ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
Revision: 1.69
Committed: Thu Aug 7 17:54:26 2008 UTC (15 years, 9 months ago) by pcg
Content type: text/plain
Branch: MAIN
Changes since 1.68: +24 -14 lines
Log Message: 
update to gplv3, finally

File Contents

# User Rev Content
1 pcg 1.1 /*
2     connection.C -- manage a single connection
3 pcg 1.69 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.42 This file is part of GVPE.
6    
7 pcg 1.69 GVPE is free software; you can redistribute it and/or modify it
8     under the terms of the GNU General Public License as published by the
9     Free Software Foundation; either version 3 of the License, or (at your
10     option) any later version.
11    
12     This program is distributed in the hope that it will be useful, but
13     WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15     Public License for more details.
16    
17     You should have received a copy of the GNU General Public License along
18     with this program; if not, see <http://www.gnu.org/licenses/>.
19    
20     Additional permission under GNU GPL version 3 section 7
21    
22     If you modify this Program, or any covered work, by linking or
23     combining it with the OpenSSL project's OpenSSL library (or a modified
24     version of that library), containing parts covered by the terms of the
25     OpenSSL or SSLeay licenses, the licensors of this Program grant you
26     additional permission to convey the resulting work. Corresponding
27     Source for a non-source form of such a combination shall include the
28     source code for the parts of OpenSSL used as well as that of the
29     covered work.
30 pcg 1.1 */
31    
32     #include "config.h"
33    
34     #include <list>
35    
36 pcg 1.2 #include <openssl/rand.h>
37     #include <openssl/evp.h>
38     #include <openssl/rsa.h>
39     #include <openssl/err.h>
40    
41 pcg 1.1 #include "conf.h"
42     #include "slog.h"
43     #include "device.h"
44 pcg 1.2 #include "vpn.h"
45 pcg 1.1 #include "connection.h"
46    
47 pcg 1.20 #include "netcompat.h"
48 pcg 1.19
49 pcg 1.1 #if !HAVE_RAND_PSEUDO_BYTES
50     # define RAND_pseudo_bytes RAND_bytes
51     #endif
52    
53     #define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
54 pcg 1.30
55     #define ULTRA_FAST 1
56     #define HLOG 15
57     #include "lzf/lzf.h"
58     #include "lzf/lzf_c.c"
59     #include "lzf/lzf_d.c"
60 pcg 1.1
61     struct crypto_ctx
62     {
63     EVP_CIPHER_CTX cctx;
64     HMAC_CTX hctx;
65    
66     crypto_ctx (const rsachallenge &challenge, int enc);
67     ~crypto_ctx ();
68     };
69    
70     crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
71     {
72     EVP_CIPHER_CTX_init (&cctx);
73 pcg 1.29 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
74 pcg 1.1 HMAC_CTX_init (&hctx);
75     HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
76     }
77    
78     crypto_ctx::~crypto_ctx ()
79     {
80 pcg 1.29 require (EVP_CIPHER_CTX_cleanup (&cctx));
81 pcg 1.1 HMAC_CTX_cleanup (&hctx);
82     }
83    
84     static void
85     rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
86     {
87     EVP_MD_CTX ctx;
88    
89     EVP_MD_CTX_init (&ctx);
90 pcg 1.29 require (EVP_DigestInit (&ctx, RSA_HASH));
91     require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
92     require (EVP_DigestUpdate(&ctx, &id, sizeof id));
93     require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
94 pcg 1.1 EVP_MD_CTX_cleanup (&ctx);
95     }
96    
97 pcg 1.63 struct rsa_entry
98     {
99 pcg 1.1 tstamp expire;
100     rsaid id;
