ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
Revision: 1.66
Committed: Thu Dec 6 00:35:29 2007 UTC (16 years, 5 months ago) by pcg
Content type: text/plain
Branch: MAIN
Changes since 1.65: +9 -6 lines
Log Message: 
inline callbacks

File Contents

# User Rev Content
1 pcg 1.1 /*
2     connection.C -- manage a single connection
3 pcg 1.42 Copyright (C) 2003-2005 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.42 This file is part of GVPE.
6    
7     GVPE is free software; you can redistribute it and/or modify
8 pcg 1.1 it under the terms of the GNU General Public License as published by
9     the Free Software Foundation; either version 2 of the License, or
10     (at your option) any later version.
11    
12     This program is distributed in the hope that it will be useful,
13     but WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15     GNU General Public License for more details.
16    
17     You should have received a copy of the GNU General Public License
18 pcg 1.42 along with gvpe; if not, write to the Free Software
19 pcg 1.55 Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 pcg 1.1 */
21    
22     #include "config.h"
23    
24     #include <list>
25    
26 pcg 1.2 #include <openssl/rand.h>
27     #include <openssl/evp.h>
28     #include <openssl/rsa.h>
29     #include <openssl/err.h>
30    
31 pcg 1.1 #include "conf.h"
32     #include "slog.h"
33     #include "device.h"
34 pcg 1.2 #include "vpn.h"
35 pcg 1.1 #include "connection.h"
36    
37 pcg 1.20 #include "netcompat.h"
38 pcg 1.19
39 pcg 1.1 #if !HAVE_RAND_PSEUDO_BYTES
40     # define RAND_pseudo_bytes RAND_bytes
41     #endif
42    
43     #define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
44 pcg 1.30
45     #define ULTRA_FAST 1
46     #define HLOG 15
47     #include "lzf/lzf.h"
48     #include "lzf/lzf_c.c"
49     #include "lzf/lzf_d.c"
50 pcg 1.1
51     struct crypto_ctx
52     {
53     EVP_CIPHER_CTX cctx;
54     HMAC_CTX hctx;
55    
56     crypto_ctx (const rsachallenge &challenge, int enc);
57     ~crypto_ctx ();
58     };
59    
60     crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
61     {
62     EVP_CIPHER_CTX_init (&cctx);
63 pcg 1.29 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
64 pcg 1.1 HMAC_CTX_init (&hctx);
65     HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
66     }
67    
68     crypto_ctx::~crypto_ctx ()
69     {
70 pcg 1.29 require (EVP_CIPHER_CTX_cleanup (&cctx));
71 pcg 1.1 HMAC_CTX_cleanup (&hctx);
72     }
73    
74     static void
75     rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
76     {
77     EVP_MD_CTX ctx;
78    
79     EVP_MD_CTX_init (&ctx);
80 pcg 1.29 require (EVP_DigestInit (&ctx, RSA_HASH));
81     require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
82     require (EVP_DigestUpdate(&ctx, &id, sizeof id));
83     require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
84 pcg 1.1 EVP_MD_CTX_cleanup (&ctx);
85     }
86    
87 pcg 1.63 struct rsa_entry
88     {
89 pcg 1.1 tstamp expire;
90     rsaid id;
91     rsachallenge chg;
92     };
93    
94     struct rsa_cache : list<rsa_entry>
95     {
96 pcg 1.66 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
97 pcg 1.1
98     bool find (const rsaid &id, rsachallenge &chg)
99 pcg 1.51 {
100     for (iterator i = begin (); i != end (); ++i)
101     {
102 pcg 1.62 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
103 pcg 1.51 {
104     memcpy (&chg, &i->chg, sizeof chg);
105 pcg 1.1
106 pcg 1.51 erase (i);
107     return true;
108     }
109     }
110 pcg 1.1
111 pcg 1.60 if (!cleaner.is_active ())
112     cleaner.again ();
113 pcg 1.1
114 pcg 1.51 return false;
115     }
116 pcg 1.1
117     void gen (rsaid &id, rsachallenge &chg)
118 pcg 1.51 {
119     rsa_entry e;
120 pcg 1.1
121 pcg 1.51 RAND_bytes ((unsigned char *)&id, sizeof id);
122     RAND_bytes ((unsigned char *)&chg, sizeof chg);
123 pcg 1.1
124 pcg 1.62 e.expire = ev_now () + RSA_TTL;
125 pcg 1.51 e.id = id;
126     memcpy (&e.chg, &chg, sizeof chg);
127 pcg 1.1
128 pcg 1.51 push_back (e);
129 pcg 1.1
130 pcg 1.60 if (!cleaner.is_active ())
131     cleaner.again ();
132 pcg 1.51 }
133 pcg 1.1
134     rsa_cache ()
135 pcg 1.60 {
136 pcg 1.65 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
137 pcg 1.60 cleaner.set (RSA_TTL, RSA_TTL);
138     }
139 pcg 1.1
140     } rsa_cache;
141    
142 pcg 1.60 void rsa_cache::cleaner_cb (ev::timer &w, int revents)
143 pcg 1.1 {
144 pcg 1.60 if (empty ())
145     w.stop ();
146     else
147 pcg 1.1 {
148     for (iterator i = begin (); i != end (); )
149 pcg 1.62 if (i->expire <= ev_now ())
150 pcg 1.1 i = erase (i);
151     else
152     ++i;
153     }
154     }
155    
156     //////////////////////////////////////////////////////////////////////////////
157    
158 pcg 1.12 void pkt_queue::put (net_packet *p)
159 pcg 1.1 {
160     if (queue[i])
161     {
162     delete queue[i];
163     j = (j + 1) % QUEUEDEPTH;
164     }
165    
166     queue[i] = p;
167    
168     i = (i + 1) % QUEUEDEPTH;
169     }
170    
171 pcg 1.12 net_packet *pkt_queue::get ()
172 pcg 1.1 {
173 pcg 1.12 net_packet *p = queue[j];
174 pcg 1.1
175     if (p)
176     {
177     queue[j] = 0;
178     j = (j + 1) % QUEUEDEPTH;
179     }
180    
181     return p;
182     }
183    
184     pkt_queue::pkt_queue ()
185     {
186     memset (queue, 0, sizeof (queue));
187     i = 0;
188     j = 0;
189     }
190    
191     pkt_queue::~pkt_queue ()
192     {
193     for (i = QUEUEDEPTH; --i > 0; )
194     delete queue[i];
195     }
196    
197 pcg 1.63 struct net_rateinfo
198     {
199 pcg 1.1 u32 host;
200     double pcnt, diff;
201     tstamp last;
202     };
203    
204     // only do action once every x seconds per host whole allowing bursts.
