ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
Revision: 1.102
Committed: Thu Jul 18 13:35:16 2013 UTC (10 years, 11 months ago) by root
Content type: text/plain
Branch: MAIN
Changes since 1.101: +23 -33 lines
Log Message: 
*** empty log message ***

File Contents

# User Rev Content
1 pcg 1.1 /*
2     connection.C -- manage a single connection
3 root 1.98 Copyright (C) 2003-2008,2010,2011,2013 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.42 This file is part of GVPE.
6    
7 pcg 1.69 GVPE is free software; you can redistribute it and/or modify it
8     under the terms of the GNU General Public License as published by the
9     Free Software Foundation; either version 3 of the License, or (at your
10     option) any later version.
11    
12     This program is distributed in the hope that it will be useful, but
13     WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15     Public License for more details.
16    
17     You should have received a copy of the GNU General Public License along
18     with this program; if not, see <http://www.gnu.org/licenses/>.
19    
20     Additional permission under GNU GPL version 3 section 7
21    
22     If you modify this Program, or any covered work, by linking or
23     combining it with the OpenSSL project's OpenSSL library (or a modified
24     version of that library), containing parts covered by the terms of the
25     OpenSSL or SSLeay licenses, the licensors of this Program grant you
26     additional permission to convey the resulting work. Corresponding
27     Source for a non-source form of such a combination shall include the
28     source code for the parts of OpenSSL used as well as that of the
29     covered work.
30 pcg 1.1 */
31    
32     #include "config.h"
33    
34     #include <list>
35 pcg 1.70 #include <queue>
36     #include <utility>
37 pcg 1.1
38 pcg 1.2 #include <openssl/rand.h>
39     #include <openssl/evp.h>
40     #include <openssl/rsa.h>
41     #include <openssl/err.h>
42    
43 pcg 1.1 #include "conf.h"
44     #include "slog.h"
45     #include "device.h"
46 pcg 1.2 #include "vpn.h"
47 pcg 1.1 #include "connection.h"
48 root 1.98 #include "hkdf.h"
49 pcg 1.1
50 pcg 1.20 #include "netcompat.h"
51 pcg 1.19
52 root 1.98 #define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic
53 root 1.102 #define MAGIC "HUHN\xbd\xc6\xdb\x82" // 8 bytes of magic//D
54 pcg 1.30
55     #define ULTRA_FAST 1
56     #define HLOG 15
57     #include "lzf/lzf.h"
58     #include "lzf/lzf_c.c"
59     #include "lzf/lzf_d.c"
60 pcg 1.1
61 pcg 1.70 //////////////////////////////////////////////////////////////////////////////
62    
63     static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
64     static ev::child rs_child_ev;
65    
66 root 1.90 namespace
67 pcg 1.70 {
68 root 1.90 void // c++ requires external linkage here, apparently :(
69     rs_child_cb (ev::child &w, int revents)
70     {
71     w.stop ();
72 pcg 1.70
73 root 1.90 if (rs_queue.empty ())
74     return;
75 pcg 1.70
76 root 1.90 pid_t pid = run_script (*rs_queue.front ().first, false);
77     if (pid)
78     {
79     w.set (pid);
80     w.start ();
81     }
82     else
83     slog (L_WARN, rs_queue.front ().second);
84 pcg 1.70
85 root 1.90 delete rs_queue.front ().first;
86     rs_queue.pop ();
87     }
88     };
89 pcg 1.70
90     // despite the fancy name, this is quite a hack
91     static void
92     run_script_queued (run_script_cb *cb, const char *warnmsg)
93     {
94     rs_queue.push (std::make_pair (cb, warnmsg));
95    
96     if (!rs_child_ev.is_active ())
97     {
98     rs_child_ev.set<rs_child_cb> ();
99     rs_child_ev ();
100     }
101     }
102    
103     //////////////////////////////////////////////////////////////////////////////
104    
105 pcg 1.1 struct crypto_ctx
106     {
107     EVP_CIPHER_CTX cctx;
108     HMAC_CTX hctx;
109    
110 root 1.98 crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc);
111 pcg 1.1 ~crypto_ctx ();
112     };
113    
114 root 1.98 crypto_ctx::crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc)
115 pcg 1.1 {
116 root 1.98 ecdh_key s;
117    
118     curve25519_combine (a, b, s);
119    
120     {
121     u8 mac_key[MAC_KEYSIZE];
122     static const unsigned char mac_info[] = "gvpe mac key";
123    
124 root 1.99 hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ());
125 root 1.98 kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key));
126     kdf.extract (s, sizeof (s));
127 root 1.99 kdf.extract_done (HKDF_PRF_HASH ());
128 root 1.98 kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info));
129    
130     HMAC_CTX_init (&hctx);
131     require (HMAC_Init_ex (&hctx, mac_key, MAC_KEYSIZE, MAC_DIGEST (), 0));
132     }
133    
134     {
135     u8 cipher_key[CIPHER_KEYSIZE];
