "%s/tinc.conf", confbase);
x = read_config_file(config_tree, fname);
return x;
}
-FILE *ask_and_open(const char *filename, const char *what) {
- FILE *r;
- char *directory;
- char line[PATH_MAX];
- const char *fn;
-
- /* Check stdin and stdout */
- if(!isatty(0) || !isatty(1)) {
- /* Argh, they are running us from a script or something. Write
- the files to the current directory and let them burn in hell
- for ever. */
- fn = filename;
- } else {
- /* Ask for a file and/or directory name. */
- fprintf(stdout, "Please enter a file to save %s to [%s]: ",
- what, filename);
- fflush(stdout);
-
- fn = readline(stdin, line, sizeof line);
-
- if(!fn) {
- fprintf(stderr, "Error while reading stdin: %s\n",
- strerror(errno));
- return NULL;
- }
-
- if(!strlen(fn))
- /* User just pressed enter. */
- fn = filename;
- }
-
-#ifdef HAVE_MINGW
- if(fn[0] != '\\' && fn[0] != '/' && !strchr(fn, ':')) {
-#else
- if(fn[0] != '/') {
-#endif
- /* The directory is a relative path or a filename. */
- char *p;
-
- directory = get_current_dir_name();
- xasprintf(&p, "%s/%s", directory, fn);
- free(directory);
- fn = p;
- }
-
- umask(0077); /* Disallow everything for group and other */
-
- /* Open it first to keep the inode busy */
-
- r = fopen(fn, "r+") ?: fopen(fn, "w+");
-
- if(!r) {
- fprintf(stderr, "Error opening file `%s': %s\n",
- fn, strerror(errno));
- return NULL;
- }
-
- return r;
-}
-
+ bool read_connection_config(connection_t *c) {
+ char *fname;
+ bool x;
+
+ read_config_options(c->config_tree, c->name);
+
+ xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
+ x = read_config_file(c->config_tree, fname);
+ free(fname);
+
+ return x;
+ }
+
bool disable_old_keys(FILE *f) {
char buf[100];
long pos;
rewind(f);
pos = ftell(f);
+ if(pos < 0)
+ return false;
+
while(fgets(buf, sizeof buf, f)) {
if(!strncmp(buf, "-----BEGIN RSA", 14)) {
buf[11] = 'O';
buf[12] = 'L';
buf[13] = 'D';
- fseek(f, pos, SEEK_SET);
- fputs(buf, f);
+ if(fseek(f, pos, SEEK_SET))
+ break;
+ if(fputs(buf, f) <= 0)
+ break;
disabled = true;
}
else if(!strncmp(buf, "-----END RSA", 12)) {
buf[ 9] = 'O';
buf[10] = 'L';
buf[11] = 'D';
- fseek(f, pos, SEEK_SET);
- fputs(buf, f);
+ if(fseek(f, pos, SEEK_SET))
+ break;
+ if(fputs(buf, f) <= 0)
+ break;
disabled = true;
}
pos = ftell(f);
+ if(pos < 0)
+ break;
}
return disabled;
#ifndef __TINC_CONF_H__
#define __TINC_CONF_H__
-#include "avl_tree.h"
+#include "splay_tree.h"
+ #include "list.h"
typedef struct config_t {
char *variable;
#include "subnet.h"
-extern avl_tree_t *config_tree;
+extern splay_tree_t *config_tree;
extern int pinginterval;
extern int pingtimeout;
extern bool bypass_security;
extern char *confbase;
extern char *netname;
+ extern list_t *cmdline_conf;
-extern void init_configuration(avl_tree_t **);
-extern void exit_configuration(avl_tree_t **);
+extern void init_configuration(splay_tree_t **);
+extern void exit_configuration(splay_tree_t **);
extern config_t *new_config(void) __attribute__ ((__malloc__));
extern void free_config(config_t *);
-extern void config_add(avl_tree_t *, config_t *);
-extern config_t *lookup_config(avl_tree_t *, char *);
-extern config_t *lookup_config_next(avl_tree_t *, const config_t *);
+extern void config_add(splay_tree_t *, config_t *);
+extern config_t *lookup_config(splay_tree_t *, char *);
+extern config_t *lookup_config_next(splay_tree_t *, const config_t *);
extern bool get_config_bool(const config_t *, bool *);
extern bool get_config_int(const config_t *, int *);
extern bool get_config_string(const config_t *, char **);
extern bool get_config_address(const config_t *, struct addrinfo **);
extern bool get_config_subnet(const config_t *, struct subnet_t **);
- extern int read_config_file(splay_tree_t *, const char *);
+ extern config_t *parse_config_line(char *, const char *, int);
-extern bool read_config_file(avl_tree_t *, const char *);
-extern void read_config_options(avl_tree_t *, const char *);
++extern bool read_config_file(splay_tree_t *, const char *);
++extern void read_config_options(splay_tree_t *, const char *);
extern bool read_server_config(void);
-extern FILE *ask_and_open(const char *, const char *);
+ extern bool read_connection_config(struct connection_t *);
+extern FILE *ask_and_open(const char *, const char *, const char *);
extern bool is_safe_path(const char *);
extern bool disable_old_keys(FILE *);
#include "system.h"
-#include "avl_tree.h"
+#include "splay_tree.h"
+#include "cipher.h"
#include "conf.h"
+#include "control_common.h"
#include "list.h"
#include "logger.h"
#include "net.h" /* Don't ask. */
#include "utils.h"
#include "xalloc.h"
-avl_tree_t *connection_tree; /* Meta connections */
+splay_tree_t *connection_tree; /* Meta connections */
connection_t *broadcast;
static int connection_compare(const connection_t *a, const connection_t *b) {
}
void init_connections(void) {
- connection_tree = avl_alloc_tree((avl_compare_t) connection_compare, (avl_action_t) free_connection);
+ connection_tree = splay_alloc_tree((splay_compare_t) connection_compare, (splay_action_t) free_connection);
broadcast = new_connection();
broadcast->name = xstrdup("everyone");
broadcast->hostname = xstrdup("BROADCAST");
}
void exit_connections(void) {
- avl_delete_tree(connection_tree);
+ splay_delete_tree(connection_tree);
free_connection(broadcast);
}
connection_t *new_connection(void) {
- connection_t *c;
-
- c = xmalloc_and_zero(sizeof(connection_t));
-
- if(!c)
- return NULL;
-
- gettimeofday(&c->start, NULL);
-
- return c;
+ return xmalloc_and_zero(sizeof(connection_t));
}
void free_connection(connection_t *c) {
+ if(!c)
+ return;
+
if(c->name)
free(c->name);
if(c->hostname)
free(c->hostname);
- if(c->inkey)
- free(c->inkey);
-
- if(c->outkey)
- free(c->outkey);
-
- if(c->inctx) {
- EVP_CIPHER_CTX_cleanup(c->inctx);
- free(c->inctx);
- }
-
- if(c->outctx) {
- EVP_CIPHER_CTX_cleanup(c->outctx);
- free(c->outctx);
- }
-
- if(c->mychallenge)
- free(c->mychallenge);
+ cipher_close(&c->incipher);
+ cipher_close(&c->outcipher);
if(c->hischallenge)
free(c->hischallenge);
if(c->config_tree)
exit_configuration(&c->config_tree);
- if(c->outbuf)
- free(c->outbuf);
-
- if(c->rsa_key)
- RSA_free(c->rsa_key);
+ if(c->buffer)
+ bufferevent_free(c->buffer);
+
+ if(event_initialized(&c->inevent))
+ event_del(&c->inevent);
free(c);
}
void connection_add(connection_t *c) {
- avl_insert(connection_tree, c);
+ splay_insert(connection_tree, c);
}
void connection_del(connection_t *c) {
- avl_delete(connection_tree, c);
+ splay_delete(connection_tree, c);
}
-void dump_connections(void) {
- avl_node_t *node;
+bool dump_connections(connection_t *cdump) {
+ splay_node_t *node;
connection_t *c;
- logger(LOG_DEBUG, "Connections:");
-
for(node = connection_tree->head; node; node = node->next) {
c = node->data;
- logger(LOG_DEBUG, " %s at %s options %x socket %d status %04x outbuf %d/%d/%d",
- c->name, c->hostname, c->options, c->socket, bitfield_to_int(&c->status, sizeof c->status),
- c->outbufsize, c->outbufstart, c->outbuflen);
+ send_request(cdump, "%d %d %s at %s options %x socket %d status %04x",
+ CONTROL, REQ_DUMP_CONNECTIONS,
+ c->name, c->hostname, c->options, c->socket,
+ bitfield_to_int(&c->status, sizeof c->status));
}
- logger(LOG_DEBUG, "End of connections.");
+ return send_request(cdump, "%d %d", CONTROL, REQ_DUMP_CONNECTIONS);
}
-
- bool read_connection_config(connection_t *c) {
- char *fname;
- bool x;
-
- xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
- x = read_config_file(c->config_tree, fname);
- free(fname);
-
- return x;
- }
#ifndef __TINC_CONNECTION_H__
#define __TINC_CONNECTION_H__
-#include <openssl/rsa.h>
-#include <openssl/evp.h>
-
-#include "avl_tree.h"
+#include "cipher.h"
+#include "digest.h"
+#include "rsa.h"
+#include "splay_tree.h"
#define OPTION_INDIRECT 0x0001
#define OPTION_TCPONLY 0x0002
#define OPTION_CLAMP_MSS 0x0008
typedef struct connection_status_t {
- int pinged:1; /* sent ping */
- int active:1; /* 1 if active.. */
- int connecting:1; /* 1 if we are waiting for a non-blocking connect() to finish */
- int termreq:1; /* the termination of this connection was requested */
- int remove:1; /* Set to 1 if you want this connection removed */
- int timeout:1; /* 1 if gotten timeout */
- int encryptout:1; /* 1 if we can encrypt outgoing traffic */
- int decryptin:1; /* 1 if we have to decrypt incoming traffic */
- int mst:1; /* 1 if this connection is part of a minimum spanning tree */
- int unused:23;
+ int pinged:1; /* sent ping */
+ int active:1; /* 1 if active.. */
+ int connecting:1; /* 1 if we are waiting for a non-blocking connect() to finish */
+ int termreq:1; /* the termination of this connection was requested */
+ int remove_unused:1; /* Set to 1 if you want this connection removed */
+ int timeout_unused:1; /* 1 if gotten timeout */
+ int encryptout:1; /* 1 if we can encrypt outgoing traffic */
+ int decryptin:1; /* 1 if we have to decrypt incoming traffic */
+ int mst:1; /* 1 if this connection is part of a minimum spanning tree */
+ int control:1;
+ int unused:22;
} connection_status_t;
#include "edge.h"
struct node_t *node; /* node associated with the other end */
struct edge_t *edge; /* edge associated with this connection */
- RSA *rsa_key; /* his public/private key */
- const EVP_CIPHER *incipher; /* Cipher he will use to send data to us */
- const EVP_CIPHER *outcipher; /* Cipher we will use to send data to him */
- EVP_CIPHER_CTX *inctx; /* Context of encrypted meta data that will come from him to us */
- EVP_CIPHER_CTX *outctx; /* Context of encrypted meta data that will be sent from us to him */
- char *inkey; /* His symmetric meta key + iv */
- char *outkey; /* Our symmetric meta key + iv */
- int inkeylength; /* Length of his key + iv */
- int outkeylength; /* Length of our key + iv */
- const EVP_MD *indigest;
- const EVP_MD *outdigest;
+ rsa_t rsa; /* his public/private key */
+ cipher_t incipher; /* Cipher he will use to send data to us */
+ cipher_t outcipher; /* Cipher we will use to send data to him */
+ digest_t indigest;
+ digest_t outdigest;
+
int inmaclength;
int outmaclength;
int incompression;
int outcompression;
- char *mychallenge; /* challenge we received from him */
- char *hischallenge; /* challenge we sent to him */
- char buffer[MAXBUFSIZE]; /* metadata input buffer */
- int buflen; /* bytes read into buffer */
- int reqlen; /* length of incoming request */
+ char *hischallenge; /* The challenge we sent to him */
+
+ struct bufferevent *buffer; /* buffer events on this metadata connection */
+ struct event inevent; /* input event on this metadata connection */
int tcplen; /* length of incoming TCPpacket */
int allow_request; /* defined if there's only one request possible */
- char *outbuf; /* metadata output buffer */
- int outbufstart; /* index of first meaningful byte in output buffer */
- int outbuflen; /* number of meaningful bytes in output buffer */
- int outbufsize; /* number of bytes allocated to output buffer */
-
time_t last_ping_time; /* last time we saw some activity from the other end or pinged them */
- time_t last_flushed_time; /* last time buffer was empty. Only meaningful if outbuflen > 0 */
- avl_tree_t *config_tree; /* Pointer to configuration tree belonging to him */
+ splay_tree_t *config_tree; /* Pointer to configuration tree belonging to him */
} connection_t;
-extern avl_tree_t *connection_tree;
+extern splay_tree_t *connection_tree;
extern connection_t *broadcast;
extern void init_connections(void);
extern void free_connection(connection_t *);
extern void connection_add(connection_t *);
extern void connection_del(connection_t *);
-extern void dump_connections(void);
+extern bool dump_connections(struct connection_t *);
- extern bool read_connection_config(connection_t *);
#endif /* __TINC_CONNECTION_H__ */
char *iface = NULL;
static char *device_info = NULL;
- static int device_total_in = 0;
- static int device_total_out = 0;
+ static uint64_t device_total_in = 0;
+ static uint64_t device_total_out = 0;
static pid_t reader_pid;
static int sp[2];
}
for (i = 0; ; i++) {
- len = sizeof(adapterid);
+ len = sizeof adapterid;
if(RegEnumKeyEx(key, i, adapterid, &len, 0, 0, 0, NULL))
break;
/* Find out more about this adapter */
- snprintf(regpath, sizeof(regpath), "%s\\%s\\Connection", NETWORK_CONNECTIONS_KEY, adapterid);
+ snprintf(regpath, sizeof regpath, "%s\\%s\\Connection", NETWORK_CONNECTIONS_KEY, adapterid);
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, regpath, 0, KEY_READ, &key2))
continue;
- len = sizeof(adaptername);
+ len = sizeof adaptername;
err = RegQueryValueEx(key2, "Name", 0, 0, adaptername, &len);
RegCloseKey(key2);
continue;
}
- snprintf(tapname, sizeof(tapname), USERMODEDEVICEDIR "%s" TAPSUFFIX, adapterid);
+ snprintf(tapname, sizeof tapname, USERMODEDEVICEDIR "%s" TAPSUFFIX, adapterid);
device_handle = CreateFile(tapname, GENERIC_WRITE | GENERIC_READ, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM, 0);
if(device_handle != INVALID_HANDLE_VALUE) {
CloseHandle(device_handle);
if(!iface)
iface = xstrdup(adaptername);
- snprintf(tapname, sizeof(tapname), USERMODEDEVICEDIR "%s" TAPSUFFIX, device);
+ snprintf(tapname, sizeof tapname, USERMODEDEVICEDIR "%s" TAPSUFFIX, device);
/* Now we are going to open this device twice: once for reading and once for writing.
We do this because apparently it isn't possible to check for activity in the select() loop.
