[ViewVC] Diff of: cvs/gvpe/src/vpn.C

Comparing gvpe/src/vpn.C (file contents):
Revision 1.54 by pcg, Mon Mar 23 15:22:00 2009 UTC vs.
Revision 1.65 by root, Tue Jul 16 16:44:37 2013 UTC

 /*
     vpn.C -- handle the protocol, encryption, handshaking etc.
-    Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de>
+    Copyright (C) 2003-2008,2010,2011,2013 Marc Lehmann <gvpe@schmorp.de>
     This file is part of GVPE.
     GVPE is free software; you can redistribute it and/or modify it
     under the terms of the GNU General Public License as published by the
 #include <cstdlib>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/wait.h>
+#include <sys/stat.h>
 #include <errno.h>
 #include <time.h>
 #include <unistd.h>
 #include <fcntl.h>
 #include <sys/socket.h>
 #include "connection.h"
 #include "util.h"
 #include "vpn.h"
+using namespace std;
 vpn network; // THE vpn (bad design...)
 /////////////////////////////////////////////////////////////////////////////
 static void inline
 {
   // the tunnel device mtu should be the physical mtu - overhead
   // the tricky part is rounding to the cipher key blocksize
   int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
   mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
-  mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
+  mtu -= mtu % BLOCK_SIZE (CIPHER); // round
   mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
   char *env;
   asprintf (&env, "CONFBASE=%s", confbase); putenv (env);
   asprintf (&env, "IFNAME=%s", tap->interface ()); putenv (env);
   fcntl (fd, F_SETFL, O_NONBLOCK);
   fcntl (fd, F_SETFD, FD_CLOEXEC);
 #ifdef SO_MARK
   if (::conf.nfmark)
-    setsockopt (ipv4_fd, SOL_SOCKET, SO_MARK, &::conf.nfmark, sizeof ::conf.nfmark);
+    if (setsockopt (fd, SOL_SOCKET, SO_MARK, &::conf.nfmark, sizeof ::conf.nfmark))
+      slog (L_WARN, _("unable to set nfmark on %s socket: %s"), strprotocol (prot), strerror (errno));
 #endif
   return fd;
 }
     }
   tap_ev_watcher.start (tap->fd, EV_READ);
   return 0;
+}
+bool
+vpn::drop_privileges ()
+{
+  if (::conf.change_root)
+    {
+      if (!strcmp (::conf.change_root, "/"))
+        {
+          char dir [L_tmpnam];
+          if (!tmpnam (dir))
+            {
+              slog (L_CRIT, _("unable to create anonymous root path."));
+              return false;
+            }
+          if (mkdir (dir, 0700))
+            {
+              slog (L_CRIT, _("unable to crate anonymous root directory."));
+              return false;
+            }
+          if (chdir (dir))
+            {
+              slog (L_CRIT, _("unable to change to anonymous root directory."));
+              return false;
+            }
+          if (rmdir (dir))
+            slog (L_ERR, _("unable to remove anonymous root directory, continuing."));
+        }
+      else
+        {
+          if (chdir (::conf.change_root))
+            {
+              slog (L_CRIT, _("%s: unable to change to specified root directory."), ::conf.change_root);
+              return false;
+            }
+        }
+      if (chroot ("."))
+        {
+          slog (L_CRIT, _("unable to set new root directory."));
+          return false;
+        }
+      if (chdir ("/"))
+        {
+          slog (L_CRIT, _("unable to set cwd to new root directory."));
+          return false;
+        }
+    }
+  if (::conf.change_gid)
+    if (setgid (::conf.change_gid))
+      {
+        slog (L_CRIT, _("unable to change group id to %d."), ::conf.change_gid);
+        return false;
+      }
+  if (::conf.change_uid)
+    if (setuid (::conf.change_uid))
+      {
+        slog (L_CRIT, _("unable to change user id to %d."), ::conf.change_uid);
+        return false;
+      }
+  return true;
 }
 bool
 vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
 {
         (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
   if (src == 0 || src > conns.size ()
       || dst > conns.size ()
       || pkt->typ () >= vpn_packet::PT_MAX)
-    slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)."),
-          (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
-  else if (dst > conns.size ())
     slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)."),
           (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
   else
     {
       connection *c = conns[src - 1];
 vpn::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
 {
   switch (si.prot)
     {
       case PROT_IPv4:
-        return send_ipv4_packet (pkt, si, tos);
+        return send_ipv4_packet   (pkt, si, tos);
       case PROT_UDPv4:
-        return send_udpv4_packet (pkt, si, tos);
+        return send_udpv4_packet  (pkt, si, tos);
 #if ENABLE_TCP
       case PROT_TCPv4:
-        return send_tcpv4_packet (pkt, si, tos);
+        return send_tcpv4_packet  (pkt, si, tos);
 #endif
 #if ENABLE_ICMP
       case PROT_ICMPv4:
         return send_icmpv4_packet (pkt, si, tos);
 #endif
 #if ENABLE_DNS
       case PROT_DNSv4:
-        return send_dnsv4_packet (pkt, si, tos);
+        return send_dnsv4_packet  (pkt, si, tos);
 #endif
       default:
         slog (L_CRIT, _("%s: FATAL: trying to send packet with unsupported protocol."), (const char *)si);
     }
       if (len > 0)
         {
           pkt->len = len;
           // raw sockets deliver the ipv4 header, but don't expect it on sends
-          pkt->skip_hdr (IP_OVERHEAD);
+          pkt->skip_hdr (pkt->ipv4_hdr_len ());
           recv_vpn_packet (pkt, si);
         }
       else
         {
           if (hdr->type == ::conf.icmp_type
               && hdr->code == 255)
             {
               // raw sockets deliver the ipv4, but don't expect it on sends
               // this is slow, but...
-              pkt->skip_hdr (ICMP_OVERHEAD);
+              pkt->skip_hdr (pkt->ipv4_hdr_len () + (ICMP_OVERHEAD - IP_OVERHEAD));
               recv_vpn_packet (pkt, si);
             }
         }
       else
   for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
     (*c)->establish_connection ();
 }
+bool
-bool vpn::can_direct (conf_node *src, conf_node *dst) const
+vpn::can_direct (conf_node *src, conf_node *dst) const
 {
   return src != dst
       && src->may_direct (dst)
       && dst->may_direct (src)
       && (((src->protocols & dst->protocols) && src->connectmode == conf_node::C_ALWAYS)
           || (src->protocols & dst->connectable_protocols ()));
 }
 // only works for indirect and routed connections: find a router
 // from THISNODE to dst
+connection *
-connection *vpn::find_router_for (const connection *dst)
+vpn::find_router_for (const connection *dst)
 {
   connection *router = 0;
   // first try to find a router with a direct connection, route there
   // regardless of any other considerations.
   }
   return router;
 }
+void
-void vpn::connection_established (connection *c)
+vpn::connection_established (connection *c)
 {
   for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
     {
       connection *o = *i;
           o->rekey ();
         }
     }
 }
+void
-void vpn::send_connect_request (connection *c)
+vpn::send_connect_request (connection *c)
 {
   connection *r = find_router_for (c);
   if (r)
     {

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/src/vpn.C (file contents): Revision 1.54 by pcg, Mon Mar 23 15:22:00 2009 UTC vs. Revision 1.65 by root, Tue Jul 16 16:44:37 2013 UTC

Diff Legend

Comparing gvpe/src/vpn.C (file contents):
Revision 1.54 by pcg, Mon Mar 23 15:22:00 2009 UTC vs.
Revision 1.65 by root, Tue Jul 16 16:44:37 2013 UTC