136     static const unsigned char cipher_info[] = "gvpe cipher key";
137    
138 root 1.99 hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ());
139 root 1.98 kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key));
140     kdf.extract (s, sizeof (s));
141 root 1.99 kdf.extract_done (HKDF_PRF_HASH ());
142 root 1.98 kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info));
143    
144     EVP_CIPHER_CTX_init (&cctx);
145     require (EVP_CipherInit_ex (&cctx, CIPHER (), 0, cipher_key, 0, enc));
146     }
147 pcg 1.1 }
148    
149     crypto_ctx::~crypto_ctx ()
150     {
151 pcg 1.29 require (EVP_CIPHER_CTX_cleanup (&cctx));
152 pcg 1.1 HMAC_CTX_cleanup (&hctx);
153     }
154    
155 root 1.98 static inline void
156     auth_encrypt (RSA *key, const auth_data &auth, auth_encr &encr)
157 pcg 1.1 {
158 root 1.98 if (RSA_public_encrypt (sizeof (auth.rsa),
159     (unsigned char *)&auth.rsa, (unsigned char *)&encr.rsa,
160     key, RSA_PKCS1_OAEP_PADDING) < 0)
161     fatal ("RSA_public_encrypt error");
162 root 1.100
163     memcpy (&encr.ecdh, &auth.ecdh, sizeof (encr.ecdh));
164 pcg 1.1 }
165    
166 root 1.98 static inline bool
167     auth_decrypt (RSA *key, const auth_encr &encr, auth_data &auth)
168 pcg 1.63 {
169 root 1.98 u8 rsa_decrypt[RSA_KEYLEN];
170 pcg 1.1
171 root 1.98 if (RSA_private_decrypt (sizeof (encr.rsa),
172     (const unsigned char *)&encr.rsa, (unsigned char *)rsa_decrypt,
173     key, RSA_PKCS1_OAEP_PADDING) != sizeof (auth.rsa))
174     return 0;
175 pcg 1.1
176 root 1.98 memcpy (&auth.rsa, rsa_decrypt, sizeof (auth.rsa));
177 root 1.100 memcpy (&auth.ecdh, &encr.ecdh, sizeof (auth.ecdh));
178 pcg 1.1
179 root 1.98 return 1;
180     }
181 pcg 1.1
182 root 1.98 static void
183     auth_hash (const auth_data &auth, auth_mac &mac)
184     {
185     HMAC_CTX ctx;
186 pcg 1.1
187 root 1.98 HMAC_CTX_init (&ctx);
188     require (HMAC_Init_ex (&ctx, auth.rsa.auth_key, sizeof (auth.rsa.auth_key), AUTH_DIGEST (), 0));
189     require (HMAC_Update (&ctx, (const unsigned char *)&auth, sizeof auth));
190     require (HMAC_Final (&ctx, (unsigned char *)&mac, 0));
191     HMAC_CTX_cleanup (&ctx);
192     }
193 pcg 1.1
194 root 1.90 void
195 root 1.98 connection::generate_auth_data ()
196 pcg 1.1 {
197 root 1.98 if (auth_expire < ev_now ())
198 pcg 1.1 {
199 root 1.98 // request data
200 root 1.101 rand_fill (snd_auth.rsa);
201 root 1.98 curve25519_generate (snd_ecdh_a, snd_auth.ecdh);
202     auth_hash (snd_auth, snd_auth_mac);
203    
204     // eventual response data
205     curve25519_generate (rcv_ecdh_a, rcv_ecdh_b);
206 pcg 1.1 }
207 root 1.98
208     // every use prolongs the expiry
209     auth_expire = ev_now () + AUTH_TTL;
210 pcg 1.1 }
211    
212     //////////////////////////////////////////////////////////////////////////////
213    
214 pcg 1.67 pkt_queue::pkt_queue (double max_ttl, int max_queue)
215     : max_ttl (max_ttl), max_queue (max_queue)
216 pcg 1.1 {
217 pcg 1.67 queue = new pkt [max_queue];
218    
219     i = 0;
220     j = 0;
221    
222     expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
223     }
224 pcg 1.1
225 pcg 1.67 pkt_queue::~pkt_queue ()
226     {
227     while (net_packet *p = get ())
228     delete p;
229 pcg 1.1
230 pcg 1.67 delete [] queue;
231 pcg 1.1 }
232    
233 root 1.90 void
234     pkt_queue::expire_cb (ev::timer &w, int revents)
235 pcg 1.1 {
236 pcg 1.67 ev_tstamp expire = ev_now () - max_ttl;
237 pcg 1.1
238 pcg 1.67 for (;;)
239 pcg 1.1 {
240 pcg 1.67 if (empty ())
241     break;
242    
243     double diff = queue[j].tstamp - expire;
244    
245     if (diff >= 0.)
246     {
247     w.start (diff > 0.5 ? diff : 0.5);
248     break;
249     }
250    
251     delete get ();
252 pcg 1.1 }
253     }
254    
255 root 1.90 void
256     pkt_queue::put (net_packet *p)
257 pcg 1.1 {
258 pcg 1.67 ev_tstamp now = ev_now ();
259    
260     // start expiry timer
261     if (empty ())
262     expire.start (max_ttl);
263    
264     int ni = i + 1 == max_queue ? 0 : i + 1;
265    
266     if (ni == j)
267     delete get ();
268    
269     queue[i].pkt = p;
270     queue[i].tstamp = now;
271    
272     i = ni;
273 pcg 1.1 }
274    
275 root 1.90 net_packet *
276     pkt_queue::get ()
277 pcg 1.1 {
278 pcg 1.67 if (empty ())
279     return 0;
280    
281     net_packet *p = queue[j].pkt;
282     queue[j].pkt = 0;
283    
284     j = j + 1 == max_queue ? 0 : j + 1;
285    
286     return p;
287 pcg 1.1 }
288    
289 pcg 1.63 struct net_rateinfo
290     {
291 pcg 1.1 u32 host;
292     double pcnt, diff;
293     tstamp last;
294     };
295    
296     // only do action once every x seconds per host whole allowing bursts.
297     // this implementation ("splay list" ;) is inefficient,
298     // but low on resources.
