ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
Revision: 1.101
Committed: Wed Jul 17 16:40:57 2013 UTC (10 years, 10 months ago) by root
Content type: text/plain
Branch: MAIN
Changes since 1.100: +11 -4 lines
Log Message: 
*** empty log message ***

File Contents

# User Rev Content
1 pcg 1.1 /*
2     connection.C -- manage a single connection
3 root 1.98 Copyright (C) 2003-2008,2010,2011,2013 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.42 This file is part of GVPE.
6    
7 pcg 1.69 GVPE is free software; you can redistribute it and/or modify it
8     under the terms of the GNU General Public License as published by the
9     Free Software Foundation; either version 3 of the License, or (at your
10     option) any later version.
11    
12     This program is distributed in the hope that it will be useful, but
13     WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15     Public License for more details.
16    
17     You should have received a copy of the GNU General Public License along
18     with this program; if not, see <http://www.gnu.org/licenses/>.
19    
20     Additional permission under GNU GPL version 3 section 7
21    
22     If you modify this Program, or any covered work, by linking or
23     combining it with the OpenSSL project's OpenSSL library (or a modified
24     version of that library), containing parts covered by the terms of the
25     OpenSSL or SSLeay licenses, the licensors of this Program grant you
26     additional permission to convey the resulting work. Corresponding
27     Source for a non-source form of such a combination shall include the
28     source code for the parts of OpenSSL used as well as that of the
29     covered work.
30 pcg 1.1 */
31    
32     #include "config.h"
33    
34     #include <list>
35 pcg 1.70 #include <queue>
36     #include <utility>
37 pcg 1.1
38 pcg 1.2 #include <openssl/rand.h>
39     #include <openssl/evp.h>
40     #include <openssl/rsa.h>
41     #include <openssl/err.h>
42    
43 pcg 1.1 #include "conf.h"
44     #include "slog.h"
45     #include "device.h"
46 pcg 1.2 #include "vpn.h"
47 pcg 1.1 #include "connection.h"
48 root 1.98 #include "hkdf.h"
49 pcg 1.1
50 pcg 1.20 #include "netcompat.h"
51 pcg 1.19
52 root 1.98 #define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic
53 root 1.101 #define MAGIC "PORN\xbd\xc6\xdb\x82" // 8 bytes of magic//D
54 pcg 1.30
55     #define ULTRA_FAST 1
56     #define HLOG 15
57     #include "lzf/lzf.h"
58     #include "lzf/lzf_c.c"
59     #include "lzf/lzf_d.c"
60 pcg 1.1
61 pcg 1.70 //////////////////////////////////////////////////////////////////////////////
62    
63     static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
64     static ev::child rs_child_ev;
65    
66 root 1.90 namespace
67 pcg 1.70 {
68 root 1.90 void // c++ requires external linkage here, apparently :(
69     rs_child_cb (ev::child &w, int revents)
70     {
71     w.stop ();
72 pcg 1.70
73 root 1.90 if (rs_queue.empty ())
74     return;
75 pcg 1.70
76 root 1.90 pid_t pid = run_script (*rs_queue.front ().first, false);
77     if (pid)
78     {
79     w.set (pid);
80     w.start ();
81     }
82     else
83     slog (L_WARN, rs_queue.front ().second);
84 pcg 1.70
85 root 1.90 delete rs_queue.front ().first;
86     rs_queue.pop ();
87     }
88     };
89 pcg 1.70
90     // despite the fancy name, this is quite a hack
91     static void
92     run_script_queued (run_script_cb *cb, const char *warnmsg)
93     {
94     rs_queue.push (std::make_pair (cb, warnmsg));
95    
96     if (!rs_child_ev.is_active ())
97     {
98     rs_child_ev.set<rs_child_cb> ();
99     rs_child_ev ();
100     }
101     }
102    
103     //////////////////////////////////////////////////////////////////////////////
104    
105 pcg 1.1 struct crypto_ctx
106     {
107     EVP_CIPHER_CTX cctx;
108     HMAC_CTX hctx;
109    
110 root 1.98 crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc);
111 pcg 1.1 ~crypto_ctx ();
112     };
113    
114 root 1.98 crypto_ctx::crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc)
115 pcg 1.1 {
116 root 1.98 ecdh_key s;
117    
118     curve25519_combine (a, b, s);
119    
120     {
121     u8 mac_key[MAC_KEYSIZE];
122     static const unsigned char mac_info[] = "gvpe mac key";
123    
124 root 1.99 hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ());
125 root 1.98 kdf.extract (auth2.rsa.ikm, sizeof (auth2.rsa.ikm));
126     kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key));
127     kdf.extract (s, sizeof (s));
128 root 1.99 kdf.extract_done (HKDF_PRF_HASH ());
129 root 1.98 kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info));
130    
131     HMAC_CTX_init (&hctx);
132     require (HMAC_Init_ex (&hctx, mac_key, MAC_KEYSIZE, MAC_DIGEST (), 0));
133     }
134    
135     {
136     u8 cipher_key[CIPHER_KEYSIZE];