/* Get MAC address from tap device */
- if(!DeviceIoControl(device_handle, TAP_IOCTL_GET_MAC, mymac.x, sizeof(mymac.x), mymac.x, sizeof(mymac.x), &len, 0)) {
+ if(!DeviceIoControl(device_handle, TAP_IOCTL_GET_MAC, mymac.x, sizeof mymac.x, mymac.x, sizeof mymac.x, &len, 0)) {
logger(LOG_ERR, "Could not get MAC address from Windows tap device %s (%s): %s", device, iface, winerror(GetLastError()));
return false;
}
It passes everything it reads to the socket. */
char buf[MTU];
- long lenin;
+ long inlen;
CloseHandle(device_handle);
/* Pass packets */
for(;;) {
- ReadFile(device_handle, buf, MTU, &lenin, NULL);
- write(sp[1], buf, lenin);
+ ReadFile(device_handle, buf, MTU, &inlen, NULL);
+ write(sp[1], buf, inlen);
}
}
}
bool read_packet(vpn_packet_t *packet) {
- int lenin;
+ int inlen;
- if((lenin = read(sp[0], packet->data, MTU)) <= 0) {
+ if((inlen = read(sp[0], packet->data, MTU)) <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
device, strerror(errno));
return false;
}
- packet->len = lenin;
+ packet->len = inlen;
device_total_in += packet->len;
}
bool write_packet(vpn_packet_t *packet) {
- long lenout;
+ long outlen;
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s",
packet->len, device_info);
- if(!WriteFile (device_handle, packet->data, packet->len, &lenout, NULL)) {
+ if(!WriteFile (device_handle, packet->data, packet->len, &outlen, NULL)) {
logger(LOG_ERR, "Error while writing to %s %s: %s", device_info, device, winerror(GetLastError()));
return false;
}
void dump_device_stats(void) {
logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device);
- logger(LOG_DEBUG, " total bytes in: %10d", device_total_in);
- logger(LOG_DEBUG, " total bytes out: %10d", device_total_out);
+ logger(LOG_DEBUG, " total bytes in: %10"PRIu64, device_total_in);
+ logger(LOG_DEBUG, " total bytes out: %10"PRIu64, device_total_out);
}
#include <stdio.h>
+ #ifdef HAVE_STRING_H
+ #include <string.h>
+ #endif
+
/* Comment out all this code if we are using the GNU C Library, and are not
actually compiling the library itself. This code is part of the GNU C
Library, but also included in many other GNU distributions. Compiling
else
{
if (opterr)
- if (argv[optind - 1][1] == '-')
- /* --option */
- fprintf (stderr,
- "%s: option `--%s' doesn't allow an argument\n",
- argv[0], pfound->name);
- else
- /* +option or -option */
- fprintf (stderr,
- "%s: option `%c%s' doesn't allow an argument\n",
- argv[0], argv[optind - 1][0], pfound->name);
+ {
+ if (argv[optind - 1][1] == '-')
+ /* --option */
+ fprintf (stderr,
+ "%s: option `--%s' doesn't allow an argument\n",
+ argv[0], pfound->name);
+ else
+ /* +option or -option */
+ fprintf (stderr,
+ "%s: option `%c%s' doesn't allow an argument\n",
+ argv[0], argv[optind - 1][0], pfound->name);
+ }
nextchar += strlen (nextchar);
static char ifrname[IFNAMSIZ];
static char *device_info;
- static int device_total_in = 0;
- static int device_total_out = 0;
+ static uint64_t device_total_in = 0;
+ static uint64_t device_total_out = 0;
bool setup_device(void) {
struct ifreq ifr;
if (netname != NULL)
iface = xstrdup(netname);
#else
- iface = xstrdup(rindex(device, '/') ? rindex(device, '/') + 1 : device);
+ iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
#endif
device_fd = open(device, O_RDWR | O_NONBLOCK);
#ifdef HAVE_LINUX_IF_TUN_H
/* Ok now check if this is an old ethertap or a new tun/tap thingie */
- memset(&ifr, 0, sizeof(ifr));
+ memset(&ifr, 0, sizeof ifr);
if(routing_mode == RMODE_ROUTER) {
ifr.ifr_flags = IFF_TUN;
device_type = DEVICE_TYPE_TUN;
device_type = DEVICE_TYPE_ETHERTAP;
if(iface)
free(iface);
- iface = xstrdup(rindex(device, '/') ? rindex(device, '/') + 1 : device);
+ iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
}
logger(LOG_INFO, "%s is a %s", device, device_info);
}
bool read_packet(vpn_packet_t *packet) {
- int lenin;
+ int inlen;
switch(device_type) {
case DEVICE_TYPE_TUN:
- lenin = read(device_fd, packet->data + 10, MTU - 10);
+ inlen = read(device_fd, packet->data + 10, MTU - 10);
- if(lenin <= 0) {
+ if(inlen <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s",
device_info, device, strerror(errno));
return false;
}
- packet->len = lenin + 10;
+ packet->len = inlen + 10;
break;
case DEVICE_TYPE_TAP:
- lenin = read(device_fd, packet->data, MTU);
+ inlen = read(device_fd, packet->data, MTU);
- if(lenin <= 0) {
+ if(inlen <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s",
device_info, device, strerror(errno));
return false;
}
- packet->len = lenin;
+ packet->len = inlen;
break;
case DEVICE_TYPE_ETHERTAP:
- lenin = read(device_fd, packet->data - 2, MTU + 2);
+ inlen = read(device_fd, packet->data - 2, MTU + 2);
- if(lenin <= 0) {
+ if(inlen <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s",
device_info, device, strerror(errno));
return false;
}
- packet->len = lenin - 2;
+ packet->len = inlen - 2;
break;
}
void dump_device_stats(void) {
logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device);
- logger(LOG_DEBUG, " total bytes in: %10d", device_total_in);
- logger(LOG_DEBUG, " total bytes out: %10d", device_total_out);
+ logger(LOG_DEBUG, " total bytes in: %10"PRIu64, device_total_in);
+ logger(LOG_DEBUG, " total bytes out: %10"PRIu64, device_total_out);
}
#ifdef HAVE_MINGW
{
char message[4096];
- char *messages[] = {message};
+ const char *messages[] = {message};
- vsnprintf(message, sizeof(message), format, ap);
+ vsnprintf(message, sizeof message, format, ap);
ReportEvent(loghandle, priority, 0, 0, NULL, 1, 0, messages, NULL);
}
#else
#else
{
char message[4096];
- vsnprintf(message, sizeof(message), format, ap);
+ vsnprintf(message, sizeof message, format, ap);
syslog(priority, "%s", message);
}
#endif
memcmp_bytes (a, b)
op_t a, b;
{
- long int srcp1 = (long int) &a;
- long int srcp2 = (long int) &b;
+ intptr_t srcp1 = (intptr_t) &a;
+ intptr_t srcp2 = (intptr_t) &b;
op_t a0, b0;
do
}
#endif
- static int memcmp_common_alignment __P((long, long, size_t));
+ static int memcmp_common_alignment __P((intptr_t, intptr_t, size_t));
/* memcmp_common_alignment -- Compare blocks at SRCP1 and SRCP2 with LEN `op_t'
objects (not LEN bytes!). Both SRCP1 and SRCP2 should be aligned for
#endif
static int
memcmp_common_alignment (srcp1, srcp2, len)
- long int srcp1;
- long int srcp2;
+ intptr_t srcp1;
+ intptr_t srcp2;
size_t len;
{
op_t a0, a1;
return 0;
}
- static int memcmp_not_common_alignment __P((long, long, size_t));
+ static int memcmp_not_common_alignment __P((intptr_t, intptr_t, size_t));
/* memcmp_not_common_alignment -- Compare blocks at SRCP1 and SRCP2 with LEN
`op_t' objects (not LEN bytes!). SRCP2 should be aligned for memory
#endif
static int
memcmp_not_common_alignment (srcp1, srcp2, len)
- long int srcp1;
- long int srcp2;
+ intptr_t srcp1;
+ intptr_t srcp2;
size_t len;
{
op_t a0, a1, a2, a3;
{
op_t a0;
op_t b0;
- long int srcp1 = (long int) s1;
- long int srcp2 = (long int) s2;
+ intptr_t srcp1 = (intptr_t) s1;
+ intptr_t srcp2 = (intptr_t) s2;
op_t res;
if (len >= OP_T_THRES)
char *iface = NULL;
static char *device_info = NULL;
- static int device_total_in = 0;
- static int device_total_out = 0;
+ static uint64_t device_total_in = 0;
+ static uint64_t device_total_out = 0;
extern char *myport;
}
for (i = 0; ; i++) {
- len = sizeof(adapterid);
+ len = sizeof adapterid;
if(RegEnumKeyEx(key, i, adapterid, &len, 0, 0, 0, NULL))
break;
/* Find out more about this adapter */
- snprintf(regpath, sizeof(regpath), "%s\\%s\\Connection", NETWORK_CONNECTIONS_KEY, adapterid);
+ snprintf(regpath, sizeof regpath, "%s\\%s\\Connection", NETWORK_CONNECTIONS_KEY, adapterid);
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, regpath, 0, KEY_READ, &key2))
continue;
- len = sizeof(adaptername);
+ len = sizeof adaptername;
err = RegQueryValueEx(key2, "Name", 0, 0, adaptername, &len);
RegCloseKey(key2);
continue;
}
- snprintf(tapname, sizeof(tapname), USERMODEDEVICEDIR "%s" TAPSUFFIX, adapterid);
+ snprintf(tapname, sizeof tapname, USERMODEDEVICEDIR "%s" TAPSUFFIX, adapterid);
device_handle = CreateFile(tapname, GENERIC_WRITE | GENERIC_READ, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, 0);
if(device_handle != INVALID_HANDLE_VALUE) {
found = true;
/* Try to open the corresponding tap device */
if(device_handle == INVALID_HANDLE_VALUE) {
- snprintf(tapname, sizeof(tapname), USERMODEDEVICEDIR "%s" TAPSUFFIX, device);
+ snprintf(tapname, sizeof tapname, USERMODEDEVICEDIR "%s" TAPSUFFIX, device);
device_handle = CreateFile(tapname, GENERIC_WRITE | GENERIC_READ, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, 0);
}
/* Get MAC address from tap device */
- if(!DeviceIoControl(device_handle, TAP_IOCTL_GET_MAC, mymac.x, sizeof(mymac.x), mymac.x, sizeof(mymac.x), &len, 0)) {
+ if(!DeviceIoControl(device_handle, TAP_IOCTL_GET_MAC, mymac.x, sizeof mymac.x, mymac.x, sizeof mymac.x, &len, 0)) {
logger(LOG_ERR, "Could not get MAC address from Windows tap device %s (%s): %s", device, iface, winerror(GetLastError()));
return false;
}
/* Set media status for newer TAP-Win32 devices */
status = true;
- DeviceIoControl(device_handle, TAP_IOCTL_SET_MEDIA_STATUS, &status, sizeof(status), &status, sizeof(status), &len, NULL);
+ DeviceIoControl(device_handle, TAP_IOCTL_SET_MEDIA_STATUS, &status, sizeof status, &status, sizeof status, &len, NULL);
device_info = "Windows tap device";
}
bool write_packet(vpn_packet_t *packet) {
- long lenout;
+ long outlen;
OVERLAPPED overlapped = {0};
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s",
packet->len, device_info);
- if(!WriteFile(device_handle, packet->data, packet->len, &lenout, &overlapped)) {
+ if(!WriteFile(device_handle, packet->data, packet->len, &outlen, &overlapped)) {
logger(LOG_ERR, "Error while writing to %s %s: %s", device_info, device, winerror(GetLastError()));
return false;
}
void dump_device_stats(void) {
logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device);
- logger(LOG_DEBUG, " total bytes in: %10d", device_total_in);
- logger(LOG_DEBUG, " total bytes out: %10d", device_total_out);
+ logger(LOG_DEBUG, " total bytes in: %10"PRIu64, device_total_in);
+ logger(LOG_DEBUG, " total bytes out: %10"PRIu64, device_total_out);
}
#include "system.h"
-#include <openssl/rand.h>
-
#include "utils.h"
-#include "avl_tree.h"
+#include "splay_tree.h"
#include "conf.h"
#include "connection.h"
#include "device.h"
-#include "event.h"
#include "graph.h"
#include "logger.h"
#include "meta.h"
#include "netutl.h"
#include "process.h"
#include "protocol.h"
-#include "route.h"
#include "subnet.h"
#include "xalloc.h"
-bool do_purge = false;
-volatile bool running = false;
-
-time_t now = 0;
+ int contradicting_add_edge = 0;
+ int contradicting_del_edge = 0;
+
/* Purge edges and subnets of unreachable nodes. Use carefully. */
-static void purge(void) {
- avl_node_t *nnode, *nnext, *enode, *enext, *snode, *snext;
+void purge(void) {
+ splay_node_t *nnode, *nnext, *enode, *enext, *snode, *snext;
node_t *n;
edge_t *e;
subnet_t *s;
}
}
-/*
- put all file descriptors in an fd_set array
- While we're at it, purge stuff that needs to be removed.
-*/
-static int build_fdset(fd_set *readset, fd_set *writeset) {
- avl_node_t *node, *next;
- connection_t *c;
- int i, max = 0;
-
- FD_ZERO(readset);
- FD_ZERO(writeset);
-
- for(node = connection_tree->head; node; node = next) {
- next = node->next;
- c = node->data;
-
- if(c->status.remove) {
- connection_del(c);
- if(!connection_tree->head)
- purge();
- } else {
- FD_SET(c->socket, readset);
- if(c->outbuflen > 0)
- FD_SET(c->socket, writeset);
- if(c->socket > max)
- max = c->socket;
- }
- }
-
- for(i = 0; i < listen_sockets; i++) {
- FD_SET(listen_socket[i].tcp, readset);
- if(listen_socket[i].tcp > max)
- max = listen_socket[i].tcp;
- FD_SET(listen_socket[i].udp, readset);
- if(listen_socket[i].udp > max)
- max = listen_socket[i].udp;
- }
-
- if(device_fd >= 0)
- FD_SET(device_fd, readset);
- if(device_fd > max)
- max = device_fd;
-
- return max;
-}
-
/*
Terminate a connection:
- Close the socket
- Deactivate the host
*/
void terminate_connection(connection_t *c, bool report) {
- if(c->status.remove)
- return;
-
ifdebug(CONNECTIONS) logger(LOG_NOTICE, "Closing connection with %s (%s)",
c->name, c->hostname);
- c->status.remove = true;
c->status.active = false;
if(c->node)
/* Check if this was our outgoing connection */
- if(c->outgoing) {
+ if(c->outgoing)
retry_outgoing(c->outgoing);
- c->outgoing = NULL;
- }
- free(c->outbuf);
- c->outbuf = NULL;
- c->outbuflen = 0;
- c->outbufsize = 0;
- c->outbufstart = 0;
+ connection_del(c);
}
/*
end does not reply in time, we consider them dead
and close the connection.
*/
-static void check_dead_connections(void) {
- avl_node_t *node, *next;
+static void timeout_handler(int fd, short events, void *event) {
+ splay_node_t *node, *next;
connection_t *c;
+ time_t now = time(NULL);
for(node = connection_tree->head; node; node = next) {
next = node->next;
if(c->status.pinged) {
ifdebug(CONNECTIONS) logger(LOG_INFO, "%s (%s) didn't respond to PING in %ld seconds",
c->name, c->hostname, now - c->last_ping_time);
- c->status.timeout = true;
terminate_connection(c, true);
+ continue;
} else if(c->last_ping_time + pinginterval < now) {
send_ping(c);
}
} else {
- if(c->status.remove) {
- logger(LOG_WARNING, "Old connection_t for %s (%s) status %04x still lingering, deleting...",
- c->name, c->hostname, bitfield_to_int(&c->status, sizeof c->status));
- connection_del(c);
- continue;
- }
- ifdebug(CONNECTIONS) logger(LOG_WARNING, "Timeout from %s (%s) during authentication",
- c->name, c->hostname);
if(c->status.connecting) {
+ ifdebug(CONNECTIONS)
+ logger(LOG_WARNING, "Timeout while connecting to %s (%s)", c->name, c->hostname);
c->status.connecting = false;
closesocket(c->socket);
do_outgoing_connection(c);
} else {
+ ifdebug(CONNECTIONS) logger(LOG_WARNING, "Timeout from %s (%s) during authentication", c->name, c->hostname);
terminate_connection(c, false);
+ continue;
}
}
}
-
- if(c->outbuflen > 0 && c->last_flushed_time + pingtimeout < now) {
- if(c->status.active) {
- ifdebug(CONNECTIONS) logger(LOG_INFO,
- "%s (%s) could not flush for %ld seconds (%d bytes remaining)",
- c->name, c->hostname, now - c->last_flushed_time, c->outbuflen);
- c->status.timeout = true;
- terminate_connection(c, true);
- }
- }
- }
-}
-
-/*
- check all connections to see if anything
- happened on their sockets
-*/
-static void check_network_activity(fd_set * readset, fd_set * writeset) {
- connection_t *c;
- avl_node_t *node;
- int result, i;
- socklen_t len = sizeof(result);
- vpn_packet_t packet;
- static int errors = 0;
-
- /* check input from kernel */
- if(device_fd >= 0 && FD_ISSET(device_fd, readset)) {
- if(read_packet(&packet)) {
- errors = 0;
- packet.priority = 0;
- route(myself, &packet);
- } else {
- usleep(errors * 50000);
- errors++;
- if(errors > 10) {
- logger(LOG_ERR, "Too many errors from %s, exiting!", device);
- running = false;
- }
- }
}
- /* check meta connections */
- for(node = connection_tree->head; node; node = node->next) {
- c = node->data;
++ if(contradicting_del_edge && contradicting_add_edge) {
++ logger(LOG_WARNING, "Possible node with same Name as us!");
+
- if(c->status.remove)
- continue;
-
- if(FD_ISSET(c->socket, readset)) {
- if(c->status.connecting) {
- c->status.connecting = false;
- getsockopt(c->socket, SOL_SOCKET, SO_ERROR, (void *)&result, &len);
++ if(rand() % 3 == 0) {
++ logger(LOG_ERR, "Shutting down, check configuration of all nodes for duplicate Names!");
++ event_loopexit(NULL);
++ return;
++ }
+
- if(!result)
- finish_connecting(c);
- else {
- ifdebug(CONNECTIONS) logger(LOG_DEBUG,
- "Error while connecting to %s (%s): %s",
- c->name, c->hostname, sockstrerror(result));
- closesocket(c->socket);
- do_outgoing_connection(c);
- continue;
- }
- }
++ contradicting_add_edge = 0;
++ contradicting_del_edge = 0;
++ }
+
- if(!receive_meta(c)) {
- terminate_connection(c, c->status.active);
- continue;
- }
- }
+ event_add(event, &(struct timeval){pingtimeout, 0});
+}
- if(FD_ISSET(c->socket, writeset)) {
- if(!flush_meta(c)) {
- terminate_connection(c, c->status.active);
- continue;
- }
+void handle_meta_connection_data(int fd, short events, void *data) {
+ connection_t *c = data;
+ int result;
+ socklen_t len = sizeof result;
+
+ if(c->status.connecting) {
+ c->status.connecting = false;
+
+ getsockopt(c->socket, SOL_SOCKET, SO_ERROR, &result, &len);
+
+ if(!result)
+ finish_connecting(c);
+ else {
+ ifdebug(CONNECTIONS) logger(LOG_DEBUG,
+ "Error while connecting to %s (%s): %s",
+ c->name, c->hostname, sockstrerror(result));
+ closesocket(c->socket);
+ do_outgoing_connection(c);
+ return;
}
}
- for(i = 0; i < listen_sockets; i++) {
- if(FD_ISSET(listen_socket[i].udp, readset))
- handle_incoming_vpn_data(listen_socket[i].udp);
-
- if(FD_ISSET(listen_socket[i].tcp, readset))
- handle_new_meta_connection(listen_socket[i].tcp);
+ if (!receive_meta(c)) {
+ terminate_connection(c, c->status.active);
+ return;
}
}
-/*
- this is where it all happens...