299     struct net_rate_limiter : list<net_rateinfo>
300     {
301 pcg 1.35 # define NRL_ALPHA (1. - 1. / 600.) // allow bursts
302     # define NRL_CUTOFF 10. // one event every CUTOFF seconds
303     # define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
304     # define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
305 pcg 1.1
306 pcg 1.16 bool can (const sockinfo &si) { return can((u32)si.host); }
307 pcg 1.1 bool can (u32 host);
308     };
309    
310 root 1.90 static net_rate_limiter auth_rate_limiter, reset_rate_limiter;
311 pcg 1.1
312 root 1.90 bool
313     net_rate_limiter::can (u32 host)
314 pcg 1.1 {
315     iterator i;
316    
317     for (i = begin (); i != end (); )
318     if (i->host == host)
319     break;
320 pcg 1.62 else if (i->last < ev_now () - NRL_EXPIRE)
321 pcg 1.1 i = erase (i);
322     else
323     i++;
324    
325     if (i == end ())
326     {
327     net_rateinfo ri;
328    
329     ri.host = host;
330     ri.pcnt = 1.;
331 pcg 1.34 ri.diff = NRL_MAXDIF;
332 pcg 1.62 ri.last = ev_now ();
333 pcg 1.1
334     push_front (ri);
335    
336     return true;
337     }
338     else
339     {
340     net_rateinfo ri (*i);
341     erase (i);
342    
343 pcg 1.34 ri.pcnt = ri.pcnt * NRL_ALPHA;
344 pcg 1.62 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
345 pcg 1.1
346 pcg 1.62 ri.last = ev_now ();
347 pcg 1.1
348 pcg 1.10 double dif = ri.diff / ri.pcnt;
349 pcg 1.1
350 pcg 1.34 bool send = dif > NRL_CUTOFF;
351 pcg 1.10
352 pcg 1.34 if (dif > NRL_MAXDIF)
353 pcg 1.10 {
354     ri.pcnt = 1.;
355 pcg 1.34 ri.diff = NRL_MAXDIF;
356 pcg 1.10 }
357     else if (send)
358 pcg 1.1 ri.pcnt++;
359    
360     push_front (ri);
361    
362     return send;
363     }
364     }
365    
366     /////////////////////////////////////////////////////////////////////////////
367    
368     unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
369    
370 root 1.90 void
371     hmac_packet::hmac_gen (crypto_ctx *ctx)
372 pcg 1.1 {
373     unsigned int xlen;
374    
375     HMAC_CTX *hctx = &ctx->hctx;
376    
377 root 1.98 require (HMAC_Init_ex (hctx, 0, 0, 0, 0));
378     require (HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
379     len - sizeof (hmac_packet)));
380     require (HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen));
381 pcg 1.1 }
382    
383     void
384     hmac_packet::hmac_set (crypto_ctx *ctx)
385     {
386     hmac_gen (ctx);
387    
388     memcpy (hmac, hmac_digest, HMACLENGTH);
389     }
390    
391     bool
392     hmac_packet::hmac_chk (crypto_ctx *ctx)
393     {
394     hmac_gen (ctx);
395    
396     return !memcmp (hmac, hmac_digest, HMACLENGTH);
397     }
398    
399 root 1.90 void
400     vpn_packet::set_hdr (ptype type_, unsigned int dst)
401 pcg 1.1 {
402 pcg 1.6 type = type_;
403 pcg 1.1
404     int src = THISNODE->id;
405    
406     src1 = src;
407     srcdst = ((src >> 8) << 4) | (dst >> 8);
408     dst1 = dst;
409     }
410    
411     #define MAXVPNDATA (MAX_MTU - 6 - 6)
412     #define DATAHDR (sizeof (u32) + RAND_SIZE)
413    
414 pcg 1.28 struct vpndata_packet : vpn_packet
415 root 1.90 {
416     u8 data[MAXVPNDATA + DATAHDR]; // seqno
417    
418     void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
419     tap_packet *unpack (connection *conn, u32 &seqno);
420 pcg 1.1
421     private:
422 root 1.90 const u32 data_hdr_size () const
423     {
424     return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
425     }
426     };
427 pcg 1.1
428     void
429     vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
430     {
431     EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
432     int outl = 0, outl2;
433     ptype type = PT_DATA_UNCOMPRESSED;
434    
435     #if ENABLE_COMPRESSION
436     u8 cdata[MAX_MTU];
437    
438 pcg 1.86 if (conn->features & FEATURE_COMPRESSION)
439 pcg 1.1 {
440 pcg 1.31 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
441 pcg 1.1
442 pcg 1.31 if (cl)
443     {
444     type = PT_DATA_COMPRESSED;
445     d = cdata;
446     l = cl + 2;
447    
448     d[0] = cl >> 8;
449     d[1] = cl;
450     }
451 pcg 1.1 }
452     #endif
453    
454 root 1.98 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 1));
455 pcg 1.1
456     struct {
457     #if RAND_SIZE
458     u8 rnd[RAND_SIZE];
459     #endif
460     u32 seqno;
461     } datahdr;
462    
463     datahdr.seqno = ntohl (seqno);
464     #if RAND_SIZE
465 root 1.102 // NB: a constant (per session) random prefix
466     // is likely enough, but we don't take any chances.
467     conn->oiv.get (datahdr.rnd, RAND_SIZE);
468 pcg 1.1 #endif
469    
470 pcg 1.29 require (EVP_EncryptUpdate (cctx,
471 pcg 1.1 (unsigned char *) data + outl, &outl2,
472 pcg 1.29 (unsigned char *) &datahdr, DATAHDR));
473 pcg 1.1 outl += outl2;
474    
475 pcg 1.29 require (EVP_EncryptUpdate (cctx,
476 pcg 1.1 (unsigned char *) data + outl, &outl2,
477 pcg 1.29 (unsigned char *) d, l));
478 pcg 1.1 outl += outl2;
479    
480 pcg 1.29 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
481 pcg 1.1 outl += outl2;
482    
483     len = outl + data_hdr_size ();
484    
485     set_hdr (type, dst);
486    
487     hmac_set (conn->octx);
488     }
489    
490     tap_packet *
491     vpndata_packet::unpack (connection *conn, u32 &seqno)
492     {
493     EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
494     int outl = 0, outl2;
495     tap_packet *p = new tap_packet;
496     u8 *d;
497     u32 l = len - data_hdr_size ();
498    
499 root 1.98 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 0));
500 pcg 1.1
501     #if ENABLE_COMPRESSION
502     u8 cdata[MAX_MTU];
503    
504     if (type == PT_DATA_COMPRESSED)
505     d = cdata;
506     else
507     #endif
508 root 1.101 d = &(*p)[6 + 6] - DATAHDR;
509 pcg 1.1
510 root 1.101 // we play do evil games with the struct layout atm.
511     // pending better solutions, we at least do some verification.
512     // this is fine, as we left ISO territory long ago.
