X-Git-Url: http://git.meshlink.io/?p=meshlink;a=blobdiff_plain;f=src%2Fnet_setup.c;h=3285a32981805815ac9effd1b8323eae270ab397;hp=eec438a80879831b1a2416fbdeefa0a9cebf6328;hb=19be9cf7150858311f7898fa3fb525d692d02f64;hpb=00e71ece25070dc919f9bc0696e4ff3a387360d0

diff --git a/src/net_setup.c b/src/net_setup.c
index eec438a8..3285a329 100644
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -22,17 +22,14 @@
 
 #include "system.h"
 
-#include <openssl/pem.h>
-#include <openssl/rsa.h>
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-
-#include "avl_tree.h"
+#include "splay_tree.h"
+#include "cipher.h"
 #include "conf.h"
 #include "connection.h"
+#include "control.h"
 #include "device.h"
-#include "event.h"
+#include "digest.h"
+#include "ecdsa.h"
 #include "graph.h"
 #include "logger.h"
 #include "net.h"
@@ -40,11 +37,13 @@
 #include "process.h"
 #include "protocol.h"
 #include "route.h"
+#include "rsa.h"
 #include "subnet.h"
 #include "utils.h"
 #include "xalloc.h"
 
 char *myport;
+static struct event device_ev;
 devops_t devops;
 
 char *proxyhost;
@@ -53,166 +52,238 @@ char *proxyuser;
 char *proxypass;
 proxytype_t proxytype;
 
-bool read_rsa_public_key(connection_t *c) {
+bool node_read_ecdsa_public_key(node_t *n) {
+	if(ecdsa_active(&n->ecdsa))
+		return true;
+
+	splay_tree_t *config_tree;
 	FILE *fp;
 	char *fname;
-	char *key;
+	char *p;
+	bool result = false;
 
-	if(!c->rsa_key) {
-		c->rsa_key = RSA_new();
-//		RSA_blinding_on(c->rsa_key, NULL);
-	}
+	xasprintf(&fname, "%s/hosts/%s", confbase, n->name);
 
-	/* First, check for simple PublicKey statement */
+	init_configuration(&config_tree);
+	if(!read_config_file(config_tree, fname))
+		goto exit;
 
-	if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
-		BN_hex2bn(&c->rsa_key->n, key);
-		BN_hex2bn(&c->rsa_key->e, "FFFF");
-		free(key);
-		return true;
+	/* First, check for simple ECDSAPublicKey statement */
+
+	if(get_config_string(lookup_config(config_tree, "ECDSAPublicKey"), &p)) {
+		result = ecdsa_set_base64_public_key(&n->ecdsa, p);
+		free(p);
+		goto exit;
 	}
 
-	/* Else, check for PublicKeyFile statement and read it */
+	/* Else, check for ECDSAPublicKeyFile statement and read it */
 
-	if(get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &fname)) {
-		fp = fopen(fname, "r");
+	free(fname);
 
-		if(!fp) {
-			logger(LOG_ERR, "Error reading RSA public key file `%s': %s",
-				   fname, strerror(errno));
-			free(fname);
-			return false;
-		}
+	if(!get_config_string(lookup_config(config_tree, "ECDSAPublicKeyFile"), &fname))
+		xasprintf(&fname, "%s/hosts/%s", confbase, n->name);
 
-		free(fname);
-		c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
-		fclose(fp);
+	fp = fopen(fname, "r");
 
-		if(c->rsa_key)
-			return true;		/* Woohoo. */
+	if(!fp) {
+		logger(DEBUG_ALWAYS, LOG_ERR, "Error reading ECDSA public key file `%s': %s", fname, strerror(errno));
+		goto exit;
+	}
 
-		/* If it fails, try PEM_read_RSA_PUBKEY. */
-		fp = fopen(fname, "r");
+	result = ecdsa_read_pem_public_key(&n->ecdsa, fp);
+	fclose(fp);
 
-		if(!fp) {
-			logger(LOG_ERR, "Error reading RSA public key file `%s': %s",
-				   fname, strerror(errno));
-			free(fname);
-			return false;
-		}
+exit:
+	exit_configuration(&config_tree);
+	free(fname);
+	return result;
+}
 
-		free(fname);
-		c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
-		fclose(fp);
+bool read_ecdsa_public_key(connection_t *c) {
+	FILE *fp;
+	char *fname;
+	char *p;
+	bool result;
 