-*/
-int main_loop(void) {
- fd_set readset, writeset;
- struct timeval tv;
- int r, maxfd;
- time_t last_ping_check, last_config_check, last_graph_dump;
- event_t *event;
-
- last_ping_check = now;
- last_config_check = now;
- last_graph_dump = now;
-
- srand(now);
-
- running = true;
+static void sigterm_handler(int signal, short events, void *data) {
+ logger(LOG_NOTICE, "Got %s signal", strsignal(signal));
+ event_loopexit(NULL);
+}
- while(running) {
- now = time(NULL);
+static void sighup_handler(int signal, short events, void *data) {
+ logger(LOG_NOTICE, "Got %s signal", strsignal(signal));
+ reload_configuration();
+}
- // tv.tv_sec = 1 + (rand() & 7); /* Approx. 5 seconds, randomized to prevent global synchronisation effects */
- tv.tv_sec = 1;
- tv.tv_usec = 0;
+int reload_configuration(void) {
+ connection_t *c;
+ splay_node_t *node, *next;
+ char *fname;
+ struct stat s;
+ static time_t last_config_check = 0;
- maxfd = build_fdset(&readset, &writeset);
+ /* Reread our own configuration file */
-#ifdef HAVE_MINGW
- LeaveCriticalSection(&mutex);
-#endif
- r = select(maxfd + 1, &readset, &writeset, NULL, &tv);
-#ifdef HAVE_MINGW
- EnterCriticalSection(&mutex);
-#endif
+ exit_configuration(&config_tree);
+ init_configuration(&config_tree);
- if(r < 0) {
- if(!sockwouldblock(sockerrno)) {
- logger(LOG_ERR, "Error while waiting for input: %s", sockstrerror(sockerrno));
- dump_connections();
- return 1;
- }
- }
-
- if(r > 0)
- check_network_activity(&readset, &writeset);
+ if(!read_server_config()) {
+ logger(LOG_ERR, "Unable to reread configuration file, exitting.");
+ event_loopexit(NULL);
+ return EINVAL;
+ }
- if(do_purge) {
- purge();
- do_purge = false;
+ /* Close connections to hosts that have a changed or deleted host config file */
+
+ for(node = connection_tree->head; node; node = next) {
+ c = node->data;
+ next = node->next;
+
+ if(c->outgoing) {
+ free(c->outgoing->name);
+ if(c->outgoing->ai)
+ freeaddrinfo(c->outgoing->ai);
+ free(c->outgoing);
+ c->outgoing = NULL;
}
+
+ xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
+ if(stat(fname, &s) || s.st_mtime > last_config_check)
+ terminate_connection(c, c->status.active);
+ free(fname);
+ }
- /* Let's check if everybody is still alive */
-
- if(last_ping_check + pingtimeout < now) {
- check_dead_connections();
- last_ping_check = now;
-
- if(routing_mode == RMODE_SWITCH)
- age_subnets();
-
- age_past_requests();
-
- /* Should we regenerate our key? */
-
- if(keyexpires < now) {
- avl_node_t *node;
- node_t *n;
+ last_config_check = time(NULL);
- ifdebug(STATUS) logger(LOG_INFO, "Expiring symmetric keys");
+ /* If StrictSubnet is set, expire deleted Subnets and read new ones in */
- for(node = node_tree->head; node; node = node->next) {
- n = node->data;
- if(n->inkey) {
- free(n->inkey);
- n->inkey = NULL;
- }
- }
+ if(strictsubnets) {
+ subnet_t *subnet;
- send_key_changed(broadcast, myself);
- keyexpires = now + keylifetime;
- }
+
- if(contradicting_del_edge && contradicting_add_edge) {
- logger(LOG_WARNING, "Possible node with same Name as us!");
-
- if(rand() % 3 == 0) {
- logger(LOG_ERR, "Shutting down, check configuration of all nodes for duplicate Names!");
- running = false;
- break;
- }
-
- contradicting_add_edge = 0;
- contradicting_del_edge = 0;
- }
+ for(node = subnet_tree->head; node; node = node->next) {
+ subnet = node->data;
+ subnet->expires = 1;
}
- if(sigalrm) {
- avl_node_t *node;
- logger(LOG_INFO, "Flushing event queue");
- expire_events();
- for(node = connection_tree->head; node; node = node->next) {
- connection_t *c = node->data;
- send_ping(c);
+ load_all_subnets();
+
+ for(node = subnet_tree->head; node; node = next) {
+ next = node->next;
+ subnet = node->data;
+ if(subnet->expires == 1) {
+ send_del_subnet(broadcast, subnet);
+ if(subnet->owner->status.reachable)
+ subnet_update(subnet->owner, subnet, false);
+ subnet_del(subnet->owner, subnet);
+ } else if(subnet->expires == -1) {
+ subnet->expires = 0;
+ } else {
+ send_add_subnet(broadcast, subnet);
+ if(subnet->owner->status.reachable)
+ subnet_update(subnet->owner, subnet, true);
}
- sigalrm = false;
- }
-
- while((event = get_expired_event())) {
- event->handler(event->data);
- free_event(event);
}
+ }
- if(sighup) {
- connection_t *c;
- avl_node_t *node, *next;
- char *fname;
- struct stat s;
-
- sighup = false;
-
- /* Reread our own configuration file */
-
- exit_configuration(&config_tree);
- init_configuration(&config_tree);
-
- if(!read_server_config()) {
- logger(LOG_ERR, "Unable to reread configuration file, exitting.");
- return 1;
- }
-
- /* Cancel non-active outgoing connections */
-
- for(node = connection_tree->head; node; node = next) {
- next = node->next;
- c = node->data;
-
- c->outgoing = NULL;
-
- if(c->status.connecting) {
- terminate_connection(c, false);
- connection_del(c);
- }
- }
-
- /* Wipe list of outgoing connections */
-
- for(list_node_t *node = outgoing_list->head; node; node = node->next) {
- outgoing_t *outgoing = node->data;
-
- if(outgoing->event)
- event_del(outgoing->event);
- }
-
- list_delete_list(outgoing_list);
-
- /* Close connections to hosts that have a changed or deleted host config file */
-
- for(node = connection_tree->head; node; node = node->next) {
- c = node->data;
-
- xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
- if(stat(fname, &s) || s.st_mtime > last_config_check)
- terminate_connection(c, c->status.active);
- free(fname);
- }
+ /* Try to make outgoing connections */
+
+ try_outgoing_connections();
- last_config_check = now;
+ return 0;
+}
- /* If StrictSubnet is set, expire deleted Subnets and read new ones in */
+void retry(void) {
+ connection_t *c;
+ splay_node_t *node;
- if(strictsubnets) {
- subnet_t *subnet;
+ for(node = connection_tree->head; node; node = node->next) {
+ c = node->data;
+
+ if(c->outgoing && !c->node) {
+ if(timeout_initialized(&c->outgoing->ev))
+ event_del(&c->outgoing->ev);
+ if(c->status.connecting)
+ close(c->socket);
+ c->outgoing->timeout = 0;
+ do_outgoing_connection(c);
+ }
+ }
+}
- for(node = subnet_tree->head; node; node = node->next) {
- subnet = node->data;
- subnet->expires = 1;
- }
+/*
+ this is where it all happens...
+*/
+int main_loop(void) {
+ struct event timeout_event;
+ struct event sighup_event;
+ struct event sigterm_event;
+ struct event sigquit_event;
- load_all_subnets();
-
- for(node = subnet_tree->head; node; node = next) {
- next = node->next;
- subnet = node->data;
- if(subnet->expires == 1) {
- send_del_subnet(broadcast, subnet);
- if(subnet->owner->status.reachable)
- subnet_update(subnet->owner, subnet, false);
- subnet_del(subnet->owner, subnet);
- } else if(subnet->expires == -1) {
- subnet->expires = 0;
- } else {
- send_add_subnet(broadcast, subnet);
- if(subnet->owner->status.reachable)
- subnet_update(subnet->owner, subnet, true);
- }
- }
- }
+ timeout_set(&timeout_event, timeout_handler, &timeout_event);
+ event_add(&timeout_event, &(struct timeval){pingtimeout, 0});
- /* Try to make outgoing connections */
-
- try_outgoing_connections();
- }
-
- /* Dump graph if wanted every 60 seconds*/
+#ifdef SIGHUP
+ signal_set(&sighup_event, SIGHUP, sighup_handler, NULL);
+ signal_add(&sighup_event, NULL);
+#endif
+#ifdef SIGTERM
+ signal_set(&sigterm_event, SIGTERM, sigterm_handler, NULL);
+ signal_add(&sigterm_event, NULL);
+#endif
+#ifdef SIGQUIT
+ signal_set(&sigquit_event, SIGQUIT, sigterm_handler, NULL);
+ signal_add(&sigquit_event, NULL);
+#endif
- if(last_graph_dump + 60 < now) {
- dump_graph();
- last_graph_dump = now;
- }
+ if(event_loop(0) < 0) {
+ logger(LOG_ERR, "Error while waiting for input: %s", strerror(errno));
+ return 1;
}
+ signal_del(&sighup_event);
+ signal_del(&sigterm_event);
+ signal_del(&sigquit_event);
+ event_del(&timeout_event);
+
return 0;
}
#ifndef __TINC_NET_H__
#define __TINC_NET_H__
-#include <openssl/evp.h>
-
#include "ipv6.h"
+#include "cipher.h"
+#include "digest.h"
#ifdef ENABLE_JUMBOGRAMS
#define MTU 9018 /* 9000 bytes payload + 14 bytes ethernet header + 4 bytes VLAN tag */
#define MTU 1518 /* 1500 bytes payload + 14 bytes ethernet header + 4 bytes VLAN tag */
#endif
-#define MAXSIZE (MTU + 4 + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + MTU/64 + 20) /* MTU + seqno + padding + HMAC + compressor overhead */
+#define MAXSIZE (MTU + 4 + CIPHER_MAX_BLOCK_SIZE + DIGEST_MAX_SIZE + MTU/64 + 20) /* MTU + seqno + padding + HMAC + compressor overhead */
#define MAXBUFSIZE ((MAXSIZE > 2048 ? MAXSIZE : 2048) + 128) /* Enough room for a request with a MAXSIZEd packet or a 8192 bits RSA key */
-#define MAXSOCKETS 128 /* Overkill... */
+#define MAXSOCKETS 8 /* Probably overkill... */
typedef struct mac_t {
uint8_t x[6];
} vpn_packet_t;
typedef struct listen_socket_t {
+ struct event ev_tcp;
+ struct event ev_udp;
int tcp;
int udp;
sockaddr_t sa;
struct config_t *cfg;
struct addrinfo *ai;
struct addrinfo *aip;
- struct event *event;
+ struct event ev;
} outgoing_t;
extern list_t *outgoing_list;
extern listen_socket_t listen_socket[MAXSOCKETS];
extern int listen_sockets;
-extern int keyexpires;
extern int keylifetime;
extern bool do_prune;
-extern bool do_purge;
extern char *myport;
-extern time_t now;
+ extern int contradicting_add_edge;
+ extern int contradicting_del_edge;
/* Yes, very strange placement indeed, but otherwise the typedefs get all tangled up */
#include "connection.h"
#include "node.h"
extern void retry_outgoing(outgoing_t *);
-extern void handle_incoming_vpn_data(int);
+extern void handle_incoming_vpn_data(int, short, void *);
extern void finish_connecting(struct connection_t *);
extern void do_outgoing_connection(struct connection_t *);
-extern bool handle_new_meta_connection(int);
+extern void handle_new_meta_connection(int, short, void *);
extern int setup_listen_socket(const sockaddr_t *);
extern int setup_vpn_in_socket(const sockaddr_t *);
extern void send_packet(const struct node_t *, vpn_packet_t *);
extern void flush_queue(struct node_t *);
extern bool read_rsa_public_key(struct connection_t *);
extern void send_mtu_probe(struct node_t *);
+extern void handle_device_data(int, short, void *);
+extern void handle_meta_connection_data(int, short, void *);
+extern void regenerate_key();
+extern void purge(void);
+extern void retry(void);
+extern int reload_configuration(void);
extern void load_all_subnets();
#ifndef HAVE_MINGW
net_packet.c -- Handles in- and outgoing VPN packets
Copyright (C) 1998-2005 Ivo Timmermans,
2000-2010 Guus Sliepen <guus@tinc-vpn.org>
+ 2010 Timothy Redaelli <timothy@redaelli.eu>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#include LZO1X_H
#endif
-#include "avl_tree.h"
+#include "splay_tree.h"
+#include "cipher.h"
#include "conf.h"
#include "connection.h"
+#include "crypto.h"
+#include "digest.h"
#include "device.h"
#include "ethernet.h"
-#include "event.h"
#include "graph.h"
#include "list.h"
#include "logger.h"
// mtuprobes == 32: send 1 burst, sleep pingtimeout second
// mtuprobes == 33: no response from other side, restart PMTU discovery process
-void send_mtu_probe(node_t *n) {
+static void send_mtu_probe_handler(int fd, short events, void *data) {
+ node_t *n = data;
vpn_packet_t packet;
int len, i;
int timeout = 1;
n->mtuprobes++;
- n->mtuevent = NULL;
if(!n->status.reachable || !n->status.validkey) {
ifdebug(TRAFFIC) logger(LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
len = 64;
memset(packet.data, 0, 14);
- RAND_pseudo_bytes(packet.data + 14, len - 14);
+ randomize(packet.data + 14, len - 14);
packet.len = len;
packet.priority = 0;
}
end:
- n->mtuevent = new_event();
- n->mtuevent->handler = (event_handler_t)send_mtu_probe;
- n->mtuevent->data = n;
- n->mtuevent->time = now + timeout;
- event_add(n->mtuevent);
+ event_add(&n->mtuevent, &(struct timeval){timeout, 0});
+}
+
+void send_mtu_probe(node_t *n) {
+ if(!timeout_initialized(&n->mtuevent))
+ timeout_set(&n->mtuevent, send_mtu_probe_handler, n);
+ send_mtu_probe_handler(0, 0, n);
}
void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
route(n, packet);
}
-static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) {
- unsigned char hmac[EVP_MAX_MD_SIZE];
-
- if(!n->indigest || !n->inmaclength || !n->inkey || inpkt->len < sizeof inpkt->seqno + n->inmaclength)
+static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
+ if(!digest_active(&n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest))
return false;
- HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL);
-
- return !memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength);
+ return digest_verify(&n->indigest, &inpkt->seqno, inpkt->len - n->indigest.maclength, (const char *)&inpkt->seqno + inpkt->len - n->indigest.maclength);
}
static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
int nextpkt = 0;
vpn_packet_t *outpkt = pkt[0];
- int outlen, outpad;
- unsigned char hmac[EVP_MAX_MD_SIZE];
+ size_t outlen;
int i;
- if(!n->inkey) {
+ if(!cipher_active(&n->incipher)) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
n->name, n->hostname);
return;
/* Check packet length */
- if(inpkt->len < sizeof(inpkt->seqno) + n->inmaclength) {
+ if(inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest)) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got too short packet from %s (%s)",
n->name, n->hostname);
return;
/* Check the message authentication code */
- if(n->indigest && n->inmaclength) {
- inpkt->len -= n->inmaclength;
- HMAC(n->indigest, n->inkey, n->inkeylength,
- (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
-
- if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) {
- ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)",
- n->name, n->hostname);
+ if(digest_active(&n->indigest)) {
+ inpkt->len -= n->indigest.maclength;
+ if(!digest_verify(&n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
return;
}
}
-
/* Decrypt the packet */
- if(n->incipher) {
+ if(cipher_active(&n->incipher)) {
outpkt = pkt[nextpkt++];
+ outlen = MAXSIZE;
- if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL)
- || !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
- (unsigned char *) &inpkt->seqno, inpkt->len)
- || !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
- ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s",
- n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
+ if(!cipher_decrypt(&n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
return;
}
- outpkt->len = outlen + outpad;
+ outpkt->len = outlen;
inpkt = outpkt;
}
/* Check the sequence number */
- inpkt->len -= sizeof(inpkt->seqno);
+ inpkt->len -= sizeof inpkt->seqno;
inpkt->seqno = ntohl(inpkt->seqno);
if(inpkt->seqno != n->received_seqno + 1) {
- if(inpkt->seqno >= n->received_seqno + sizeof(n->late) * 8) {
+ if(inpkt->seqno >= n->received_seqno + sizeof n->late * 8) {
logger(LOG_WARNING, "Lost %d packets from %s (%s)",
inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
- memset(n->late, 0, sizeof(n->late));
+ memset(n->late, 0, sizeof n->late);
} else if (inpkt->seqno <= n->received_seqno) {
- if((n->received_seqno >= sizeof(n->late) * 8 && inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8) || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) {