513     require (DATAHDR <= 16);
514     require ((u8 *)(&p->len + 1) == &(*p)[0]);
515    
516     // this can overwrite the len/dst/src fields
517 pcg 1.29 require (EVP_DecryptUpdate (cctx,
518 pcg 1.1 d, &outl2,
519 pcg 1.29 (unsigned char *)&data, len - data_hdr_size ()));
520 pcg 1.1 outl += outl2;
521    
522 pcg 1.29 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
523 pcg 1.1 outl += outl2;
524    
525     seqno = ntohl (*(u32 *)(d + RAND_SIZE));
526    
527     id2mac (dst () ? dst() : THISNODE->id, p->dst);
528     id2mac (src (), p->src);
529    
530     #if ENABLE_COMPRESSION
531     if (type == PT_DATA_COMPRESSED)
532     {
533     u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
534    
535     p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
536     &(*p)[6 + 6], MAX_MTU)
537     + 6 + 6;
538     }
539     else
540     p->len = outl + (6 + 6 - DATAHDR);
541     #endif
542    
543     return p;
544     }
545    
546     struct ping_packet : vpn_packet
547     {
548     void setup (int dst, ptype type)
549     {
550     set_hdr (type, dst);
551     len = sizeof (*this) - sizeof (net_packet);
552     }
553     };
554    
555     struct config_packet : vpn_packet
556     {
557 root 1.98 u8 prot_major, prot_minor, randsize;
558     u8 flags, features, pad6, pad7, pad8;
559     u32 cipher_nid, mac_nid, auth_nid;
560 pcg 1.1
561     void setup (ptype type, int dst);
562     bool chk_config () const;
563 pcg 1.32
564     static u8 get_features ()
565     {
566     u8 f = 0;
567     #if ENABLE_COMPRESSION
568     f |= FEATURE_COMPRESSION;
569     #endif
570     #if ENABLE_ROHC
571     f |= FEATURE_ROHC;
572     #endif
573 pcg 1.59 #if ENABLE_BRIDGING
574     f |= FEATURE_BRIDGING;
575     #endif
576 pcg 1.32 return f;
577     }
578 pcg 1.1 };
579    
580 root 1.90 void
581     config_packet::setup (ptype type, int dst)
582 pcg 1.1 {
583     prot_major = PROTOCOL_MAJOR;
584     prot_minor = PROTOCOL_MINOR;
585     randsize = RAND_SIZE;
586 pcg 1.48 flags = 0;
587 pcg 1.32 features = get_features ();
588 pcg 1.1
589 root 1.98 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER ()));
590     mac_nid = htonl (EVP_MD_type (MAC_DIGEST ()));
591     auth_nid = htonl (EVP_MD_type (AUTH_DIGEST ()));
592 pcg 1.1
593     len = sizeof (*this) - sizeof (net_packet);
594     set_hdr (type, dst);
595     }
596    
597 root 1.90 bool
598     config_packet::chk_config () const
599 pcg 1.1 {
600 pcg 1.15 if (prot_major != PROTOCOL_MAJOR)
601 pcg 1.23 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
602 pcg 1.15 else if (randsize != RAND_SIZE)
603 pcg 1.23 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
604 root 1.98 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER ())))
605     slog (L_WARN, _("cipher algo mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER ()));
606     else if (mac_nid != htonl (EVP_MD_type (MAC_DIGEST ())))
607     slog (L_WARN, _("mac algo mismatch (remote %x <=> local %x)"), ntohl (mac_nid), EVP_MD_type (MAC_DIGEST ()));
608     else if (auth_nid != htonl (EVP_MD_type (AUTH_DIGEST ())))
609     slog (L_WARN, _("auth algo mismatch (remote %x <=> local %x)"), ntohl (auth_nid), EVP_MD_type (AUTH_DIGEST ()));
610 pcg 1.15 else
611     return true;
612    
613     return false;
614 pcg 1.1 }
615    
616 root 1.98 struct auth_req_packet : config_packet // UNPROTECTED
617 pcg 1.1 {
618     char magic[8];
619     u8 initiate; // false if this is just an automatic reply
620 pcg 1.28 u8 protocols; // supported protocols (will be patched on forward)
621 pcg 1.1 u8 pad2, pad3;
622 root 1.98 auth_encr encr;
623 pcg 1.1
624     auth_req_packet (int dst, bool initiate_, u8 protocols_)
625     {
626     config_packet::setup (PT_AUTH_REQ, dst);
627 root 1.98 memcpy (magic, MAGIC, 8);
628 pcg 1.1 initiate = !!initiate_;
629     protocols = protocols_;
630    
631     len = sizeof (*this) - sizeof (net_packet);
632     }
633     };
634    
635 root 1.98 struct auth_res_packet : config_packet // UNPROTECTED
636 pcg 1.1 {
637 root 1.98 auth_response response;
638 pcg 1.1
639     auth_res_packet (int dst)
640     {
641     config_packet::setup (PT_AUTH_RES, dst);
642    
643     len = sizeof (*this) - sizeof (net_packet);
644     }
645     };
646    
647     struct connect_req_packet : vpn_packet
648     {
649     u8 id, protocols;
650     u8 pad1, pad2;
651    
652     connect_req_packet (int dst, int id_, u8 protocols_)
653     : id(id_)
654     , protocols(protocols_)
655     {
656     set_hdr (PT_CONNECT_REQ, dst);
657     len = sizeof (*this) - sizeof (net_packet);
658     }
659     };
660    
661     struct connect_info_packet : vpn_packet
662     {
663     u8 id, protocols;
664     u8 pad1, pad2;
665     sockinfo si;
666    
667     connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
668     : id(id_)
669     , protocols(protocols_)
670     , si(si_)
671     {
672     set_hdr (PT_CONNECT_INFO, dst);
673    
674     len = sizeof (*this) - sizeof (net_packet);
675     }
676     };
677    
678     /////////////////////////////////////////////////////////////////////////////
679    
680     void
681 root 1.98 connection::connection_established (const sockinfo &rsi)
682 pcg 1.10 {
683 root 1.98 if (!have_snd_auth || !have_rcv_auth)
684     return;
685    
686     si = rsi;
687     protocol = rsi.prot;
688    
689     slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
690     conf->nodename, (const char *)rsi,
691     is_direct ? "direct" : "forwarded",
692     PROTOCOL_MAJOR, prot_minor);
693    
694     if (::conf.script_node_up)
695     {
696     run_script_cb *cb = new run_script_cb;
697     cb->set<connection, &connection::script_node_up> (this);
698     run_script_queued (cb, _("node-up command execution failed, continuing."));
699     }
700    
701     delete ictx; ictx = new crypto_ctx (rcv_auth, snd_auth, rcv_ecdh_a, rcv_auth.ecdh, 0);
702     iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff);
703    
704     delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b , 1);
705     oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff;
706 pcg 1.61
707 root 1.102 oiv.reset ();
708    
709     // make sure rekeying timeouts are slightly asymmetric
710     ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
711     rekey.start (rekey_interval, rekey_interval);
712    
713     keepalive.start (::conf.keepalive);
714    
715     // send queued packets
716 pcg 1.10 if (ictx && octx)
717     {
718 root 1.102 while (tap_packet *p = (tap_packet *)data_queue.get ())
719     {
720     if (p->len) send_data_packet (p);
721     delete p;
722     }
723 root 1.97
724 root 1.102 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
725 pcg 1.12 {
726 root 1.102 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
727     delete p;
728 pcg 1.12 }
729 root 1.102 }
730 pcg 1.73
731 root 1.102 vpn->connection_established (this);
732 pcg 1.10 }
733    
734     void
735 pcg 1.8 connection::reset_si ()
736 pcg 1.1 {
737 pcg 1.73 if (vpn->can_direct (THISNODE, conf))
738     protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
739     else
740 pcg 1.59 {
741 pcg 1.73 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
742 pcg 1.59 protocol = 0;
743     }
744 pcg 1.6
745     si.set (conf, protocol);
746 pcg 1.73
747     is_direct = si.valid ();
748 pcg 1.1 }
749    
750 pcg 1.8 // ensure sockinfo is valid, forward if necessary
751     const sockinfo &
752     connection::forward_si (const sockinfo &si) const
753     {
754     if (!si.valid ())
755     {
756 pcg 1.73 connection *r = vpn->find_router_for (this);
757 pcg 1.8
758     if (r)
759     {
760 pcg 1.73 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
761     conf->nodename, r->conf->nodename);
762 pcg 1.8 return r->si;
763     }
764     else
765 pcg 1.73 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
766 pcg 1.8 conf->nodename);
767     }
768    
769     return si;
770     }
771    
772 pcg 1.1 void
773 pcg 1.10 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
774     {
775 pcg 1.46 if (!vpn->send_vpn_packet (pkt, si, tos))
776 pcg 1.10 reset_connection ();
777     }
778    
779     void
780 pcg 1.1 connection::send_ping (const sockinfo &si, u8 pong)
781     {
782     ping_packet *pkt = new ping_packet;
783    
784     pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
785 pcg 1.73
786 pcg 1.79 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
787 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
788 pcg 1.1
789     delete pkt;
790     }
791    
792     void
793     connection::send_reset (const sockinfo &si)
794     {
795     if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
796     {
797     config_packet *pkt = new config_packet;
798    
799     pkt->setup (vpn_packet::PT_RESET, conf->id);
800 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_MINCOST);
801 pcg 1.1
802     delete pkt;
803     }
804     }
805    
806     void
807     connection::send_auth_request (const sockinfo &si, bool initiate)
808     {
809     auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
810    
811 root 1.98 generate_auth_data ();
812     auth_encrypt (conf->rsa_key, snd_auth, pkt->encr);
813 pcg 1.1
814 pcg 1.81 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
815 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
816 pcg 1.1
817 pcg 1.6 delete pkt;
818 pcg 1.1 }
819    
820     void
821 root 1.98 connection::send_auth_response (const sockinfo &si)
822 pcg 1.1 {
823     auth_res_packet *pkt = new auth_res_packet (conf->id);
824    
825 root 1.98 auth_hash (rcv_auth, pkt->response.mac);
826     memcpy (pkt->response.ecdh, rcv_ecdh_b, sizeof (rcv_ecdh_b));
827 pcg 1.1
828 pcg 1.80 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
829 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
830 pcg 1.1
831     delete pkt;
832     }
833    
834     void
835     connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
836     {
837 root 1.93 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s,p%02x)", conf->nodename,
838     vpn->conns[rid - 1]->conf->nodename, (const char *)rsi,
839     conf->protocols);
840 pcg 1.1
841     connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
842    
843     r->hmac_set (octx);
844 pcg 1.10 send_vpn_packet (r, si);
845 pcg 1.1
846     delete r;
847     }
848    
849 pcg 1.66 inline void
850 pcg 1.60 connection::establish_connection_cb (ev::timer &w, int revents)
851 pcg 1.1 {
852 root 1.92 if (!(ictx && octx)
853 pcg 1.25 && conf != THISNODE
854     && connectmode != conf_node::C_NEVER
855     && connectmode != conf_node::C_DISABLED
856 pcg 1.60 && !w.is_active ())
857 pcg 1.1 {
858 pcg 1.67 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
859     // and stop trying. should probably be handled by a per-connection expire handler.
860     if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
861     {
862     reset_connection ();
863     return;
864     }
865    
866 pcg 1.68 last_establish_attempt = ev_now ();
867    
868 pcg 1.60 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
869     ? (retry_cnt & 3) + 1
870     : 1 << (retry_cnt >> 2));
871 pcg 1.1
872 pcg 1.47 reset_si ();
873 pcg 1.1
874 pcg 1.47 bool slow = si.prot & PROT_SLOW;
875 pcg 1.8
876 pcg 1.73 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
877 pcg 1.60 {
878     /*TODO*/ /* start the timer so we don't recurse endlessly */
879     w.start (1);
880 pcg 1.74 vpn->send_connect_request (this);
881 pcg 1.60 }
882 pcg 1.8 else
883 pcg 1.1 {
884 pcg 1.73 if (si.valid ())
885     slog (L_DEBUG, _("%s: sending direct connection request to %s."),
886     conf->nodename, (const char *)si);
887 pcg 1.61
888 pcg 1.8 const sockinfo &dsi = forward_si (si);
889 pcg 1.6
890 pcg 1.47 slow = slow || (dsi.prot & PROT_SLOW);
891    
892 pcg 1.8 if (dsi.valid () && auth_rate_limiter.can (dsi))
893     {
894     if (retry_cnt < 4)
895     send_auth_request (dsi, true);
896     else
897     send_ping (dsi, 0);
898     }
899 pcg 1.1 }
900 pcg 1.47
901 pcg 1.68 retry_int *= slow ? 8. : 0.9;
902 pcg 1.47
903     if (retry_int < conf->max_retry)
904     retry_cnt++;
905     else
906     retry_int = conf->max_retry;
907    
908 pcg 1.60 w.start (retry_int);
909 pcg 1.1 }
910     }
911    
912     void
913     connection::reset_connection ()
914     {
915     if (ictx && octx)
916     {
917     slog (L_INFO, _("%s(%s): connection lost"),
918     conf->nodename, (const char *)si);
919    
920     if (::conf.script_node_down)
921 pcg 1.64 {
922 pcg 1.70 run_script_cb *cb = new run_script_cb;
923     cb->set<connection, &connection::script_node_down> (this);
924     run_script_queued (cb, _("node-down command execution failed, continuing."));
925 pcg 1.64 }
926 pcg 1.1 }
927    
928     delete ictx; ictx = 0;
929     delete octx; octx = 0;
930    
931 pcg 1.38 si.host = 0;
932 pcg 1.1
933 root 1.98 have_snd_auth = false;
934     have_rcv_auth = false;
935     auth_expire = 0.;
936    
937 pcg 1.73 last_activity = 0.;
938     //last_si_change = 0.;
939 pcg 1.1 retry_cnt = 0;
940    
941 pcg 1.25 rekey.stop ();
942     keepalive.stop ();
943     establish_connection.stop ();
944 pcg 1.1 }
945    
946     void
947     connection::shutdown ()
948     {
949     if (ictx && octx)
950     send_reset (si);
951    
952     reset_connection ();
953     }
954    
955 pcg 1.73 // poor-man's rekeying
956 pcg 1.66 inline void
957 pcg 1.60 connection::rekey_cb (ev::timer &w, int revents)
958 pcg 1.1 {
959     reset_connection ();
960     establish_connection ();
961     }
962    
963     void
964 pcg 1.21 connection::send_data_packet (tap_packet *pkt)
965 pcg 1.1 {
966     vpndata_packet *p = new vpndata_packet;
967     int tos = 0;
968    
969 pcg 1.12 // I am not hilarious about peeking into packets, but so be it.
970 pcg 1.21 if (conf->inherit_tos && pkt->is_ipv4 ())
971 pcg 1.1 tos = (*pkt)[15] & IPTOS_TOS_MASK;
972    
973 pcg 1.21 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
974 pcg 1.10 send_vpn_packet (p, si, tos);
975 pcg 1.1
976     delete p;
977    
978     if (oseqno > MAX_SEQNO)
979     rekey ();
980     }
981    
982     void
983 pcg 1.68 connection::post_inject_queue ()
984     {
985     // force a connection every now and when when packets are sent (max 1/s)
986     if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
987     establish_connection.stop ();
988    
989     establish_connection ();
990     }
991    
992     void
993     connection::inject_data_packet (tap_packet *pkt)
994 pcg 1.1 {
995     if (ictx && octx)
996 pcg 1.21 send_data_packet (pkt);
997 pcg 1.1 else
998     {
999 pcg 1.68 data_queue.put (new tap_packet (*pkt));
1000     post_inject_queue ();
1001 pcg 1.1 }
1002     }
1003    
1004 root 1.90 void
1005     connection::inject_vpn_packet (vpn_packet *pkt, int tos)
1006 pcg 1.8 {
1007     if (ictx && octx)
1008 pcg 1.10 send_vpn_packet (pkt, si, tos);
1009 pcg 1.8 else
1010 pcg 1.12 {
1011 pcg 1.28 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
1012 pcg 1.68 post_inject_queue ();
1013 pcg 1.12 }
1014 pcg 1.8 }
1015    
1016 pcg 1.1 void
1017     connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1018     {
1019 pcg 1.62 last_activity = ev_now ();
1020 pcg 1.1
1021 root 1.91 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
1022 pcg 1.79 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1023 pcg 1.1
1024 pcg 1.61 if (connectmode == conf_node::C_DISABLED)
1025     return;
1026    
1027 pcg 1.1 switch (pkt->typ ())
1028     {
1029 pcg 1.3 case vpn_packet::PT_PING:
1030 pcg 1.79 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1031    
1032 pcg 1.3 // we send pings instead of auth packets after some retries,
1033     // so reset the retry counter and establish a connection
1034     // when we receive a ping.
1035 root 1.89 if (!ictx)
1036 pcg 1.3 {
1037     if (auth_rate_limiter.can (rsi))
1038     send_auth_request (rsi, true);
1039     }
1040     else
1041 root 1.89 // we would love to change the socket address here, but ping's aren't
1042 pcg 1.73 // authenticated, so we best ignore it.
1043 pcg 1.3 send_ping (rsi, 1); // pong
1044    
1045     break;
1046    
1047     case vpn_packet::PT_PONG:
1048 pcg 1.79 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1049 root 1.89
1050     // a PONG might mean that the other side doesn't really know
1051     // about our desire for communication.
1052     establish_connection ();
1053 pcg 1.3 break;
1054    
1055     case vpn_packet::PT_RESET:
1056 pcg 1.1 {
1057 pcg 1.3 reset_connection ();
1058    
1059     config_packet *p = (config_packet *) pkt;
1060    
1061     if (!p->chk_config ())
1062     {
1063 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
1064 pcg 1.3 conf->nodename, (const char *)rsi);
1065     connectmode = conf_node::C_DISABLED;
1066     }
1067     else if (connectmode == conf_node::C_ALWAYS)
1068     establish_connection ();
1069 pcg 1.1 }
1070 pcg 1.3 break;
1071    
1072     case vpn_packet::PT_AUTH_REQ:
1073     if (auth_rate_limiter.can (rsi))
1074     {
1075 root 1.93 auth_req_packet *p = (auth_req_packet *)pkt;
1076 pcg 1.3
1077 root 1.93 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s,p%02x,f%02x)",
1078     conf->nodename, p->initiate ? "initiate" : "reply",
1079     p->protocols, p->features);
1080 pcg 1.1
1081 root 1.98 if (p->chk_config () && !memcmp (p->magic, MAGIC, 8))
1082 pcg 1.3 {
1083     if (p->prot_minor != PROTOCOL_MINOR)
1084     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1085     conf->nodename, (const char *)rsi,
1086     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1087    
1088     if (p->initiate)
1089     send_auth_request (rsi, false);
1090    
1091 root 1.98 auth_data auth;
1092 pcg 1.3
1093 root 1.98 if (!auth_decrypt (::conf.rsa_key, p->encr, auth))
1094 pcg 1.23 {
1095     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1096     conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1097     }
1098 pcg 1.3 else
1099     {
1100 root 1.98 bool chg = !have_rcv_auth || memcmp (&rcv_auth, &auth, sizeof auth);
1101 pcg 1.1
1102 root 1.98 rcv_auth = auth;
1103     have_rcv_auth = true;
1104 pcg 1.1
1105 root 1.98 send_auth_response (rsi);
1106 pcg 1.10
1107 root 1.98 if (chg)
1108     {
1109     conf->protocols = p->protocols;
1110     features = p->features & config_packet::get_features ();
1111 pcg 1.3
1112 root 1.98 connection_established (rsi);
1113     }
1114     }
1115 pcg 1.10
1116 root 1.98 break;
1117 pcg 1.3 }
1118 pcg 1.15 else
1119 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch."),
1120 pcg 1.15 conf->nodename, (const char *)rsi);
1121 pcg 1.3
1122     send_reset (rsi);
1123 pcg 1.1 }
1124    
1125 pcg 1.3 break;
1126    
1127     case vpn_packet::PT_AUTH_RES:
1128 pcg 1.1 {
1129 pcg 1.79 auth_res_packet *p = (auth_res_packet *)pkt;
1130 pcg 1.1
1131 pcg 1.81 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
1132 pcg 1.1
1133 pcg 1.3 if (p->chk_config ())
1134 pcg 1.1 {
1135 root 1.98 if (memcmp (&p->response.mac, snd_auth_mac, sizeof (snd_auth_mac)))
1136 pcg 1.13 {