137     static const unsigned char cipher_info[] = "gvpe cipher key";
138    
139 root 1.99 hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ());
140 root 1.98 kdf.extract (auth2.rsa.ikm, sizeof (auth2.rsa.ikm));
141     kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key));
142     kdf.extract (s, sizeof (s));
143 root 1.99 kdf.extract_done (HKDF_PRF_HASH ());
144 root 1.98 kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info));
145    
146     EVP_CIPHER_CTX_init (&cctx);
147     require (EVP_CipherInit_ex (&cctx, CIPHER (), 0, cipher_key, 0, enc));
148     }
149 pcg 1.1 }
150    
151     crypto_ctx::~crypto_ctx ()
152     {
153 pcg 1.29 require (EVP_CIPHER_CTX_cleanup (&cctx));
154 pcg 1.1 HMAC_CTX_cleanup (&hctx);
155     }
156    
157 root 1.98 static inline void
158     auth_encrypt (RSA *key, const auth_data &auth, auth_encr &encr)
159 pcg 1.1 {
160 root 1.98 if (RSA_public_encrypt (sizeof (auth.rsa),
161     (unsigned char *)&auth.rsa, (unsigned char *)&encr.rsa,
162     key, RSA_PKCS1_OAEP_PADDING) < 0)
163     fatal ("RSA_public_encrypt error");
164 root 1.100
165     memcpy (&encr.ecdh, &auth.ecdh, sizeof (encr.ecdh));
166 pcg 1.1 }
167    
168 root 1.98 static inline bool
169     auth_decrypt (RSA *key, const auth_encr &encr, auth_data &auth)
170 pcg 1.63 {
171 root 1.98 u8 rsa_decrypt[RSA_KEYLEN];
172 pcg 1.1
173 root 1.98 if (RSA_private_decrypt (sizeof (encr.rsa),
174     (const unsigned char *)&encr.rsa, (unsigned char *)rsa_decrypt,
175     key, RSA_PKCS1_OAEP_PADDING) != sizeof (auth.rsa))
176     return 0;
177 pcg 1.1
178 root 1.98 memcpy (&auth.rsa, rsa_decrypt, sizeof (auth.rsa));
179 root 1.100 memcpy (&auth.ecdh, &encr.ecdh, sizeof (auth.ecdh));
180 pcg 1.1
181 root 1.98 return 1;
182     }
183 pcg 1.1
184 root 1.98 static void
185     auth_hash (const auth_data &auth, auth_mac &mac)
186     {
187     HMAC_CTX ctx;
188 pcg 1.1
189 root 1.98 HMAC_CTX_init (&ctx);
190     require (HMAC_Init_ex (&ctx, auth.rsa.auth_key, sizeof (auth.rsa.auth_key), AUTH_DIGEST (), 0));
191     require (HMAC_Update (&ctx, (const unsigned char *)&auth, sizeof auth));
192     require (HMAC_Final (&ctx, (unsigned char *)&mac, 0));
193     HMAC_CTX_cleanup (&ctx);
194     }
195 pcg 1.1
196 root 1.90 void
197 root 1.98 connection::generate_auth_data ()
198 pcg 1.1 {
199 root 1.98 if (auth_expire < ev_now ())
200 pcg 1.1 {
201 root 1.98 // request data
202 root 1.101 rand_fill (snd_auth.rsa);
203 root 1.98 curve25519_generate (snd_ecdh_a, snd_auth.ecdh);
204     auth_hash (snd_auth, snd_auth_mac);
205    
206     // eventual response data
207     curve25519_generate (rcv_ecdh_a, rcv_ecdh_b);
208 pcg 1.1 }
209 root 1.98
210     // every use prolongs the expiry
211     auth_expire = ev_now () + AUTH_TTL;
212 pcg 1.1 }
213    
214     //////////////////////////////////////////////////////////////////////////////
215    
216 pcg 1.67 pkt_queue::pkt_queue (double max_ttl, int max_queue)
217     : max_ttl (max_ttl), max_queue (max_queue)
218 pcg 1.1 {
219 pcg 1.67 queue = new pkt [max_queue];
220    
221     i = 0;
222     j = 0;
223    
224     expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
225     }
226 pcg 1.1
227 pcg 1.67 pkt_queue::~pkt_queue ()
228     {
229     while (net_packet *p = get ())
230     delete p;
231 pcg 1.1
232 pcg 1.67 delete [] queue;
233 pcg 1.1 }
234    
235 root 1.90 void
236     pkt_queue::expire_cb (ev::timer &w, int revents)
237 pcg 1.1 {
238 pcg 1.67 ev_tstamp expire = ev_now () - max_ttl;
239 pcg 1.1
240 pcg 1.67 for (;;)
241 pcg 1.1 {
242 pcg 1.67 if (empty ())
243     break;
244    
245     double diff = queue[j].tstamp - expire;
246    
247     if (diff >= 0.)
248     {
249     w.start (diff > 0.5 ? diff : 0.5);
250     break;
251     }
252    
253     delete get ();
254 pcg 1.1 }
255     }
256    
257 root 1.90 void
258     pkt_queue::put (net_packet *p)
259 pcg 1.1 {
260 pcg 1.67 ev_tstamp now = ev_now ();
261    
262     // start expiry timer
263     if (empty ())
264     expire.start (max_ttl);
265    
266     int ni = i + 1 == max_queue ? 0 : i + 1;
267    
268     if (ni == j)
269     delete get ();
270    
271     queue[i].pkt = p;
272     queue[i].tstamp = now;
273    
274     i = ni;
275 pcg 1.1 }
276    
277 root 1.90 net_packet *
278     pkt_queue::get ()
279 pcg 1.1 {
280 pcg 1.67 if (empty ())
281     return 0;
282    
283     net_packet *p = queue[j].pkt;
284     queue[j].pkt = 0;
285    
286     j = j + 1 == max_queue ? 0 : j + 1;
287    
288     return p;
289 pcg 1.1 }
290    
291 pcg 1.63 struct net_rateinfo
292     {
293 pcg 1.1 u32 host;
294     double pcnt, diff;
295     tstamp last;
296     };
297    
298     // only do action once every x seconds per host whole allowing bursts.
299     // this implementation ("splay list" ;) is inefficient,
300     // but low on resources.
301     struct net_rate_limiter : list<net_rateinfo>
302     {
303 pcg 1.35 # define NRL_ALPHA (1. - 1. / 600.) // allow bursts
304     # define NRL_CUTOFF 10. // one event every CUTOFF seconds
305     # define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
306     # define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
307 pcg 1.1
308 pcg 1.16 bool can (const sockinfo &si) { return can((u32)si.host); }
309 pcg 1.1 bool can (u32 host);
310     };
311    
312 root 1.90 static net_rate_limiter auth_rate_limiter, reset_rate_limiter;
313 pcg 1.1
314 root 1.90 bool
315     net_rate_limiter::can (u32 host)
316 pcg 1.1 {
317     iterator i;
318    
319     for (i = begin (); i != end (); )
320     if (i->host == host)
321     break;
322 pcg 1.62 else if (i->last < ev_now () - NRL_EXPIRE)
323 pcg 1.1 i = erase (i);
324     else
325     i++;
326    
327     if (i == end ())
328     {
329     net_rateinfo ri;
330    
331     ri.host = host;
332     ri.pcnt = 1.;
333 pcg 1.34 ri.diff = NRL_MAXDIF;
334 pcg 1.62 ri.last = ev_now ();
335 pcg 1.1
336     push_front (ri);
337    
338     return true;
339     }
340     else
341     {
342     net_rateinfo ri (*i);
343     erase (i);
344    
345 pcg 1.34 ri.pcnt = ri.pcnt * NRL_ALPHA;
346 pcg 1.62 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
347 pcg 1.1
348 pcg 1.62 ri.last = ev_now ();
349 pcg 1.1
350 pcg 1.10 double dif = ri.diff / ri.pcnt;
351 pcg 1.1
352 pcg 1.34 bool send = dif > NRL_CUTOFF;
353 pcg 1.10
354 pcg 1.34 if (dif > NRL_MAXDIF)
355 pcg 1.10 {
356     ri.pcnt = 1.;
357 pcg 1.34 ri.diff = NRL_MAXDIF;
358 pcg 1.10 }
359     else if (send)
360 pcg 1.1 ri.pcnt++;
361    
362     push_front (ri);
363    
364     return send;
365     }
366     }
367    
368     /////////////////////////////////////////////////////////////////////////////
369    
370     unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
371    
372 root 1.90 void
373     hmac_packet::hmac_gen (crypto_ctx *ctx)
374 pcg 1.1 {
375     unsigned int xlen;
376    
377     HMAC_CTX *hctx = &ctx->hctx;
378    
379 root 1.98 require (HMAC_Init_ex (hctx, 0, 0, 0, 0));
380     require (HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
381     len - sizeof (hmac_packet)));
382     require (HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen));
383 pcg 1.1 }
384    
385     void
386     hmac_packet::hmac_set (crypto_ctx *ctx)
387     {
388     hmac_gen (ctx);
389    
390     memcpy (hmac, hmac_digest, HMACLENGTH);
391     }
392    
393     bool
394     hmac_packet::hmac_chk (crypto_ctx *ctx)
395     {
396     hmac_gen (ctx);
397    
398     return !memcmp (hmac, hmac_digest, HMACLENGTH);
399     }
400    
401 root 1.90 void
402     vpn_packet::set_hdr (ptype type_, unsigned int dst)
403 pcg 1.1 {
404 pcg 1.6 type = type_;
405 pcg 1.1
406     int src = THISNODE->id;
407    
408     src1 = src;
409     srcdst = ((src >> 8) << 4) | (dst >> 8);
410     dst1 = dst;
411     }
412    
413     #define MAXVPNDATA (MAX_MTU - 6 - 6)
414     #define DATAHDR (sizeof (u32) + RAND_SIZE)
415    
416 pcg 1.28 struct vpndata_packet : vpn_packet
417 root 1.90 {
418     u8 data[MAXVPNDATA + DATAHDR]; // seqno
419    
420     void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
421     tap_packet *unpack (connection *conn, u32 &seqno);
422 pcg 1.1
423     private:
424 root 1.90 const u32 data_hdr_size () const
425     {
426     return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
427     }
428     };
429 pcg 1.1
430     void
431     vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
432     {
433     EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
434     int outl = 0, outl2;
435     ptype type = PT_DATA_UNCOMPRESSED;
436    
437     #if ENABLE_COMPRESSION
438     u8 cdata[MAX_MTU];
439    
440 pcg 1.86 if (conn->features & FEATURE_COMPRESSION)
441 pcg 1.1 {
442 pcg 1.31 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
443 pcg 1.1
444 pcg 1.31 if (cl)
445     {
446     type = PT_DATA_COMPRESSED;
447     d = cdata;
448     l = cl + 2;
449    
450     d[0] = cl >> 8;
451     d[1] = cl;
452     }
453 pcg 1.1 }
454     #endif
455    
456 root 1.98 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 1));
457 pcg 1.1
458     struct {
459     #if RAND_SIZE
460     u8 rnd[RAND_SIZE];
461     #endif
462     u32 seqno;
463     } datahdr;
464    
465     datahdr.seqno = ntohl (seqno);
466     #if RAND_SIZE
467 root 1.101 require (RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE) >= 0);
468 pcg 1.1 #endif
469    
470 pcg 1.29 require (EVP_EncryptUpdate (cctx,
471 pcg 1.1 (unsigned char *) data + outl, &outl2,
472 pcg 1.29 (unsigned char *) &datahdr, DATAHDR));
473 pcg 1.1 outl += outl2;
474    
475 pcg 1.29 require (EVP_EncryptUpdate (cctx,
476 pcg 1.1 (unsigned char *) data + outl, &outl2,
477 pcg 1.29 (unsigned char *) d, l));
478 pcg 1.1 outl += outl2;
479    
480 pcg 1.29 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
481 pcg 1.1 outl += outl2;
482    
483     len = outl + data_hdr_size ();
484    
485     set_hdr (type, dst);
486    
487     hmac_set (conn->octx);
488     }
489    
490     tap_packet *
491     vpndata_packet::unpack (connection *conn, u32 &seqno)
492     {
493     EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
494     int outl = 0, outl2;
495     tap_packet *p = new tap_packet;
496     u8 *d;
497     u32 l = len - data_hdr_size ();
498    
499 root 1.98 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 0));
500 pcg 1.1
501     #if ENABLE_COMPRESSION
502     u8 cdata[MAX_MTU];
503    
504     if (type == PT_DATA_COMPRESSED)
505     d = cdata;
506     else
507     #endif
508 root 1.101 d = &(*p)[6 + 6] - DATAHDR;
509 pcg 1.1
510 root 1.101 // we play do evil games with the struct layout atm.
511     // pending better solutions, we at least do some verification.
512     // this is fine, as we left ISO territory long ago.