+ if((n->received_seqno >= sizeof n->late * 8 && inpkt->seqno <= n->received_seqno - sizeof n->late * 8) || !(n->late[(inpkt->seqno / 8) % sizeof n->late] & (1 << inpkt->seqno % 8))) {
logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
n->name, n->hostname, inpkt->seqno, n->received_seqno);
return;
}
} else {
for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
- n->late[(i / 8) % sizeof(n->late)] |= 1 << i % 8;
+ n->late[(i / 8) % sizeof n->late] |= 1 << i % 8;
}
}
- n->late[(inpkt->seqno / 8) % sizeof(n->late)] &= ~(1 << inpkt->seqno % 8);
+ n->late[(inpkt->seqno / 8) % sizeof n->late] &= ~(1 << inpkt->seqno % 8);
if(inpkt->seqno > n->received_seqno)
n->received_seqno = inpkt->seqno;
if(n->received_seqno > MAX_SEQNO)
- keyexpires = 0;
+ regenerate_key();
/* Decompress the packet */
int nextpkt = 0;
vpn_packet_t *outpkt;
int origlen;
- int outlen, outpad;
+ size_t outlen;
+ #if defined(SOL_IP) && defined(IP_TOS)
static int priority = 0;
+ #endif
int origpriority;
int sock;
/* Make sure we have a valid key */
if(!n->status.validkey) {
+ time_t now = time(NULL);
+
ifdebug(TRAFFIC) logger(LOG_INFO,
"No valid key known yet for %s (%s), forwarding via TCP",
n->name, n->hostname);
/* Add sequence number */
inpkt->seqno = htonl(++(n->sent_seqno));
- inpkt->len += sizeof(inpkt->seqno);
+ inpkt->len += sizeof inpkt->seqno;
/* Encrypt the packet */
- if(n->outcipher) {
+ if(cipher_active(&n->outcipher)) {
outpkt = pkt[nextpkt++];
+ outlen = MAXSIZE;
- if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL)
- || !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
- (unsigned char *) &inpkt->seqno, inpkt->len)
- || !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
- ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s",
- n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
+ if(!cipher_encrypt(&n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+ ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
goto end;
}
- outpkt->len = outlen + outpad;
+ outpkt->len = outlen;
inpkt = outpkt;
}
/* Add the message authentication code */
- if(n->outdigest && n->outmaclength) {
- HMAC(n->outdigest, n->outkey, n->outkeylength, (unsigned char *) &inpkt->seqno,
- inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL);
- inpkt->len += n->outmaclength;
+ if(digest_active(&n->outdigest)) {
+ digest_create(&n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len);
+ inpkt->len += digest_length(&n->outdigest);
}
/* Determine which socket we have to use */
&& listen_socket[sock].sa.sa.sa_family == AF_INET) {
priority = origpriority;
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
- if(setsockopt(listen_socket[sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
+ if(setsockopt(listen_socket[sock].udp, SOL_IP, IP_TOS, &priority, sizeof priority)) /* SO_PRIORITY doesn't seem to work */
logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
}
#endif
/* Broadcast a packet using the minimum spanning tree */
void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
- avl_node_t *node;
+ splay_node_t *node;
connection_t *c;
ifdebug(TRAFFIC) logger(LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
}
static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
- avl_node_t *node;
- edge_t *e;
- node_t *n = NULL;
+ splay_node_t *node;
+ node_t *n, *found = NULL;
static time_t last_hard_try = 0;
+ time_t now = time(NULL);
- for(node = edge_weight_tree->head; node; node = node->next) {
- e = node->data;
-
- if(sockaddrcmp_noport(from, &e->address)) {
- if(last_hard_try == now)
- continue;
- last_hard_try = now;
- }
+ if(last_hard_try == now)
+ return NULL;
+ else
+ last_hard_try = now;
- if(!n)
- n = e->to;
+ for(node = node_tree->head; node; node = node->next) {
+ n = node->data;
- if(!try_mac(e->to, pkt))
+ if(n == myself || !n->status.reachable || !digest_active(&n->indigest))
continue;
- n = e->to;
- break;
+ if(try_mac(n, pkt)) {
+ found = n;
+ break;
+ }
}
- return n;
+ return found;
}
-void handle_incoming_vpn_data(int sock) {
+void handle_incoming_vpn_data(int sock, short events, void *data) {
vpn_packet_t pkt;
char *hostname;
sockaddr_t from;
- socklen_t fromlen = sizeof(from);
+ socklen_t fromlen = sizeof from;
node_t *n;
+ int len;
- pkt.len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
+ len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
- if(pkt.len < 0) {
+ if(len <= 0 || len > MAXSIZE) {
if(!sockwouldblock(sockerrno))
logger(LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
return;
}
+ pkt.len = len;
+
sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
n = lookup_node_udp(&from);
receive_udppacket(n, &pkt);
}
+
+void handle_device_data(int sock, short events, void *data) {
+ vpn_packet_t packet;
+
+ if(read_packet(&packet))
+ route(myself, &packet);
+}
#include "system.h"
-#include <openssl/pem.h>
-#include <openssl/rsa.h>
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-
-#include "avl_tree.h"
+#include "splay_tree.h"
+#include "cipher.h"
#include "conf.h"
#include "connection.h"
+#include "control.h"
#include "device.h"
-#include "event.h"
+#include "digest.h"
#include "graph.h"
#include "logger.h"
#include "net.h"
#include "process.h"
#include "protocol.h"
#include "route.h"
+#include "rsa.h"
#include "subnet.h"
#include "utils.h"
#include "xalloc.h"
char *myport;
+static struct event device_ev;
bool read_rsa_public_key(connection_t *c) {
FILE *fp;
char *fname;
- char *key;
-
- if(!c->rsa_key) {
- c->rsa_key = RSA_new();
-// RSA_blinding_on(c->rsa_key, NULL);
- }
+ char *n;
+ bool result;
/* First, check for simple PublicKey statement */
- if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
- BN_hex2bn(&c->rsa_key->n, key);
- BN_hex2bn(&c->rsa_key->e, "FFFF");
- free(key);
- return true;
+ if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &n)) {
+ result = rsa_set_hex_public_key(&c->rsa, n, "FFFF");
+ free(n);
+ return result;
}
/* Else, check for PublicKeyFile statement and read it */
- if(get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &fname)) {
- fp = fopen(fname, "r");
-
- if(!fp) {
- logger(LOG_ERR, "Error reading RSA public key file `%s': %s",
- fname, strerror(errno));
- free(fname);
- return false;
- }
-
- free(fname);
- c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
- fclose(fp);
-
- if(c->rsa_key)
- return true; /* Woohoo. */
-
- /* If it fails, try PEM_read_RSA_PUBKEY. */
- fp = fopen(fname, "r");
+ if(!get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &fname))
+ xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
- if(!fp) {
- logger(LOG_ERR, "Error reading RSA public key file `%s': %s",
- fname, strerror(errno));
- free(fname);
- return false;
- }
-
- free(fname);
- c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
- fclose(fp);
-
- if(c->rsa_key) {
-// RSA_blinding_on(c->rsa_key, NULL);
- return true;
- }
+ fp = fopen(fname, "r");
- logger(LOG_ERR, "Reading RSA public key file `%s' failed: %s",
+ if(!fp) {
+ logger(LOG_ERR, "Error reading RSA public key file `%s': %s",
fname, strerror(errno));
+ free(fname);
return false;
}
- /* Else, check if a harnessed public key is in the config file */
-
- xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
- fp = fopen(fname, "r");
-
- if(fp) {
- c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
- fclose(fp);
- }
-
- free(fname);
-
- if(c->rsa_key)
- return true;
-
- /* Try again with PEM_read_RSA_PUBKEY. */
-
- xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
- fp = fopen(fname, "r");
-
- if(fp) {
- c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
-// RSA_blinding_on(c->rsa_key, NULL);
- fclose(fp);
- }
+ result = rsa_read_pem_public_key(&c->rsa, fp);
+ fclose(fp);
+ if(!result)
+ logger(LOG_ERR, "Reading RSA public key file `%s' failed: %s", fname, strerror(errno));
free(fname);
-
- if(c->rsa_key)
- return true;
-
- logger(LOG_ERR, "No public key for %s specified!", c->name);
-
- return false;
+ return result;
}
-bool read_rsa_private_key(void) {
+bool read_rsa_private_key() {
FILE *fp;
- char *fname, *key, *pubkey;
- struct stat s;
+ char *fname;
+ char *n, *d;
+ bool result;
- if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
- if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
+ /* First, check for simple PrivateKey statement */
+
+ if(get_config_string(lookup_config(config_tree, "PrivateKey"), &d)) {
- if(!get_config_string(lookup_config(myself->connection->config_tree, "PublicKey"), &n)) {
++ if(!get_config_string(lookup_config(config_tree, "PublicKey"), &n)) {
logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
+ free(d);
return false;
}
- myself->connection->rsa_key = RSA_new();
-// RSA_blinding_on(myself->connection->rsa_key, NULL);
- BN_hex2bn(&myself->connection->rsa_key->d, key);
- BN_hex2bn(&myself->connection->rsa_key->n, pubkey);
- BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
- free(key);
- free(pubkey);
+ result = rsa_set_hex_private_key(&myself->connection->rsa, n, "FFFF", d);
+ free(n);
+ free(d);
return true;
}
+ /* Else, check for PrivateKeyFile statement and read it */
+
if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname))
xasprintf(&fname, "%s/rsa_key.priv", confbase);
}
#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
+ struct stat s;
+
if(fstat(fileno(fp), &s)) {
- logger(LOG_ERR, "Could not stat RSA private key file `%s': %s'",
- fname, strerror(errno));
+ logger(LOG_ERR, "Could not stat RSA private key file `%s': %s'", fname, strerror(errno));
free(fname);
return false;
}
logger(LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
#endif
- myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
+ result = rsa_read_pem_private_key(&myself->connection->rsa, fp);
fclose(fp);
- if(!myself->connection->rsa_key) {
- logger(LOG_ERR, "Reading RSA private key file `%s' failed: %s",
- fname, strerror(errno));
- free(fname);
- return false;
+ if(!result)
+ logger(LOG_ERR, "Reading RSA private key file `%s' failed: %s", fname, strerror(errno));
+ free(fname);
+ return result;
+}
+
+static struct event keyexpire_event;
+
+static void keyexpire_handler(int fd, short events, void *data) {
+ regenerate_key();
+}
+
+void regenerate_key() {
+ if(timeout_initialized(&keyexpire_event)) {
+ ifdebug(STATUS) logger(LOG_INFO, "Expiring symmetric keys");
+ event_del(&keyexpire_event);
+ send_key_changed(broadcast, myself);
+ } else {
+ timeout_set(&keyexpire_event, keyexpire_handler, NULL);
}
- free(fname);
- return true;
+ event_add(&keyexpire_event, &(struct timeval){keylifetime, 0});
}
/*
struct dirent *ent;
char *dname;
char *fname;
- avl_tree_t *config_tree;
+ splay_tree_t *config_tree;
config_t *cfg;
subnet_t *s, *s2;
node_t *n;
config_t *cfg;
subnet_t *subnet;
char *name, *hostname, *mode, *afname, *cipher, *digest;
+ char *fname = NULL;
char *address = NULL;
char *envp[5];
struct addrinfo *ai, *aip, hint = {0};
myself = new_node();
myself->connection = new_connection();
- init_configuration(&myself->connection->config_tree);
myself->hostname = xstrdup("MYSELF");
myself->connection->hostname = xstrdup("MYSELF");
myself->name = name;
myself->connection->name = xstrdup(name);
-
- if(!read_connection_config(myself->connection)) {
- logger(LOG_ERR, "Cannot open host configuration file for myself!");
- return false;
- }
+ xasprintf(&fname, "%s/hosts/%s", confbase, name);
+ read_config_options(config_tree, name);
+ read_config_file(config_tree, fname);
+ free(fname);
if(!read_rsa_private_key())
return false;
- if(!get_config_string(lookup_config(config_tree, "Port"), &myport)
- && !get_config_string(lookup_config(myself->connection->config_tree, "Port"), &myport))
+ if(!get_config_string(lookup_config(config_tree, "Port"), &myport))
myport = xstrdup("655");
if(!atoi(myport)) {
/* Read in all the subnets specified in the host configuration file */
- cfg = lookup_config(myself->connection->config_tree, "Subnet");
+ cfg = lookup_config(config_tree, "Subnet");
while(cfg) {
if(!get_config_subnet(cfg, &subnet))
subnet_add(myself, subnet);
- cfg = lookup_config_next(myself->connection->config_tree, cfg);
+ cfg = lookup_config_next(config_tree, cfg);
}
/* Check some options */
if(get_config_bool(lookup_config(config_tree, "TCPOnly"), &choice) && choice)
myself->options |= OPTION_TCPONLY;
- if(get_config_bool(lookup_config(myself->connection->config_tree, "IndirectData"), &choice) && choice)
- myself->options |= OPTION_INDIRECT;
-
- if(get_config_bool(lookup_config(myself->connection->config_tree, "TCPOnly"), &choice) && choice)
- myself->options |= OPTION_TCPONLY;
-
if(myself->options & OPTION_TCPONLY)
myself->options |= OPTION_INDIRECT;
}
choice = true;
- get_config_bool(lookup_config(myself->connection->config_tree, "PMTUDiscovery"), &choice);
get_config_bool(lookup_config(config_tree, "PMTUDiscovery"), &choice);
if(choice)
myself->options |= OPTION_PMTU_DISCOVERY;
choice = true;
get_config_bool(lookup_config(config_tree, "ClampMSS"), &choice);
- get_config_bool(lookup_config(myself->connection->config_tree, "ClampMSS"), &choice);
if(choice)
myself->options |= OPTION_CLAMP_MSS;
/* Generate packet encryption key */
- if(!get_config_string(lookup_config(myself->connection->config_tree, "Cipher"), &cipher))
- if(get_config_string
- (lookup_config(config_tree, "Cipher"), &cipher)) {
- if(!strcasecmp(cipher, "none")) {
- myself->incipher = NULL;
- } else {
- myself->incipher = EVP_get_cipherbyname(cipher);
++ if(!get_config_string(lookup_config(config_tree, "Cipher"), &cipher))
+ cipher = xstrdup("blowfish");
- if(!myself->incipher) {
- logger(LOG_ERR, "Unrecognized cipher type!");
- return false;
- }
- }
- } else
- myself->incipher = EVP_bf_cbc();
-
- if(myself->incipher)
- myself->inkeylength = myself->incipher->key_len + myself->incipher->iv_len;
- else
- myself->inkeylength = 1;
-
- myself->connection->outcipher = EVP_bf_ofb();
+ if(!cipher_open_by_name(&myself->incipher, cipher)) {
+ logger(LOG_ERR, "Unrecognized cipher type!");
+ return false;
+ }
if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
keylifetime = 3600;
- keyexpires = now + keylifetime;
-
+ regenerate_key();
+
/* Check if we want to use message authentication codes... */
- if(get_config_string(lookup_config(config_tree, "Digest"), &digest)) {
- if(!strcasecmp(digest, "none")) {
- myself->indigest = NULL;
- } else {
- myself->indigest = EVP_get_digestbyname(digest);
+ if(!get_config_string(lookup_config(myself->connection->config_tree, "Digest"), &digest))
+ digest = xstrdup("sha1");
- if(!myself->indigest) {
- logger(LOG_ERR, "Unrecognized digest type!");
- return false;
- }
- }
- } else
- myself->indigest = EVP_sha1();
-
- myself->connection->outdigest = EVP_sha1();
-
- if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
- if(myself->indigest) {
- if(myself->inmaclength > myself->indigest->md_size) {
- logger(LOG_ERR, "MAC length exceeds size of digest!");
- return false;
- } else if(myself->inmaclength < 0) {
- logger(LOG_ERR, "Bogus MAC length!");
- return false;
- }
- }
- } else
- myself->inmaclength = 4;
+ int maclength = 4;