1137 root 1.98 slog (L_ERR, _("%s(%s): unrequested or outdated auth response, ignoring."),
1138 pcg 1.13 conf->nodename, (const char *)rsi);
1139     }
1140 root 1.98 else if (!have_snd_auth)
1141 pcg 1.1 {
1142 root 1.98 if (p->prot_minor != PROTOCOL_MINOR)
1143     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1144     conf->nodename, (const char *)rsi,
1145     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1146 pcg 1.3
1147 root 1.98 prot_minor = p->prot_minor;
1148     memcpy (snd_ecdh_b, p->response.ecdh, sizeof (snd_ecdh_b));
1149 pcg 1.1
1150 root 1.98 have_snd_auth = true;
1151     connection_established (rsi);
1152 pcg 1.1 }
1153 root 1.98
1154     break;
1155 pcg 1.1 }
1156     }
1157    
1158 pcg 1.3 send_reset (rsi);
1159     break;
1160 pcg 1.1
1161 pcg 1.3 case vpn_packet::PT_DATA_COMPRESSED:
1162     #if !ENABLE_COMPRESSION
1163     send_reset (rsi);
1164     break;
1165     #endif
1166 pcg 1.1
1167 pcg 1.3 case vpn_packet::PT_DATA_UNCOMPRESSED:
1168 pcg 1.1
1169 pcg 1.3 if (ictx && octx)
1170 pcg 1.1 {
1171 pcg 1.3 vpndata_packet *p = (vpndata_packet *)pkt;
1172 pcg 1.1
1173 pcg 1.10 if (!p->hmac_chk (ictx))
1174     slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1175 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1176 pcg 1.10 conf->nodename, (const char *)rsi);
1177     else
1178 pcg 1.1 {
1179 pcg 1.10 u32 seqno;
1180     tap_packet *d = p->unpack (this, seqno);
1181 pcg 1.73 int seqclass = iseqno.seqno_classify (seqno);
1182 pcg 1.10
1183 pcg 1.73 if (seqclass == 0) // ok
1184 pcg 1.1 {
1185 pcg 1.10 vpn->tap->send (d);
1186 pcg 1.1
1187 pcg 1.10 if (si != rsi)
1188 pcg 1.1 {
1189 pcg 1.56 // fast re-sync on source address changes, useful especially for tcp/ip
1190 pcg 1.73 //if (last_si_change < ev_now () + 5.)
1191     // {
1192 pcg 1.78 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1193     conf->nodename, (const char *)si, (const char *)rsi);
1194    
1195 pcg 1.73 si = rsi;
1196 pcg 1.84
1197     if (::conf.script_node_change)
1198     {
1199     run_script_cb *cb = new run_script_cb;
1200     cb->set<connection, &connection::script_node_change> (this);
1201     run_script_queued (cb, _("node-change command execution failed, continuing."));
1202     }
1203    
1204 pcg 1.73 // }
1205     //else
1206     // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1207     // conf->nodename, (const char *)si, (const char *)rsi);
1208 pcg 1.10 }
1209 pcg 1.32 }
1210 pcg 1.75 else if (seqclass == 1) // far history
1211     slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1212     "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1213     else if (seqclass == 2) // in-window duplicate, happens often on wireless
1214     slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1215     "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1216     else if (seqclass == 3) // reset
1217 pcg 1.73 {
1218 pcg 1.75 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1219     "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1220 pcg 1.73 send_reset (rsi);
1221     }
1222 pcg 1.3
1223 pcg 1.32 delete d;
1224     break;
1225 pcg 1.1 }
1226     }
1227    
1228 pcg 1.3 send_reset (rsi);
1229     break;
1230 pcg 1.1
1231 pcg 1.3 case vpn_packet::PT_CONNECT_REQ:
1232     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1233     {
1234 pcg 1.84 connect_req_packet *p = (connect_req_packet *)pkt;
1235 pcg 1.1
1236 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1237     {
1238     connection *c = vpn->conns[p->id - 1];
1239     conf->protocols = p->protocols;
1240 pcg 1.1
1241 root 1.93 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s,p%02x) [%d]",
1242     conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1243     p->protocols,
1244     c->ictx && c->octx);
1245 pcg 1.1
1246 pcg 1.57 if (c->ictx && c->octx)
1247     {
1248     // send connect_info packets to both sides, in case one is
1249     // behind a nat firewall (or both ;)
1250     c->send_connect_info (conf->id, si, conf->protocols);
1251     send_connect_info (c->conf->id, c->si, c->conf->protocols);
1252     }
1253     else
1254     c->establish_connection ();
1255 pcg 1.3 }
1256 pcg 1.11 else
1257 pcg 1.57 slog (L_WARN,
1258     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1259     p->id);
1260 pcg 1.3 }
1261 pcg 1.1
1262 pcg 1.3 break;
1263 pcg 1.1
1264 pcg 1.3 case vpn_packet::PT_CONNECT_INFO:
1265     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1266     {
1267 pcg 1.39 connect_info_packet *p = (connect_info_packet *)pkt;
1268 pcg 1.1
1269 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1270 pcg 1.39 {
1271     connection *c = vpn->conns[p->id - 1];
1272 pcg 1.7
1273 pcg 1.39 c->conf->protocols = p->protocols;
1274     protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1275     p->si.upgrade_protocol (protocol, c->conf);
1276 pcg 1.1
1277 root 1.96 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s,protocols=%02x,protocol=%02x,upgradable=%02x) [%d]",
1278 root 1.93 conf->nodename,
1279     vpn->conns[p->id - 1]->conf->nodename,
1280     (const char *)p->si,
1281     p->protocols,
1282 root 1.96 protocol,
1283     p->si.supported_protocols (c->conf),
1284 root 1.93 !c->ictx && !c->octx);
1285 pcg 1.7
1286 pcg 1.39 const sockinfo &dsi = forward_si (p->si);
1287 pcg 1.1
