ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/vpn.C
(Generate patch)

Comparing gvpe/src/vpn.C (file contents):
Revision 1.54 by pcg, Mon Mar 23 15:22:00 2009 UTC vs.
Revision 1.68 by root, Wed Jul 15 23:04:06 2015 UTC

1/* 1/*
2 vpn.C -- handle the protocol, encryption, handshaking etc. 2 vpn.C -- handle the protocol, encryption, handshaking etc.
3 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de> 3 Copyright (C) 2003-2008,2010,2011,2013 Marc Lehmann <gvpe@schmorp.de>
4 4
5 This file is part of GVPE. 5 This file is part of GVPE.
6 6
7 GVPE is free software; you can redistribute it and/or modify it 7 GVPE is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by the 8 under the terms of the GNU General Public License as published by the
38#include <cstdlib> 38#include <cstdlib>
39 39
40#include <sys/types.h> 40#include <sys/types.h>
41#include <sys/socket.h> 41#include <sys/socket.h>
42#include <sys/wait.h> 42#include <sys/wait.h>
43#include <sys/stat.h>
43#include <errno.h> 44#include <errno.h>
44#include <time.h> 45#include <time.h>
45#include <unistd.h> 46#include <unistd.h>
46#include <fcntl.h> 47#include <fcntl.h>
47#include <sys/socket.h> 48#include <sys/socket.h>
52 53
53#include "connection.h" 54#include "connection.h"
54#include "util.h" 55#include "util.h"
55#include "vpn.h" 56#include "vpn.h"
56 57
58using namespace std;
59
57vpn network; // THE vpn (bad design...) 60vpn network; // THE vpn (bad design...)
58 61
59///////////////////////////////////////////////////////////////////////////// 62/////////////////////////////////////////////////////////////////////////////
60 63
61static void inline 64static void inline
75{ 78{
76 // the tunnel device mtu should be the physical mtu - overhead 79 // the tunnel device mtu should be the physical mtu - overhead
77 // the tricky part is rounding to the cipher key blocksize 80 // the tricky part is rounding to the cipher key blocksize
78 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD; 81 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
79 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion 82 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
80 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round 83 mtu -= mtu % BLOCK_SIZE (CIPHER); // round
81 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again 84 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
82 85
83 char *env; 86 char *env;
84 asprintf (&env, "CONFBASE=%s", confbase); putenv (env); 87 asprintf (&env, "CONFBASE=%s", confbase); putenv (env);
85 asprintf (&env, "IFNAME=%s", tap->interface ()); putenv (env); 88 asprintf (&env, "IFNAME=%s", tap->interface ()); putenv (env);
110inline const char * 113inline const char *
111vpn::script_if_up () 114vpn::script_if_up ()
112{ 115{
113 script_init_env (); 116 script_init_env ();
114 117
115 char *filename; 118 return conf.config_filename (::conf.script_if_up, "if-up");
116 asprintf (&filename,
117 "%s/%s",
118 confbase,
119 ::conf.script_if_up ? ::conf.script_if_up : "if-up");
120
121 return filename;
122} 119}
123 120
124int 121int
125vpn::setup_socket (u8 prot, int family, int type, int proto) 122vpn::setup_socket (u8 prot, int family, int type, int proto)
126{ 123{
135 fcntl (fd, F_SETFL, O_NONBLOCK); 132 fcntl (fd, F_SETFL, O_NONBLOCK);
136 fcntl (fd, F_SETFD, FD_CLOEXEC); 133 fcntl (fd, F_SETFD, FD_CLOEXEC);
137 134
138#ifdef SO_MARK 135#ifdef SO_MARK
139 if (::conf.nfmark) 136 if (::conf.nfmark)
140 setsockopt (ipv4_fd, SOL_SOCKET, SO_MARK, &::conf.nfmark, sizeof ::conf.nfmark); 137 if (setsockopt (fd, SOL_SOCKET, SO_MARK, &::conf.nfmark, sizeof ::conf.nfmark))
138 slog (L_WARN, _("unable to set nfmark on %s socket: %s"), strprotocol (prot), strerror (errno));
141#endif 139#endif
142 140
143 return fd; 141 return fd;
144} 142}
145 143
388 } 386 }
389 387
390 tap_ev_watcher.start (tap->fd, EV_READ); 388 tap_ev_watcher.start (tap->fd, EV_READ);
391 389
392 return 0; 390 return 0;
391}
392
393bool
394vpn::drop_privileges ()
395{
396 if (::conf.change_root)
397 {
398 if (!strcmp (::conf.change_root, "/"))
399 {
400 char dir [L_tmpnam];
401 if (!tmpnam (dir))
402 {
403 slog (L_CRIT, _("unable to create anonymous root path."));
404 return false;