- get_config_int(lookup_config(myself->connection->config_tree, "MACLength"), &maclength);
++ get_config_int(lookup_config(config_tree, "MACLength"), &maclength);
+
+ if(maclength < 0) {
+ logger(LOG_ERR, "Bogus MAC length!");
+ return false;
+ }
- myself->connection->outmaclength = 0;
+ if(!digest_open_by_name(&myself->indigest, digest, maclength)) {
+ logger(LOG_ERR, "Unrecognized digest type!");
+ return false;
+ }
/* Compression */
- if(get_config_int(lookup_config(myself->connection->config_tree, "Compression"), &myself->incompression)) {
+ if(get_config_int(lookup_config(config_tree, "Compression"), &myself->incompression)) {
if(myself->incompression < 0 || myself->incompression > 11) {
logger(LOG_ERR, "Bogus compression level!");
return false;
if(!setup_device())
return false;
+ if(device_fd >= 0) {
+ event_set(&device_ev, device_fd, EV_READ|EV_PERSIST, handle_device_data, NULL);
+
+ if (event_add(&device_ev, NULL) < 0) {
+ logger(LOG_ERR, "event_add failed: %s", strerror(errno));
+ close_device();
+ return false;
+ }
+ }
+
/* Run tinc-up script to further initialize the tap interface */
xasprintf(&envp[0], "NETNAME=%s", netname ? : "");
xasprintf(&envp[1], "DEVICE=%s", device ? : "");
execute_script("tinc-up", envp);
- for(i = 0; i < 5; i++)
+ for(i = 0; i < 4; i++)
free(envp[i]);
/* Run subnet-up scripts for our own subnets */
listen_socket[listen_sockets].udp =
setup_vpn_in_socket((sockaddr_t *) aip->ai_addr);
- if(listen_socket[listen_sockets].udp < 0)
+ if(listen_socket[listen_sockets].udp < 0) {
+ close(listen_socket[listen_sockets].tcp);
continue;
+ }
+
+ event_set(&listen_socket[listen_sockets].ev_tcp,
+ listen_socket[listen_sockets].tcp,
+ EV_READ|EV_PERSIST,
+ handle_new_meta_connection, NULL);
+ if(event_add(&listen_socket[listen_sockets].ev_tcp, NULL) < 0) {
+ logger(LOG_ERR, "event_add failed: %s", strerror(errno));
+ abort();
+ }
+
+ event_set(&listen_socket[listen_sockets].ev_udp,
+ listen_socket[listen_sockets].udp,
+ EV_READ|EV_PERSIST,
+ handle_incoming_vpn_data, NULL);
+ if(event_add(&listen_socket[listen_sockets].ev_udp, NULL) < 0) {
+ logger(LOG_ERR, "event_add failed: %s", strerror(errno));
+ abort();
+ }
ifdebug(CONNECTIONS) {
hostname = sockaddr2hostname((sockaddr_t *) aip->ai_addr);
memcpy(&listen_socket[listen_sockets].sa, aip->ai_addr, aip->ai_addrlen);
listen_sockets++;
+
+ if(listen_sockets >= MAXSOCKETS) {
+ logger(LOG_WARNING, "Maximum of %d listening sockets reached", MAXSOCKETS);
+ break;
+ }
}
freeaddrinfo(ai);
initialize network
*/
bool setup_network(void) {
- now = time(NULL);
-
- init_events();
init_connections();
init_subnets();
init_nodes();
close all open network connections
*/
void close_network_connections(void) {
- avl_node_t *node, *next;
+ splay_node_t *node, *next;
connection_t *c;
char *envp[5];
int i;
for(node = connection_tree->head; node; node = next) {
next = node->next;
c = node->data;
- c->outgoing = NULL;
+ c->outgoing = false;
terminate_connection(c, false);
}
- for(list_node_t *node = outgoing_list->head; node; node = node->next) {
- outgoing_t *outgoing = node->data;
-
- if(outgoing->event)
- event_del(outgoing->event);
- }
-
list_delete_list(outgoing_list);
if(myself && myself->connection) {
}
for(i = 0; i < listen_sockets; i++) {
+ event_del(&listen_socket[i].ev_tcp);
+ event_del(&listen_socket[i].ev_udp);
close(listen_socket[i].tcp);
close(listen_socket[i].udp);
}
exit_subnets();
exit_nodes();
exit_connections();
- exit_events();
execute_script("tinc-down", envp);
#include "system.h"
-#include "avl_tree.h"
+#include "splay_tree.h"
#include "conf.h"
#include "connection.h"
-#include "event.h"
#include "logger.h"
#include "meta.h"
#include "net.h"
#if defined(SOL_TCP) && defined(TCP_NODELAY)
option = 1;
- setsockopt(c->socket, SOL_TCP, TCP_NODELAY, &option, sizeof option);
- setsockopt(c->socket, SOL_TCP, TCP_NODELAY, (void *)&option, sizeof(option));
++ setsockopt(c->socket, SOL_TCP, TCP_NODELAY, (void *)&option, sizeof option);
#endif
#if defined(SOL_IP) && defined(IP_TOS) && defined(IPTOS_LOWDELAY)
option = IPTOS_LOWDELAY;
- setsockopt(c->socket, SOL_IP, IP_TOS, &option, sizeof option);
- setsockopt(c->socket, SOL_IP, IP_TOS, (void *)&option, sizeof(option));
++ setsockopt(c->socket, SOL_IP, IP_TOS, (void *)&option, sizeof option);
#endif
}
strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ);
ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0;
- status = setsockopt(sd, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof(ifr));
+ status = setsockopt(sd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr));
if(status) {
logger(LOG_ERR, "Can't bind to interface %s: %s", iface,
strerror(errno));
/* Optimize TCP settings */
option = 1;
- setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &option, sizeof option);
- setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, (void *)&option, sizeof(option));
++ setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, (void *)&option, sizeof option);
#if defined(SOL_IPV6) && defined(IPV6_V6ONLY)
if(sa->sa.sa_family == AF_INET6)
- setsockopt(nfd, SOL_IPV6, IPV6_V6ONLY, &option, sizeof option);
+ setsockopt(nfd, SOL_IPV6, IPV6_V6ONLY, (void *)&option, sizeof option);
#endif
if(get_config_string
#if defined(SOL_SOCKET) && defined(SO_BINDTODEVICE)
struct ifreq ifr;
- memset(&ifr, 0, sizeof(ifr));
+ memset(&ifr, 0, sizeof ifr);
strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ);
- if(setsockopt(nfd, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof ifr)) {
- if(setsockopt(nfd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr))) {
++ if(setsockopt(nfd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof ifr)) {
closesocket(nfd);
logger(LOG_ERR, "Can't bind to interface %s: %s", iface,
strerror(sockerrno));
#endif
option = 1;
- setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &option, sizeof option);
- setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, (void *)&option, sizeof(option));
++ setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, (void *)&option, sizeof option);
#if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
if(sa->sa.sa_family == AF_INET6)
- setsockopt(nfd, IPPROTO_IPV6, IPV6_V6ONLY, &option, sizeof option);
+ setsockopt(nfd, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&option, sizeof option);
#endif
#if defined(IP_DONTFRAG) && !defined(IP_DONTFRAGMENT)
#if defined(SOL_IP) && defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DO)
if(myself->options & OPTION_PMTU_DISCOVERY) {
option = IP_PMTUDISC_DO;
- setsockopt(nfd, SOL_IP, IP_MTU_DISCOVER, &option, sizeof(option));
+ setsockopt(nfd, SOL_IP, IP_MTU_DISCOVER, (void *)&option, sizeof(option));
}
#elif defined(IPPROTO_IP) && defined(IP_DONTFRAGMENT)
if(myself->options & OPTION_PMTU_DISCOVERY) {
option = 1;
- setsockopt(nfd, IPPROTO_IP, IP_DONTFRAGMENT, &option, sizeof(option));
+ setsockopt(nfd, IPPROTO_IP, IP_DONTFRAGMENT, (void *)&option, sizeof(option));
}
#else
#warning No way to disable IPv4 fragmentation
#if defined(SOL_IPV6) && defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DO)
if(myself->options & OPTION_PMTU_DISCOVERY) {
option = IPV6_PMTUDISC_DO;
- setsockopt(nfd, SOL_IPV6, IPV6_MTU_DISCOVER, &option, sizeof(option));
+ setsockopt(nfd, SOL_IPV6, IPV6_MTU_DISCOVER, (void *)&option, sizeof(option));
}
#elif defined(IPPROTO_IPV6) && defined(IPV6_DONTFRAG)
if(myself->options & OPTION_PMTU_DISCOVERY) {
option = 1;
- setsockopt(nfd, IPPROTO_IPV6, IPV6_DONTFRAG, &option, sizeof(option));
+ setsockopt(nfd, IPPROTO_IPV6, IPV6_DONTFRAG, (void *)&option, sizeof(option));
}
#else
#warning No way to disable IPv6 fragmentation
return nfd;
} /* int setup_vpn_in_socket */
+static void retry_outgoing_handler(int fd, short events, void *data) {
+ setup_outgoing_connection(data);
+}
+
void retry_outgoing(outgoing_t *outgoing) {
outgoing->timeout += 5;
if(outgoing->timeout > maxtimeout)
outgoing->timeout = maxtimeout;
- if(outgoing->event)
- event_del(outgoing->event);
- outgoing->event = new_event();
- outgoing->event->handler = (event_handler_t) setup_outgoing_connection;
- outgoing->event->time = now + outgoing->timeout;
- outgoing->event->data = outgoing;
- event_add(outgoing->event);
+ timeout_set(&outgoing->ev, retry_outgoing_handler, outgoing);
+ event_add(&outgoing->ev, &(struct timeval){outgoing->timeout, 0});
ifdebug(CONNECTIONS) logger(LOG_NOTICE,
"Trying to re-establish outgoing connection in %d seconds",
configure_tcp(c);
- c->last_ping_time = now;
+ c->last_ping_time = time(NULL);
+ c->status.connecting = false;
send_id(c);
}
if(!c->outgoing->cfg) {
ifdebug(CONNECTIONS) logger(LOG_ERR, "Could not set up a meta connection to %s",
c->name);
- c->status.remove = true;
retry_outgoing(c->outgoing);
c->outgoing = NULL;
+ connection_del(c);
return;
}
#if defined(SOL_IPV6) && defined(IPV6_V6ONLY)
int option = 1;
if(c->address.sa.sa_family == AF_INET6)
- setsockopt(c->socket, SOL_IPV6, IPV6_V6ONLY, &option, sizeof option);
+ setsockopt(c->socket, SOL_IPV6, IPV6_V6ONLY, (void *)&option, sizeof option);
#endif
bind_to_interface(c->socket);
return;
}
+void handle_meta_read(struct bufferevent *event, void *data) {
+ logger(LOG_ERR, "handle_meta_read() called");
+ abort();
+}
+
+void handle_meta_write(struct bufferevent *event, void *data) {
+ ifdebug(META) logger(LOG_DEBUG, "handle_meta_write() called");
+}
+
+void handle_meta_connection_error(struct bufferevent *event, short what, void *data) {
+ connection_t *c = data;
+ logger(LOG_ERR, "handle_meta_connection_error() called: %d: %s", what, strerror(errno));
+ terminate_connection(c, c->status.active);
+}
+
void setup_outgoing_connection(outgoing_t *outgoing) {
connection_t *c;
node_t *n;
- outgoing->event = NULL;
+ event_del(&outgoing->ev);
n = lookup_node(outgoing->name);
}
c->outgoing = outgoing;
- c->last_ping_time = now;
+ c->last_ping_time = time(NULL);
connection_add(c);
do_outgoing_connection(c);
+
+ event_set(&c->inevent, c->socket, EV_READ | EV_PERSIST, handle_meta_connection_data, c);
+ event_add(&c->inevent, NULL);
+ c->buffer = bufferevent_new(c->socket, handle_meta_read, handle_meta_write, handle_meta_connection_error, c);
+ if(!c->buffer) {
+ logger(LOG_ERR, "bufferevent_new() failed: %s", strerror(errno));
+ abort();
+ }
+ bufferevent_disable(c->buffer, EV_READ);
}
/*
accept a new tcp connect and create a
new connection
*/
-bool handle_new_meta_connection(int sock) {
+void handle_new_meta_connection(int sock, short events, void *data) {
connection_t *c;
sockaddr_t sa;
int fd;
- socklen_t len = sizeof(sa);
+ socklen_t len = sizeof sa;
fd = accept(sock, &sa.sa, &len);
if(fd < 0) {
logger(LOG_ERR, "Accepting a new connection failed: %s", sockstrerror(sockerrno));
- return false;
+ return;
}
sockaddrunmap(&sa);
c->address = sa;
c->hostname = sockaddr2hostname(&sa);
c->socket = fd;
- c->last_ping_time = now;
+ c->last_ping_time = time(NULL);
ifdebug(CONNECTIONS) logger(LOG_NOTICE, "Connection from %s", c->hostname);
+ event_set(&c->inevent, c->socket, EV_READ | EV_PERSIST, handle_meta_connection_data, c);
+ event_add(&c->inevent, NULL);
+ c->buffer = bufferevent_new(c->socket, NULL, handle_meta_write, handle_meta_connection_error, c);
+ if(!c->buffer) {
+ logger(LOG_ERR, "bufferevent_new() failed: %s", strerror(errno));
+ abort();
+ }
+ bufferevent_disable(c->buffer, EV_READ);
+
configure_tcp(c);
connection_add(c);
c->allow_request = ID;
send_id(c);
-
- return true;
}
void free_outgoing(outgoing_t *outgoing) {
continue;
}
- outgoing = xmalloc_and_zero(sizeof(*outgoing));
+ outgoing = xmalloc_and_zero(sizeof *outgoing);
outgoing->name = name;
list_insert_tail(outgoing_list, outgoing);
setup_outgoing_connection(outgoing);
#include "conf.h"
#include "connection.h"
+#include "control.h"
#include "device.h"
#include "edge.h"
#include "logger.h"
#include "node.h"
-#include "pidfile.h"
#include "process.h"
#include "subnet.h"
#include "utils.h"
/* If zero, don't detach from the terminal. */
bool do_detach = true;
-bool sighup = false;
bool sigalrm = false;
extern char *identname;
-extern char *pidfilename;
extern char **g_argv;
extern bool use_logfile;
-extern volatile bool running;
+ #ifndef HAVE_MINGW
sigset_t emptysigset;
+ #endif
-static int saved_debug_level = -1;
-
static void memory_full(int size) {
logger(LOG_ERR, "Memory exhausted (couldn't allocate %d bytes), exitting.", size);
exit(1);
return ERROR_CALL_NOT_IMPLEMENTED;
}
- if(running) {
- running = false;
- status.dwWaitHint = 30000;
- status.dwCurrentState = SERVICE_STOP_PENDING;
- SetServiceStatus(statushandle, &status);
- return NO_ERROR;
- } else {
- status.dwWaitHint = 0;
- status.dwCurrentState = SERVICE_STOPPED;
- SetServiceStatus(statushandle, &status);
- exit(1);
- }
-
+ event_loopexit(NULL);
+ status.dwWaitHint = 30000;
+ status.dwCurrentState = SERVICE_STOP_PENDING;
+ SetServiceStatus(statushandle, &status);
+ return NO_ERROR;
}
VOID WINAPI run_service(DWORD argc, LPTSTR* argv) {
}
#endif
-#ifndef HAVE_MINGW
-/*
- check for an existing tinc for this net, and write pid to pidfile
-*/
-static bool write_pidfile(void) {
- pid_t pid;
-
- pid = check_pid(pidfilename);
-
- if(pid) {
- if(netname)
- fprintf(stderr, "A tincd is already running for net `%s' with pid %ld.\n",
- netname, (long)pid);
- else
- fprintf(stderr, "A tincd is already running with pid %ld.\n", (long)pid);
- return false;
- }
-
- /* if it's locked, write-protected, or whatever */
- if(!write_pid(pidfilename)) {
- fprintf(stderr, "Could write pid file %s: %s\n", pidfilename, strerror(errno));
- return false;
- }
-
- return true;
-}
-#endif
-
-/*
- kill older tincd for this net
-*/
-bool kill_other(int signal) {
-#ifndef HAVE_MINGW
- pid_t pid;
-
- pid = read_pid(pidfilename);
-
- if(!pid) {
- if(netname)
- fprintf(stderr, "No other tincd is running for net `%s'.\n",
- netname);
- else
- fprintf(stderr, "No other tincd is running.\n");
- return false;
- }
-
- errno = 0; /* No error, sometimes errno is only changed on error */
-
- /* ESRCH is returned when no process with that pid is found */
- if(kill(pid, signal) && errno == ESRCH) {
- if(netname)
- fprintf(stderr, "The tincd for net `%s' is no longer running. ",
- netname);
- else
- fprintf(stderr, "The tincd is no longer running. ");
-
- fprintf(stderr, "Removing stale lock file.\n");
- remove_pid(pidfilename);
- }
-
- return true;
-#else
- return remove_service();
-#endif
-}
-
/*
- Detach from current terminal, write pidfile, kill parent
+ Detach from current terminal
*/
bool detach(void) {
setup_signals();
- /* First check if we can open a fresh new pidfile */
-
#ifndef HAVE_MINGW
- if(!write_pidfile())
- return false;
-
- /* If we succeeded in doing that, detach */
-
closelogger();
#endif
strerror(errno));
return false;
}
-
- /* Now UPDATE the pid in the pidfile, because we changed it... */
-
- if(!write_pid(pidfilename)) {
- fprintf(stderr, "Could not write pid file %s: %s\n", pidfilename, strerror(errno));
- return false;
- }
#else
if(!statushandle)
exit(install_service());
*/
#ifndef HAVE_MINGW
-static RETSIGTYPE sigterm_handler(int a) {
- logger(LOG_NOTICE, "Got %s signal", "TERM");
- if(running)
- running = false;
- else