1288 pcg 1.39 if (dsi.valid ())
1289     c->send_auth_request (dsi, true);
1290 root 1.96 else
1291     slog (L_INFO, "connect info for %s received (%s), but still unable to contact.",
1292     vpn->conns[p->id - 1]->conf->nodename,
1293     (const char *)p->si);
1294 pcg 1.39 }
1295 pcg 1.57 else
1296     slog (L_WARN,
1297     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1298     p->id);
1299 pcg 1.3 }
1300 pcg 1.1
1301 pcg 1.3 break;
1302 pcg 1.1
1303 pcg 1.3 default:
1304     send_reset (rsi);
1305     break;
1306 pcg 1.1 }
1307     }
1308    
1309 pcg 1.66 inline void
1310     connection::keepalive_cb (ev::timer &w, int revents)
1311 pcg 1.1 {
1312 root 1.97 ev_tstamp when = last_activity + ::conf.keepalive - ev::now ();
1313    
1314     if (when >= 0)
1315     w.start (when);
1316     else if (when < -15)
1317 pcg 1.1 {
1318     reset_connection ();
1319     establish_connection ();
1320     }
1321     else if (conf->connectmode != conf_node::C_ONDEMAND
1322     || THISNODE->connectmode != conf_node::C_ONDEMAND)
1323     {
1324 root 1.97 w.start (3);
1325 pcg 1.1 send_ping (si);
1326     }
1327 root 1.97 else if (when >= -10)
1328 pcg 1.12 // hold ondemand connections implicitly a few seconds longer
1329     // should delete octx, though, or something like that ;)
1330 root 1.97 w.start (when + 10);
1331 pcg 1.1 else
1332     reset_connection ();
1333     }
1334    
1335 root 1.90 void
1336     connection::send_connect_request (int id)
1337 pcg 1.1 {
1338 root 1.93 connect_req_packet *p = new connect_req_packet (conf->id, id, THISNODE->protocols);
1339 pcg 1.1
1340 root 1.93 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s,p%02x)",
1341     conf->nodename, vpn->conns[id - 1]->conf->nodename,
1342     THISNODE->protocols);
1343 pcg 1.1 p->hmac_set (octx);
1344 pcg 1.10 send_vpn_packet (p, si);
1345 pcg 1.1
1346     delete p;
1347     }
1348    
1349 root 1.90 void
1350     connection::script_init_env (const char *ext)
1351 pcg 1.53 {
1352     char *env;
1353     asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1354 pcg 1.84 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1355 pcg 1.53 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1356     0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1357 pcg 1.84 conf->id & 0xff); putenv (env);
1358 pcg 1.53 }
1359    
1360 root 1.90 void
1361     connection::script_init_connect_env ()
1362 pcg 1.1 {
1363 pcg 1.52 vpn->script_init_env ();
1364 pcg 1.1
1365     char *env;
1366 pcg 1.84 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1367     asprintf (&env, "DESTSI=%s", (const char *)si); putenv (env);
1368     asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1369     asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1370     asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1371 pcg 1.1 }
1372    
1373 pcg 1.66 inline const char *
1374     connection::script_node_up ()
1375 pcg 1.1 {
1376 pcg 1.53 script_init_connect_env ();
1377 pcg 1.1
1378 pcg 1.60 putenv ((char *)"STATE=up");
1379 pcg 1.1
1380 pcg 1.52 char *filename;
1381     asprintf (&filename,
1382     "%s/%s",
1383     confbase,
1384     ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1385 pcg 1.54
1386     return filename;
1387 pcg 1.1 }
1388    
1389 pcg 1.66 inline const char *
1390 pcg 1.84 connection::script_node_change ()
1391     {
1392     script_init_connect_env ();
1393    
1394     putenv ((char *)"STATE=change");
1395    
1396     char *filename;
1397     asprintf (&filename,
1398     "%s/%s",
1399     confbase,
1400     ::conf.script_node_change ? ::conf.script_node_change : "node-change");
1401    
1402     return filename;
1403     }
1404    
1405     inline const char *
1406 pcg 1.66 connection::script_node_down ()
1407 pcg 1.1 {
1408 pcg 1.53 script_init_connect_env ();
1409 pcg 1.1
1410 pcg 1.60 putenv ((char *)"STATE=down");
1411 pcg 1.1
1412 pcg 1.52 char *filename;
1413     asprintf (&filename,
1414     "%s/%s",
1415     confbase,
1416     ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1417 pcg 1.54
1418     return filename;
1419 pcg 1.1 }
1420    
1421 pcg 1.40 connection::connection (struct vpn *vpn, conf_node *conf)
1422 pcg 1.67 : vpn(vpn), conf(conf),
1423 pcg 1.40 #if ENABLE_DNS
1424 pcg 1.67 dns (0),
1425 pcg 1.40 #endif
1426 pcg 1.72 data_queue(conf->max_ttl, conf->max_queue + 1),
1427     vpn_queue(conf->max_ttl, conf->max_queue + 1)
1428 pcg 1.1 {
1429 pcg 1.65 rekey .set<connection, &connection::rekey_cb > (this);
1430     keepalive .set<connection, &connection::keepalive_cb > (this);
1431     establish_connection.set<connection, &connection::establish_connection_cb> (this);
1432    
1433 pcg 1.68 last_establish_attempt = 0.;
1434 pcg 1.1 octx = ictx = 0;
1435    
1436 pcg 1.67 connectmode = conf->connectmode;
1437    
1438     // queue a dummy packet to force an initial connection attempt
1439     if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1440 pcg 1.68 vpn_queue.put (new net_packet);
1441 pcg 1.67
1442 pcg 1.1 reset_connection ();
1443     }
1444    
1445     connection::~connection ()
1446     {
1447     shutdown ();
1448     }
1449    
1450 root 1.90 void
1451     connection_init ()
1452 pcg 1.1 {
1453     auth_rate_limiter.clear ();
1454     reset_rate_limiter.clear ();
1455     }
1456