-		if(c->rsa_key) {
-//				RSA_blinding_on(c->rsa_key, NULL);
-			return true;
-		}
+	/* First, check for simple ECDSAPublicKey statement */
 
-		logger(LOG_ERR, "Reading RSA public key file `%s' failed: %s",
-			   fname, strerror(errno));
-		return false;
+	if(get_config_string(lookup_config(c->config_tree, "ECDSAPublicKey"), &p)) {
+		result = ecdsa_set_base64_public_key(&c->ecdsa, p);
+		free(p);
+		return result;
 	}
 
-	/* Else, check if a harnessed public key is in the config file */
+	/* Else, check for ECDSAPublicKeyFile statement and read it */
+
+	if(!get_config_string(lookup_config(c->config_tree, "ECDSAPublicKeyFile"), &fname))
+		xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
 
-	xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
 	fp = fopen(fname, "r");
 
 	if(!fp) {
-		logger(LOG_ERR, "Error reading RSA public key file `%s': %s", fname, strerror(errno));
+		logger(DEBUG_ALWAYS, LOG_ERR, "Error reading ECDSA public key file `%s': %s",
+			   fname, strerror(errno));
 		free(fname);
 		return false;
 	}
 
-	c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
+	result = ecdsa_read_pem_public_key(&c->ecdsa, fp);
 	fclose(fp);
+
+	if(!result)
+		logger(DEBUG_ALWAYS, LOG_ERR, "Parsing ECDSA public key file `%s' failed.", fname);
 	free(fname);
+	return result;
+}
 
-	if(c->rsa_key)
-		return true;
+bool read_rsa_public_key(connection_t *c) {
+	FILE *fp;
+	char *fname;
+	char *n;
+	bool result;
 
-	/* Try again with PEM_read_RSA_PUBKEY. */
+	/* First, check for simple PublicKey statement */
+
+	if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &n)) {
+		result = rsa_set_hex_public_key(&c->rsa, n, "FFFF");
+		free(n);
+		return result;
+	}
+
+	/* Else, check for PublicKeyFile statement and read it */
+
+	if(!get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &fname))
+		xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
 
-	xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
 	fp = fopen(fname, "r");
 
 	if(!fp) {
-		logger(LOG_ERR, "Error reading RSA public key file `%s': %s", fname, strerror(errno));
+		logger(DEBUG_ALWAYS, LOG_ERR, "Error reading RSA public key file `%s': %s", fname, strerror(errno));
 		free(fname);
 		return false;
 	}
 
-	c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
-//	RSA_blinding_on(c->rsa_key, NULL);
+	result = rsa_read_pem_public_key(&c->rsa, fp);
 	fclose(fp);
+
+	if(!result) 
+		logger(DEBUG_ALWAYS, LOG_ERR, "Reading RSA public key file `%s' failed: %s", fname, strerror(errno));
 	free(fname);
+	return result;
+}
 
-	if(c->rsa_key)
-		return true;
+static bool read_ecdsa_private_key(void) {
+	FILE *fp;
+	char *fname;
+	bool result;
+
+	/* Check for PrivateKeyFile statement and read it */
 
-	logger(LOG_ERR, "No public key for %s specified!", c->name);
+	if(!get_config_string(lookup_config(config_tree, "ECDSAPrivateKeyFile"), &fname))
+		xasprintf(&fname, "%s/ecdsa_key.priv", confbase);
+
+	fp = fopen(fname, "r");
+
+	if(!fp) {
+		logger(DEBUG_ALWAYS, LOG_ERR, "Error reading ECDSA private key file `%s': %s", fname, strerror(errno));
+		free(fname);
+		return false;
+	}
+
+#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
+	struct stat s;
+
+	if(fstat(fileno(fp), &s)) {
+		logger(DEBUG_ALWAYS, LOG_ERR, "Could not stat ECDSA private key file `%s': %s'", fname, strerror(errno));
+		free(fname);
+		return false;
+	}
+
+	if(s.st_mode & ~0100700)
+		logger(DEBUG_ALWAYS, LOG_WARNING, "Warning: insecure file permissions for ECDSA private key file `%s'!", fname);
+#endif
+
+	result = ecdsa_read_pem_private_key(&myself->connection->ecdsa, fp);
+	fclose(fp);
 
-	return false;
+	if(!result) 
+		logger(DEBUG_ALWAYS, LOG_ERR, "Reading ECDSA private key file `%s' failed: %s", fname, strerror(errno));
+	free(fname);
+	return result;
 }
 
 static bool read_rsa_private_key(void) {
 	FILE *fp;
-	char *fname, *key, *pubkey;
-	struct stat s;
+	char *fname;
+	char *n, *d;
+	bool result;
 
-	if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
-		if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
-			logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
+	/* First, check for simple PrivateKey statement */
+
+	if(get_config_string(lookup_config(config_tree, "PrivateKey"), &d)) {
+		if(!get_config_string(lookup_config(config_tree, "PublicKey"), &n)) {
+			logger(DEBUG_ALWAYS, LOG_ERR, "PrivateKey used but no PublicKey found!");
+			free(d);
 			return false;
 		}
-		myself->connection->rsa_key = RSA_new();
-//		RSA_blinding_on(myself->connection->rsa_key, NULL);
-		BN_hex2bn(&myself->connection->rsa_key->d, key);
-		BN_hex2bn(&myself->connection->rsa_key->n, pubkey);
-		BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
-		free(key);
-		free(pubkey);
+		result = rsa_set_hex_private_key(&myself->connection->rsa, n, "FFFF", d);
+		free(n);
+		free(d);
 		return true;
 	}
 
+	/* Else, check for PrivateKeyFile statement and read it */
+
 	if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname))
 		xasprintf(&fname, "%s/rsa_key.priv", confbase);
 
 	fp = fopen(fname, "r");
 
 	if(!fp) {
-		logger(LOG_ERR, "Error reading RSA private key file `%s': %s",
+		logger(DEBUG_ALWAYS, LOG_ERR, "Error reading RSA private key file `%s': %s",
 			   fname, strerror(errno));
 		free(fname);
 		return false;
 	}
 
 #if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
+	struct stat s;
+
 	if(fstat(fileno(fp), &s)) {
-		logger(LOG_ERR, "Could not stat RSA private key file `%s': %s'",
-				fname, strerror(errno));
+		logger(DEBUG_ALWAYS, LOG_ERR, "Could not stat RSA private key file `%s': %s'", fname, strerror(errno));
 		free(fname);
 		return false;
 	}
 
 	if(s.st_mode & ~0100700)
-		logger(LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
+		logger(DEBUG_ALWAYS, LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
 #endif
 
-	myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
+	result = rsa_read_pem_private_key(&myself->connection->rsa, fp);
 	fclose(fp);
 
-	if(!myself->connection->rsa_key) {
-		logger(LOG_ERR, "Reading RSA private key file `%s' failed: %s",
-			   fname, strerror(errno));
-		free(fname);
-		return false;
+	if(!result) 
+		logger(DEBUG_ALWAYS, LOG_ERR, "Reading RSA private key file `%s' failed: %s", fname, strerror(errno));
+	free(fname);
+	return result;
+}
+
+static struct event keyexpire_event;
+
+static void keyexpire_handler(int fd, short events, void *data) {
+	regenerate_key();
+}
+
+void regenerate_key(void) {
+	if(timeout_initialized(&keyexpire_event)) {
+		logger(DEBUG_STATUS, LOG_INFO, "Expiring symmetric keys");
+		event_del(&keyexpire_event);
+		send_key_changed();
+	} else {
+		timeout_set(&keyexpire_event, keyexpire_handler, NULL);
 	}
 
-	free(fname);
-	return true;
+	event_add(&keyexpire_event, &(struct timeval){keylifetime, 0});
 }
 
 /*
@@ -223,7 +294,7 @@ void load_all_subnets(void) {
 	struct dirent *ent;
 	char *dname;
 	char *fname;
-	avl_tree_t *config_tree;
+	splay_tree_t *config_tree;
 	config_t *cfg;
 	subnet_t *s, *s2;
 	node_t *n;
@@ -231,7 +302,7 @@ void load_all_subnets(void) {
 	xasprintf(&dname, "%s/hosts", confbase);
 	dir = opendir(dname);
 	if(!dir) {
-		logger(LOG_ERR, "Could not open %s: %s", dname, strerror(errno));
+		logger(DEBUG_ALWAYS, LOG_ERR, "Could not open %s: %s", dname, strerror(errno));
 		free(dname);
 		return;
 	}
@@ -305,7 +376,7 @@ char *get_name(void) {
 	}
 
 	if(!check_id(name)) {
-		logger(LOG_ERR, "Invalid name for myself!");
+		logger(DEBUG_ALWAYS, LOG_ERR, "Invalid name for myself!");
 		free(name);
 		return false;
 	}
@@ -337,10 +408,11 @@ static bool setup_myself(void) {
 	myself->connection->hostname = xstrdup("MYSELF");
 
 	myself->connection->options = 0;
-	myself->connection->protocol_version = PROT_CURRENT;
+	myself->connection->protocol_major = PROT_MAJOR;
+	myself->connection->protocol_minor = PROT_MINOR;
 
 	if(!(name = get_name())) {
-		logger(LOG_ERR, "Name for tinc daemon required!");
+		logger(DEBUG_ALWAYS, LOG_ERR, "Name for tinc daemon required!");
 		return false;
 	}
 
@@ -351,6 +423,11 @@ static bool setup_myself(void) {
 	read_config_file(config_tree, fname);
 	free(fname);
 
+	get_config_bool(lookup_config(config_tree, "ExperimentalProtocol"), &experimental);
+
+	if(experimental && !read_ecdsa_private_key())
+		return false;
+
 	if(!read_rsa_private_key())
 		return false;
 
@@ -385,7 +462,7 @@ static bool setup_myself(void) {
 		} else if(!strcasecmp(proxy, "exec")) {
 			proxytype = PROXY_EXEC;
 		} else {
-			logger(LOG_ERR, "Unknown proxy type %s!", proxy);
+			logger(DEBUG_ALWAYS, LOG_ERR, "Unknown proxy type %s!", proxy);
 			return false;
 		}
 
@@ -396,7 +473,7 @@ static bool setup_myself(void) {
 
 			case PROXY_EXEC:
 				if(!space || !*space) {
-					logger(LOG_ERR, "Argument expected for proxy type exec!");
+					logger(DEBUG_ALWAYS, LOG_ERR, "Argument expected for proxy type exec!");
 					return false;
 				}
 				proxyhost =  xstrdup(space);
@@ -414,7 +491,7 @@ static bool setup_myself(void) {
 				if(space && (space = strchr(space, ' ')))
 					*space++ = 0, proxypass = space;
 				if(!proxyhost || !*proxyhost || !proxyport || !*proxyport) {
-					logger(LOG_ERR, "Host and port argument expected for proxy!");
+					logger(DEBUG_ALWAYS, LOG_ERR, "Host and port argument expected for proxy!");
 					return false;
 				}
 				proxyhost = xstrdup(proxyhost);
@@ -467,7 +544,7 @@ static bool setup_myself(void) {
 		else if(!strcasecmp(mode, "hub"))
 			routing_mode = RMODE_HUB;
 		else {
-			logger(LOG_ERR, "Invalid routing mode!");
+			logger(DEBUG_ALWAYS, LOG_ERR, "Invalid routing mode!");
 			return false;
 		}
 		free(mode);
@@ -481,7 +558,7 @@ static bool setup_myself(void) {
 		else if(!strcasecmp(mode, "kernel"))
 			forwarding_mode = FMODE_KERNEL;
 		else {
-			logger(LOG_ERR, "Invalid forwarding mode!");
+			logger(DEBUG_ALWAYS, LOG_ERR, "Invalid forwarding mode!");
 			return false;
 		}
 		free(mode);
@@ -507,7 +584,7 @@ static bool setup_myself(void) {
 		else if(!strcasecmp(mode, "direct"))
 			broadcast_mode = BMODE_DIRECT;
 		else {
-			logger(LOG_ERR, "Invalid broadcast mode!");
+			logger(DEBUG_ALWAYS, LOG_ERR, "Invalid broadcast mode!");
 			return false;
 		}
 		free(mode);
@@ -515,7 +592,7 @@ static bool setup_myself(void) {
 
 #if !defined(SOL_IP) || !defined(IP_TOS)
 	if(priorityinheritance)
-		logger(LOG_WARNING, "%s not supported on this platform", "PriorityInheritance");
+		logger(DEBUG_ALWAYS, LOG_WARNING, "%s not supported on this platform", "PriorityInheritance");
 #endif
 
 	if(!get_config_int(lookup_config(config_tree, "MACExpire"), &macexpire))
@@ -523,7 +600,7 @@ static bool setup_myself(void) {
 
 	if(get_config_int(lookup_config(config_tree, "MaxTimeout"), &maxtimeout)) {
 		if(maxtimeout <= 0) {
-			logger(LOG_ERR, "Bogus maximum timeout!");
+			logger(DEBUG_ALWAYS, LOG_ERR, "Bogus maximum timeout!");
 			return false;
 		}
 	} else
@@ -531,21 +608,21 @@ static bool setup_myself(void) {
 
 	if(get_config_int(lookup_config(config_tree, "UDPRcvBuf"), &udp_rcvbuf)) {
 		if(udp_rcvbuf <= 0) {
-			logger(LOG_ERR, "UDPRcvBuf cannot be negative!");
+			logger(DEBUG_ALWAYS, LOG_ERR, "UDPRcvBuf cannot be negative!");
 			return false;
 		}
 	}
 
 	if(get_config_int(lookup_config(config_tree, "UDPSndBuf"), &udp_sndbuf)) {
 		if(udp_sndbuf <= 0) {
-			logger(LOG_ERR, "UDPSndBuf cannot be negative!");
+			logger(DEBUG_ALWAYS, LOG_ERR, "UDPSndBuf cannot be negative!");
 			return false;
 		}
 	}
 
 	if(get_config_int(lookup_config(config_tree, "ReplayWindow"), &replaywin_int)) {
 		if(replaywin_int < 0) {
-			logger(LOG_ERR, "ReplayWindow cannot be negative!");
+			logger(DEBUG_ALWAYS, LOG_ERR, "ReplayWindow cannot be negative!");
 			return false;
 		}
 		replaywin = (unsigned)replaywin_int;
@@ -559,7 +636,7 @@ static bool setup_myself(void) {
 		else if(!strcasecmp(afname, "any"))
 			addressfamily = AF_UNSPEC;
 		else {
-			logger(LOG_ERR, "Invalid address family!");
+			logger(DEBUG_ALWAYS, LOG_ERR, "Invalid address family!");
 			return false;
 		}
 		free(afname);
@@ -569,71 +646,42 @@ static bool setup_myself(void) {
 
 	/* Generate packet encryption key */
 
-	if(get_config_string
-	   (lookup_config(config_tree, "Cipher"), &cipher)) {
-		if(!strcasecmp(cipher, "none")) {
-			myself->incipher = NULL;
-		} else {
-			myself->incipher = EVP_get_cipherbyname(cipher);
-
-			if(!myself->incipher) {
-				logger(LOG_ERR, "Unrecognized cipher type!");
-				return false;
-			}
-		}
-	} else
-		myself->incipher = EVP_bf_cbc();
-
-	if(myself->incipher)
-		myself->inkeylength = myself->incipher->key_len + myself->incipher->iv_len;
-	else
-		myself->inkeylength = 1;
+	if(!get_config_string(lookup_config(config_tree, "Cipher"), &cipher))
+		cipher = xstrdup("blowfish");
 
-	myself->connection->outcipher = EVP_bf_ofb();
+	if(!cipher_open_by_name(&myself->incipher, cipher)) {
+		logger(DEBUG_ALWAYS, LOG_ERR, "Unrecognized cipher type!");
+		return false;
+	}
 
 	if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
 		keylifetime = 3600;
 
-	keyexpires = now + keylifetime;
-	
-	/* Check if we want to use message authentication codes... */
+	regenerate_key();
 
-	if(get_config_string(lookup_config(config_tree, "Digest"), &digest)) {
-		if(!strcasecmp(digest, "none")) {
-			myself->indigest = NULL;
-		} else {
-			myself->indigest = EVP_get_digestbyname(digest);
+	/* Check if we want to use message authentication codes... */
 
-			if(!myself->indigest) {
-				logger(LOG_ERR, "Unrecognized digest type!");
-				return false;
-			}
-		}
-	} else
-		myself->indigest = EVP_sha1();
+	int maclength = 4;
+	get_config_int(lookup_config(config_tree, "MACLength"), &maclength);
 
-	myself->connection->outdigest = EVP_sha1();
+	if(maclength < 0) {
+		logger(DEBUG_ALWAYS, LOG_ERR, "Bogus MAC length!");
+		return false;
+	}
 