- exit(1);
-}
-
-static RETSIGTYPE sigquit_handler(int a) {
- logger(LOG_NOTICE, "Got %s signal", "QUIT");
- if(running)
- running = false;
- else
- exit(1);
-}
-
static RETSIGTYPE fatal_signal_square(int a) {
logger(LOG_ERR, "Got another fatal signal %d (%s): not restarting.", a,
strsignal(a));
close_network_connections();
sleep(5);
- remove_pid(pidfilename);
+ exit_control();
execvp(g_argv[0], g_argv);
} else {
logger(LOG_NOTICE, "Not restarting.");
}
}
-static RETSIGTYPE sighup_handler(int a) {
- logger(LOG_NOTICE, "Got %s signal", "HUP");
- sighup = true;
-}
-
-static RETSIGTYPE sigint_handler(int a) {
- logger(LOG_NOTICE, "Got %s signal", "INT");
-
- if(saved_debug_level != -1) {
- logger(LOG_NOTICE, "Reverting to old debug level (%d)",
- saved_debug_level);
- debug_level = saved_debug_level;
- saved_debug_level = -1;
- } else {
- logger(LOG_NOTICE,
- "Temporarily setting debug level to 5. Kill me with SIGINT again to go back to level %d.",
- debug_level);
- saved_debug_level = debug_level;
- debug_level = 5;
- }
-}
-
-static RETSIGTYPE sigalrm_handler(int a) {
- logger(LOG_NOTICE, "Got %s signal", "ALRM");
- sigalrm = true;
-}
-
-static RETSIGTYPE sigusr1_handler(int a) {
- dump_connections();
-}
-
-static RETSIGTYPE sigusr2_handler(int a) {
- dump_device_stats();
- dump_nodes();
- dump_edges();
- dump_subnets();
-}
-
-static RETSIGTYPE sigwinch_handler(int a) {
- do_purge = true;
-}
-
static RETSIGTYPE unexpected_signal_handler(int a) {
logger(LOG_WARNING, "Got unexpected signal %d (%s)", a, strsignal(a));
}
int signal;
void (*handler)(int);
} sighandlers[] = {
- {SIGHUP, sighup_handler},
- {SIGTERM, sigterm_handler},
- {SIGQUIT, sigquit_handler},
{SIGSEGV, fatal_signal_handler},
{SIGBUS, fatal_signal_handler},
{SIGILL, fatal_signal_handler},
{SIGPIPE, ignore_signal_handler},
- {SIGINT, sigint_handler},
- {SIGUSR1, sigusr1_handler},
- {SIGUSR2, sigusr2_handler},
{SIGCHLD, ignore_signal_handler},
- {SIGALRM, sigalrm_handler},
- {SIGWINCH, sigwinch_handler},
{0, NULL}
};
#endif
/* If we didn't detach, allow coredumps */
if(!do_detach)
- sighandlers[3].handler = SIG_DFL;
+ sighandlers[0].handler = SIG_DFL;
/* Then, for each known signal that we want to catch, assign a
handler to the signal, with error checking this time. */
#define __TINC_PROCESS_H__
extern bool do_detach;
-extern bool sighup;
extern bool sigalrm;
extern void setup_signals(void);
extern bool detach(void);
extern bool kill_other(int);
+ #ifdef HAVE_MINGW
+ extern bool init_service(void);
+ #endif
+
#endif /* __TINC_PROCESS_H__ */
#include "system.h"
-#include <openssl/sha.h>
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-
-#include "avl_tree.h"
+#include "splay_tree.h"
#include "conf.h"
#include "connection.h"
+#include "control.h"
+#include "control_common.h"
+#include "crypto.h"
#include "edge.h"
#include "graph.h"
#include "logger.h"
#include "netutl.h"
#include "node.h"
#include "protocol.h"
+#include "rsa.h"
#include "utils.h"
#include "xalloc.h"
bool send_id(connection_t *c) {
+ gettimeofday(&c->start, NULL);
+
return send_request(c, "%d %s %d", ID, myself->connection->name,
myself->connection->protocol_version);
}
-bool id_h(connection_t *c) {
+bool id_h(connection_t *c, char *request) {
char name[MAX_STRING_SIZE];
- if(sscanf(c->buffer, "%*d " MAX_STRING " %d", name, &c->protocol_version) != 2) {
+ if(sscanf(request, "%*d " MAX_STRING " %d", name, &c->protocol_version) != 2) {
logger(LOG_ERR, "Got bad %s from %s (%s)", "ID", c->name,
c->hostname);
return false;
}
+ /* Check if this is a control connection */
+
+ if(name[0] == '^' && !strcmp(name + 1, controlcookie)) {
+ c->status.control = true;
+ c->allow_request = CONTROL;
+ c->last_ping_time = time(NULL) + 3600;
+ return send_request(c, "%d %d %d", ACK, TINC_CTL_VERSION_CURRENT, getpid());
+ }
+
/* Check if identity is a valid name */
if(!check_id(name)) {
}
bool send_metakey(connection_t *c) {
- char *buffer;
- int len;
- bool x;
+ size_t len = rsa_size(&c->rsa);
+ char key[len];
+ char enckey[len];
+ char hexkey[2 * len + 1];
- len = RSA_size(c->rsa_key);
-
- /* Allocate buffers for the meta key */
-
- buffer = alloca(2 * len + 1);
+ if(!cipher_open_blowfish_ofb(&c->outcipher))
+ return false;
- c->outkey = xrealloc(c->outkey, len);
-
- if(!c->outctx)
- c->outctx = xmalloc_and_zero(sizeof(*c->outctx));
+ if(!digest_open_sha1(&c->outdigest, -1))
+ return false;
- /* Copy random data to the buffer */
+ /* Create a random key */
- RAND_pseudo_bytes((unsigned char *)c->outkey, len);
+ randomize(key, len);
/* The message we send must be smaller than the modulus of the RSA key.
By definition, for a key of k bits, the following formula holds:
This can be done by setting the most significant bit to zero.
*/
- c->outkey[0] &= 0x7F;
+ key[0] &= 0x7F;
+
+ cipher_set_key_from_rsa(&c->outcipher, key, len, true);
ifdebug(SCARY_THINGS) {
- bin2hex(c->outkey, buffer, len);
- buffer[len * 2] = '\0';
- logger(LOG_DEBUG, "Generated random meta key (unencrypted): %s",
- buffer);
+ bin2hex(key, hexkey, len);
+ hexkey[len * 2] = '\0';
+ logger(LOG_DEBUG, "Generated random meta key (unencrypted): %s", hexkey);
}
/* Encrypt the random data
with a length equal to that of the modulus of the RSA key.
*/
- if(RSA_public_encrypt(len, (unsigned char *)c->outkey, (unsigned char *)buffer, c->rsa_key, RSA_NO_PADDING) != len) {
- logger(LOG_ERR, "Error during encryption of meta key for %s (%s)",
- c->name, c->hostname);
+ if(!rsa_public_encrypt(&c->rsa, key, len, enckey)) {
+ logger(LOG_ERR, "Error during encryption of meta key for %s (%s)", c->name, c->hostname);
return false;
}
/* Convert the encrypted random data to a hexadecimal formatted string */
- bin2hex(buffer, buffer, len);
- buffer[len * 2] = '\0';
+ bin2hex(enckey, hexkey, len);
+ hexkey[len * 2] = '\0';
/* Send the meta key */
- x = send_request(c, "%d %d %d %d %d %s", METAKEY,
- c->outcipher ? c->outcipher->nid : 0,
- c->outdigest ? c->outdigest->type : 0, c->outmaclength,
- c->outcompression, buffer);
-
- /* Further outgoing requests are encrypted with the key we just generated */
-
- if(c->outcipher) {
- if(!EVP_EncryptInit(c->outctx, c->outcipher,
- (unsigned char *)c->outkey + len - c->outcipher->key_len,
- (unsigned char *)c->outkey + len - c->outcipher->key_len -
- c->outcipher->iv_len)) {
- logger(LOG_ERR, "Error during initialisation of cipher for %s (%s): %s",
- c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
- return false;
- }
-
- c->status.encryptout = true;
- }
-
- return x;
+ bool result = send_request(c, "%d %d %d %d %d %s", METAKEY,
+ cipher_get_nid(&c->outcipher),
+ digest_get_nid(&c->outdigest), c->outmaclength,
+ c->outcompression, hexkey);
+
+ c->status.encryptout = true;
+ return result;
}
-bool metakey_h(connection_t *c) {
- char buffer[MAX_STRING_SIZE];
+bool metakey_h(connection_t *c, char *request) {
+ char hexkey[MAX_STRING_SIZE];
int cipher, digest, maclength, compression;
- int len;
+ size_t len = rsa_size(&myself->connection->rsa);
+ char enckey[len];
+ char key[len];
- if(sscanf(c->buffer, "%*d %d %d %d %d " MAX_STRING, &cipher, &digest, &maclength, &compression, buffer) != 5) {
- logger(LOG_ERR, "Got bad %s from %s (%s)", "METAKEY", c->name,
- c->hostname);
+ if(sscanf(request, "%*d %d %d %d %d " MAX_STRING, &cipher, &digest, &maclength, &compression, hexkey) != 5) {
+ logger(LOG_ERR, "Got bad %s from %s (%s)", "METAKEY", c->name, c->hostname);
return false;
}
- len = RSA_size(myself->connection->rsa_key);
-
/* Check if the length of the meta key is all right */
- if(strlen(buffer) != len * 2) {
+ if(strlen(hexkey) != len * 2) {
logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name, c->hostname, "wrong keylength");
return false;
}
- /* Allocate buffers for the meta key */
-
- c->inkey = xrealloc(c->inkey, len);
-
- if(!c->inctx)
- c->inctx = xmalloc_and_zero(sizeof(*c->inctx));
-
/* Convert the challenge from hexadecimal back to binary */
- hex2bin(buffer, buffer, len);
+ hex2bin(hexkey, enckey, len);
/* Decrypt the meta key */
- if(RSA_private_decrypt(len, (unsigned char *)buffer, (unsigned char *)c->inkey, myself->connection->rsa_key, RSA_NO_PADDING) != len) { /* See challenge() */
- logger(LOG_ERR, "Error during decryption of meta key for %s (%s)",
- c->name, c->hostname);
+ if(!rsa_private_decrypt(&myself->connection->rsa, enckey, len, key)) {
+ logger(LOG_ERR, "Error during decryption of meta key for %s (%s)", c->name, c->hostname);
return false;
}
ifdebug(SCARY_THINGS) {
- bin2hex(c->inkey, buffer, len);
- buffer[len * 2] = '\0';
- logger(LOG_DEBUG, "Received random meta key (unencrypted): %s", buffer);
+ bin2hex(key, hexkey, len);
+ hexkey[len * 2] = '\0';
+ logger(LOG_DEBUG, "Received random meta key (unencrypted): %s", hexkey);
}
- /* All incoming requests will now be encrypted. */
-
/* Check and lookup cipher and digest algorithms */
- if(cipher) {
- c->incipher = EVP_get_cipherbynid(cipher);
-
- if(!c->incipher) {
- logger(LOG_ERR, "%s (%s) uses unknown cipher!", c->name, c->hostname);
- return false;
- }
-
- if(!EVP_DecryptInit(c->inctx, c->incipher,
- (unsigned char *)c->inkey + len - c->incipher->key_len,
- (unsigned char *)c->inkey + len - c->incipher->key_len -
- c->incipher->iv_len)) {
- logger(LOG_ERR, "Error during initialisation of cipher from %s (%s): %s",
- c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
- return false;
- }
-
- c->status.decryptin = true;
- } else {
- c->incipher = NULL;
+ if(!cipher_open_by_nid(&c->incipher, cipher) || !cipher_set_key_from_rsa(&c->incipher, key, len, false)) {
+ logger(LOG_ERR, "Error during initialisation of cipher from %s (%s)", c->name, c->hostname);
+ return false;
}
- c->inmaclength = maclength;
-
- if(digest) {
- c->indigest = EVP_get_digestbynid(digest);
-
- if(!c->indigest) {
- logger(LOG_ERR, "Node %s (%s) uses unknown digest!", c->name, c->hostname);
- return false;
- }
-
- if(c->inmaclength > c->indigest->md_size || c->inmaclength < 0) {
- logger(LOG_ERR, "%s (%s) uses bogus MAC length!", c->name, c->hostname);
- return false;
- }
- } else {
- c->indigest = NULL;
+ if(!digest_open_by_nid(&c->indigest, digest, -1)) {
+ logger(LOG_ERR, "Error during initialisation of digest from %s (%s)", c->name, c->hostname);
+ return false;
}
- c->incompression = compression;
+ c->status.decryptin = true;
c->allow_request = CHALLENGE;
}
bool send_challenge(connection_t *c) {
- char *buffer;
- int len;
-
- /* CHECKME: what is most reasonable value for len? */
-
- len = RSA_size(c->rsa_key);
-
- /* Allocate buffers for the challenge */
+ size_t len = rsa_size(&c->rsa);
+ char buffer[len * 2 + 1];
- buffer = alloca(2 * len + 1);
-
- c->hischallenge = xrealloc(c->hischallenge, len);
+ if(!c->hischallenge)
+ c->hischallenge = xrealloc(c->hischallenge, len);
/* Copy random data to the buffer */
- RAND_pseudo_bytes((unsigned char *)c->hischallenge, len);
+ randomize(c->hischallenge, len);
/* Convert to hex */
return send_request(c, "%d %s", CHALLENGE, buffer);
}
-bool challenge_h(connection_t *c) {
+bool challenge_h(connection_t *c, char *request) {
char buffer[MAX_STRING_SIZE];
- int len;
+ size_t len = rsa_size(&myself->connection->rsa);
+ size_t digestlen = digest_length(&c->indigest);
+ char digest[digestlen];
- if(sscanf(c->buffer, "%*d " MAX_STRING, buffer) != 1) {
- logger(LOG_ERR, "Got bad %s from %s (%s)", "CHALLENGE", c->name,
- c->hostname);
+ if(sscanf(request, "%*d " MAX_STRING, buffer) != 1) {
+ logger(LOG_ERR, "Got bad %s from %s (%s)", "CHALLENGE", c->name, c->hostname);
return false;
}
- len = RSA_size(myself->connection->rsa_key);
-
/* Check if the length of the challenge is all right */
if(strlen(buffer) != len * 2) {
- logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name,
- c->hostname, "wrong challenge length");
+ logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name, c->hostname, "wrong challenge length");
return false;
}
- /* Allocate buffers for the challenge */
-
- c->mychallenge = xrealloc(c->mychallenge, len);
-
/* Convert the challenge from hexadecimal back to binary */
- hex2bin(buffer, c->mychallenge, len);
+ hex2bin(buffer, buffer, len);
c->allow_request = CHAL_REPLY;
- /* Rest is done by send_chal_reply() */
-
- return send_chal_reply(c);
-}
-
-bool send_chal_reply(connection_t *c) {
- char hash[EVP_MAX_MD_SIZE * 2 + 1];
- EVP_MD_CTX ctx;
-
/* Calculate the hash from the challenge we received */
- if(!EVP_DigestInit(&ctx, c->indigest)
- || !EVP_DigestUpdate(&ctx, c->mychallenge, RSA_size(myself->connection->rsa_key))
- || !EVP_DigestFinal(&ctx, (unsigned char *)hash, NULL)) {
- logger(LOG_ERR, "Error during calculation of response for %s (%s): %s",
- c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
- return false;
- }
+ digest_create(&c->indigest, buffer, len, digest);
/* Convert the hash to a hexadecimal formatted string */
- bin2hex(hash, hash, c->indigest->md_size);
- hash[c->indigest->md_size * 2] = '\0';
+ bin2hex(digest, buffer, digestlen);
+ buffer[digestlen * 2] = '\0';
/* Send the reply */
- return send_request(c, "%d %s", CHAL_REPLY, hash);
+ return send_request(c, "%d %s", CHAL_REPLY, buffer);
}
-bool chal_reply_h(connection_t *c) {
+bool chal_reply_h(connection_t *c, char *request) {
char hishash[MAX_STRING_SIZE];
- char myhash[EVP_MAX_MD_SIZE];
- EVP_MD_CTX ctx;
- if(sscanf(c->buffer, "%*d " MAX_STRING, hishash) != 1) {
+ if(sscanf(request, "%*d " MAX_STRING, hishash) != 1) {
logger(LOG_ERR, "Got bad %s from %s (%s)", "CHAL_REPLY", c->name,
c->hostname);
return false;
/* Check if the length of the hash is all right */
- if(strlen(hishash) != c->outdigest->md_size * 2) {
- logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name,
- c->hostname, "wrong challenge reply length");
+ if(strlen(hishash) != digest_length(&c->outdigest) * 2) {
+ logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name, c->hostname, "wrong challenge reply length");
return false;
}
/* Convert the hash to binary format */
- hex2bin(hishash, hishash, c->outdigest->md_size);
-
- /* Calculate the hash from the challenge we sent */
+ hex2bin(hishash, hishash, digest_length(&c->outdigest));
- if(!EVP_DigestInit(&ctx, c->outdigest)
- || !EVP_DigestUpdate(&ctx, c->hischallenge, RSA_size(c->rsa_key))
- || !EVP_DigestFinal(&ctx, (unsigned char *)myhash, NULL)) {
- logger(LOG_ERR, "Error during calculation of response from %s (%s): %s",
- c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
- return false;
- }
-
- /* Verify the incoming hash with the calculated hash */
-
- if(memcmp(hishash, myhash, c->outdigest->md_size)) {
- logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name,
- c->hostname, "wrong challenge reply");
-
- ifdebug(SCARY_THINGS) {
- bin2hex(myhash, hishash, SHA_DIGEST_LENGTH);
- hishash[SHA_DIGEST_LENGTH * 2] = '\0';
- logger(LOG_DEBUG, "Expected challenge reply: %s", hishash);
- }
+ /* Verify the hash */
+ if(!digest_verify(&c->outdigest, c->hischallenge, rsa_size(&c->rsa), hishash)) {
+ logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name, c->hostname, "wrong challenge reply");
return false;
}
Send an acknowledgement with the rest of the information needed.