205     // this implementation ("splay list" ;) is inefficient,
206     // but low on resources.
207     struct net_rate_limiter : list<net_rateinfo>
208     {
209 pcg 1.35 # define NRL_ALPHA (1. - 1. / 600.) // allow bursts
210     # define NRL_CUTOFF 10. // one event every CUTOFF seconds
211     # define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
212     # define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
213 pcg 1.1
214 pcg 1.16 bool can (const sockinfo &si) { return can((u32)si.host); }
215 pcg 1.1 bool can (u32 host);
216     };
217    
218     net_rate_limiter auth_rate_limiter, reset_rate_limiter;
219    
220     bool net_rate_limiter::can (u32 host)
221     {
222     iterator i;
223    
224     for (i = begin (); i != end (); )
225     if (i->host == host)
226     break;
227 pcg 1.62 else if (i->last < ev_now () - NRL_EXPIRE)
228 pcg 1.1 i = erase (i);
229     else
230     i++;
231    
232     if (i == end ())
233     {
234     net_rateinfo ri;
235    
236     ri.host = host;
237     ri.pcnt = 1.;
238 pcg 1.34 ri.diff = NRL_MAXDIF;
239 pcg 1.62 ri.last = ev_now ();
240 pcg 1.1
241     push_front (ri);
242    
243     return true;
244     }
245     else
246     {
247     net_rateinfo ri (*i);
248     erase (i);
249    
250 pcg 1.34 ri.pcnt = ri.pcnt * NRL_ALPHA;
251 pcg 1.62 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
252 pcg 1.1
253 pcg 1.62 ri.last = ev_now ();
254 pcg 1.1
255 pcg 1.10 double dif = ri.diff / ri.pcnt;
256 pcg 1.1
257 pcg 1.34 bool send = dif > NRL_CUTOFF;
258 pcg 1.10
259 pcg 1.34 if (dif > NRL_MAXDIF)
260 pcg 1.10 {
261     ri.pcnt = 1.;
262 pcg 1.34 ri.diff = NRL_MAXDIF;
263 pcg 1.10 }
264     else if (send)
265 pcg 1.1 ri.pcnt++;
266    
267     push_front (ri);
268    
269     return send;
270     }
271     }
272    
273     /////////////////////////////////////////////////////////////////////////////
274    
275     unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
276    
277     void hmac_packet::hmac_gen (crypto_ctx *ctx)
278     {
279     unsigned int xlen;
280    
281     HMAC_CTX *hctx = &ctx->hctx;
282    
283     HMAC_Init_ex (hctx, 0, 0, 0, 0);
284     HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
285     len - sizeof (hmac_packet));
286     HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
287     }
288    
289     void
290     hmac_packet::hmac_set (crypto_ctx *ctx)
291     {
292     hmac_gen (ctx);
293    
294     memcpy (hmac, hmac_digest, HMACLENGTH);
295     }
296    
297     bool
298     hmac_packet::hmac_chk (crypto_ctx *ctx)
299     {
300     hmac_gen (ctx);
301    
302     return !memcmp (hmac, hmac_digest, HMACLENGTH);
303     }
304    
305 pcg 1.6 void vpn_packet::set_hdr (ptype type_, unsigned int dst)
306 pcg 1.1 {
307 pcg 1.6 type = type_;
308 pcg 1.1
309     int src = THISNODE->id;
310    
311     src1 = src;
312     srcdst = ((src >> 8) << 4) | (dst >> 8);
313     dst1 = dst;
314     }
315    
316     #define MAXVPNDATA (MAX_MTU - 6 - 6)
317     #define DATAHDR (sizeof (u32) + RAND_SIZE)
318    
319 pcg 1.28 struct vpndata_packet : vpn_packet
320 pcg 1.1 {
321     u8 data[MAXVPNDATA + DATAHDR]; // seqno
322    
323     void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
324     tap_packet *unpack (connection *conn, u32 &seqno);
325     private:
326    
327     const u32 data_hdr_size () const
328     {
329     return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
330     }
331     };
332    