101     rsachallenge chg;
102     };
103    
104     struct rsa_cache : list<rsa_entry>
105     {
106 pcg 1.66 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
107 pcg 1.1
108     bool find (const rsaid &id, rsachallenge &chg)
109 pcg 1.51 {
110     for (iterator i = begin (); i != end (); ++i)
111     {
112 pcg 1.62 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
113 pcg 1.51 {
114     memcpy (&chg, &i->chg, sizeof chg);
115 pcg 1.1
116 pcg 1.51 erase (i);
117     return true;
118     }
119     }
120 pcg 1.1
121 pcg 1.60 if (!cleaner.is_active ())
122     cleaner.again ();
123 pcg 1.1
124 pcg 1.51 return false;
125     }
126 pcg 1.1
127     void gen (rsaid &id, rsachallenge &chg)
128 pcg 1.51 {
129     rsa_entry e;
130 pcg 1.1
131 pcg 1.51 RAND_bytes ((unsigned char *)&id, sizeof id);
132     RAND_bytes ((unsigned char *)&chg, sizeof chg);
133 pcg 1.1
134 pcg 1.62 e.expire = ev_now () + RSA_TTL;
135 pcg 1.51 e.id = id;
136     memcpy (&e.chg, &chg, sizeof chg);
137 pcg 1.1
138 pcg 1.51 push_back (e);
139 pcg 1.1
140 pcg 1.60 if (!cleaner.is_active ())
141     cleaner.again ();
142 pcg 1.51 }
143 pcg 1.1
144     rsa_cache ()
145 pcg 1.60 {
146 pcg 1.65 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
147 pcg 1.60 cleaner.set (RSA_TTL, RSA_TTL);
148     }
149 pcg 1.1
150     } rsa_cache;
151    
152 pcg 1.60 void rsa_cache::cleaner_cb (ev::timer &w, int revents)
153 pcg 1.1 {
154 pcg 1.60 if (empty ())
155     w.stop ();
156     else
157 pcg 1.1 {
158     for (iterator i = begin (); i != end (); )
159 pcg 1.62 if (i->expire <= ev_now ())
160 pcg 1.1 i = erase (i);
161     else
162     ++i;
163     }
164     }
165    
166     //////////////////////////////////////////////////////////////////////////////
167    
168 pcg 1.67 pkt_queue::pkt_queue (double max_ttl, int max_queue)
169     : max_ttl (max_ttl), max_queue (max_queue)
170 pcg 1.1 {
171 pcg 1.67 queue = new pkt [max_queue];
172    
173     i = 0;
174     j = 0;
175    
176     expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
177     }
178 pcg 1.1
179 pcg 1.67 pkt_queue::~pkt_queue ()
180     {
181     while (net_packet *p = get ())
182     delete p;
183 pcg 1.1
184 pcg 1.67 delete [] queue;
185 pcg 1.1 }
186    
187 pcg 1.67 void pkt_queue::expire_cb (ev::timer &w, int revents)
188 pcg 1.1 {
189 pcg 1.67 ev_tstamp expire = ev_now () - max_ttl;
190 pcg 1.1
191 pcg 1.67 for (;;)
192 pcg 1.1 {
193 pcg 1.67 if (empty ())
194     break;
195    
196     double diff = queue[j].tstamp - expire;
197    
198     if (diff >= 0.)
199     {
200     w.start (diff > 0.5 ? diff : 0.5);
201     break;
202     }
203    
204     delete get ();
205 pcg 1.1 }
206     }
207    
208 pcg 1.67 void pkt_queue::put (net_packet *p)
209 pcg 1.1 {
210 pcg 1.67 ev_tstamp now = ev_now ();
211    
212     // start expiry timer
213     if (empty ())
214     expire.start (max_ttl);
215    
216     int ni = i + 1 == max_queue ? 0 : i + 1;
217    
218     if (ni == j)
219     delete get ();
220    
221     queue[i].pkt = p;
222     queue[i].tstamp = now;
223    
224     i = ni;
225 pcg 1.1 }
226    
227 pcg 1.67 net_packet *pkt_queue::get ()
228 pcg 1.1 {
229 pcg 1.67 if (empty ())
230     return 0;
231    
232     net_packet *p = queue[j].pkt;
233     queue[j].pkt = 0;
234    
235     j = j + 1 == max_queue ? 0 : j + 1;
236    
237     return p;
238 pcg 1.1 }
239    
240 pcg 1.63 struct net_rateinfo
241     {
242 pcg 1.1 u32 host;
243     double pcnt, diff;
244     tstamp last;
245     };
246    
247     // only do action once every x seconds per host whole allowing bursts.