-	if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
-		if(myself->indigest) {
-			if(myself->inmaclength > myself->indigest->md_size) {
-				logger(LOG_ERR, "MAC length exceeds size of digest!");
-				return false;
-			} else if(myself->inmaclength < 0) {
-				logger(LOG_ERR, "Bogus MAC length!");
-				return false;
-			}
-		}
-	} else
-		myself->inmaclength = 4;
+	if(!get_config_string(lookup_config(config_tree, "Digest"), &digest))
+		digest = xstrdup("sha1");
 
-	myself->connection->outmaclength = 0;
+	if(!digest_open_by_name(&myself->indigest, digest, maclength)) {
+		logger(DEBUG_ALWAYS, LOG_ERR, "Unrecognized digest type!");
+		return false;
+	}
 
 	/* Compression */
 
 	if(get_config_int(lookup_config(config_tree, "Compression"), &myself->incompression)) {
 		if(myself->incompression < 0 || myself->incompression > 11) {
-			logger(LOG_ERR, "Bogus compression level!");
+			logger(DEBUG_ALWAYS, LOG_ERR, "Bogus compression level!");
 			return false;
 		}
 	} else
@@ -677,6 +725,16 @@ static bool setup_myself(void) {
 	if(!devops.setup())
 		return false;
 
+	if(device_fd >= 0) {
+		event_set(&device_ev, device_fd, EV_READ|EV_PERSIST, handle_device_data, NULL);
+
+		if (event_add(&device_ev, NULL) < 0) {
+			logger(DEBUG_ALWAYS, LOG_ERR, "event_add failed: %s", strerror(errno));
+			devops.close();
+			return false;
+		}
+	}
+
 	/* Run tinc-up script to further initialize the tap interface */
 	xasprintf(&envp[0], "NETNAME=%s", netname ? : "");
 	xasprintf(&envp[1], "DEVICE=%s", device ? : "");
@@ -686,7 +744,7 @@ static bool setup_myself(void) {
 
 	execute_script("tinc-up", envp);
 
-	for(i = 0; i < 5; i++)
+	for(i = 0; i < 4; i++)
 		free(envp[i]);
 
 	/* Run subnet-up scripts for our own subnets */
@@ -705,14 +763,14 @@ static bool setup_myself(void) {
 #endif
 
 		if(listen_sockets > MAXSOCKETS) {
-			logger(LOG_ERR, "Too many listening sockets");
+			logger(DEBUG_ALWAYS, LOG_ERR, "Too many listening sockets");
 			return false;
 		}
 
 		for(i = 0; i < listen_sockets; i++) {
 			salen = sizeof sa;
 			if(getsockname(i + 3, &sa.sa, &salen) < 0) {
-				logger(LOG_ERR, "Could not get address of listen fd %d: %s", i + 3, sockstrerror(errno));
+				logger(DEBUG_ALWAYS, LOG_ERR, "Could not get address of listen fd %d: %s", i + 3, sockstrerror(errno));
 				return false;
 			}
 
@@ -726,9 +784,21 @@ static bool setup_myself(void) {
 			if(listen_socket[i].udp < 0)
 				return false;
 
-			ifdebug(CONNECTIONS) {
+			event_set(&listen_socket[i].ev_tcp, listen_socket[i].tcp, EV_READ|EV_PERSIST, handle_new_meta_connection, NULL);
+			if(event_add(&listen_socket[i].ev_tcp, NULL) < 0) {
+				logger(DEBUG_ALWAYS, LOG_ERR, "event_add failed: %s", strerror(errno));
+				abort();
+			}
+
+			event_set(&listen_socket[i].ev_udp, listen_socket[i].udp, EV_READ|EV_PERSIST, handle_incoming_vpn_data, (void *)(intptr_t)listen_sockets);
+			if(event_add(&listen_socket[listen_sockets].ev_udp, NULL) < 0) {
+				logger(DEBUG_ALWAYS, LOG_ERR, "event_add failed: %s", strerror(errno));
+				abort();
+			}
+
+			if(debug_level >= DEBUG_CONNECTIONS) {
 				hostname = sockaddr2hostname(&sa);
-				logger(LOG_NOTICE, "Listening on %s", hostname);
+				logger(DEBUG_CONNECTIONS, LOG_NOTICE, "Listening on %s", hostname);
 				free(hostname);
 			}
 