333     void
334     vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
335     {
336     EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
337     int outl = 0, outl2;
338     ptype type = PT_DATA_UNCOMPRESSED;
339    
340     #if ENABLE_COMPRESSION
341     u8 cdata[MAX_MTU];
342    
343 pcg 1.31 if (conn->features & ENABLE_COMPRESSION)
344 pcg 1.1 {
345 pcg 1.31 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
346 pcg 1.1
347 pcg 1.31 if (cl)
348     {
349     type = PT_DATA_COMPRESSED;
350     d = cdata;
351     l = cl + 2;
352    
353     d[0] = cl >> 8;
354     d[1] = cl;
355     }
356 pcg 1.1 }
357     #endif
358    
359 pcg 1.29 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
360 pcg 1.1
361     struct {
362     #if RAND_SIZE
363     u8 rnd[RAND_SIZE];
364     #endif
365     u32 seqno;
366     } datahdr;
367    
368     datahdr.seqno = ntohl (seqno);
369     #if RAND_SIZE
370     RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
371     #endif
372    
373 pcg 1.29 require (EVP_EncryptUpdate (cctx,
374 pcg 1.1 (unsigned char *) data + outl, &outl2,
375 pcg 1.29 (unsigned char *) &datahdr, DATAHDR));
376 pcg 1.1 outl += outl2;
377    
378 pcg 1.29 require (EVP_EncryptUpdate (cctx,
379 pcg 1.1 (unsigned char *) data + outl, &outl2,
380 pcg 1.29 (unsigned char *) d, l));
381 pcg 1.1 outl += outl2;
382    
383 pcg 1.29 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
384 pcg 1.1 outl += outl2;
385    
386     len = outl + data_hdr_size ();
387    
388     set_hdr (type, dst);
389    
390     hmac_set (conn->octx);
391     }
392    
393     tap_packet *
394     vpndata_packet::unpack (connection *conn, u32 &seqno)
395     {
396     EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
397     int outl = 0, outl2;
398     tap_packet *p = new tap_packet;
399     u8 *d;
400     u32 l = len - data_hdr_size ();
401    
402 pcg 1.29 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
403 pcg 1.1
404     #if ENABLE_COMPRESSION
405     u8 cdata[MAX_MTU];
406    
407     if (type == PT_DATA_COMPRESSED)
408     d = cdata;
409     else
410     #endif
411     d = &(*p)[6 + 6 - DATAHDR];
412    
413     /* this overwrites part of the src mac, but we fix that later */
414 pcg 1.29 require (EVP_DecryptUpdate (cctx,
415 pcg 1.1 d, &outl2,
416 pcg 1.29 (unsigned char *)&data, len - data_hdr_size ()));
417 pcg 1.1 outl += outl2;
418    
419 pcg 1.29 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
420 pcg 1.1 outl += outl2;
421    
422     seqno = ntohl (*(u32 *)(d + RAND_SIZE));
423    
424     id2mac (dst () ? dst() : THISNODE->id, p->dst);
425     id2mac (src (), p->src);
426    
427     #if ENABLE_COMPRESSION
428     if (type == PT_DATA_COMPRESSED)
429     {
430     u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
431    
432     p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
433     &(*p)[6 + 6], MAX_MTU)
434     + 6 + 6;
435     }
436     else
437     p->len = outl + (6 + 6 - DATAHDR);
438     #endif
439    
440     return p;
441     }
442    
443     struct ping_packet : vpn_packet
444     {
445     void setup (int dst, ptype type)
446     {
447     set_hdr (type, dst);
448     len = sizeof (*this) - sizeof (net_packet);
449     }
450     };
451    
452     struct config_packet : vpn_packet
453     {
454     // actually, hmaclen cannot be checked because the hmac
455     // field comes before this data, so peers with other
456     // hmacs simply will not work.