248     // this implementation ("splay list" ;) is inefficient,
249     // but low on resources.
250     struct net_rate_limiter : list<net_rateinfo>
251     {
252 pcg 1.35 # define NRL_ALPHA (1. - 1. / 600.) // allow bursts
253     # define NRL_CUTOFF 10. // one event every CUTOFF seconds
254     # define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
255     # define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
256 pcg 1.1
257 pcg 1.16 bool can (const sockinfo &si) { return can((u32)si.host); }
258 pcg 1.1 bool can (u32 host);
259     };
260    
261     net_rate_limiter auth_rate_limiter, reset_rate_limiter;
262    
263     bool net_rate_limiter::can (u32 host)
264     {
265     iterator i;
266    
267     for (i = begin (); i != end (); )
268     if (i->host == host)
269     break;
270 pcg 1.62 else if (i->last < ev_now () - NRL_EXPIRE)
271 pcg 1.1 i = erase (i);
272     else
273     i++;
274    
275     if (i == end ())
276     {
277     net_rateinfo ri;
278    
279     ri.host = host;
280     ri.pcnt = 1.;
281 pcg 1.34 ri.diff = NRL_MAXDIF;
282 pcg 1.62 ri.last = ev_now ();
283 pcg 1.1
284     push_front (ri);
285    
286     return true;
287     }
288     else
289     {
290     net_rateinfo ri (*i);
291     erase (i);
292    
293 pcg 1.34 ri.pcnt = ri.pcnt * NRL_ALPHA;
294 pcg 1.62 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
295 pcg 1.1
296 pcg 1.62 ri.last = ev_now ();
297 pcg 1.1
298 pcg 1.10 double dif = ri.diff / ri.pcnt;
299 pcg 1.1
300 pcg 1.34 bool send = dif > NRL_CUTOFF;
301 pcg 1.10
302 pcg 1.34 if (dif > NRL_MAXDIF)
303 pcg 1.10 {
304     ri.pcnt = 1.;
305 pcg 1.34 ri.diff = NRL_MAXDIF;
306 pcg 1.10 }
307     else if (send)
308 pcg 1.1 ri.pcnt++;
309    
310     push_front (ri);
311    
312     return send;
313     }
314     }
315    
316     /////////////////////////////////////////////////////////////////////////////
317    
318     unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
319    
320     void hmac_packet::hmac_gen (crypto_ctx *ctx)
321     {
322     unsigned int xlen;
323    
324     HMAC_CTX *hctx = &ctx->hctx;
325    
326     HMAC_Init_ex (hctx, 0, 0, 0, 0);
327     HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
328     len - sizeof (hmac_packet));
329     HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
330     }
331    
332     void
333     hmac_packet::hmac_set (crypto_ctx *ctx)
334     {
335     hmac_gen (ctx);
336    
337     memcpy (hmac, hmac_digest, HMACLENGTH);
338     }
339    
340     bool
341     hmac_packet::hmac_chk (crypto_ctx *ctx)
342     {
343     hmac_gen (ctx);
344    
345     return !memcmp (hmac, hmac_digest, HMACLENGTH);
346     }
347    
348 pcg 1.6 void vpn_packet::set_hdr (ptype type_, unsigned int dst)
349 pcg 1.1 {
350 pcg 1.6 type = type_;
351 pcg 1.1
352     int src = THISNODE->id;
353    
354     src1 = src;
355     srcdst = ((src >> 8) << 4) | (dst >> 8);
356     dst1 = dst;
357     }
358    
359     #define MAXVPNDATA (MAX_MTU - 6 - 6)
360     #define DATAHDR (sizeof (u32) + RAND_SIZE)
361    
362 pcg 1.28 struct vpndata_packet : vpn_packet
363 pcg 1.1 {
364     u8 data[MAXVPNDATA + DATAHDR]; // seqno
365    
366     void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
367     tap_packet *unpack (connection *conn, u32 &seqno);
368     private:
369    
370     const u32 data_hdr_size () const
371     {
372     return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
373     }
374     };
375    
376     void
377     vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
378     {
379     EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
380     int outl = 0, outl2;
381     ptype type = PT_DATA_UNCOMPRESSED;