@@ -765,14 +835,14 @@ static bool setup_myself(void) {
 			free(address);
 
 			if(err || !ai) {
-				logger(LOG_ERR, "System call `%s' failed: %s", "getaddrinfo",
+				logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "getaddrinfo",
 					   gai_strerror(err));
 				return false;
 			}
 
 			for(aip = ai; aip; aip = aip->ai_next) {
 				if(listen_sockets >= MAXSOCKETS) {
-					logger(LOG_ERR, "Too many listening sockets");
+					logger(DEBUG_ALWAYS, LOG_ERR, "Too many listening sockets");
 					return false;
 				}
 
@@ -785,12 +855,32 @@ static bool setup_myself(void) {
 				listen_socket[listen_sockets].udp =
 					setup_vpn_in_socket((sockaddr_t *) aip->ai_addr);
 
-				if(listen_socket[listen_sockets].udp < 0)
+				if(listen_socket[listen_sockets].udp < 0) {
+					close(listen_socket[listen_sockets].tcp);
 					continue;
+				}
 
-				ifdebug(CONNECTIONS) {
+				event_set(&listen_socket[listen_sockets].ev_tcp,
+						  listen_socket[listen_sockets].tcp,
+						  EV_READ|EV_PERSIST,
+						  handle_new_meta_connection, NULL);
+				if(event_add(&listen_socket[listen_sockets].ev_tcp, NULL) < 0) {
+					logger(DEBUG_ALWAYS, LOG_ERR, "event_add failed: %s", strerror(errno));
+					abort();
+				}
+
+				event_set(&listen_socket[listen_sockets].ev_udp,
+						  listen_socket[listen_sockets].udp,
+						  EV_READ|EV_PERSIST,
+						  handle_incoming_vpn_data, (void *)(intptr_t)listen_sockets);
+				if(event_add(&listen_socket[listen_sockets].ev_udp, NULL) < 0) {
+					logger(DEBUG_ALWAYS, LOG_ERR, "event_add failed: %s", strerror(errno));
+					abort();
+				}
+
+				if(debug_level >= DEBUG_CONNECTIONS) {
 					hostname = sockaddr2hostname((sockaddr_t *) aip->ai_addr);
-					logger(LOG_NOTICE, "Listening on %s", hostname);
+					logger(DEBUG_CONNECTIONS, LOG_NOTICE, "Listening on %s", hostname);
 					free(hostname);
 				}
 
@@ -803,9 +893,9 @@ static bool setup_myself(void) {
 	}
 
 	if(listen_sockets)
-		logger(LOG_NOTICE, "Ready");
+		logger(DEBUG_ALWAYS, LOG_NOTICE, "Ready");
 	else {
-		logger(LOG_ERR, "Unable to create any listening socket!");
+		logger(DEBUG_ALWAYS, LOG_ERR, "Unable to create any listening socket!");
 		return false;
 	}
 
@@ -816,9 +906,6 @@ static bool setup_myself(void) {
   initialize network
 */
 bool setup_network(void) {
-	now = time(NULL);
-
-	init_events();
 	init_connections();
 	init_subnets();
 	init_nodes();
@@ -850,7 +937,7 @@ bool setup_network(void) {
   close all open network connections
 */
 void close_network_connections(void) {
-	avl_node_t *node, *next;
+	splay_node_t *node, *next;
 	connection_t *c;
 	char *envp[5];
 	int i;
@@ -862,13 +949,6 @@ void close_network_connections(void) {
 		terminate_connection(c, false);
 	}
 
-	for(list_node_t *node = outgoing_list->head; node; node = node->next) {
-		outgoing_t *outgoing = node->data;
-
-		if(outgoing->event)
-			event_del(outgoing->event);
-	}
-
 	list_delete_list(outgoing_list);
 
 	if(myself && myself->connection) {
@@ -878,6 +958,8 @@ void close_network_connections(void) {
 	}
 
 	for(i = 0; i < listen_sockets; i++) {
+		event_del(&listen_socket[i].ev_tcp);
+		event_del(&listen_socket[i].ev_udp);
 		close(listen_socket[i].tcp);
 		close(listen_socket[i].udp);
 	}
@@ -893,7 +975,6 @@ void close_network_connections(void) {
 	exit_subnets();
 	exit_nodes();
 	exit_connections();
-	exit_events();
 
 	execute_script("tinc-down", envp);