457     u8 prot_major, prot_minor, randsize, hmaclen;
458 pcg 1.31 u8 flags, challengelen, features, pad3;
459 pcg 1.1 u32 cipher_nid, digest_nid, hmac_nid;
460    
461     void setup (ptype type, int dst);
462     bool chk_config () const;
463 pcg 1.32
464     static u8 get_features ()
465     {
466     u8 f = 0;
467     #if ENABLE_COMPRESSION
468     f |= FEATURE_COMPRESSION;
469     #endif
470     #if ENABLE_ROHC
471     f |= FEATURE_ROHC;
472     #endif
473 pcg 1.59 #if ENABLE_BRIDGING
474     f |= FEATURE_BRIDGING;
475     #endif
476 pcg 1.32 return f;
477     }
478 pcg 1.1 };
479    
480     void config_packet::setup (ptype type, int dst)
481     {
482     prot_major = PROTOCOL_MAJOR;
483     prot_minor = PROTOCOL_MINOR;
484     randsize = RAND_SIZE;
485     hmaclen = HMACLENGTH;
486 pcg 1.48 flags = 0;
487 pcg 1.1 challengelen = sizeof (rsachallenge);
488 pcg 1.32 features = get_features ();
489 pcg 1.1
490     cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
491     digest_nid = htonl (EVP_MD_type (RSA_HASH));
492     hmac_nid = htonl (EVP_MD_type (DIGEST));
493    
494     len = sizeof (*this) - sizeof (net_packet);
495     set_hdr (type, dst);
496     }
497    
498     bool config_packet::chk_config () const
499     {
500 pcg 1.15 if (prot_major != PROTOCOL_MAJOR)
501 pcg 1.23 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
502 pcg 1.15 else if (randsize != RAND_SIZE)
503 pcg 1.23 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
504 pcg 1.15 else if (hmaclen != HMACLENGTH)
505 pcg 1.23 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
506 pcg 1.15 else if (challengelen != sizeof (rsachallenge))
507 pcg 1.23 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
508 pcg 1.15 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
509 pcg 1.23 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
510 pcg 1.15 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
511 pcg 1.23 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
512 pcg 1.15 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
513 pcg 1.23 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
514 pcg 1.15 else
515     return true;
516    
517     return false;
518 pcg 1.1 }
519    
520     struct auth_req_packet : config_packet
521     {
522     char magic[8];
523     u8 initiate; // false if this is just an automatic reply
524 pcg 1.28 u8 protocols; // supported protocols (will be patched on forward)
525 pcg 1.1 u8 pad2, pad3;
526     rsaid id;
527     rsaencrdata encr;
528    
529     auth_req_packet (int dst, bool initiate_, u8 protocols_)
530     {
531     config_packet::setup (PT_AUTH_REQ, dst);
532     strncpy (magic, MAGIC, 8);
533     initiate = !!initiate_;
534     protocols = protocols_;
535    
536     len = sizeof (*this) - sizeof (net_packet);
537     }
538     };
539    
540     struct auth_res_packet : config_packet
541     {
542     rsaid id;
543     u8 pad1, pad2, pad3;
544     u8 response_len; // encrypted length
545     rsaresponse response;
546    
547     auth_res_packet (int dst)
548     {
549     config_packet::setup (PT_AUTH_RES, dst);
550    
551     len = sizeof (*this) - sizeof (net_packet);
552     }
553     };
554    
555     struct connect_req_packet : vpn_packet
556     {
557     u8 id, protocols;
558     u8 pad1, pad2;
559    
560     connect_req_packet (int dst, int id_, u8 protocols_)
561     : id(id_)
562     , protocols(protocols_)
563     {
564     set_hdr (PT_CONNECT_REQ, dst);
565     len = sizeof (*this) - sizeof (net_packet);
566     }
567     };
568    
569     struct connect_info_packet : vpn_packet
570     {
571     u8 id, protocols;
572     u8 pad1, pad2;
573     sockinfo si;
574    
575     connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
576     : id(id_)
577     , protocols(protocols_)
578     , si(si_)
579     {
580     set_hdr (PT_CONNECT_INFO, dst);
581    
582     len = sizeof (*this) - sizeof (net_packet);
583     }
584     };
585    
586     /////////////////////////////////////////////////////////////////////////////
587    
588     void
589 pcg 1.10 connection::connection_established ()
590     {
591 pcg 1.61 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
592    
593 pcg 1.10 if (ictx && octx)
594     {
595     connectmode = conf->connectmode;
596    
597 pcg 1.36 // make sure rekeying timeouts are slightly asymmetric
598 pcg 1.60 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
599     rekey.start (rekey_interval, rekey_interval);
600     keepalive.start (::conf.keepalive);
601 pcg 1.10
602     // send queued packets
603     if (ictx && octx)
604 pcg 1.12 {
605     while (tap_packet *p = (tap_packet *)data_queue.get ())
606     {
607     send_data_packet (p);
608     delete p;
609     }
610    
611     while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
612     {
613     send_vpn_packet (p, si, IPTOS_RELIABILITY);
614     delete p;
615     }
616     }
617 pcg 1.10 }
618     else
619     {
620     retry_cnt = 0;
621 pcg 1.60 establish_connection.start (5);
622 pcg 1.25 keepalive.stop ();
623     rekey.stop ();
624 pcg 1.10 }
625     }
626    
627     void
628 pcg 1.8 connection::reset_si ()
629 pcg 1.1 {
630 pcg 1.6 protocol = best_protocol (THISNODE->protocols & conf->protocols);
631    
632     // mask out protocols we cannot establish
633     if (!conf->udp_port) protocol &= ~PROT_UDPv4;
634     if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
635 pcg 1.40 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
636 pcg 1.59
637     if (protocol
638     && (!conf->can_direct (THISNODE)
639     || !THISNODE->can_direct (conf)))
640     {
641     slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename);
642     protocol = 0;
643     }
644 pcg 1.6
645     si.set (conf, protocol);
646 pcg 1.1 }
647    
648 pcg 1.8 // ensure sockinfo is valid, forward if necessary