405 }
406
407 if (mkdir (dir, 0700))
408 {
409 slog (L_CRIT, _("unable to create anonymous root directory."));
410 return false;
411 }
412
413 if (chdir (dir))
414 {
415 slog (L_CRIT, _("unable to change to anonymous root directory."));
416 return false;
417 }
418
419 if (rmdir (dir))
420 slog (L_ERR, _("unable to remove anonymous root directory, continuing."));
421 }
422 else
423 {
424 if (chdir (::conf.change_root))
425 {
426 slog (L_CRIT, _("%s: unable to change to specified root directory."), ::conf.change_root);
427 return false;
428 }
429 }
430
431 if (chroot ("."))
432 {
433 slog (L_CRIT, _("unable to set new root directory."));
434 return false;
435 }
436
437 if (chdir ("/"))
438 {
439 slog (L_CRIT, _("unable to set cwd to new root directory."));
440 return false;
441 }
442 }
443
444 if (::conf.change_gid)
445 if (setgid (::conf.change_gid))
446 {
447 slog (L_CRIT, _("unable to change group id to %d."), ::conf.change_gid);
448 return false;
449 }
450
451 if (::conf.change_uid)
452 if (setuid (::conf.change_uid))
453 {
454 slog (L_CRIT, _("unable to change user id to %d."), ::conf.change_uid);
455 return false;
456 }
457
458 return true;
393} 459}
394 460
395bool 461bool
396vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos) 462vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
397{ 463{
481 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len); 547 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
482 548
483 if (src == 0 || src > conns.size () 549 if (src == 0 || src > conns.size ()
484 || dst > conns.size () 550 || dst > conns.size ()
485 || pkt->typ () >= vpn_packet::PT_MAX) 551 || pkt->typ () >= vpn_packet::PT_MAX)
486 slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)."),
487 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
488 else if (dst > conns.size ())
489 slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)."), 552 slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)."),
490 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ()); 553 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
491 else 554 else
492 { 555 {
493 connection *c = conns[src - 1]; 556 connection *c = conns[src - 1];
515vpn::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos) 578vpn::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
516{ 579{
517 switch (si.prot) 580 switch (si.prot)
518 { 581 {
519 case PROT_IPv4: 582 case PROT_IPv4:
520 return send_ipv4_packet (pkt, si, tos); 583 return send_ipv4_packet (pkt, si, tos);
521 584
522 case PROT_UDPv4: 585 case PROT_UDPv4:
523 return send_udpv4_packet (pkt, si, tos); 586 return send_udpv4_packet (pkt, si, tos);
524 587
525#if ENABLE_TCP 588#if ENABLE_TCP
526 case PROT_TCPv4: 589 case PROT_TCPv4:
527 return send_tcpv4_packet (pkt, si, tos); 590 return send_tcpv4_packet (pkt, si, tos);
528#endif 591#endif
529#if ENABLE_ICMP 592#if ENABLE_ICMP
530 case PROT_ICMPv4: 593 case PROT_ICMPv4:
531 return send_icmpv4_packet (pkt, si, tos); 594 return send_icmpv4_packet (pkt, si, tos);
532#endif 595#endif
533#if ENABLE_DNS 596#if ENABLE_DNS
534 case PROT_DNSv4: 597 case PROT_DNSv4:
535 return send_dnsv4_packet (pkt, si, tos); 598 return send_dnsv4_packet (pkt, si, tos);
536#endif 599#endif
537 default: 600 default:
538 slog (L_CRIT, _("%s: FATAL: trying to send packet with unsupported protocol."), (const char *)si); 601 slog (L_CRIT, _("%s: FATAL: trying to send packet with unsupported protocol."), (const char *)si);
539 } 602 }
540 603
558 if (len > 0) 621 if (len > 0)
559 { 622 {
560 pkt->len = len; 623 pkt->len = len;
561 624
562 // raw sockets deliver the ipv4 header, but don't expect it on sends 625 // raw sockets deliver the ipv4 header, but don't expect it on sends
563 pkt->skip_hdr (IP_OVERHEAD); 626 pkt->skip_hdr (pkt->ipv4_hdr_len ());
564 627
565 recv_vpn_packet (pkt, si); 628 recv_vpn_packet (pkt, si);
566 } 629 }
567 else 630 else
568 { 631 {
605 if (hdr->type == ::conf.icmp_type 668 if (hdr->type == ::conf.icmp_type
606 && hdr->code == 255) 669 && hdr->code == 255)
607 { 670 {
608 // raw sockets deliver the ipv4, but don't expect it on sends 671 // raw sockets deliver the ipv4, but don't expect it on sends
609 // this is slow, but... 672 // this is slow, but...