*/
+ free(c->hischallenge);
+ c->hischallenge = NULL;
c->allow_request = ACK;
return send_ack(c);
}
static void send_everything(connection_t *c) {
- avl_node_t *node, *node2;
+ splay_node_t *node, *node2;
node_t *n;
subnet_t *s;
edge_t *e;
}
}
-bool ack_h(connection_t *c) {
+bool ack_h(connection_t *c, char *request) {
char hisport[MAX_STRING_SIZE];
char *hisaddress;
int weight, mtu;
node_t *n;
bool choice;
- if(sscanf(c->buffer, "%*d " MAX_STRING " %d %x", hisport, &weight, &options) != 3) {
+ if(sscanf(request, "%*d " MAX_STRING " %d %x", hisport, &weight, &options) != 3) {
logger(LOG_ERR, "Got bad %s from %s (%s)", "ACK", c->name,
c->hostname);
return false;
} else {
if(n->connection) {
/* Oh dear, we already have a connection to this node. */
- ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Established a second connection with %s (%s), closing old connection",
- n->name, n->hostname);
+ ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Established a second connection with %s (%s), closing old connection", n->connection->name, n->connection->hostname);
+
+ if(n->connection->outgoing) {
+ if(c->outgoing)
+ logger(LOG_WARNING, "Two outgoing connections to the same node!");
+ else
+ c->outgoing = n->connection->outgoing;
+
+ n->connection->outgoing = NULL;
+ }
+
terminate_connection(n->connection, false);
/* Run graph algorithm to purge key and make sure up/down scripts are rerun with new IP addresses and stuff */
graph();
if(get_config_int(lookup_config(c->config_tree, "PMTU"), &mtu) && mtu < n->mtu)
n->mtu = mtu;
- if(get_config_int(lookup_config(myself->connection->config_tree, "PMTU"), &mtu) && mtu < n->mtu)
+ if(get_config_int(lookup_config(config_tree, "PMTU"), &mtu) && mtu < n->mtu)
n->mtu = mtu;
if(get_config_bool(lookup_config(c->config_tree, "ClampMSS"), &choice)) {
#include "system.h"
-#include "avl_tree.h"
+#include "splay_tree.h"
#include "conf.h"
#include "connection.h"
#include "edge.h"
return x;
}
-bool add_edge_h(connection_t *c) {
+bool add_edge_h(connection_t *c, char *request) {
edge_t *e;
node_t *from, *to;
char from_name[MAX_STRING_SIZE];
uint32_t options;
int weight;
- if(sscanf(c->buffer, "%*d %*x "MAX_STRING" "MAX_STRING" "MAX_STRING" "MAX_STRING" %x %d",
+ if(sscanf(request, "%*d %*x "MAX_STRING" "MAX_STRING" "MAX_STRING" "MAX_STRING" %x %d",
from_name, to_name, to_address, to_port, &options, &weight) != 6) {
logger(LOG_ERR, "Got bad %s from %s (%s)", "ADD_EDGE", c->name,
c->hostname);
return false;
}
- if(seen_request(c->buffer))
+ if(seen_request(request))
return true;
/* Lookup nodes */
} else if(from == myself) {
ifdebug(PROTOCOL) logger(LOG_WARNING, "Got %s from %s (%s) for ourself which does not exist",
"ADD_EDGE", c->name, c->hostname);
+ contradicting_add_edge++;
e = new_edge();
e->from = from;
e->to = to;
/* Tell the rest about the new edge */
if(!tunnelserver)
- forward_request(c);
+ forward_request(c, request);
/* Run MST before or after we tell the rest? */
e->from->name, e->to->name);
}
-bool del_edge_h(connection_t *c) {
+bool del_edge_h(connection_t *c, char *request) {
edge_t *e;
char from_name[MAX_STRING_SIZE];
char to_name[MAX_STRING_SIZE];
node_t *from, *to;
- if(sscanf(c->buffer, "%*d %*x "MAX_STRING" "MAX_STRING, from_name, to_name) != 2) {
+ if(sscanf(request, "%*d %*x "MAX_STRING" "MAX_STRING, from_name, to_name) != 2) {
logger(LOG_ERR, "Got bad %s from %s (%s)", "DEL_EDGE", c->name,
c->hostname);
return false;
return false;
}
- if(seen_request(c->buffer))
+ if(seen_request(request))
return true;
/* Lookup nodes */
if(e->from == myself) {
ifdebug(PROTOCOL) logger(LOG_WARNING, "Got %s from %s (%s) for ourself",
"DEL_EDGE", c->name, c->hostname);
+ contradicting_del_edge++;
send_add_edge(c, e); /* Send back a correction */
return true;
}
/* Tell the rest about the deleted edge */
if(!tunnelserver)
- forward_request(c);
+ forward_request(c, request);
/* Delete the edge */
#include "system.h"
-#include <openssl/evp.h>
-#include <openssl/err.h>
-#include <openssl/rand.h>
-
-#include "avl_tree.h"
+#include "splay_tree.h"
+#include "cipher.h"
#include "connection.h"
+#include "crypto.h"
#include "logger.h"
#include "net.h"
#include "netutl.h"
#include "utils.h"
#include "xalloc.h"
-bool mykeyused = false;
+static bool mykeyused = false;
void send_key_changed() {
- avl_node_t *node;
+ splay_node_t *node;
connection_t *c;
send_request(broadcast, "%d %x %s", KEY_CHANGED, rand(), myself->name);
}
}
-bool key_changed_h(connection_t *c) {
+bool key_changed_h(connection_t *c, char *request) {
char name[MAX_STRING_SIZE];
node_t *n;
- if(sscanf(c->buffer, "%*d %*x " MAX_STRING, name) != 1) {
+ if(sscanf(request, "%*d %*x " MAX_STRING, name) != 1) {
logger(LOG_ERR, "Got bad %s from %s (%s)", "KEY_CHANGED",
c->name, c->hostname);
return false;
}
- if(!check_id(name)) {
- logger(LOG_ERR, "Got bad %s from %s (%s): %s", "KEY_CHANGED", c->name, c->hostname, "invalid name");
- return false;
- }
-
- if(seen_request(c->buffer))
+ if(seen_request(request))
return true;
n = lookup_node(name);
/* Tell the others */
if(!tunnelserver)
- forward_request(c);
+ forward_request(c, request);
return true;
}
return send_request(to->nexthop->connection, "%d %s %s", REQ_KEY, myself->name, to->name);
}
-bool req_key_h(connection_t *c) {
+bool req_key_h(connection_t *c, char *request) {
char from_name[MAX_STRING_SIZE];
char to_name[MAX_STRING_SIZE];
node_t *from, *to;
- if(sscanf(c->buffer, "%*d " MAX_STRING " " MAX_STRING, from_name, to_name) != 2) {
+ if(sscanf(request, "%*d " MAX_STRING " " MAX_STRING, from_name, to_name) != 2) {
logger(LOG_ERR, "Got bad %s from %s (%s)", "REQ_KEY", c->name,
c->hostname);
return false;
/* Check if this key request is for us */
if(to == myself) { /* Yes, send our own key back */
+
send_ans_key(from);
} else {
if(tunnelserver)
return true;
}
- send_request(to->nexthop->connection, "%s", c->buffer);
+ send_request(to->nexthop->connection, "%s", request);
}
return true;
}
bool send_ans_key(node_t *to) {
- char *key;
+ size_t keylen = cipher_keylength(&myself->incipher);
+ char key[keylen * 2 + 1];
- // Set key parameters
- to->incipher = myself->incipher;
- to->inkeylength = myself->inkeylength;
- to->indigest = myself->indigest;
- to->inmaclength = myself->inmaclength;
+ cipher_open_by_nid(&to->incipher, cipher_get_nid(&myself->incipher));
+ digest_open_by_nid(&to->indigest, digest_get_nid(&myself->indigest), digest_length(&myself->indigest));
to->incompression = myself->incompression;
- // Allocate memory for key
- to->inkey = xrealloc(to->inkey, to->inkeylength);
+ randomize(key, keylen);
+ cipher_set_key(&to->incipher, key, true);
+ digest_set_key(&to->indigest, key, keylen);
- // Create a new key
- RAND_pseudo_bytes((unsigned char *)to->inkey, to->inkeylength);
- if(to->incipher)
- EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len);
+ bin2hex(key, key, keylen);
+ key[keylen * 2] = '\0';
// Reset sequence number and late packet window
mykeyused = true;
to->received_seqno = 0;
memset(to->late, 0, sizeof(to->late));
- // Convert to hexadecimal and send
- key = alloca(2 * to->inkeylength + 1);
- bin2hex(to->inkey, key, to->inkeylength);
- key[to->inkeylength * 2] = '\0';
-
- return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY,
- myself->name, to->name, key,
- to->incipher ? to->incipher->nid : 0,
- to->indigest ? to->indigest->type : 0, to->inmaclength,
- to->incompression);
+ return send_request(to->nexthop->connection, "%d %s %s %s %d %d %zu %d", ANS_KEY,
+ myself->name, to->name, key,
+ cipher_get_nid(&to->incipher),
+ digest_get_nid(&to->indigest),
+ digest_length(&to->indigest),
+ to->incompression);
}
-bool ans_key_h(connection_t *c) {
+bool ans_key_h(connection_t *c, char *request) {
char from_name[MAX_STRING_SIZE];
char to_name[MAX_STRING_SIZE];
char key[MAX_STRING_SIZE];
- char address[MAX_STRING_SIZE] = "";
- char port[MAX_STRING_SIZE] = "";
- int cipher, digest, maclength, compression;
+ char address[MAX_STRING_SIZE] = "";
+ char port[MAX_STRING_SIZE] = "";
+ int cipher, digest, maclength, compression, keylen;
node_t *from, *to;
- if(sscanf(c->buffer, "%*d "MAX_STRING" "MAX_STRING" "MAX_STRING" %d %d %d %d "MAX_STRING" "MAX_STRING,
+ if(sscanf(request, "%*d "MAX_STRING" "MAX_STRING" "MAX_STRING" %d %d %d %d "MAX_STRING" "MAX_STRING,
from_name, to_name, key, &cipher, &digest, &maclength,
&compression, address, port) < 7) {
logger(LOG_ERR, "Got bad %s from %s (%s)", "ANS_KEY", c->name,
if(!to->status.reachable) {
logger(LOG_WARNING, "Got %s from %s (%s) destination %s which is not reachable",
- "ANS_KEY", c->name, c->hostname, to_name);
+ "ANS_KEY", c->name, c->hostname, to_name);
return true;
}
- if(!*address) {
+ if(!*address && from->address.sa.sa_family != AF_UNSPEC) {
char *address, *port;
ifdebug(PROTOCOL) logger(LOG_DEBUG, "Appending reflexive UDP address to ANS_KEY from %s to %s", from->name, to->name);
sockaddr2str(&from->address, &address, &port);
- send_request(to->nexthop->connection, "%s %s %s", c->buffer, address, port);
+ send_request(to->nexthop->connection, "%s %s %s", request, address, port);
free(address);
free(port);
return true;
}
- return send_request(to->nexthop->connection, "%s", c->buffer);
+ return send_request(to->nexthop->connection, "%s", request);
}
- /* Update our copy of the origin's packet key */
- from->outkey = xrealloc(from->outkey, strlen(key) / 2);
-
- from->outkey = xstrdup(key);
- from->outkeylength = strlen(key) / 2;
- hex2bin(key, from->outkey, from->outkeylength);
-
/* Check and lookup cipher and digest algorithms */
- if(cipher) {
- from->outcipher = EVP_get_cipherbynid(cipher);
-
- if(!from->outcipher) {
- logger(LOG_ERR, "Node %s (%s) uses unknown cipher!", from->name,
- from->hostname);
- return true;
- }
-
- if(from->outkeylength != from->outcipher->key_len + from->outcipher->iv_len) {
- logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name,
- from->hostname);
- return true;
- }
- } else {
- from->outcipher = NULL;
+ if(!cipher_open_by_nid(&from->outcipher, cipher)) {
+ logger(LOG_ERR, "Node %s (%s) uses unknown cipher!", from->name, from->hostname);
+ return false;
}
- from->outmaclength = maclength;
+ keylen = strlen(key) / 2;
- if(digest) {
- from->outdigest = EVP_get_digestbynid(digest);
+ if(keylen != cipher_keylength(&from->outcipher)) {
+ logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name, from->hostname);
+ return false;
+ }
- if(!from->outdigest) {
- logger(LOG_ERR, "Node %s (%s) uses unknown digest!", from->name,
- from->hostname);
- return true;
- }
+ if(!digest_open_by_nid(&from->outdigest, digest, maclength)) {
+ logger(LOG_ERR, "Node %s (%s) uses unknown digest!", from->name, from->hostname);
+ return false;
+ }
- if(from->outmaclength > from->outdigest->md_size || from->outmaclength < 0) {
- logger(LOG_ERR, "Node %s (%s) uses bogus MAC length!",
- from->name, from->hostname);
- return true;
- }
- } else {
- from->outdigest = NULL;
+ if(maclength != digest_length(&from->outdigest)) {
+ logger(LOG_ERR, "Node %s (%s) uses bogus MAC length!", from->name, from->hostname);
+ return false;
}
if(compression < 0 || compression > 11) {
from->outcompression = compression;
- if(from->outcipher)
- if(!EVP_EncryptInit_ex(&from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + from->outcipher->key_len)) {
- logger(LOG_ERR, "Error during initialisation of key from %s (%s): %s",
- from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL));
- return true;
- }
+ /* Update our copy of the origin's packet key */
+
+ hex2bin(key, key, keylen);
+ cipher_set_key(&from->outcipher, key, false);
+ digest_set_key(&from->outdigest, key, keylen);
from->status.validkey = true;
from->sent_seqno = 0;
static char ifrname[IFNAMSIZ];
static char *device_info;
- static int device_total_in = 0;
- static int device_total_out = 0;
+ static uint64_t device_total_in = 0;
+ static uint64_t device_total_out = 0;
bool setup_device(void) {
struct ifreq ifr;
return false;
}
- memset(&ifr, 0, sizeof(ifr));
+ memset(&ifr, 0, sizeof ifr);
strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ);
if(ioctl(device_fd, SIOCGIFINDEX, &ifr)) {
close(device_fd);
return false;
}
- memset(&sa, '0', sizeof(sa));
+ memset(&sa, '0', sizeof sa);
sa.sll_family = AF_PACKET;
sa.sll_protocol = htons(ETH_P_ALL);
sa.sll_ifindex = ifr.ifr_ifindex;
- if(bind(device_fd, (struct sockaddr *) &sa, (socklen_t) sizeof(sa))) {
+ if(bind(device_fd, (struct sockaddr *) &sa, (socklen_t) sizeof sa)) {
logger(LOG_ERR, "Could not bind %s to %s: %s", device, iface, strerror(errno));
return false;
}
}
bool read_packet(vpn_packet_t *packet) {
- int lenin;
+ int inlen;
- if((lenin = read(device_fd, packet->data, MTU)) <= 0) {
+ if((inlen = read(device_fd, packet->data, MTU)) <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
device, strerror(errno));
return false;
}
- packet->len = lenin;
+ packet->len = inlen;
device_total_in += packet->len;
void dump_device_stats(void) {
logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device);
- logger(LOG_DEBUG, " total bytes in: %10d", device_total_in);
- logger(LOG_DEBUG, " total bytes out: %10d", device_total_out);
+ logger(LOG_DEBUG, " total bytes in: %10"PRIu64, device_total_in);
+ logger(LOG_DEBUG, " total bytes out: %10"PRIu64, device_total_out);
}
char *iface = NULL;
static char *device_info = NULL;
- static int device_total_in = 0;
- static int device_total_out = 0;
+ static uint64_t device_total_in = 0;
+ static uint64_t device_total_out = 0;