649     const sockinfo &
650     connection::forward_si (const sockinfo &si) const
651     {
652     if (!si.valid ())
653     {
654     connection *r = vpn->find_router ();
655    
656     if (r)
657     {
658 pcg 1.46 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s (%s)"),
659     conf->nodename, r->conf->nodename, (const char *)r->si);
660 pcg 1.8 return r->si;
661     }
662     else
663     slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
664     conf->nodename);
665     }
666    
667     return si;
668     }
669    
670 pcg 1.1 void
671 pcg 1.10 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
672     {
673 pcg 1.46 if (!vpn->send_vpn_packet (pkt, si, tos))
674 pcg 1.10 reset_connection ();
675     }
676    
677     void
678 pcg 1.1 connection::send_ping (const sockinfo &si, u8 pong)
679     {
680     ping_packet *pkt = new ping_packet;
681    
682     pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
683 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
684 pcg 1.1
685     delete pkt;
686     }
687    
688     void
689     connection::send_reset (const sockinfo &si)
690     {
691     if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
692     {
693     config_packet *pkt = new config_packet;
694    
695     pkt->setup (vpn_packet::PT_RESET, conf->id);
696 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_MINCOST);
697 pcg 1.1
698     delete pkt;
699     }
700     }
701    
702     void
703     connection::send_auth_request (const sockinfo &si, bool initiate)
704     {
705     auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
706    
707 pcg 1.6 rsachallenge chg;
708     rsa_cache.gen (pkt->id, chg);
709 pcg 1.24 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
710 pcg 1.1
711 pcg 1.6 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
712 pcg 1.1
713 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
714 pcg 1.1
715 pcg 1.6 delete pkt;
716 pcg 1.1 }
717    
718     void
719     connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
720     {
721     auth_res_packet *pkt = new auth_res_packet (conf->id);
722    
723     pkt->id = id;
724    
725     rsa_hash (id, chg, pkt->response);
726    
727     pkt->hmac_set (octx);
728    
729     slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
730    
731 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
732 pcg 1.1
733     delete pkt;
734     }
735    
736     void
737     connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
738     {
739 pcg 1.58 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
740 pcg 1.1 conf->id, rid, (const char *)rsi);
741    
742     connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
743    
744     r->hmac_set (octx);
745 pcg 1.10 send_vpn_packet (r, si);
746 pcg 1.1
747     delete r;
748     }
749    
750 pcg 1.66 inline void
751 pcg 1.60 connection::establish_connection_cb (ev::timer &w, int revents)
752 pcg 1.1 {
753 pcg 1.25 if (!ictx
754     && conf != THISNODE
755     && connectmode != conf_node::C_NEVER
756     && connectmode != conf_node::C_DISABLED
757 pcg 1.60 && !w.is_active ())
758 pcg 1.1 {
759 pcg 1.60 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
760     ? (retry_cnt & 3) + 1
761     : 1 << (retry_cnt >> 2));
762 pcg 1.1
763 pcg 1.47 reset_si ();
764 pcg 1.1
765 pcg 1.47 bool slow = si.prot & PROT_SLOW;
766 pcg 1.8
767     if (si.prot && !si.host)
768 pcg 1.60 {
769 pcg 1.61 slog (L_TRACE, _("%s: connection request (indirect)"), conf->nodename);
770 pcg 1.60 /*TODO*/ /* start the timer so we don't recurse endlessly */
771     w.start (1);
772     vpn->send_connect_request (conf->id);
773     }
774 pcg 1.8 else
775 pcg 1.1 {
776 pcg 1.61 slog (L_TRACE, _("%s: connection request (direct)"), conf->nodename, !!ictx, !!octx);
777    
778 pcg 1.8 const sockinfo &dsi = forward_si (si);
779 pcg 1.6
780 pcg 1.47 slow = slow || (dsi.prot & PROT_SLOW);
781    
782 pcg 1.8 if (dsi.valid () && auth_rate_limiter.can (dsi))
783     {
784     if (retry_cnt < 4)
785     send_auth_request (dsi, true);
786     else
787     send_ping (dsi, 0);
788     }
789 pcg 1.1 }
790 pcg 1.47
791 pcg 1.49 retry_int *= slow ? 8. : 0.7;
792 pcg 1.47
793     if (retry_int < conf->max_retry)
794     retry_cnt++;
795     else
796     retry_int = conf->max_retry;
797    
798 pcg 1.60 w.start (retry_int);
799 pcg 1.1 }
800     }
801    
802     void
803     connection::reset_connection ()
804     {
805     if (ictx && octx)
806     {
807     slog (L_INFO, _("%s(%s): connection lost"),
808     conf->nodename, (const char *)si);
809    
810     if (::conf.script_node_down)
811 pcg 1.64 {
812     run_script_cb cb;
813 pcg 1.65 cb.set<connection, &connection::script_node_down> (this);
814 pcg 1.64 if (!run_script (cb, false))
815     slog (L_WARN, _("node-down command execution failed, continuing."));
816     }
817 pcg 1.1 }
818    
819     delete ictx; ictx = 0;
820     delete octx; octx = 0;
821 pcg 1.44 #if ENABLE_DNS
822 pcg 1.45 dnsv4_reset_connection ();
823 pcg 1.44 #endif
824 pcg 1.1
825 pcg 1.38 si.host = 0;
826 pcg 1.1
827     last_activity = 0;
828     retry_cnt = 0;
829    
830 pcg 1.25 rekey.stop ();
831     keepalive.stop ();
832     establish_connection.stop ();
833 pcg 1.1 }
834    
835     void
836     connection::shutdown ()
837     {
838     if (ictx && octx)
839     send_reset (si);
840    
841     reset_connection ();
842     }
843    
844 pcg 1.66 inline void
845 pcg 1.60 connection::rekey_cb (ev::timer &w, int revents)
846 pcg 1.1 {
847     reset_connection ();
848     establish_connection ();
849     }
850    
851     void
852 pcg 1.21 connection::send_data_packet (tap_packet *pkt)
853 pcg 1.1 {
854     vpndata_packet *p = new vpndata_packet;
855     int tos = 0;
856    
857 pcg 1.12 // I am not hilarious about peeking into packets, but so be it.
858 pcg 1.21 if (conf->inherit_tos && pkt->is_ipv4 ())
859 pcg 1.1 tos = (*pkt)[15] & IPTOS_TOS_MASK;
860    
861 pcg 1.21 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
862 pcg 1.10 send_vpn_packet (p, si, tos);
863 pcg 1.1
864     delete p;
865    
866     if (oseqno > MAX_SEQNO)
867     rekey ();
868     }
869    
870     void
871 pcg 1.21 connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/)
872 pcg 1.1 {
873     if (ictx && octx)
874 pcg 1.21 send_data_packet (pkt);
875 pcg 1.1 else
876     {
877 pcg 1.56 if (!broadcast)
878 pcg 1.12 data_queue.put (new tap_packet (*pkt));
879 pcg 1.1
880     establish_connection ();
881     }
882     }
883    
884 pcg 1.8 void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
885     {
886     if (ictx && octx)
887 pcg 1.10 send_vpn_packet (pkt, si, tos);
888 pcg 1.8 else
889 pcg 1.12 {
890 pcg 1.28 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
891 pcg 1.12
892     establish_connection ();
893     }
894 pcg 1.8 }
895    
896 pcg 1.1 void
897     connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
898     {
899 pcg 1.62 last_activity = ev_now ();
900 pcg 1.1
901     slog (L_NOISE, "<<%d received packet type %d from %d to %d",
902     conf->id, pkt->typ (), pkt->src (), pkt->dst ());
903    
904 pcg 1.61 if (connectmode == conf_node::C_DISABLED)
905     return;
906    
907 pcg 1.1 switch (pkt->typ ())
908     {
909 pcg 1.3 case vpn_packet::PT_PING:
910     // we send pings instead of auth packets after some retries,
911     // so reset the retry counter and establish a connection
912     // when we receive a ping.
913     if (!ictx)
914     {
915     if (auth_rate_limiter.can (rsi))
916     send_auth_request (rsi, true);
917     }
918     else
919     send_ping (rsi, 1); // pong
920    
921     break;
922    
923     case vpn_packet::PT_PONG:
924     break;
925    
926     case vpn_packet::PT_RESET:
927 pcg 1.1 {
928 pcg 1.3 reset_connection ();
929    
930     config_packet *p = (config_packet *) pkt;
931    
932     if (!p->chk_config ())
933     {
934     slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
935     conf->nodename, (const char *)rsi);
936     connectmode = conf_node::C_DISABLED;
937     }
938     else if (connectmode == conf_node::C_ALWAYS)
939     establish_connection ();
940 pcg 1.1 }
941 pcg 1.3 break;
942    
943     case vpn_packet::PT_AUTH_REQ:
944     if (auth_rate_limiter.can (rsi))
945     {
946     auth_req_packet *p = (auth_req_packet *) pkt;
947    
948     slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
949 pcg 1.1
950 pcg 1.3 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
951     {
952     if (p->prot_minor != PROTOCOL_MINOR)
953     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
954     conf->nodename, (const char *)rsi,
955     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
956    
957     if (p->initiate)
958     send_auth_request (rsi, false);
959    
960     rsachallenge k;
961    
962 pcg 1.24 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
963 pcg 1.23 {
964     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
965     conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
966     break;
967     }
968 pcg 1.3 else
969     {
970     delete octx;
971 pcg 1.1
972 pcg 1.3 octx = new crypto_ctx (k, 1);
973     oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
974 pcg 1.1
975 pcg 1.3 conf->protocols = p->protocols;
976 pcg 1.32 features = p->features & config_packet::get_features ();
977 pcg 1.10
978 pcg 1.3 send_auth_response (rsi, p->id, k);
979    
980 pcg 1.10 connection_established ();
981    
982 pcg 1.3 break;
983     }
984     }
985 pcg 1.15 else
986     slog (L_WARN, _("%s(%s): protocol mismatch"),
987     conf->nodename, (const char *)rsi);
988 pcg 1.3
989     send_reset (rsi);
990 pcg 1.1 }
991    
992 pcg 1.3 break;
993    
994     case vpn_packet::PT_AUTH_RES:
995 pcg 1.1 {
996 pcg 1.3 auth_res_packet *p = (auth_res_packet *) pkt;
997 pcg 1.1
998 pcg 1.3 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
999 pcg 1.1
1000 pcg 1.3 if (p->chk_config ())
1001 pcg 1.1 {
1002     if (p->prot_minor != PROTOCOL_MINOR)
1003     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1004     conf->nodename, (const char *)rsi,
1005     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1006    
1007 pcg 1.3 rsachallenge chg;
1008 pcg 1.1
1009 pcg 1.3 if (!rsa_cache.find (p->id, chg))
1010 pcg 1.13 {
1011 pcg 1.18 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
1012 pcg 1.13 conf->nodename, (const char *)rsi);
1013     break;
1014     }
1015 pcg 1.1 else
1016     {
1017 pcg 1.3 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1018    
1019     if (!p->hmac_chk (cctx))
1020 pcg 1.18 {
1021     slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1022 pcg 1.27 "could be an attack, or just corruption or a synchronization error"),
1023 pcg 1.18 conf->nodename, (const char *)rsi);
1024     break;
1025     }
1026 pcg 1.3 else
1027     {
1028     rsaresponse h;
1029    
1030     rsa_hash (p->id, chg, h);
1031    
1032     if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
1033     {
1034     prot_minor = p->prot_minor;
1035    
1036     delete ictx; ictx = cctx;
1037    
1038     iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1039    
1040     si = rsi;
1041 pcg 1.7 protocol = rsi.prot;
1042 pcg 1.3
1043 pcg 1.10 connection_established ();
1044 pcg 1.1
1045 pcg 1.7 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
1046 pcg 1.3 conf->nodename, (const char *)rsi,
1047     p->prot_major, p->prot_minor);
1048 pcg 1.1
1049 pcg 1.3 if (::conf.script_node_up)
1050 pcg 1.64 {
1051     run_script_cb cb;
1052 pcg 1.65 cb.set<connection, &connection::script_node_up> (this);
1053 pcg 1.64 if (!run_script (cb, false))
1054     slog (L_WARN, _("node-up command execution failed, continuing."));
1055     }
1056 pcg 1.1
1057 pcg 1.3 break;
1058     }
1059     else
1060     slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
1061     conf->nodename, (const char *)rsi);
1062     }
1063 pcg 1.1
1064 pcg 1.3 delete cctx;
1065 pcg 1.1 }
1066     }
1067     }
1068    
1069 pcg 1.3 send_reset (rsi);
1070     break;
1071 pcg 1.1
1072 pcg 1.3 case vpn_packet::PT_DATA_COMPRESSED:
1073     #if !ENABLE_COMPRESSION
1074     send_reset (rsi);
1075     break;
1076     #endif
1077 pcg 1.1
1078 pcg 1.3 case vpn_packet::PT_DATA_UNCOMPRESSED:
1079 pcg 1.1
1080 pcg 1.3 if (ictx && octx)
1081 pcg 1.1 {
1082 pcg 1.3 vpndata_packet *p = (vpndata_packet *)pkt;
1083 pcg 1.1
1084 pcg 1.10 if (!p->hmac_chk (ictx))
1085     slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1086 pcg 1.27 "could be an attack, or just corruption or a synchronization error"),
1087 pcg 1.10 conf->nodename, (const char *)rsi);
1088     else
1089 pcg 1.1 {
1090 pcg 1.10 u32 seqno;
1091     tap_packet *d = p->unpack (this, seqno);
1092    
1093     if (iseqno.recv_ok (seqno))
1094 pcg 1.1 {
1095 pcg 1.10 vpn->tap->send (d);
1096 pcg 1.1
1097 pcg 1.10 if (si != rsi)
1098 pcg 1.1 {
1099 pcg 1.56 // fast re-sync on source address changes, useful especially for tcp/ip
1100 pcg 1.10 si = rsi;
1101 pcg 1.1
1102 pcg 1.10 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1103     conf->nodename, (const char *)si, (const char *)rsi);
1104     }
1105 pcg 1.32 }
1106 pcg 1.3
1107 pcg 1.32 delete d;
1108     break;
1109 pcg 1.1 }
1110     }
1111    
1112 pcg 1.3 send_reset (rsi);
1113     break;
1114 pcg 1.1
1115 pcg 1.3 case vpn_packet::PT_CONNECT_REQ:
1116     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1117     {
1118     connect_req_packet *p = (connect_req_packet *) pkt;
1119 pcg 1.1
1120 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1121     {
1122     connection *c = vpn->conns[p->id - 1];
1123     conf->protocols = p->protocols;
1124 pcg 1.1
1125 pcg 1.58 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1126 pcg 1.57 conf->id, p->id, c->ictx && c->octx);
1127 pcg 1.1
1128 pcg 1.57 if (c->ictx && c->octx)
1129     {
1130     // send connect_info packets to both sides, in case one is
1131     // behind a nat firewall (or both ;)
1132     c->send_connect_info (conf->id, si, conf->protocols);
1133     send_connect_info (c->conf->id, c->si, c->conf->protocols);
1134     }
1135     else
1136     c->establish_connection ();
1137 pcg 1.3 }
1138 pcg 1.11 else
1139 pcg 1.57 slog (L_WARN,
1140     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1141     p->id);
1142 pcg 1.3 }
1143 pcg 1.1
1144 pcg 1.3 break;
1145 pcg 1.1
1146 pcg 1.3 case vpn_packet::PT_CONNECT_INFO:
1147     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1148     {
1149 pcg 1.39 connect_info_packet *p = (connect_info_packet *)pkt;
1150 pcg 1.1
1151 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1152 pcg 1.39 {
1153     connection *c = vpn->conns[p->id - 1];
1154 pcg 1.7
1155 pcg 1.39 c->conf->protocols = p->protocols;
1156     protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1157     p->si.upgrade_protocol (protocol, c->conf);