610 pkt->skip_hdr (ICMP_OVERHEAD); 673 pkt->skip_hdr (pkt->ipv4_hdr_len () + (ICMP_OVERHEAD - IP_OVERHEAD));
611 674
612 recv_vpn_packet (pkt, si); 675 recv_vpn_packet (pkt, si);
613 } 676 }
614 } 677 }
615 else 678 else
757 820
758 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 821 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
759 (*c)->establish_connection (); 822 (*c)->establish_connection ();
760} 823}
761 824
825bool
762bool vpn::can_direct (conf_node *src, conf_node *dst) const 826vpn::can_direct (conf_node *src, conf_node *dst) const
763{ 827{
764 return src != dst 828 return src != dst
765 && src->may_direct (dst) 829 && src->may_direct (dst)
766 && dst->may_direct (src) 830 && dst->may_direct (src)
767 && (((src->protocols & dst->protocols) && src->connectmode == conf_node::C_ALWAYS) 831 && (((src->protocols & dst->protocols) && src->connectmode == conf_node::C_ALWAYS)
768 || (src->protocols & dst->connectable_protocols ())); 832 || (src->protocols & dst->connectable_protocols ()));
769} 833}
770 834
771// only works for indirect and routed connections: find a router 835// only works for indirect and routed connections: find a router
772// from THISNODE to dst 836// from THISNODE to dst
837connection *
773connection *vpn::find_router_for (const connection *dst) 838vpn::find_router_for (const connection *dst)
774{ 839{
775 connection *router = 0; 840 connection *router = 0;
776 841
777 // first try to find a router with a direct connection, route there 842 // first try to find a router with a direct connection, route there
778 // regardless of any other considerations. 843 // regardless of any other considerations.
817 } 882 }
818 883
819 return router; 884 return router;
820} 885}
821 886
887void
822void vpn::connection_established (connection *c) 888vpn::connection_established (connection *c)
823{ 889{
824 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i) 890 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
825 { 891 {
826 connection *o = *i; 892 connection *o = *i;
827 893
828 if (!o->is_direct
829 && o->si.valid () 894 if (o->si.valid ()
830 && c->si != o->si 895 && c->si != o->si
831 && c == find_router_for (o)) 896 && c == find_router_for (o)
897 && !can_direct (THISNODE, o->conf))
832 { 898 {
833 slog (L_DEBUG, _("%s: can now route packets via %s, re-keying connection."), 899 slog (L_DEBUG, _("%s: can now route packets via %s, re-keying connection."),
834 o->conf->nodename, c->conf->nodename); 900 o->conf->nodename, c->conf->nodename);
835 o->rekey (); 901 o->rekey ();
836 } 902 }
837 } 903 }
838} 904}
839 905
906void
840void vpn::send_connect_request (connection *c) 907vpn::send_connect_request (connection *c)
841{ 908{
842 connection *r = find_router_for (c); 909 connection *r = find_router_for (c);
843 910
844 if (r) 911 if (r)
845 { 912 {

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines