ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
Revision: 1.103
Committed: Thu Jul 18 17:35:10 2013 UTC (10 years, 10 months ago) by root
Content type: text/plain
Branch: MAIN
Changes since 1.102: +44 -41 lines
Log Message: 
*** empty log message ***

File Contents

# User Rev Content
1 pcg 1.1 /*
2     connection.C -- manage a single connection
3 root 1.98 Copyright (C) 2003-2008,2010,2011,2013 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.42 This file is part of GVPE.
6    
7 pcg 1.69 GVPE is free software; you can redistribute it and/or modify it
8     under the terms of the GNU General Public License as published by the
9     Free Software Foundation; either version 3 of the License, or (at your
10     option) any later version.
11    
12     This program is distributed in the hope that it will be useful, but
13     WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15     Public License for more details.
16    
17     You should have received a copy of the GNU General Public License along
18     with this program; if not, see <http://www.gnu.org/licenses/>.
19    
20     Additional permission under GNU GPL version 3 section 7
21    
22     If you modify this Program, or any covered work, by linking or
23     combining it with the OpenSSL project's OpenSSL library (or a modified
24     version of that library), containing parts covered by the terms of the
25     OpenSSL or SSLeay licenses, the licensors of this Program grant you
26     additional permission to convey the resulting work. Corresponding
27     Source for a non-source form of such a combination shall include the
28     source code for the parts of OpenSSL used as well as that of the
29     covered work.
30 pcg 1.1 */
31    
32     #include "config.h"
33    
34     #include <list>
35 pcg 1.70 #include <queue>
36     #include <utility>
37 pcg 1.1
38 pcg 1.2 #include <openssl/rand.h>
39     #include <openssl/evp.h>
40     #include <openssl/rsa.h>
41     #include <openssl/err.h>
42    
43 pcg 1.1 #include "conf.h"
44     #include "slog.h"
45     #include "device.h"
46 pcg 1.2 #include "vpn.h"
47 pcg 1.1 #include "connection.h"
48 root 1.98 #include "hkdf.h"
49 pcg 1.1
50 pcg 1.20 #include "netcompat.h"
51 pcg 1.19
52 root 1.98 #define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic
53 root 1.102 #define MAGIC "HUHN\xbd\xc6\xdb\x82" // 8 bytes of magic//D
54 pcg 1.30
55     #define ULTRA_FAST 1
56     #define HLOG 15
57     #include "lzf/lzf.h"
58     #include "lzf/lzf_c.c"
59     #include "lzf/lzf_d.c"
60 pcg 1.1
61 pcg 1.70 //////////////////////////////////////////////////////////////////////////////
62    
63     static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
64     static ev::child rs_child_ev;
65    
66 root 1.90 namespace
67 pcg 1.70 {
68 root 1.90 void // c++ requires external linkage here, apparently :(
69     rs_child_cb (ev::child &w, int revents)
70     {
71     w.stop ();
72 pcg 1.70
73 root 1.90 if (rs_queue.empty ())
74     return;
75 pcg 1.70
76 root 1.90 pid_t pid = run_script (*rs_queue.front ().first, false);
77     if (pid)
78     {
79     w.set (pid);
80     w.start ();
81     }
82     else
83     slog (L_WARN, rs_queue.front ().second);
84 pcg 1.70
85 root 1.90 delete rs_queue.front ().first;
86     rs_queue.pop ();
87     }
88     };
89 pcg 1.70
90     // despite the fancy name, this is quite a hack
91     static void
92     run_script_queued (run_script_cb *cb, const char *warnmsg)
93     {
94     rs_queue.push (std::make_pair (cb, warnmsg));
95    
96     if (!rs_child_ev.is_active ())
97     {
98     rs_child_ev.set<rs_child_cb> ();
99     rs_child_ev ();
100     }
101     }
102    
103     //////////////////////////////////////////////////////////////////////////////
104    
105 pcg 1.1 struct crypto_ctx
106     {
107     EVP_CIPHER_CTX cctx;
108     HMAC_CTX hctx;
109    
110 root 1.98 crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc);
111 pcg 1.1 ~crypto_ctx ();
112     };
113    
114 root 1.98 crypto_ctx::crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc)
115 pcg 1.1 {
116 root 1.98 ecdh_key s;
117    
118     curve25519_combine (a, b, s);
119    
120     {
121     u8 mac_key[MAC_KEYSIZE];
122     static const unsigned char mac_info[] = "gvpe mac key";
123    
124 root 1.99 hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ());
125 root 1.98 kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key));
126     kdf.extract (s, sizeof (s));
127 root 1.99 kdf.extract_done (HKDF_PRF_HASH ());
128 root 1.98 kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info));
129    
130     HMAC_CTX_init (&hctx);
131     require (HMAC_Init_ex (&hctx, mac_key, MAC_KEYSIZE, MAC_DIGEST (), 0));
132     }
133    
134     {
135     u8 cipher_key[CIPHER_KEYSIZE];
136     static const unsigned char cipher_info[] = "gvpe cipher key";
137    
138 root 1.99 hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ());
139 root 1.98 kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key));
140     kdf.extract (s, sizeof (s));
141 root 1.99 kdf.extract_done (HKDF_PRF_HASH ());
142 root 1.98 kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info));
143    
144     EVP_CIPHER_CTX_init (&cctx);
145     require (EVP_CipherInit_ex (&cctx, CIPHER (), 0, cipher_key, 0, enc));
146     }
147 pcg 1.1 }
148    
149     crypto_ctx::~crypto_ctx ()
150     {
151 pcg 1.29 require (EVP_CIPHER_CTX_cleanup (&cctx));
152 pcg 1.1 HMAC_CTX_cleanup (&hctx);
153     }
154    
155 root 1.98 static inline void
156     auth_encrypt (RSA *key, const auth_data &auth, auth_encr &encr)
157 pcg 1.1 {
158 root 1.98 if (RSA_public_encrypt (sizeof (auth.rsa),
159     (unsigned char *)&auth.rsa, (unsigned char *)&encr.rsa,
160     key, RSA_PKCS1_OAEP_PADDING) < 0)
161     fatal ("RSA_public_encrypt error");
162 root 1.100
163     memcpy (&encr.ecdh, &auth.ecdh, sizeof (encr.ecdh));
164 pcg 1.1 }
165    
166 root 1.98 static inline bool
167     auth_decrypt (RSA *key, const auth_encr &encr, auth_data &auth)
168 pcg 1.63 {
169 root 1.98 u8 rsa_decrypt[RSA_KEYLEN];
170 pcg 1.1
171 root 1.98 if (RSA_private_decrypt (sizeof (encr.rsa),
172     (const unsigned char *)&encr.rsa, (unsigned char *)rsa_decrypt,
173     key, RSA_PKCS1_OAEP_PADDING) != sizeof (auth.rsa))
174     return 0;
175 pcg 1.1
176 root 1.98 memcpy (&auth.rsa, rsa_decrypt, sizeof (auth.rsa));
177 root 1.100 memcpy (&auth.ecdh, &encr.ecdh, sizeof (auth.ecdh));
178 pcg 1.1
179 root 1.98 return 1;
180     }
181 pcg 1.1
182 root 1.98 static void
183     auth_hash (const auth_data &auth, auth_mac &mac)
184     {
185     HMAC_CTX ctx;
186 pcg 1.1
187 root 1.98 HMAC_CTX_init (&ctx);
188     require (HMAC_Init_ex (&ctx, auth.rsa.auth_key, sizeof (auth.rsa.auth_key), AUTH_DIGEST (), 0));
189     require (HMAC_Update (&ctx, (const unsigned char *)&auth, sizeof auth));
190     require (HMAC_Final (&ctx, (unsigned char *)&mac, 0));
191     HMAC_CTX_cleanup (&ctx);
192     }
193 pcg 1.1
194 root 1.90 void
195 root 1.98 connection::generate_auth_data ()
196 pcg 1.1 {
197 root 1.98 if (auth_expire < ev_now ())
198 pcg 1.1 {
199 root 1.98 // request data
200 root 1.101 rand_fill (snd_auth.rsa);
201 root 1.98 curve25519_generate (snd_ecdh_a, snd_auth.ecdh);
202     auth_hash (snd_auth, snd_auth_mac);
203    
204     // eventual response data
205     curve25519_generate (rcv_ecdh_a, rcv_ecdh_b);
206 pcg 1.1 }
207 root 1.98
208     // every use prolongs the expiry
209     auth_expire = ev_now () + AUTH_TTL;
210 pcg 1.1 }
211    
212     //////////////////////////////////////////////////////////////////////////////
213    
214 pcg 1.67 pkt_queue::pkt_queue (double max_ttl, int max_queue)
215     : max_ttl (max_ttl), max_queue (max_queue)
216 pcg 1.1 {
217 pcg 1.67 queue = new pkt [max_queue];
218    
219     i = 0;
220     j = 0;
221    
222     expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
223     }
224 pcg 1.1
225 pcg 1.67 pkt_queue::~pkt_queue ()
226     {
227     while (net_packet *p = get ())
228     delete p;
229 pcg 1.1
230 pcg 1.67 delete [] queue;
231 pcg 1.1 }
232    
233 root 1.90 void
234     pkt_queue::expire_cb (ev::timer &w, int revents)
235 pcg 1.1 {
236 pcg 1.67 ev_tstamp expire = ev_now () - max_ttl;
237 pcg 1.1
238 pcg 1.67 for (;;)
239 pcg 1.1 {
240 pcg 1.67 if (empty ())
241     break;
242    
243     double diff = queue[j].tstamp - expire;
244    
245     if (diff >= 0.)
246     {
247     w.start (diff > 0.5 ? diff : 0.5);
248     break;
249     }
250    
251     delete get ();
252 pcg 1.1 }
253     }
254    
255 root 1.90 void
256     pkt_queue::put (net_packet *p)
257 pcg 1.1 {
258 pcg 1.67 ev_tstamp now = ev_now ();
259    
260     // start expiry timer
261     if (empty ())
262     expire.start (max_ttl);
263    
264     int ni = i + 1 == max_queue ? 0 : i + 1;
265    
266     if (ni == j)
267     delete get ();
268    
269     queue[i].pkt = p;
270     queue[i].tstamp = now;
271    
272     i = ni;
273 pcg 1.1 }
274    
275 root 1.90 net_packet *
276     pkt_queue::get ()
277 pcg 1.1 {
278 pcg 1.67 if (empty ())
279     return 0;
280    
281     net_packet *p = queue[j].pkt;
282     queue[j].pkt = 0;
283    
284     j = j + 1 == max_queue ? 0 : j + 1;
285    
286     return p;
287 pcg 1.1 }
288    
289 pcg 1.63 struct net_rateinfo
290     {
291 pcg 1.1 u32 host;
292     double pcnt, diff;
293     tstamp last;
294     };
295    
296     // only do action once every x seconds per host whole allowing bursts.
297     // this implementation ("splay list" ;) is inefficient,
298     // but low on resources.
299     struct net_rate_limiter : list<net_rateinfo>
300     {
301 pcg 1.35 # define NRL_ALPHA (1. - 1. / 600.) // allow bursts
302     # define NRL_CUTOFF 10. // one event every CUTOFF seconds
303     # define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
304     # define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
305 pcg 1.1
306 pcg 1.16 bool can (const sockinfo &si) { return can((u32)si.host); }
307 pcg 1.1 bool can (u32 host);
308     };
309    
310 root 1.90 static net_rate_limiter auth_rate_limiter, reset_rate_limiter;
311 pcg 1.1
312 root 1.90 bool
313     net_rate_limiter::can (u32 host)
314 pcg 1.1 {
315     iterator i;
316    
317     for (i = begin (); i != end (); )
318     if (i->host == host)
319     break;
320 pcg 1.62 else if (i->last < ev_now () - NRL_EXPIRE)
321 pcg 1.1 i = erase (i);
322     else
323     i++;
324    
325     if (i == end ())
326     {
327     net_rateinfo ri;
328    
329     ri.host = host;
330     ri.pcnt = 1.;
331 pcg 1.34 ri.diff = NRL_MAXDIF;
332 pcg 1.62 ri.last = ev_now ();
333 pcg 1.1
334     push_front (ri);
335    
336     return true;
337     }
338     else
339     {
340     net_rateinfo ri (*i);
341     erase (i);
342    
343 pcg 1.34 ri.pcnt = ri.pcnt * NRL_ALPHA;
344 pcg 1.62 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
345 pcg 1.1
346 pcg 1.62 ri.last = ev_now ();
347 pcg 1.1
348 pcg 1.10 double dif = ri.diff / ri.pcnt;
349 pcg 1.1
350 pcg 1.34 bool send = dif > NRL_CUTOFF;
351 pcg 1.10
352 pcg 1.34 if (dif > NRL_MAXDIF)
353 pcg 1.10 {
354     ri.pcnt = 1.;
355 pcg 1.34 ri.diff = NRL_MAXDIF;
356 pcg 1.10 }
357     else if (send)
358 pcg 1.1 ri.pcnt++;
359    
360     push_front (ri);
361    
362     return send;
363     }
364     }
365    
366     /////////////////////////////////////////////////////////////////////////////
367    
368     unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
369    
370 root 1.90 void
371     hmac_packet::hmac_gen (crypto_ctx *ctx)
372 pcg 1.1 {
373     unsigned int xlen;
374    
375     HMAC_CTX *hctx = &ctx->hctx;
376    
377 root 1.98 require (HMAC_Init_ex (hctx, 0, 0, 0, 0));
378     require (HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
379     len - sizeof (hmac_packet)));
380     require (HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen));
381 pcg 1.1 }
382    
383     void
384     hmac_packet::hmac_set (crypto_ctx *ctx)
385     {
386     hmac_gen (ctx);
387    
388     memcpy (hmac, hmac_digest, HMACLENGTH);
389     }
390    
391     bool
392     hmac_packet::hmac_chk (crypto_ctx *ctx)
393     {
394     hmac_gen (ctx);
395    
396     return !memcmp (hmac, hmac_digest, HMACLENGTH);
397     }
398    
399 root 1.90 void
400     vpn_packet::set_hdr (ptype type_, unsigned int dst)
401 pcg 1.1 {
402 pcg 1.6 type = type_;
403 pcg 1.1
404     int src = THISNODE->id;
405    
406     src1 = src;
407     srcdst = ((src >> 8) << 4) | (dst >> 8);
408     dst1 = dst;
409     }
410    
411     #define MAXVPNDATA (MAX_MTU - 6 - 6)
412     #define DATAHDR (sizeof (u32) + RAND_SIZE)
413    
414 pcg 1.28 struct vpndata_packet : vpn_packet
415 root 1.90 {
416     u8 data[MAXVPNDATA + DATAHDR]; // seqno
417    
418     void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
419     tap_packet *unpack (connection *conn, u32 &seqno);
420 pcg 1.1
421     private:
422 root 1.90 const u32 data_hdr_size () const
423     {
424     return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
425     }
426     };
427 pcg 1.1
428     void
429     vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
430     {
431     EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
432     int outl = 0, outl2;
433     ptype type = PT_DATA_UNCOMPRESSED;
434    
435     #if ENABLE_COMPRESSION
436     u8 cdata[MAX_MTU];
437    
438 pcg 1.86 if (conn->features & FEATURE_COMPRESSION)
439 pcg 1.1 {
440 pcg 1.31 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
441 pcg 1.1
442 pcg 1.31 if (cl)
443     {
444     type = PT_DATA_COMPRESSED;
445     d = cdata;
446     l = cl + 2;
447    
448     d[0] = cl >> 8;
449     d[1] = cl;
450     }
451 pcg 1.1 }
452     #endif
453    
454 root 1.98 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 1));
455 pcg 1.1
456     struct {
457     #if RAND_SIZE
458     u8 rnd[RAND_SIZE];
459     #endif
460     u32 seqno;
461     } datahdr;
462    
463     datahdr.seqno = ntohl (seqno);
464     #if RAND_SIZE
465 root 1.102 // NB: a constant (per session) random prefix
466     // is likely enough, but we don't take any chances.
467     conn->oiv.get (datahdr.rnd, RAND_SIZE);
468 pcg 1.1 #endif
469    
470 pcg 1.29 require (EVP_EncryptUpdate (cctx,
471 pcg 1.1 (unsigned char *) data + outl, &outl2,
472 pcg 1.29 (unsigned char *) &datahdr, DATAHDR));
473 pcg 1.1 outl += outl2;
474    
475 pcg 1.29 require (EVP_EncryptUpdate (cctx,
476 pcg 1.1 (unsigned char *) data + outl, &outl2,
477 pcg 1.29 (unsigned char *) d, l));
478 pcg 1.1 outl += outl2;
479    
480 pcg 1.29 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
481 pcg 1.1 outl += outl2;
482    
483     len = outl + data_hdr_size ();
484    
485     set_hdr (type, dst);
486    
487     hmac_set (conn->octx);
488     }
489    
490     tap_packet *
491     vpndata_packet::unpack (connection *conn, u32 &seqno)
492     {
493     EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
494     int outl = 0, outl2;
495     tap_packet *p = new tap_packet;
496     u8 *d;
497     u32 l = len - data_hdr_size ();
498    
499 root 1.98 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 0));
500 pcg 1.1
501     #if ENABLE_COMPRESSION
502     u8 cdata[MAX_MTU];
503    
504     if (type == PT_DATA_COMPRESSED)
505     d = cdata;
506     else
507     #endif
508 root 1.101 d = &(*p)[6 + 6] - DATAHDR;
509 pcg 1.1
510 root 1.101 // we play do evil games with the struct layout atm.
511     // pending better solutions, we at least do some verification.
512     // this is fine, as we left ISO territory long ago.
513     require (DATAHDR <= 16);
514     require ((u8 *)(&p->len + 1) == &(*p)[0]);
515    
516     // this can overwrite the len/dst/src fields
517 pcg 1.29 require (EVP_DecryptUpdate (cctx,
518 pcg 1.1 d, &outl2,
519 pcg 1.29 (unsigned char *)&data, len - data_hdr_size ()));
520 pcg 1.1 outl += outl2;
521    
522 pcg 1.29 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
523 pcg 1.1 outl += outl2;
524    
525     seqno = ntohl (*(u32 *)(d + RAND_SIZE));
526    
527     id2mac (dst () ? dst() : THISNODE->id, p->dst);
528     id2mac (src (), p->src);
529    
530     #if ENABLE_COMPRESSION
531     if (type == PT_DATA_COMPRESSED)
532     {
533     u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
534    
535     p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
536     &(*p)[6 + 6], MAX_MTU)
537     + 6 + 6;
538     }
539     else
540     p->len = outl + (6 + 6 - DATAHDR);
541     #endif
542    
543     return p;
544     }
545    
546     struct ping_packet : vpn_packet
547     {
548     void setup (int dst, ptype type)
549     {
550     set_hdr (type, dst);
551     len = sizeof (*this) - sizeof (net_packet);
552     }
553     };
554    
555     struct config_packet : vpn_packet
556     {
557 root 1.103 u8 serial[SERIAL_SIZE];
558 root 1.98 u8 prot_major, prot_minor, randsize;
559     u8 flags, features, pad6, pad7, pad8;
560     u32 cipher_nid, mac_nid, auth_nid;
561 pcg 1.1
562     void setup (ptype type, int dst);
563 root 1.103 bool chk_config (const conf_node *conf, const sockinfo &rsi) const;
564 pcg 1.32
565     static u8 get_features ()
566     {
567     u8 f = 0;
568     #if ENABLE_COMPRESSION
569     f |= FEATURE_COMPRESSION;
570     #endif
571     #if ENABLE_ROHC
572     f |= FEATURE_ROHC;
573     #endif
574 pcg 1.59 #if ENABLE_BRIDGING
575     f |= FEATURE_BRIDGING;
576     #endif
577 pcg 1.32 return f;
578     }
579 pcg 1.1 };
580    
581 root 1.90 void
582     config_packet::setup (ptype type, int dst)
583 pcg 1.1 {
584     prot_major = PROTOCOL_MAJOR;
585     prot_minor = PROTOCOL_MINOR;
586     randsize = RAND_SIZE;
587 pcg 1.48 flags = 0;
588 pcg 1.32 features = get_features ();
589 pcg 1.1
590 root 1.103 strncpy ((char *)serial, conf.serial, sizeof (serial));
591    
592 root 1.98 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER ()));
593     mac_nid = htonl (EVP_MD_type (MAC_DIGEST ()));
594     auth_nid = htonl (EVP_MD_type (AUTH_DIGEST ()));
595 pcg 1.1
596     len = sizeof (*this) - sizeof (net_packet);
597     set_hdr (type, dst);
598     }
599    
600 root 1.90 bool
601 root 1.103 config_packet::chk_config (const conf_node *conf, const sockinfo &rsi) const
602 pcg 1.1 {
603 pcg 1.15 if (prot_major != PROTOCOL_MAJOR)
604 root 1.103 slog (L_WARN, _("%s(%s): major version mismatch (remote %d <=> local %d)"),
605     conf->nodename, (const char *)rsi, prot_major, PROTOCOL_MAJOR);
606 pcg 1.15 else if (randsize != RAND_SIZE)
607 root 1.103 slog (L_WARN, _("%s(%s): rand size mismatch (remote %d <=> local %d)"),
608     conf->nodename, (const char *)rsi, randsize, RAND_SIZE);
609 root 1.98 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER ())))
610 root 1.103 slog (L_WARN, _("%s(%s): cipher algo mismatch (remote %x <=> local %x)"),
611     conf->nodename, (const char *)rsi, ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER ()));
612 root 1.98 else if (mac_nid != htonl (EVP_MD_type (MAC_DIGEST ())))
613 root 1.103 slog (L_WARN, _("%s(%s): mac algo mismatch (remote %x <=> local %x)"),
614     conf->nodename, (const char *)rsi, ntohl (mac_nid), EVP_MD_type (MAC_DIGEST ()));
615 root 1.98 else if (auth_nid != htonl (EVP_MD_type (AUTH_DIGEST ())))
616 root 1.103 slog (L_WARN, _("%s(%s): auth algo mismatch (remote %x <=> local %x)"),
617     conf->nodename, (const char *)rsi, ntohl (auth_nid), EVP_MD_type (AUTH_DIGEST ()));
618 pcg 1.15 else
619 root 1.103 {
620     int cmp = memcmp (serial, ::conf.serial, sizeof (serial));
621    
622     if (cmp > 0)
623     slog (L_WARN, _("%s(%s): remote serial newer than local serial - outdated config?"),
624     conf->nodename, (const char *)rsi);
625     else if (cmp == 0)
626     return true;
627     }
628 pcg 1.15
629     return false;
630 pcg 1.1 }
631    
632 root 1.98 struct auth_req_packet : config_packet // UNPROTECTED
633 pcg 1.1 {
634     char magic[8];
635     u8 initiate; // false if this is just an automatic reply
636 pcg 1.28 u8 protocols; // supported protocols (will be patched on forward)
637 pcg 1.1 u8 pad2, pad3;
638 root 1.98 auth_encr encr;
639 pcg 1.1
640     auth_req_packet (int dst, bool initiate_, u8 protocols_)
641     {
642     config_packet::setup (PT_AUTH_REQ, dst);
643 root 1.98 memcpy (magic, MAGIC, 8);
644 pcg 1.1 initiate = !!initiate_;
645     protocols = protocols_;
646    
647     len = sizeof (*this) - sizeof (net_packet);
648     }
649     };
650    
651 root 1.103 struct auth_res_packet : vpn_packet // UNPROTECTED
652 pcg 1.1 {
653 root 1.98 auth_response response;
654 pcg 1.1
655     auth_res_packet (int dst)
656     {
657 root 1.103 set_hdr (PT_AUTH_RES, dst);
658 pcg 1.1
659     len = sizeof (*this) - sizeof (net_packet);
660     }
661     };
662    
663     struct connect_req_packet : vpn_packet
664     {
665     u8 id, protocols;
666     u8 pad1, pad2;
667    
668     connect_req_packet (int dst, int id_, u8 protocols_)
669     : id(id_)
670     , protocols(protocols_)
671     {
672     set_hdr (PT_CONNECT_REQ, dst);
673     len = sizeof (*this) - sizeof (net_packet);
674     }
675     };
676    
677     struct connect_info_packet : vpn_packet
678     {
679     u8 id, protocols;
680     u8 pad1, pad2;
681     sockinfo si;
682    
683     connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
684     : id(id_)
685     , protocols(protocols_)
686     , si(si_)
687     {
688     set_hdr (PT_CONNECT_INFO, dst);
689    
690     len = sizeof (*this) - sizeof (net_packet);
691     }
692     };
693    
694     /////////////////////////////////////////////////////////////////////////////
695    
696     void
697 root 1.98 connection::connection_established (const sockinfo &rsi)
698 pcg 1.10 {
699 root 1.98 if (!have_snd_auth || !have_rcv_auth)
700     return;
701    
702     si = rsi;
703     protocol = rsi.prot;
704    
705     slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
706     conf->nodename, (const char *)rsi,
707     is_direct ? "direct" : "forwarded",
708     PROTOCOL_MAJOR, prot_minor);
709    
710     if (::conf.script_node_up)
711     {
712     run_script_cb *cb = new run_script_cb;
713     cb->set<connection, &connection::script_node_up> (this);
714     run_script_queued (cb, _("node-up command execution failed, continuing."));
715     }
716    
717     delete ictx; ictx = new crypto_ctx (rcv_auth, snd_auth, rcv_ecdh_a, rcv_auth.ecdh, 0);
718     iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff);
719    
720     delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b , 1);
721     oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff;
722 pcg 1.61
723 root 1.102 oiv.reset ();
724    
725     // make sure rekeying timeouts are slightly asymmetric
726     ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
727     rekey.start (rekey_interval, rekey_interval);
728    
729     keepalive.start (::conf.keepalive);
730    
731     // send queued packets
732 pcg 1.10 if (ictx && octx)
733     {
734 root 1.102 while (tap_packet *p = (tap_packet *)data_queue.get ())
735     {
736     if (p->len) send_data_packet (p);
737     delete p;
738     }
739 root 1.97
740 root 1.102 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
741 pcg 1.12 {
742 root 1.102 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
743     delete p;
744 pcg 1.12 }
745 root 1.102 }
746 pcg 1.73
747 root 1.102 vpn->connection_established (this);
748 pcg 1.10 }
749    
750     void
751 pcg 1.8 connection::reset_si ()
752 pcg 1.1 {
753 pcg 1.73 if (vpn->can_direct (THISNODE, conf))
754     protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
755     else
756 pcg 1.59 {
757 pcg 1.73 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
758 pcg 1.59 protocol = 0;
759     }
760 pcg 1.6
761     si.set (conf, protocol);
762 pcg 1.73
763     is_direct = si.valid ();
764 pcg 1.1 }
765    
766 pcg 1.8 // ensure sockinfo is valid, forward if necessary
767     const sockinfo &
768     connection::forward_si (const sockinfo &si) const
769     {
770     if (!si.valid ())
771     {
772 pcg 1.73 connection *r = vpn->find_router_for (this);
773 pcg 1.8
774     if (r)
775     {
776 pcg 1.73 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
777     conf->nodename, r->conf->nodename);
778 pcg 1.8 return r->si;
779     }
780     else
781 pcg 1.73 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
782 pcg 1.8 conf->nodename);
783     }
784    
785     return si;
786     }
787    
788 pcg 1.1 void
789 pcg 1.10 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
790     {
791 pcg 1.46 if (!vpn->send_vpn_packet (pkt, si, tos))
792 pcg 1.10 reset_connection ();
793     }
794    
795     void
796 pcg 1.1 connection::send_ping (const sockinfo &si, u8 pong)
797     {
798     ping_packet *pkt = new ping_packet;
799    
800     pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
801 pcg 1.73
802 pcg 1.79 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
803 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
804 pcg 1.1
805     delete pkt;
806     }
807    
808     void
809     connection::send_reset (const sockinfo &si)
810     {
811     if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
812     {
813     config_packet *pkt = new config_packet;
814    
815     pkt->setup (vpn_packet::PT_RESET, conf->id);
816 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_MINCOST);
817 pcg 1.1
818     delete pkt;
819     }
820     }
821    
822     void
823     connection::send_auth_request (const sockinfo &si, bool initiate)
824     {
825     auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
826    
827 root 1.98 generate_auth_data ();
828     auth_encrypt (conf->rsa_key, snd_auth, pkt->encr);
829 pcg 1.1
830 pcg 1.81 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
831 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
832 pcg 1.1
833 pcg 1.6 delete pkt;
834 pcg 1.1 }
835    
836     void
837 root 1.98 connection::send_auth_response (const sockinfo &si)
838 pcg 1.1 {
839     auth_res_packet *pkt = new auth_res_packet (conf->id);
840    
841 root 1.98 auth_hash (rcv_auth, pkt->response.mac);
842     memcpy (pkt->response.ecdh, rcv_ecdh_b, sizeof (rcv_ecdh_b));
843 pcg 1.1
844 pcg 1.80 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
845 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
846 pcg 1.1
847     delete pkt;
848     }
849    
850     void
851     connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
852     {
853 root 1.93 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s,p%02x)", conf->nodename,
854     vpn->conns[rid - 1]->conf->nodename, (const char *)rsi,
855     conf->protocols);
856 pcg 1.1
857     connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
858    
859     r->hmac_set (octx);
860 pcg 1.10 send_vpn_packet (r, si);
861 pcg 1.1
862     delete r;
863     }
864    
865 pcg 1.66 inline void
866 pcg 1.60 connection::establish_connection_cb (ev::timer &w, int revents)
867 pcg 1.1 {
868 root 1.92 if (!(ictx && octx)
869 pcg 1.25 && conf != THISNODE
870     && connectmode != conf_node::C_NEVER
871     && connectmode != conf_node::C_DISABLED
872 pcg 1.60 && !w.is_active ())
873 pcg 1.1 {
874 pcg 1.67 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
875     // and stop trying. should probably be handled by a per-connection expire handler.
876     if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
877     {
878     reset_connection ();
879     return;
880     }
881    
882 pcg 1.68 last_establish_attempt = ev_now ();
883    
884 pcg 1.60 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
885     ? (retry_cnt & 3) + 1
886     : 1 << (retry_cnt >> 2));
887 pcg 1.1
888 pcg 1.47 reset_si ();
889 pcg 1.1
890 pcg 1.47 bool slow = si.prot & PROT_SLOW;
891 pcg 1.8
892 pcg 1.73 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
893 pcg 1.60 {
894     /*TODO*/ /* start the timer so we don't recurse endlessly */
895     w.start (1);
896 pcg 1.74 vpn->send_connect_request (this);
897 pcg 1.60 }
898 pcg 1.8 else
899 pcg 1.1 {
900 pcg 1.73 if (si.valid ())
901     slog (L_DEBUG, _("%s: sending direct connection request to %s."),
902     conf->nodename, (const char *)si);
903 pcg 1.61
904 pcg 1.8 const sockinfo &dsi = forward_si (si);
905 pcg 1.6
906 pcg 1.47 slow = slow || (dsi.prot & PROT_SLOW);
907    
908 pcg 1.8 if (dsi.valid () && auth_rate_limiter.can (dsi))
909     {
910     if (retry_cnt < 4)
911     send_auth_request (dsi, true);
912     else
913     send_ping (dsi, 0);
914     }
915 pcg 1.1 }
916 pcg 1.47
917 pcg 1.68 retry_int *= slow ? 8. : 0.9;
918 pcg 1.47
919     if (retry_int < conf->max_retry)
920     retry_cnt++;
921     else
922     retry_int = conf->max_retry;
923    
924 pcg 1.60 w.start (retry_int);
925 pcg 1.1 }
926     }
927    
928     void
929     connection::reset_connection ()
930     {
931     if (ictx && octx)
932     {
933     slog (L_INFO, _("%s(%s): connection lost"),
934     conf->nodename, (const char *)si);
935    
936     if (::conf.script_node_down)
937 pcg 1.64 {
938 pcg 1.70 run_script_cb *cb = new run_script_cb;
939     cb->set<connection, &connection::script_node_down> (this);
940     run_script_queued (cb, _("node-down command execution failed, continuing."));
941 pcg 1.64 }
942 pcg 1.1 }
943    
944     delete ictx; ictx = 0;
945     delete octx; octx = 0;
946    
947 pcg 1.38 si.host = 0;
948 pcg 1.1
949 root 1.98 have_snd_auth = false;
950     have_rcv_auth = false;
951     auth_expire = 0.;
952    
953 pcg 1.73 last_activity = 0.;
954     //last_si_change = 0.;
955 pcg 1.1 retry_cnt = 0;
956    
957 pcg 1.25 rekey.stop ();
958     keepalive.stop ();
959     establish_connection.stop ();
960 pcg 1.1 }
961    
962     void
963     connection::shutdown ()
964     {
965     if (ictx && octx)
966     send_reset (si);
967    
968     reset_connection ();
969     }
970    
971 pcg 1.73 // poor-man's rekeying
972 pcg 1.66 inline void
973 pcg 1.60 connection::rekey_cb (ev::timer &w, int revents)
974 pcg 1.1 {
975     reset_connection ();
976     establish_connection ();
977     }
978    
979     void
980 pcg 1.21 connection::send_data_packet (tap_packet *pkt)
981 pcg 1.1 {
982     vpndata_packet *p = new vpndata_packet;
983     int tos = 0;
984    
985 pcg 1.12 // I am not hilarious about peeking into packets, but so be it.
986 pcg 1.21 if (conf->inherit_tos && pkt->is_ipv4 ())
987 pcg 1.1 tos = (*pkt)[15] & IPTOS_TOS_MASK;
988    
989 pcg 1.21 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
990 pcg 1.10 send_vpn_packet (p, si, tos);
991 pcg 1.1
992     delete p;
993    
994     if (oseqno > MAX_SEQNO)
995     rekey ();
996     }
997    
998     void
999 pcg 1.68 connection::post_inject_queue ()
1000     {
1001     // force a connection every now and when when packets are sent (max 1/s)
1002     if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
1003     establish_connection.stop ();
1004    
1005     establish_connection ();
1006     }
1007    
1008     void
1009     connection::inject_data_packet (tap_packet *pkt)
1010 pcg 1.1 {
1011     if (ictx && octx)
1012 pcg 1.21 send_data_packet (pkt);
1013 pcg 1.1 else
1014     {
1015 pcg 1.68 data_queue.put (new tap_packet (*pkt));
1016     post_inject_queue ();
1017 pcg 1.1 }
1018     }
1019    
1020 root 1.90 void
1021     connection::inject_vpn_packet (vpn_packet *pkt, int tos)
1022 pcg 1.8 {
1023     if (ictx && octx)
1024 pcg 1.10 send_vpn_packet (pkt, si, tos);
1025 pcg 1.8 else
1026 pcg 1.12 {
1027 pcg 1.28 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
1028 pcg 1.68 post_inject_queue ();
1029 pcg 1.12 }
1030 pcg 1.8 }
1031    
1032 pcg 1.1 void
1033     connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1034     {
1035 pcg 1.62 last_activity = ev_now ();
1036 pcg 1.1
1037 root 1.91 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
1038 pcg 1.79 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1039 pcg 1.1
1040 pcg 1.61 if (connectmode == conf_node::C_DISABLED)
1041     return;
1042    
1043 pcg 1.1 switch (pkt->typ ())
1044     {
1045 pcg 1.3 case vpn_packet::PT_PING:
1046 pcg 1.79 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1047    
1048 pcg 1.3 // we send pings instead of auth packets after some retries,
1049     // so reset the retry counter and establish a connection
1050     // when we receive a ping.
1051 root 1.89 if (!ictx)
1052 pcg 1.3 {
1053     if (auth_rate_limiter.can (rsi))
1054     send_auth_request (rsi, true);
1055     }
1056     else
1057 root 1.89 // we would love to change the socket address here, but ping's aren't
1058 pcg 1.73 // authenticated, so we best ignore it.
1059 pcg 1.3 send_ping (rsi, 1); // pong
1060    
1061     break;
1062    
1063     case vpn_packet::PT_PONG:
1064 pcg 1.79 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1065 root 1.89
1066     // a PONG might mean that the other side doesn't really know
1067     // about our desire for communication.
1068     establish_connection ();
1069 pcg 1.3 break;
1070    
1071     case vpn_packet::PT_RESET:
1072 pcg 1.1 {
1073 pcg 1.3 reset_connection ();
1074    
1075     config_packet *p = (config_packet *) pkt;
1076    
1077 root 1.103 if (p->chk_config (conf, rsi) && connectmode == conf_node::C_ALWAYS)
1078 pcg 1.3 establish_connection ();
1079 pcg 1.1 }
1080 pcg 1.3 break;
1081    
1082     case vpn_packet::PT_AUTH_REQ:
1083     if (auth_rate_limiter.can (rsi))
1084     {
1085 root 1.93 auth_req_packet *p = (auth_req_packet *)pkt;
1086 pcg 1.3
1087 root 1.93 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s,p%02x,f%02x)",
1088     conf->nodename, p->initiate ? "initiate" : "reply",
1089     p->protocols, p->features);
1090 pcg 1.1
1091 root 1.103 if (memcmp (p->magic, MAGIC, 8))
1092     {
1093     slog (L_WARN, _("%s(%s): protocol magic mismatch - stray packet?"),
1094     conf->nodename, (const char *)rsi);
1095     }
1096     else if (p->chk_config (conf, rsi))
1097 pcg 1.3 {
1098     if (p->prot_minor != PROTOCOL_MINOR)
1099     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1100     conf->nodename, (const char *)rsi,
1101     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1102    
1103     if (p->initiate)
1104     send_auth_request (rsi, false);
1105    
1106 root 1.98 auth_data auth;
1107 pcg 1.3
1108 root 1.98 if (!auth_decrypt (::conf.rsa_key, p->encr, auth))
1109 pcg 1.23 {
1110     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1111     conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1112     }
1113 pcg 1.3 else
1114     {
1115 root 1.98 bool chg = !have_rcv_auth || memcmp (&rcv_auth, &auth, sizeof auth);
1116 pcg 1.1
1117 root 1.98 rcv_auth = auth;
1118     have_rcv_auth = true;
1119 pcg 1.1
1120 root 1.98 send_auth_response (rsi);
1121 pcg 1.10
1122 root 1.98 if (chg)
1123     {
1124     conf->protocols = p->protocols;
1125     features = p->features & config_packet::get_features ();
1126 pcg 1.3
1127 root 1.98 connection_established (rsi);
1128     }
1129     }
1130 pcg 1.10
1131 root 1.98 break;
1132 pcg 1.3 }
1133    
1134     send_reset (rsi);
1135 pcg 1.1 }
1136    
1137 pcg 1.3 break;
1138    
1139     case vpn_packet::PT_AUTH_RES:
1140 pcg 1.1 {
1141 pcg 1.79 auth_res_packet *p = (auth_res_packet *)pkt;
1142 pcg 1.1
1143 pcg 1.81 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
1144 pcg 1.1
1145 root 1.103 if (memcmp (&p->response.mac, snd_auth_mac, sizeof (snd_auth_mac)))
1146 pcg 1.1 {
1147 root 1.103 slog (L_ERR, _("%s(%s): unrequested or outdated auth response, ignoring."),
1148     conf->nodename, (const char *)rsi);
1149     }
1150     else if (!have_snd_auth)
1151     {
1152     memcpy (snd_ecdh_b, p->response.ecdh, sizeof (snd_ecdh_b));
1153 root 1.98
1154 root 1.103 have_snd_auth = true;
1155     connection_established (rsi);
1156 pcg 1.1 }
1157 root 1.103
1158     break;
1159 pcg 1.1 }
1160    
1161 pcg 1.3 send_reset (rsi);
1162     break;
1163 pcg 1.1
1164 pcg 1.3 case vpn_packet::PT_DATA_COMPRESSED:
1165     #if !ENABLE_COMPRESSION
1166     send_reset (rsi);
1167     break;
1168     #endif
1169 pcg 1.1
1170 pcg 1.3 case vpn_packet::PT_DATA_UNCOMPRESSED:
1171 pcg 1.1
1172 pcg 1.3 if (ictx && octx)
1173 pcg 1.1 {
1174 pcg 1.3 vpndata_packet *p = (vpndata_packet *)pkt;
1175 pcg 1.1
1176 pcg 1.10 if (!p->hmac_chk (ictx))
1177     slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1178 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1179 pcg 1.10 conf->nodename, (const char *)rsi);
1180     else
1181 pcg 1.1 {
1182 pcg 1.10 u32 seqno;
1183     tap_packet *d = p->unpack (this, seqno);
1184 pcg 1.73 int seqclass = iseqno.seqno_classify (seqno);
1185 pcg 1.10
1186 pcg 1.73 if (seqclass == 0) // ok
1187 pcg 1.1 {
1188 pcg 1.10 vpn->tap->send (d);
1189 pcg 1.1
1190 pcg 1.10 if (si != rsi)
1191 pcg 1.1 {
1192 pcg 1.56 // fast re-sync on source address changes, useful especially for tcp/ip
1193 pcg 1.73 //if (last_si_change < ev_now () + 5.)
1194     // {
1195 pcg 1.78 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1196     conf->nodename, (const char *)si, (const char *)rsi);
1197    
1198 pcg 1.73 si = rsi;
1199 pcg 1.84
1200     if (::conf.script_node_change)
1201     {
1202     run_script_cb *cb = new run_script_cb;
1203     cb->set<connection, &connection::script_node_change> (this);
1204     run_script_queued (cb, _("node-change command execution failed, continuing."));
1205     }
1206    
1207 pcg 1.73 // }
1208     //else
1209     // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1210     // conf->nodename, (const char *)si, (const char *)rsi);
1211 pcg 1.10 }
1212 pcg 1.32 }
1213 pcg 1.75 else if (seqclass == 1) // far history
1214     slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1215     "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1216     else if (seqclass == 2) // in-window duplicate, happens often on wireless
1217     slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1218     "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1219     else if (seqclass == 3) // reset
1220 pcg 1.73 {
1221 pcg 1.75 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1222     "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1223 pcg 1.73 send_reset (rsi);
1224     }
1225 pcg 1.3
1226 pcg 1.32 delete d;
1227     break;
1228 pcg 1.1 }
1229     }
1230    
1231 pcg 1.3 send_reset (rsi);
1232     break;
1233 pcg 1.1
1234 pcg 1.3 case vpn_packet::PT_CONNECT_REQ:
1235     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1236     {
1237 pcg 1.84 connect_req_packet *p = (connect_req_packet *)pkt;
1238 pcg 1.1
1239 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1240     {
1241     connection *c = vpn->conns[p->id - 1];
1242     conf->protocols = p->protocols;
1243 pcg 1.1
1244 root 1.93 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s,p%02x) [%d]",
1245     conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1246     p->protocols,
1247     c->ictx && c->octx);
1248 pcg 1.1
1249 pcg 1.57 if (c->ictx && c->octx)
1250     {
1251     // send connect_info packets to both sides, in case one is
1252     // behind a nat firewall (or both ;)
1253     c->send_connect_info (conf->id, si, conf->protocols);
1254     send_connect_info (c->conf->id, c->si, c->conf->protocols);
1255     }
1256     else
1257     c->establish_connection ();
1258 pcg 1.3 }
1259 pcg 1.11 else
1260 pcg 1.57 slog (L_WARN,
1261     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1262     p->id);
1263 pcg 1.3 }
1264 pcg 1.1
1265 pcg 1.3 break;
1266 pcg 1.1
1267 pcg 1.3 case vpn_packet::PT_CONNECT_INFO:
1268     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1269     {
1270 pcg 1.39 connect_info_packet *p = (connect_info_packet *)pkt;
1271 pcg 1.1
1272 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1273 pcg 1.39 {
1274     connection *c = vpn->conns[p->id - 1];
1275 pcg 1.7
1276 pcg 1.39 c->conf->protocols = p->protocols;
1277     protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1278     p->si.upgrade_protocol (protocol, c->conf);
1279 pcg 1.1
1280 root 1.96 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s,protocols=%02x,protocol=%02x,upgradable=%02x) [%d]",
1281 root 1.93 conf->nodename,
1282     vpn->conns[p->id - 1]->conf->nodename,
1283     (const char *)p->si,
1284     p->protocols,
1285 root 1.96 protocol,
1286     p->si.supported_protocols (c->conf),
1287 root 1.93 !c->ictx && !c->octx);
1288 pcg 1.7
1289 pcg 1.39 const sockinfo &dsi = forward_si (p->si);
1290 pcg 1.1
1291 pcg 1.39 if (dsi.valid ())
1292     c->send_auth_request (dsi, true);
1293 root 1.96 else
1294     slog (L_INFO, "connect info for %s received (%s), but still unable to contact.",
1295     vpn->conns[p->id - 1]->conf->nodename,
1296     (const char *)p->si);
1297 pcg 1.39 }
1298 pcg 1.57 else
1299     slog (L_WARN,
1300     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1301     p->id);
1302 pcg 1.3 }
1303 pcg 1.1
1304 pcg 1.3 break;
1305 pcg 1.1
1306 pcg 1.3 default:
1307     send_reset (rsi);
1308     break;
1309 pcg 1.1 }
1310     }
1311    
1312 pcg 1.66 inline void
1313     connection::keepalive_cb (ev::timer &w, int revents)
1314 pcg 1.1 {
1315 root 1.97 ev_tstamp when = last_activity + ::conf.keepalive - ev::now ();
1316    
1317     if (when >= 0)
1318     w.start (when);
1319     else if (when < -15)
1320 pcg 1.1 {
1321     reset_connection ();
1322     establish_connection ();
1323     }
1324     else if (conf->connectmode != conf_node::C_ONDEMAND
1325     || THISNODE->connectmode != conf_node::C_ONDEMAND)
1326     {
1327 root 1.97 w.start (3);
1328 pcg 1.1 send_ping (si);
1329     }
1330 root 1.97 else if (when >= -10)
1331 pcg 1.12 // hold ondemand connections implicitly a few seconds longer
1332     // should delete octx, though, or something like that ;)
1333 root 1.97 w.start (when + 10);
1334 pcg 1.1 else
1335     reset_connection ();
1336     }
1337    
1338 root 1.90 void
1339     connection::send_connect_request (int id)
1340 pcg 1.1 {
1341 root 1.93 connect_req_packet *p = new connect_req_packet (conf->id, id, THISNODE->protocols);
1342 pcg 1.1
1343 root 1.93 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s,p%02x)",
1344     conf->nodename, vpn->conns[id - 1]->conf->nodename,
1345     THISNODE->protocols);
1346 pcg 1.1 p->hmac_set (octx);
1347 pcg 1.10 send_vpn_packet (p, si);
1348 pcg 1.1
1349     delete p;
1350     }
1351    
1352 root 1.90 void
1353     connection::script_init_env (const char *ext)
1354 pcg 1.53 {
1355     char *env;
1356     asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1357 pcg 1.84 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1358 pcg 1.53 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1359     0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1360 pcg 1.84 conf->id & 0xff); putenv (env);
1361 pcg 1.53 }
1362    
1363 root 1.90 void
1364     connection::script_init_connect_env ()
1365 pcg 1.1 {
1366 pcg 1.52 vpn->script_init_env ();
1367 pcg 1.1
1368     char *env;
1369 pcg 1.84 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1370     asprintf (&env, "DESTSI=%s", (const char *)si); putenv (env);
1371     asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1372     asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1373     asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1374 pcg 1.1 }
1375    
1376 pcg 1.66 inline const char *
1377     connection::script_node_up ()
1378 pcg 1.1 {
1379 pcg 1.53 script_init_connect_env ();
1380 pcg 1.1
1381 pcg 1.60 putenv ((char *)"STATE=up");
1382 pcg 1.1
1383 pcg 1.52 char *filename;
1384     asprintf (&filename,
1385     "%s/%s",
1386     confbase,
1387     ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1388 pcg 1.54
1389     return filename;
1390 pcg 1.1 }
1391    
1392 pcg 1.66 inline const char *
1393 pcg 1.84 connection::script_node_change ()
1394     {
1395     script_init_connect_env ();
1396    
1397     putenv ((char *)"STATE=change");
1398    
1399     char *filename;
1400     asprintf (&filename,
1401     "%s/%s",
1402     confbase,
1403     ::conf.script_node_change ? ::conf.script_node_change : "node-change");
1404    
1405     return filename;
1406     }
1407    
1408     inline const char *
1409 pcg 1.66 connection::script_node_down ()
1410 pcg 1.1 {
1411 pcg 1.53 script_init_connect_env ();
1412 pcg 1.1
1413 pcg 1.60 putenv ((char *)"STATE=down");
1414 pcg 1.1
1415 pcg 1.52 char *filename;
1416     asprintf (&filename,
1417     "%s/%s",
1418     confbase,
1419     ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1420 pcg 1.54
1421     return filename;
1422 pcg 1.1 }
1423    
1424 pcg 1.40 connection::connection (struct vpn *vpn, conf_node *conf)
1425 pcg 1.67 : vpn(vpn), conf(conf),
1426 pcg 1.40 #if ENABLE_DNS
1427 pcg 1.67 dns (0),
1428 pcg 1.40 #endif
1429 pcg 1.72 data_queue(conf->max_ttl, conf->max_queue + 1),
1430     vpn_queue(conf->max_ttl, conf->max_queue + 1)
1431 pcg 1.1 {
1432 pcg 1.65 rekey .set<connection, &connection::rekey_cb > (this);
1433     keepalive .set<connection, &connection::keepalive_cb > (this);
1434     establish_connection.set<connection, &connection::establish_connection_cb> (this);
1435    
1436 pcg 1.68 last_establish_attempt = 0.;
1437 pcg 1.1 octx = ictx = 0;
1438    
1439 pcg 1.67 connectmode = conf->connectmode;
1440    
1441     // queue a dummy packet to force an initial connection attempt
1442     if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1443 pcg 1.68 vpn_queue.put (new net_packet);
1444 pcg 1.67
1445 pcg 1.1 reset_connection ();
1446     }
1447    
1448     connection::~connection ()
1449     {
1450     shutdown ();
1451     }
1452    
1453 root 1.90 void
1454     connection_init ()
1455 pcg 1.1 {
1456     auth_rate_limiter.clear ();
1457     reset_rate_limiter.clear ();
1458     }
1459