513     require (DATAHDR <= 16);
514     require ((u8 *)(&p->len + 1) == &(*p)[0]);
515    
516     // this can overwrite the len/dst/src fields
517 pcg 1.29 require (EVP_DecryptUpdate (cctx,
518 pcg 1.1 d, &outl2,
519 pcg 1.29 (unsigned char *)&data, len - data_hdr_size ()));
520 pcg 1.1 outl += outl2;
521    
522 pcg 1.29 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
523 pcg 1.1 outl += outl2;
524    
525     seqno = ntohl (*(u32 *)(d + RAND_SIZE));
526    
527     id2mac (dst () ? dst() : THISNODE->id, p->dst);
528     id2mac (src (), p->src);
529    
530     #if ENABLE_COMPRESSION
531     if (type == PT_DATA_COMPRESSED)
532     {
533     u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
534    
535     p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
536     &(*p)[6 + 6], MAX_MTU)
537     + 6 + 6;
538     }
539     else
540     p->len = outl + (6 + 6 - DATAHDR);
541     #endif
542    
543     return p;
544     }
545    
546     struct ping_packet : vpn_packet
547     {
548     void setup (int dst, ptype type)
549     {
550     set_hdr (type, dst);
551     len = sizeof (*this) - sizeof (net_packet);
552     }
553     };
554    
555     struct config_packet : vpn_packet
556     {
557 root 1.98 u8 prot_major, prot_minor, randsize;
558     u8 flags, features, pad6, pad7, pad8;
559     u32 cipher_nid, mac_nid, auth_nid;
560 pcg 1.1
561     void setup (ptype type, int dst);
562     bool chk_config () const;
563 pcg 1.32
564     static u8 get_features ()
565     {
566     u8 f = 0;
567     #if ENABLE_COMPRESSION
568     f |= FEATURE_COMPRESSION;
569     #endif
570     #if ENABLE_ROHC
571     f |= FEATURE_ROHC;
572     #endif
573 pcg 1.59 #if ENABLE_BRIDGING
574     f |= FEATURE_BRIDGING;
575     #endif
576 pcg 1.32 return f;
577     }
578 pcg 1.1 };
579    
580 root 1.90 void
581     config_packet::setup (ptype type, int dst)
582 pcg 1.1 {
583     prot_major = PROTOCOL_MAJOR;
584     prot_minor = PROTOCOL_MINOR;
585     randsize = RAND_SIZE;
586 pcg 1.48 flags = 0;
587 pcg 1.32 features = get_features ();
588 pcg 1.1
589 root 1.98 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER ()));
590     mac_nid = htonl (EVP_MD_type (MAC_DIGEST ()));
591     auth_nid = htonl (EVP_MD_type (AUTH_DIGEST ()));
592 pcg 1.1
593     len = sizeof (*this) - sizeof (net_packet);
594     set_hdr (type, dst);
595     }
596    
597 root 1.90 bool
598     config_packet::chk_config () const
599 pcg 1.1 {
600 pcg 1.15 if (prot_major != PROTOCOL_MAJOR)
601 pcg 1.23 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
602 pcg 1.15 else if (randsize != RAND_SIZE)
603 pcg 1.23 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
604 root 1.98 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER ())))
605     slog (L_WARN, _("cipher algo mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER ()));
606     else if (mac_nid != htonl (EVP_MD_type (MAC_DIGEST ())))
607     slog (L_WARN, _("mac algo mismatch (remote %x <=> local %x)"), ntohl (mac_nid), EVP_MD_type (MAC_DIGEST ()));
608     else if (auth_nid != htonl (EVP_MD_type (AUTH_DIGEST ())))
609     slog (L_WARN, _("auth algo mismatch (remote %x <=> local %x)"), ntohl (auth_nid), EVP_MD_type (AUTH_DIGEST ()));
610 pcg 1.15 else
611     return true;
612    
613     return false;
614 pcg 1.1 }
615    
616 root 1.98 struct auth_req_packet : config_packet // UNPROTECTED
617 pcg 1.1 {
618     char magic[8];
619     u8 initiate; // false if this is just an automatic reply
620 pcg 1.28 u8 protocols; // supported protocols (will be patched on forward)
621 pcg 1.1 u8 pad2, pad3;
622 root 1.98 auth_encr encr;
623 pcg 1.1
624     auth_req_packet (int dst, bool initiate_, u8 protocols_)
625     {
626     config_packet::setup (PT_AUTH_REQ, dst);
627 root 1.98 memcpy (magic, MAGIC, 8);
628 pcg 1.1 initiate = !!initiate_;
629     protocols = protocols_;
630    
631     len = sizeof (*this) - sizeof (net_packet);
632     }
633     };
634    
635 root 1.98 struct auth_res_packet : config_packet // UNPROTECTED
636 pcg 1.1 {
637 root 1.98 auth_response response;
638 pcg 1.1
639     auth_res_packet (int dst)
640     {
641     config_packet::setup (PT_AUTH_RES, dst);
642    
643     len = sizeof (*this) - sizeof (net_packet);
644     }
645     };
646    
647     struct connect_req_packet : vpn_packet
648     {
649     u8 id, protocols;
650     u8 pad1, pad2;
651    
652     connect_req_packet (int dst, int id_, u8 protocols_)
653     : id(id_)
654     , protocols(protocols_)
655     {
656     set_hdr (PT_CONNECT_REQ, dst);
657     len = sizeof (*this) - sizeof (net_packet);
658     }
659     };
660    
661     struct connect_info_packet : vpn_packet
662     {
663     u8 id, protocols;
664     u8 pad1, pad2;
665     sockinfo si;
666    
667     connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
668     : id(id_)
669     , protocols(protocols_)
670     , si(si_)
671     {
672     set_hdr (PT_CONNECT_INFO, dst);
673    
674     len = sizeof (*this) - sizeof (net_packet);
675     }
676     };
677    
678     /////////////////////////////////////////////////////////////////////////////
679    
680     void
681 root 1.98 connection::connection_established (const sockinfo &rsi)
682 pcg 1.10 {
683 root 1.98 if (!have_snd_auth || !have_rcv_auth)
684     return;
685    
686     si = rsi;
687     protocol = rsi.prot;
688    
689     slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
690     conf->nodename, (const char *)rsi,
691     is_direct ? "direct" : "forwarded",
692     PROTOCOL_MAJOR, prot_minor);
693    
694     if (::conf.script_node_up)
695     {
696     run_script_cb *cb = new run_script_cb;
697     cb->set<connection, &connection::script_node_up> (this);
698     run_script_queued (cb, _("node-up command execution failed, continuing."));
699     }
700    
701     delete ictx; ictx = new crypto_ctx (rcv_auth, snd_auth, rcv_ecdh_a, rcv_auth.ecdh, 0);
702     iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff);
703    
704     delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b , 1);
705     oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff;
706 pcg 1.61
707 pcg 1.10 if (ictx && octx)
708     {
709 pcg 1.36 // make sure rekeying timeouts are slightly asymmetric
710 pcg 1.60 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
711     rekey.start (rekey_interval, rekey_interval);
712 root 1.97
713 pcg 1.60 keepalive.start (::conf.keepalive);
714 pcg 1.10
715     // send queued packets
716     if (ictx && octx)
717 pcg 1.12 {
718     while (tap_packet *p = (tap_packet *)data_queue.get ())
719     {
720 pcg 1.67 if (p->len) send_data_packet (p);
721 pcg 1.12 delete p;
722     }
723    
724     while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
725     {
726 pcg 1.67 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
727 pcg 1.12 delete p;
728     }
729     }
730 pcg 1.73
731     vpn->connection_established (this);
732 pcg 1.10 }
733 root 1.98 #if 0
734 pcg 1.10 else
735     {
736     retry_cnt = 0;