bool setup_device(void) {
int ip_fd = -1, if_fd = -1;
}
bool read_packet(vpn_packet_t *packet) {
- int lenin;
+ int inlen;
- if((lenin = read(device_fd, packet->data + 14, MTU - 14)) <= 0) {
+ if((inlen = read(device_fd, packet->data + 14, MTU - 14)) <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
device, strerror(errno));
return false;
return false;
}
- packet->len = lenin + 14;
+ packet->len = inlen + 14;
device_total_in += packet->len;
void dump_device_stats(void) {
logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device);
- logger(LOG_DEBUG, " total bytes in: %10d", device_total_in);
- logger(LOG_DEBUG, " total bytes out: %10d", device_total_out);
+ logger(LOG_DEBUG, " total bytes in: %10"PRIu64, device_total_in);
+ logger(LOG_DEBUG, " total bytes out: %10"PRIu64, device_total_out);
}
2000-2010 Guus Sliepen <guus@tinc-vpn.org>
2008 Max Rijevski <maksuf@gmail.com>
2009 Michael Tokarev <mjt@tls.msk.ru>
+ 2010 Julien Muchembled <jm@jmuchemb.eu>
+ 2010 Timothy Redaelli <timothy@redaelli.eu>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#endif
#include <getopt.h>
-#include "pidfile.h"
#include "conf.h"
+#include "control.h"
+#include "crypto.h"
#include "device.h"
#include "logger.h"
#include "net.h"
/* If nonzero, print the version on standard output and exit. */
bool show_version = false;
-/* If nonzero, it will attempt to kill a running tincd and exit. */
-int kill_tincd = 0;
-
-/* If nonzero, generate public/private keypair for this host/net. */
-int generate_keys = 0;
-
/* If nonzero, use null ciphers and skip all key exchanges. */
bool bypass_security = false;
bool use_logfile = false;
char *identname = NULL; /* program name for syslog */
-char *pidfilename = NULL; /* pid file location */
char *logfilename = NULL; /* log file location */
+char *controlcookiename = NULL;
char **g_argv; /* a copy of the cmdline arguments */
static int status;
static struct option const long_options[] = {
{"config", required_argument, NULL, 'c'},
- {"kill", optional_argument, NULL, 'k'},
{"net", required_argument, NULL, 'n'},
{"help", no_argument, NULL, 1},
{"version", no_argument, NULL, 2},
{"no-detach", no_argument, NULL, 'D'},
- {"generate-keys", optional_argument, NULL, 'K'},
{"debug", optional_argument, NULL, 'd'},
{"bypass-security", no_argument, NULL, 3},
{"mlock", no_argument, NULL, 'L'},
{"chroot", no_argument, NULL, 'R'},
{"user", required_argument, NULL, 'U'},
{"logfile", optional_argument, NULL, 4},
- {"pidfile", required_argument, NULL, 5},
+ {"controlcookie", required_argument, NULL, 5},
{NULL, 0, NULL, 0}
};
#ifdef HAVE_MINGW
static struct WSAData wsa_state;
CRITICAL_SECTION mutex;
+ int main2(int argc, char **argv);
#endif
static void usage(bool status) {
program_name);
else {
printf("Usage: %s [option]...\n\n", program_name);
- printf(" -c, --config=DIR Read configuration options from DIR.\n"
- " -D, --no-detach Don't fork and detach.\n"
- " -d, --debug[=LEVEL] Increase debug level or set it to LEVEL.\n"
- " -k, --kill[=SIGNAL] Attempt to kill a running tincd and exit.\n"
- " -n, --net=NETNAME Connect to net NETNAME.\n"
- " -K, --generate-keys[=BITS] Generate public/private RSA keypair.\n"
- " -L, --mlock Lock tinc into main memory.\n"
- " --logfile[=FILENAME] Write log entries to a logfile.\n"
- " --pidfile=FILENAME Write PID to FILENAME.\n"
- " -o [HOST.]KEY=VALUE Set global/host configuration value.\n"
- " -R, --chroot chroot to NET dir at startup.\n"
- " -U, --user=USER setuid to given USER at startup.\n"
- " --help Display this help and exit.\n"
- " --version Output version information and exit.\n\n");
+ printf( " -c, --config=DIR Read configuration options from DIR.\n"
+ " -D, --no-detach Don't fork and detach.\n"
+ " -d, --debug[=LEVEL] Increase debug level or set it to LEVEL.\n"
+ " -n, --net=NETNAME Connect to net NETNAME.\n"
+ " -L, --mlock Lock tinc into main memory.\n"
+ " --logfile[=FILENAME] Write log entries to a logfile.\n"
+ " --controlcookie=FILENAME Write control socket cookie to FILENAME.\n"
+ " --bypass-security Disables meta protocol security, for debugging.\n"
++ " -o [HOST.]KEY=VALUE Set global/host configuration value.\n"
+ " -R, --chroot chroot to NET dir at startup.\n"
+ " -U, --user=USER setuid to given USER at startup.\n" " --help Display this help and exit.\n"
+ " --version Output version information and exit.\n\n");
printf("Report bugs to tinc@tinc-vpn.org.\n");
}
}
static bool parse_options(int argc, char **argv) {
+ config_t *cfg;
int r;
int option_index = 0;
+ int lineno = 0;
- while((r = getopt_long(argc, argv, "c:DLd::n:RU:", long_options, &option_index)) != EOF) {
+ cmdline_conf = list_alloc((list_action_t)free_config);
+
- while((r = getopt_long(argc, argv, "c:DLd::k::n:o:K::RU:", long_options, &option_index)) != EOF) {
++ while((r = getopt_long(argc, argv, "c:DLd::n:o:RU:", long_options, &option_index)) != EOF) {
switch (r) {
case 0: /* long option */
break;
debug_level++;
break;
- case 'k': /* kill old tincds */
-#ifndef HAVE_MINGW
- if(optarg) {
- if(!strcasecmp(optarg, "HUP"))
- kill_tincd = SIGHUP;
- else if(!strcasecmp(optarg, "TERM"))
- kill_tincd = SIGTERM;
- else if(!strcasecmp(optarg, "KILL"))
- kill_tincd = SIGKILL;
- else if(!strcasecmp(optarg, "USR1"))
- kill_tincd = SIGUSR1;
- else if(!strcasecmp(optarg, "USR2"))
- kill_tincd = SIGUSR2;
- else if(!strcasecmp(optarg, "WINCH"))
- kill_tincd = SIGWINCH;
- else if(!strcasecmp(optarg, "INT"))
- kill_tincd = SIGINT;
- else if(!strcasecmp(optarg, "ALRM"))
- kill_tincd = SIGALRM;
- else {
- kill_tincd = atoi(optarg);
-
- if(!kill_tincd) {
- fprintf(stderr, "Invalid argument `%s'; SIGNAL must be a number or one of HUP, TERM, KILL, USR1, USR2, WINCH, INT or ALRM.\n",
- optarg);
- usage(true);
- return false;
- }
- }
- } else
- kill_tincd = SIGTERM;
-#else
- kill_tincd = 1;
-#endif
- break;
-
case 'n': /* net name given */
- netname = xstrdup(optarg);
+ /* netname "." is special: a "top-level name" */
+ netname = strcmp(optarg, ".") != 0 ?
+ xstrdup(optarg) : NULL;
+ break;
+
+ case 'o': /* option */
+ cfg = parse_config_line(optarg, NULL, ++lineno);
+ if (!cfg)
+ return false;
+ list_insert_tail(cmdline_conf, cfg);
break;
- case 'K': /* generate public/private keypair */
- if(optarg) {
- generate_keys = atoi(optarg);
-
- if(generate_keys < 512) {
- fprintf(stderr, "Invalid argument `%s'; BITS must be a number equal to or greater than 512.\n",
- optarg);
- usage(true);
- return false;
- }
-
- generate_keys &= ~7; /* Round it to bytes */
- } else
- generate_keys = 2048;
- break;
-
case 'R': /* chroot to NETNAME dir */
do_chroot = true;
break;
logfilename = xstrdup(optarg);
break;
- case 5: /* write PID to a file */
- pidfilename = xstrdup(optarg);
+ case 5: /* open control socket here */
+ controlcookiename = xstrdup(optarg);
break;
case '?':
return true;
}
-/* This function prettyprints the key generation process */
-
-static void indicator(int a, int b, void *p) {
- switch (a) {
- case 0:
- fprintf(stderr, ".");
- break;
-
- case 1:
- fprintf(stderr, "+");
- break;
-
- case 2:
- fprintf(stderr, "-");
- break;
-
- case 3:
- switch (b) {
- case 0:
- fprintf(stderr, " p\n");
- break;
-
- case 1:
- fprintf(stderr, " q\n");
- break;
-
- default:
- fprintf(stderr, "?");
- }
- break;
-
- default:
- fprintf(stderr, "?");
- }
-}
-
-/*
- Generate a public/private RSA keypair, and ask for a file to store
- them in.
-*/
-static bool keygen(int bits) {
- RSA *rsa_key;
- FILE *f;
- char *name = NULL;
- char *filename;
-
- get_config_string(lookup_config(config_tree, "Name"), &name);
-
- if(name && !check_id(name)) {
- fprintf(stderr, "Invalid name for myself!\n");
- return false;
- }
-
- fprintf(stderr, "Generating %d bits keys:\n", bits);
- rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL);
-
- if(!rsa_key) {
- fprintf(stderr, "Error during key generation!\n");
- return false;
- } else
- fprintf(stderr, "Done.\n");
-
- xasprintf(&filename, "%s/rsa_key.priv", confbase);
- f = ask_and_open(filename, "private RSA key");
-
- if(!f)
- return false;
-
- if(disable_old_keys(f))
- fprintf(stderr, "Warning: old key(s) found and disabled.\n");
-
-#ifdef HAVE_FCHMOD
- /* Make it unreadable for others. */
- fchmod(fileno(f), 0600);
-#endif
-
- fputc('\n', f);
- PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL);
- fclose(f);
- free(filename);
-
- if(name)
- xasprintf(&filename, "%s/hosts/%s", confbase, name);
- else
- xasprintf(&filename, "%s/rsa_key.pub", confbase);
-
- f = ask_and_open(filename, "public RSA key");
-
- if(!f)
- return false;
-
- if(disable_old_keys(f))
- fprintf(stderr, "Warning: old key(s) found and disabled.\n");
-
- fputc('\n', f);
- PEM_write_RSAPublicKey(f, rsa_key);
- fclose(f);
- free(filename);
- if(name)
- free(name);
-
- return true;
-}
-
/*
Set all files and paths according to netname
*/
#ifdef HAVE_MINGW
HKEY key;
char installdir[1024] = "";
- long len = sizeof(installdir);
+ long len = sizeof installdir;
#endif
if(netname)
else
xasprintf(&confbase, "%s", installdir);
}
+ if(!controlcookiename)
+ xasprintf(&controlcookiename, "%s/cookie", confbase);
}
RegCloseKey(key);
if(*installdir)
}
#endif
- if(!pidfilename)
- xasprintf(&pidfilename, LOCALSTATEDIR "/run/%s.pid", identname);
-
if(!logfilename)
xasprintf(&logfilename, LOCALSTATEDIR "/log/%s.log", identname);
+ if(!controlcookiename)
+ xasprintf(&controlcookiename, LOCALSTATEDIR "/run/%s.cookie", identname);
+
if(netname) {
if(!confbase)
xasprintf(&confbase, CONFDIR "/tinc/%s", netname);
static void free_names() {
if (identname) free(identname);
if (netname) free(netname);
- if (pidfilename) free(pidfilename);
+ if (controlcookiename) free(controlcookiename);
if (logfilename) free(logfilename);
if (confbase) free(confbase);
}
return 0;
}
- if(kill_tincd)
- return !kill_other(kill_tincd);
+#ifdef HAVE_MINGW
+ if(WSAStartup(MAKEWORD(2, 2), &wsa_state)) {
+ logger(LOG_ERR, "System call `%s' failed: %s", "WSAStartup", winerror(GetLastError()));
+ return 1;
+ }
+#endif
openlogger("tinc", use_logfile?LOGMODE_FILE:LOGMODE_STDERR);
+ if(!event_init()) {
+ logger(LOG_ERR, "Error initializing libevent!");
+ return 1;
+ }
+
g_argv = argv;
init_configuration(&config_tree);
/* Slllluuuuuuurrrrp! */
- RAND_load_file("/dev/urandom", 1024);
-
- ENGINE_load_builtin_engines();
- ENGINE_register_all_complete();
-
- OpenSSL_add_all_algorithms();
-
- if(generate_keys) {
- read_server_config();
- return !keygen(generate_keys);
- }
+ srand(time(NULL));
+ crypto_init();
if(!read_server_config())
return 1;
#endif
#ifdef HAVE_MINGW
- if(WSAStartup(MAKEWORD(2, 2), &wsa_state)) {
- logger(LOG_ERR, "System call `%s' failed: %s", "WSAStartup", winerror(GetLastError()));
- return 1;
- }
-
if(!do_detach || !init_service())
return main2(argc, argv);
else
if(!setup_network())
goto end;
+ if(!init_control())
+ return 1;
+
/* Initiate all outgoing connections. */
try_outgoing_connections();
char *priority = 0;
if(get_config_string(lookup_config(config_tree, "ProcessPriority"), &priority)) {
- if(!strcasecmp(priority, "Normal"))
- setpriority(NORMAL_PRIORITY_CLASS);
- else if(!strcasecmp(priority, "Low"))
- setpriority(BELOW_NORMAL_PRIORITY_CLASS);
- else if(!strcasecmp(priority, "High"))
- setpriority(HIGH_PRIORITY_CLASS);
- else {
+ if(!strcasecmp(priority, "Normal")) {
+ if (setpriority(NORMAL_PRIORITY_CLASS) != 0) {
+ logger(LOG_ERR, "System call `%s' failed: %s",
+ "setpriority", strerror(errno));
+ goto end;
+ }
+ } else if(!strcasecmp(priority, "Low")) {
+ if (setpriority(BELOW_NORMAL_PRIORITY_CLASS) != 0) {
+ logger(LOG_ERR, "System call `%s' failed: %s",
+ "setpriority", strerror(errno));
+ goto end;
+ }
+ } else if(!strcasecmp(priority, "High")) {
+ if (setpriority(HIGH_PRIORITY_CLASS) != 0) {
+ logger(LOG_ERR, "System call `%s' failed: %s",
+ "setpriority", strerror(errno));
+ goto end;
+ }
+ } else {
logger(LOG_ERR, "Invalid priority `%s`!", priority);
goto end;
}
end:
logger(LOG_NOTICE, "Terminating");
-#ifndef HAVE_MINGW
- remove_pid(pidfilename);
-#endif
+ exit_control();
- EVP_cleanup();
- ENGINE_cleanup();
- CRYPTO_cleanup_all_ex_data();
- ERR_remove_state(0);
- ERR_free_strings();
+ crypto_exit();
exit_configuration(&config_tree);
free_names();
extern char *identname;
extern bool running;
- static int device_total_in = 0;
- static int device_total_out = 0;
+ static uint64_t device_total_in = 0;
+ static uint64_t device_total_out = 0;
enum request_type { REQ_NEW_CONTROL };
}
bool read_packet(vpn_packet_t *packet) {
- int lenin;
+ int inlen;
switch(state) {
case 0: {
}
case 1: {
- if((lenin = read(request_fd, &request, sizeof request)) != sizeof request) {
+ if((inlen = read(request_fd, &request, sizeof request)) != sizeof request) {
logger(LOG_ERR, "Error while reading request from %s %s: %s", device_info,
device, strerror(errno));
running = false;
}
case 2: {
- if((lenin = read(data_fd, packet->data, MTU)) <= 0) {
+ if((inlen = read(data_fd, packet->data, MTU)) <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
device, strerror(errno));
running = false;
return false;
}
- packet->len = lenin;
+ packet->len = inlen;
device_total_in += packet->len;
void dump_device_stats(void) {
logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device);
- logger(LOG_DEBUG, " total bytes in: %10d", device_total_in);
- logger(LOG_DEBUG, " total bytes out: %10d", device_total_out);
+ logger(LOG_DEBUG, " total bytes in: %10"PRIu64, device_total_in);
+ logger(LOG_DEBUG, " total bytes out: %10"PRIu64, device_total_out);
}
projects / tinc / commitdiff