1158 pcg 1.1
1159 pcg 1.39 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1160     conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1161 pcg 1.7
1162 pcg 1.39 const sockinfo &dsi = forward_si (p->si);
1163 pcg 1.1
1164 pcg 1.39 if (dsi.valid ())
1165     c->send_auth_request (dsi, true);
1166     }
1167 pcg 1.57 else
1168     slog (L_WARN,
1169     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1170     p->id);
1171 pcg 1.3 }
1172 pcg 1.1
1173 pcg 1.3 break;
1174 pcg 1.1
1175 pcg 1.3 default:
1176     send_reset (rsi);
1177     break;
1178 pcg 1.1 }
1179     }
1180    
1181 pcg 1.66 inline void
1182     connection::keepalive_cb (ev::timer &w, int revents)
1183 pcg 1.1 {
1184 pcg 1.62 if (ev_now () >= last_activity + ::conf.keepalive + 30)
1185 pcg 1.1 {
1186     reset_connection ();
1187     establish_connection ();
1188     }
1189 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive)
1190 pcg 1.60 w.start (last_activity + ::conf.keepalive - ev::now ());
1191 pcg 1.1 else if (conf->connectmode != conf_node::C_ONDEMAND
1192     || THISNODE->connectmode != conf_node::C_ONDEMAND)
1193     {
1194     send_ping (si);
1195 pcg 1.60 w.start (5);
1196 pcg 1.1 }
1197 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1198 pcg 1.12 // hold ondemand connections implicitly a few seconds longer
1199     // should delete octx, though, or something like that ;)
1200 pcg 1.60 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1201 pcg 1.1 else
1202     reset_connection ();
1203     }
1204    
1205 pcg 1.10 void connection::send_connect_request (int id)
1206 pcg 1.1 {
1207     connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1208    
1209     slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1210     p->hmac_set (octx);
1211 pcg 1.10 send_vpn_packet (p, si);
1212 pcg 1.1
1213     delete p;
1214     }
1215    
1216 pcg 1.53 void connection::script_init_env (const char *ext)
1217     {
1218     char *env;
1219     asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1220     asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1221     asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1222     0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1223     conf->id & 0xff); putenv (env);
1224     }
1225    
1226     void connection::script_init_connect_env ()
1227 pcg 1.1 {
1228 pcg 1.52 vpn->script_init_env ();
1229 pcg 1.1
1230     char *env;
1231     asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1232     asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1233     asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1234     asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1235     }
1236    
1237 pcg 1.66 inline const char *
1238     connection::script_node_up ()
1239 pcg 1.1 {
1240 pcg 1.53 script_init_connect_env ();
1241 pcg 1.1
1242 pcg 1.60 putenv ((char *)"STATE=up");
1243 pcg 1.1
1244 pcg 1.52 char *filename;
1245     asprintf (&filename,
1246     "%s/%s",
1247     confbase,
1248     ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1249 pcg 1.54
1250     return filename;
1251 pcg 1.1 }
1252    
1253 pcg 1.66 inline const char *
1254     connection::script_node_down ()
1255 pcg 1.1 {
1256 pcg 1.53 script_init_connect_env ();
1257 pcg 1.1
1258 pcg 1.60 putenv ((char *)"STATE=down");
1259 pcg 1.1
1260 pcg 1.52 char *filename;
1261     asprintf (&filename,
1262     "%s/%s",
1263     confbase,
1264     ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1265 pcg 1.54
1266     return filename;
1267 pcg 1.1 }
1268    
1269 pcg 1.40 connection::connection (struct vpn *vpn, conf_node *conf)
1270     : vpn(vpn), conf(conf)
1271     #if ENABLE_DNS
1272 pcg 1.43 , dns (0)
1273 pcg 1.40 #endif
1274 pcg 1.1 {
1275 pcg 1.65 rekey .set<connection, &connection::rekey_cb > (this);
1276     keepalive .set<connection, &connection::keepalive_cb > (this);
1277     establish_connection.set<connection, &connection::establish_connection_cb> (this);
1278    
1279 pcg 1.1 octx = ictx = 0;
1280     retry_cnt = 0;
1281    
1282 pcg 1.40 if (!conf->protocols) // make sure some protocol is enabled
1283     conf->protocols = PROT_UDPv4;
1284    
1285 pcg 1.1 connectmode = conf_node::C_ALWAYS; // initial setting
1286     reset_connection ();
1287     }
1288    
1289     connection::~connection ()
1290     {
1291     shutdown ();
1292     }
1293    
1294     void connection_init ()
1295     {
1296     auth_rate_limiter.clear ();
1297     reset_rate_limiter.clear ();
1298     }
1299