737 pcg 1.60 establish_connection.start (5);
738 pcg 1.25 keepalive.stop ();
739     rekey.stop ();
740 pcg 1.10 }
741 root 1.98 #endif
742 pcg 1.10 }
743    
744     void
745 pcg 1.8 connection::reset_si ()
746 pcg 1.1 {
747 pcg 1.73 if (vpn->can_direct (THISNODE, conf))
748     protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
749     else
750 pcg 1.59 {
751 pcg 1.73 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
752 pcg 1.59 protocol = 0;
753     }
754 pcg 1.6
755     si.set (conf, protocol);
756 pcg 1.73
757     is_direct = si.valid ();
758 pcg 1.1 }
759    
760 pcg 1.8 // ensure sockinfo is valid, forward if necessary
761     const sockinfo &
762     connection::forward_si (const sockinfo &si) const
763     {
764     if (!si.valid ())
765     {
766 pcg 1.73 connection *r = vpn->find_router_for (this);
767 pcg 1.8
768     if (r)
769     {
770 pcg 1.73 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
771     conf->nodename, r->conf->nodename);
772 pcg 1.8 return r->si;
773     }
774     else
775 pcg 1.73 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
776 pcg 1.8 conf->nodename);
777     }
778    
779     return si;
780     }
781    
782 pcg 1.1 void
783 pcg 1.10 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
784     {
785 pcg 1.46 if (!vpn->send_vpn_packet (pkt, si, tos))
786 pcg 1.10 reset_connection ();
787     }
788    
789     void
790 pcg 1.1 connection::send_ping (const sockinfo &si, u8 pong)
791     {
792     ping_packet *pkt = new ping_packet;
793    
794     pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
795 pcg 1.73
796 pcg 1.79 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
797 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
798 pcg 1.1
799     delete pkt;
800     }
801    
802     void
803     connection::send_reset (const sockinfo &si)
804     {
805     if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
806     {
807     config_packet *pkt = new config_packet;
808    
809     pkt->setup (vpn_packet::PT_RESET, conf->id);
810 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_MINCOST);
811 pcg 1.1
812     delete pkt;
813     }
814     }
815    
816     void
817     connection::send_auth_request (const sockinfo &si, bool initiate)
818     {
819     auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
820    
821 root 1.98 generate_auth_data ();
822     auth_encrypt (conf->rsa_key, snd_auth, pkt->encr);
823 pcg 1.1
824 pcg 1.81 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
825 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
826 pcg 1.1
827 pcg 1.6 delete pkt;
828 pcg 1.1 }
829    
830     void
831 root 1.98 connection::send_auth_response (const sockinfo &si)
832 pcg 1.1 {
833     auth_res_packet *pkt = new auth_res_packet (conf->id);
834    
835 root 1.98 auth_hash (rcv_auth, pkt->response.mac);
836     memcpy (pkt->response.ecdh, rcv_ecdh_b, sizeof (rcv_ecdh_b));
837 pcg 1.1
838 pcg 1.80 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
839 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
840 pcg 1.1
841     delete pkt;
842     }
843    
844     void
845     connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
846     {
847 root 1.93 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s,p%02x)", conf->nodename,
848     vpn->conns[rid - 1]->conf->nodename, (const char *)rsi,
849     conf->protocols);
850 pcg 1.1
851     connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
852    
853     r->hmac_set (octx);
854 pcg 1.10 send_vpn_packet (r, si);
855 pcg 1.1
856     delete r;
857     }
858    
859 pcg 1.66 inline void
860 pcg 1.60 connection::establish_connection_cb (ev::timer &w, int revents)
861 pcg 1.1 {
862 root 1.92 if (!(ictx && octx)
863 pcg 1.25 && conf != THISNODE
864     && connectmode != conf_node::C_NEVER
865     && connectmode != conf_node::C_DISABLED
866 pcg 1.60 && !w.is_active ())
867 pcg 1.1 {
868 pcg 1.67 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
869     // and stop trying. should probably be handled by a per-connection expire handler.
870     if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
871     {
872     reset_connection ();
873     return;
874     }
875    
876 pcg 1.68 last_establish_attempt = ev_now ();
877    
878 pcg 1.60 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
879     ? (retry_cnt & 3) + 1
880     : 1 << (retry_cnt >> 2));
881 pcg 1.1
882 pcg 1.47 reset_si ();
883 pcg 1.1
884 pcg 1.47 bool slow = si.prot & PROT_SLOW;
885 pcg 1.8
886 pcg 1.73 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
887 pcg 1.60 {
888     /*TODO*/ /* start the timer so we don't recurse endlessly */
889     w.start (1);
890 pcg 1.74 vpn->send_connect_request (this);
891 pcg 1.60 }
892 pcg 1.8 else
893 pcg 1.1 {
894 pcg 1.73 if (si.valid ())
895     slog (L_DEBUG, _("%s: sending direct connection request to %s."),
896     conf->nodename, (const char *)si);
897 pcg 1.61
898 pcg 1.8 const sockinfo &dsi = forward_si (si);
899 pcg 1.6
900 pcg 1.47 slow = slow || (dsi.prot & PROT_SLOW);
901    
902 pcg 1.8 if (dsi.valid () && auth_rate_limiter.can (dsi))
903     {
904     if (retry_cnt < 4)
905     send_auth_request (dsi, true);
906     else
907     send_ping (dsi, 0);
908     }
909 pcg 1.1 }
910 pcg 1.47
911 pcg 1.68 retry_int *= slow ? 8. : 0.9;
912 pcg 1.47
913     if (retry_int < conf->max_retry)
914     retry_cnt++;
915     else
916     retry_int = conf->max_retry;
917    
918 pcg 1.60 w.start (retry_int);
919 pcg 1.1 }
920     }
921    
922     void
923     connection::reset_connection ()
924     {
925     if (ictx && octx)
926     {
927     slog (L_INFO, _("%s(%s): connection lost"),
928     conf->nodename, (const char *)si);
929    
930     if (::conf.script_node_down)
931 pcg 1.64 {
932 pcg 1.70 run_script_cb *cb = new run_script_cb;
933     cb->set<connection, &connection::script_node_down> (this);
934     run_script_queued (cb, _("node-down command execution failed, continuing."));
935 pcg 1.64 }
936 pcg 1.1 }
937    
938     delete ictx; ictx = 0;
939     delete octx; octx = 0;
940    
941 pcg 1.38 si.host = 0;
942 pcg 1.1
943 root 1.98 have_snd_auth = false;
944     have_rcv_auth = false;
945     auth_expire = 0.;
946    
947 pcg 1.73 last_activity = 0.;
948     //last_si_change = 0.;
949 pcg 1.1 retry_cnt = 0;
950    
951 pcg 1.25 rekey.stop ();
952     keepalive.stop ();
953     establish_connection.stop ();
954 pcg 1.1 }
955    
956     void
957     connection::shutdown ()
958     {
959     if (ictx && octx)
960     send_reset (si);
961    
962     reset_connection ();
963     }
964    
965 pcg 1.73 // poor-man's rekeying
966 pcg 1.66 inline void
967 pcg 1.60 connection::rekey_cb (ev::timer &w, int revents)
968 pcg 1.1 {
969     reset_connection ();
970     establish_connection ();
971     }
972    
973     void
974 pcg 1.21 connection::send_data_packet (tap_packet *pkt)
975 pcg 1.1 {
976     vpndata_packet *p = new vpndata_packet;
977     int tos = 0;
978    
979 pcg 1.12 // I am not hilarious about peeking into packets, but so be it.
980 pcg 1.21 if (conf->inherit_tos && pkt->is_ipv4 ())
981 pcg 1.1 tos = (*pkt)[15] & IPTOS_TOS_MASK;
982    
983 pcg 1.21 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
984 pcg 1.10 send_vpn_packet (p, si, tos);
985 pcg 1.1
986     delete p;
987    
988     if (oseqno > MAX_SEQNO)
989     rekey ();
990     }
991    
992     void
993 pcg 1.68 connection::post_inject_queue ()
994     {
995     // force a connection every now and when when packets are sent (max 1/s)
996     if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
997     establish_connection.stop ();
998    
999     establish_connection ();
1000     }
1001    
1002     void
1003     connection::inject_data_packet (tap_packet *pkt)
1004 pcg 1.1 {
1005     if (ictx && octx)
1006 pcg 1.21 send_data_packet (pkt);
1007 pcg 1.1 else
1008     {
1009 pcg 1.68 data_queue.put (new tap_packet (*pkt));
1010     post_inject_queue ();
1011 pcg 1.1 }
1012     }
1013    
1014 root 1.90 void
1015     connection::inject_vpn_packet (vpn_packet *pkt, int tos)
1016 pcg 1.8 {
1017     if (ictx && octx)
1018 pcg 1.10 send_vpn_packet (pkt, si, tos);
1019 pcg 1.8 else
1020 pcg 1.12 {
1021 pcg 1.28 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
1022 pcg 1.68 post_inject_queue ();
1023 pcg 1.12 }
1024 pcg 1.8 }
1025    
1026 pcg 1.1 void
1027     connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1028     {
1029 pcg 1.62 last_activity = ev_now ();
1030 pcg 1.1
1031 root 1.91 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
1032 pcg 1.79 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1033 pcg 1.1
1034 pcg 1.61 if (connectmode == conf_node::C_DISABLED)
1035     return;
1036    
1037 pcg 1.1 switch (pkt->typ ())
1038     {
1039 pcg 1.3 case vpn_packet::PT_PING:
1040 pcg 1.79 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1041    
1042 pcg 1.3 // we send pings instead of auth packets after some retries,
1043     // so reset the retry counter and establish a connection
1044     // when we receive a ping.
1045 root 1.89 if (!ictx)
1046 pcg 1.3 {
1047     if (auth_rate_limiter.can (rsi))
1048     send_auth_request (rsi, true);
1049     }
1050     else
1051 root 1.89 // we would love to change the socket address here, but ping's aren't
1052 pcg 1.73 // authenticated, so we best ignore it.
1053 pcg 1.3 send_ping (rsi, 1); // pong
1054    
1055     break;
1056    
1057     case vpn_packet::PT_PONG:
1058 pcg 1.79 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1059 root 1.89
1060     // a PONG might mean that the other side doesn't really know
1061     // about our desire for communication.
1062     establish_connection ();
1063 pcg 1.3 break;
1064    
1065     case vpn_packet::PT_RESET:
1066 pcg 1.1 {
1067 pcg 1.3 reset_connection ();
1068    
1069     config_packet *p = (config_packet *) pkt;
1070    
1071     if (!p->chk_config ())
1072     {
1073 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
1074 pcg 1.3 conf->nodename, (const char *)rsi);
1075     connectmode = conf_node::C_DISABLED;
1076     }
1077     else if (connectmode == conf_node::C_ALWAYS)
1078     establish_connection ();
1079 pcg 1.1 }
1080 pcg 1.3 break;
1081    
1082     case vpn_packet::PT_AUTH_REQ:
1083     if (auth_rate_limiter.can (rsi))
1084     {
1085 root 1.93 auth_req_packet *p = (auth_req_packet *)pkt;
1086 pcg 1.3
1087 root 1.93 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s,p%02x,f%02x)",
1088     conf->nodename, p->initiate ? "initiate" : "reply",
1089     p->protocols, p->features);
1090 pcg 1.1
1091 root 1.98 if (p->chk_config () && !memcmp (p->magic, MAGIC, 8))
1092 pcg 1.3 {
1093     if (p->prot_minor != PROTOCOL_MINOR)
1094     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1095     conf->nodename, (const char *)rsi,
1096     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1097    
1098     if (p->initiate)
1099     send_auth_request (rsi, false);
1100    
1101 root 1.98 auth_data auth;
1102 pcg 1.3
1103 root 1.98 if (!auth_decrypt (::conf.rsa_key, p->encr, auth))
1104 pcg 1.23 {
1105     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1106     conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1107     }
1108 pcg 1.3 else
1109     {
1110 root 1.98 bool chg = !have_rcv_auth || memcmp (&rcv_auth, &auth, sizeof auth);
1111 pcg 1.1
1112 root 1.98 rcv_auth = auth;
1113     have_rcv_auth = true;
1114 pcg 1.1
1115 root 1.98 send_auth_response (rsi);
1116 pcg 1.10
1117 root 1.98 if (chg)
1118     {
1119     conf->protocols = p->protocols;
1120     features = p->features & config_packet::get_features ();
1121 pcg 1.3
1122 root 1.98 connection_established (rsi);
1123     }
1124     }
1125 pcg 1.10
1126 root 1.98 break;
1127 pcg 1.3 }
1128 pcg 1.15 else
1129 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch."),
1130 pcg 1.15 conf->nodename, (const char *)rsi);
1131 pcg 1.3
1132     send_reset (rsi);
1133 pcg 1.1 }
1134    
1135 pcg 1.3 break;
1136    
1137     case vpn_packet::PT_AUTH_RES:
1138 pcg 1.1 {
1139 pcg 1.79 auth_res_packet *p = (auth_res_packet *)pkt;
1140 pcg 1.1
1141 pcg 1.81 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
1142 pcg 1.1
1143 pcg 1.3 if (p->chk_config ())
1144 pcg 1.1 {
1145 root 1.98 if (memcmp (&p->response.mac, snd_auth_mac, sizeof (snd_auth_mac)))
1146 pcg 1.13 {
1147 root 1.98 slog (L_ERR, _("%s(%s): unrequested or outdated auth response, ignoring."),
1148 pcg 1.13 conf->nodename, (const char *)rsi);
1149     }
1150 root 1.98 else if (!have_snd_auth)
1151 pcg 1.1 {
1152 root 1.98 if (p->prot_minor != PROTOCOL_MINOR)
1153     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1154     conf->nodename, (const char *)rsi,
1155     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1156 pcg 1.3
1157 root 1.98 prot_minor = p->prot_minor;
1158     memcpy (snd_ecdh_b, p->response.ecdh, sizeof (snd_ecdh_b));
1159 pcg 1.1
1160 root 1.98 have_snd_auth = true;
1161     connection_established (rsi);
1162 pcg 1.1 }
1163 root 1.98
1164     break;
1165 pcg 1.1 }
1166     }
1167    
1168 pcg 1.3 send_reset (rsi);
1169     break;
1170 pcg 1.1
1171 pcg 1.3 case vpn_packet::PT_DATA_COMPRESSED:
1172     #if !ENABLE_COMPRESSION
1173     send_reset (rsi);
1174     break;
1175     #endif
1176 pcg 1.1
1177 pcg 1.3 case vpn_packet::PT_DATA_UNCOMPRESSED:
1178 pcg 1.1
1179 pcg 1.3 if (ictx && octx)
1180 pcg 1.1 {
1181 pcg 1.3 vpndata_packet *p = (vpndata_packet *)pkt;
1182 pcg 1.1
1183 pcg 1.10 if (!p->hmac_chk (ictx))
1184     slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1185 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1186 pcg 1.10 conf->nodename, (const char *)rsi);
1187     else
1188 pcg 1.1 {
1189 pcg 1.10 u32 seqno;
1190     tap_packet *d = p->unpack (this, seqno);
1191 pcg 1.73 int seqclass = iseqno.seqno_classify (seqno);
1192 pcg 1.10
1193 pcg 1.73 if (seqclass == 0) // ok
1194 pcg 1.1 {
1195 pcg 1.10 vpn->tap->send (d);
1196 pcg 1.1
1197 pcg 1.10 if (si != rsi)
1198 pcg 1.1 {
1199 pcg 1.56 // fast re-sync on source address changes, useful especially for tcp/ip
1200 pcg 1.73 //if (last_si_change < ev_now () + 5.)
1201     // {
1202 pcg 1.78 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1203     conf->nodename, (const char *)si, (const char *)rsi);
1204    
1205 pcg 1.73 si = rsi;
1206 pcg 1.84
1207     if (::conf.script_node_change)
1208     {
1209     run_script_cb *cb = new run_script_cb;
1210     cb->set<connection, &connection::script_node_change> (this);
1211     run_script_queued (cb, _("node-change command execution failed, continuing."));
1212     }
1213    
1214 pcg 1.73 // }
1215     //else
1216     // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1217     // conf->nodename, (const char *)si, (const char *)rsi);
1218 pcg 1.10 }
1219 pcg 1.32 }
1220 pcg 1.75 else if (seqclass == 1) // far history
1221     slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1222     "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1223     else if (seqclass == 2) // in-window duplicate, happens often on wireless
1224     slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1225     "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1226     else if (seqclass == 3) // reset
1227 pcg 1.73 {
1228 pcg 1.75 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1229     "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1230 pcg 1.73 send_reset (rsi);
1231     }
1232 pcg 1.3
1233 pcg 1.32 delete d;
1234     break;
1235 pcg 1.1 }
1236     }
1237    
1238 pcg 1.3 send_reset (rsi);
1239     break;
1240 pcg 1.1
1241 pcg 1.3 case vpn_packet::PT_CONNECT_REQ:
1242     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1243     {
1244 pcg 1.84 connect_req_packet *p = (connect_req_packet *)pkt;
1245 pcg 1.1
1246 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1247     {
1248     connection *c = vpn->conns[p->id - 1];
1249     conf->protocols = p->protocols;
1250 pcg 1.1
1251 root 1.93 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s,p%02x) [%d]",
1252     conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1253     p->protocols,
1254     c->ictx && c->octx);
1255 pcg 1.1
1256 pcg 1.57 if (c->ictx && c->octx)
1257     {
1258     // send connect_info packets to both sides, in case one is
1259     // behind a nat firewall (or both ;)
1260     c->send_connect_info (conf->id, si, conf->protocols);
1261     send_connect_info (c->conf->id, c->si, c->conf->protocols);
1262     }
1263     else
1264     c->establish_connection ();
1265 pcg 1.3 }
1266 pcg 1.11 else
1267 pcg 1.57 slog (L_WARN,
1268     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1269     p->id);
1270 pcg 1.3 }
1271 pcg 1.1
1272 pcg 1.3 break;
1273 pcg 1.1
1274 pcg 1.3 case vpn_packet::PT_CONNECT_INFO:
1275     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1276     {
1277 pcg 1.39 connect_info_packet *p = (connect_info_packet *)pkt;
1278 pcg 1.1
1279 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1280 pcg 1.39 {
1281     connection *c = vpn->conns[p->id - 1];
1282 pcg 1.7
1283 pcg 1.39 c->conf->protocols = p->protocols;
1284     protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1285     p->si.upgrade_protocol (protocol, c->conf);
1286 pcg 1.1
1287 root 1.96 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s,protocols=%02x,protocol=%02x,upgradable=%02x) [%d]",
1288 root 1.93 conf->nodename,
1289     vpn->conns[p->id - 1]->conf->nodename,
1290     (const char *)p->si,
1291     p->protocols,
1292 root 1.96 protocol,
1293     p->si.supported_protocols (c->conf),
1294 root 1.93 !c->ictx && !c->octx);
1295 pcg 1.7
1296 pcg 1.39 const sockinfo &dsi = forward_si (p->si);
1297 pcg 1.1
1298 pcg 1.39 if (dsi.valid ())
1299     c->send_auth_request (dsi, true);
1300 root 1.96 else
1301     slog (L_INFO, "connect info for %s received (%s), but still unable to contact.",
1302     vpn->conns[p->id - 1]->conf->nodename,
1303     (const char *)p->si);
1304 pcg 1.39 }
1305 pcg 1.57 else
1306     slog (L_WARN,
1307     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1308     p->id);
1309 pcg 1.3 }
1310 pcg 1.1
1311 pcg 1.3 break;
1312 pcg 1.1
1313 pcg 1.3 default:
1314     send_reset (rsi);
1315     break;
1316 pcg 1.1 }
1317     }
1318    
1319 pcg 1.66 inline void
1320     connection::keepalive_cb (ev::timer &w, int revents)
1321 pcg 1.1 {
1322 root 1.97 ev_tstamp when = last_activity + ::conf.keepalive - ev::now ();
1323    
1324     if (when >= 0)
1325     w.start (when);
1326     else if (when < -15)
1327 pcg 1.1 {
1328     reset_connection ();
1329     establish_connection ();
1330     }
1331     else if (conf->connectmode != conf_node::C_ONDEMAND
1332     || THISNODE->connectmode != conf_node::C_ONDEMAND)
1333     {
1334 root 1.97 w.start (3);
1335 pcg 1.1 send_ping (si);
1336     }
1337 root 1.97 else if (when >= -10)
1338 pcg 1.12 // hold ondemand connections implicitly a few seconds longer
1339     // should delete octx, though, or something like that ;)
1340 root 1.97 w.start (when + 10);
1341 pcg 1.1 else
1342     reset_connection ();
1343     }
1344    
1345 root 1.90 void
1346     connection::send_connect_request (int id)
1347 pcg 1.1 {
1348 root 1.93 connect_req_packet *p = new connect_req_packet (conf->id, id, THISNODE->protocols);
1349 pcg 1.1
1350 root 1.93 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s,p%02x)",
1351     conf->nodename, vpn->conns[id - 1]->conf->nodename,
1352     THISNODE->protocols);
1353 pcg 1.1 p->hmac_set (octx);
1354 pcg 1.10 send_vpn_packet (p, si);
1355 pcg 1.1
1356     delete p;
1357     }
1358    
1359 root 1.90 void
1360     connection::script_init_env (const char *ext)
1361 pcg 1.53 {
1362     char *env;
1363     asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1364 pcg 1.84 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1365 pcg 1.53 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1366     0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1367 pcg 1.84 conf->id & 0xff); putenv (env);
1368 pcg 1.53 }
1369    
1370 root 1.90 void
1371     connection::script_init_connect_env ()
1372 pcg 1.1 {
1373 pcg 1.52 vpn->script_init_env ();
1374 pcg 1.1
1375     char *env;
1376 pcg 1.84 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1377     asprintf (&env, "DESTSI=%s", (const char *)si); putenv (env);
1378     asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1379     asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1380     asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1381 pcg 1.1 }
1382    
1383 pcg 1.66 inline const char *
1384     connection::script_node_up ()
1385 pcg 1.1 {
1386 pcg 1.53 script_init_connect_env ();
1387 pcg 1.1
1388 pcg 1.60 putenv ((char *)"STATE=up");
1389 pcg 1.1
1390 pcg 1.52 char *filename;
1391     asprintf (&filename,
1392     "%s/%s",
1393     confbase,
1394     ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1395 pcg 1.54
1396     return filename;
1397 pcg 1.1 }
1398    
1399 pcg 1.66 inline const char *
1400 pcg 1.84 connection::script_node_change ()
1401     {
1402     script_init_connect_env ();
1403    
1404     putenv ((char *)"STATE=change");
1405    
1406     char *filename;
1407     asprintf (&filename,
1408     "%s/%s",
1409     confbase,
1410     ::conf.script_node_change ? ::conf.script_node_change : "node-change");
1411    
1412     return filename;
1413     }
1414    
1415     inline const char *
1416 pcg 1.66 connection::script_node_down ()
1417 pcg 1.1 {
1418 pcg 1.53 script_init_connect_env ();
1419 pcg 1.1
1420 pcg 1.60 putenv ((char *)"STATE=down");
1421 pcg 1.1
1422 pcg 1.52 char *filename;
1423     asprintf (&filename,
1424     "%s/%s",
1425     confbase,
1426     ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1427 pcg 1.54
1428     return filename;
1429 pcg 1.1 }
1430    
1431 pcg 1.40 connection::connection (struct vpn *vpn, conf_node *conf)
1432 pcg 1.67 : vpn(vpn), conf(conf),
1433 pcg 1.40 #if ENABLE_DNS
1434 pcg 1.67 dns (0),
1435 pcg 1.40 #endif
1436 pcg 1.72 data_queue(conf->max_ttl, conf->max_queue + 1),
1437     vpn_queue(conf->max_ttl, conf->max_queue + 1)
1438 pcg 1.1 {
1439 pcg 1.65 rekey .set<connection, &connection::rekey_cb > (this);
1440     keepalive .set<connection, &connection::keepalive_cb > (this);
1441     establish_connection.set<connection, &connection::establish_connection_cb> (this);
1442    
1443 pcg 1.68 last_establish_attempt = 0.;
1444 pcg 1.1 octx = ictx = 0;
1445    
1446 pcg 1.67 connectmode = conf->connectmode;
1447    
1448     // queue a dummy packet to force an initial connection attempt
1449     if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1450 pcg 1.68 vpn_queue.put (new net_packet);
1451 pcg 1.67
1452 pcg 1.1 reset_connection ();
1453     }
1454    
1455     connection::~connection ()
1456     {
1457     shutdown ();
1458     }
1459    
1460 root 1.90 void
1461     connection_init ()
1462 pcg 1.1 {
1463     auth_rate_limiter.clear ();
1464     reset_rate_limiter.clear ();
1465     }
1466