382    
383     #if ENABLE_COMPRESSION
384     u8 cdata[MAX_MTU];
385    
386 pcg 1.31 if (conn->features & ENABLE_COMPRESSION)
387 pcg 1.1 {
388 pcg 1.31 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
389 pcg 1.1
390 pcg 1.31 if (cl)
391     {
392     type = PT_DATA_COMPRESSED;
393     d = cdata;
394     l = cl + 2;
395    
396     d[0] = cl >> 8;
397     d[1] = cl;
398     }
399 pcg 1.1 }
400     #endif
401    
402 pcg 1.29 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
403 pcg 1.1
404     struct {
405     #if RAND_SIZE
406     u8 rnd[RAND_SIZE];
407     #endif
408     u32 seqno;
409     } datahdr;
410    
411     datahdr.seqno = ntohl (seqno);
412     #if RAND_SIZE
413     RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
414     #endif
415    
416 pcg 1.29 require (EVP_EncryptUpdate (cctx,
417 pcg 1.1 (unsigned char *) data + outl, &outl2,
418 pcg 1.29 (unsigned char *) &datahdr, DATAHDR));
419 pcg 1.1 outl += outl2;
420    
421 pcg 1.29 require (EVP_EncryptUpdate (cctx,
422 pcg 1.1 (unsigned char *) data + outl, &outl2,
423 pcg 1.29 (unsigned char *) d, l));
424 pcg 1.1 outl += outl2;
425    
426 pcg 1.29 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
427 pcg 1.1 outl += outl2;
428    
429     len = outl + data_hdr_size ();
430    
431     set_hdr (type, dst);
432    
433     hmac_set (conn->octx);
434     }
435    
436     tap_packet *
437     vpndata_packet::unpack (connection *conn, u32 &seqno)
438     {
439     EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
440     int outl = 0, outl2;
441     tap_packet *p = new tap_packet;
442     u8 *d;
443     u32 l = len - data_hdr_size ();
444    
445 pcg 1.29 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
446 pcg 1.1
447     #if ENABLE_COMPRESSION
448     u8 cdata[MAX_MTU];
449    
450     if (type == PT_DATA_COMPRESSED)
451     d = cdata;
452     else
453     #endif
454     d = &(*p)[6 + 6 - DATAHDR];
455    
456     /* this overwrites part of the src mac, but we fix that later */
457 pcg 1.29 require (EVP_DecryptUpdate (cctx,
458 pcg 1.1 d, &outl2,
459 pcg 1.29 (unsigned char *)&data, len - data_hdr_size ()));
460 pcg 1.1 outl += outl2;
461    
462 pcg 1.29 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
463 pcg 1.1 outl += outl2;
464    
465     seqno = ntohl (*(u32 *)(d + RAND_SIZE));
466    
467     id2mac (dst () ? dst() : THISNODE->id, p->dst);
468     id2mac (src (), p->src);
469    
470     #if ENABLE_COMPRESSION
471     if (type == PT_DATA_COMPRESSED)
472     {
473     u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
474    
475     p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
476     &(*p)[6 + 6], MAX_MTU)
477     + 6 + 6;
478     }
479     else
480     p->len = outl + (6 + 6 - DATAHDR);
481     #endif
482    
483     return p;
484     }
485    
486     struct ping_packet : vpn_packet
487     {
488     void setup (int dst, ptype type)
489     {
490     set_hdr (type, dst);
491     len = sizeof (*this) - sizeof (net_packet);
492     }
493     };
494    
495     struct config_packet : vpn_packet
496     {
497     // actually, hmaclen cannot be checked because the hmac
498     // field comes before this data, so peers with other
499     // hmacs simply will not work.
500     u8 prot_major, prot_minor, randsize, hmaclen;
501 pcg 1.31 u8 flags, challengelen, features, pad3;
502 pcg 1.1 u32 cipher_nid, digest_nid, hmac_nid;
503    
504     void setup (ptype type, int dst);
505     bool chk_config () const;
506 pcg 1.32
507     static u8 get_features ()
508     {
509     u8 f = 0;
510     #if ENABLE_COMPRESSION
511     f |= FEATURE_COMPRESSION;
512     #endif
513     #if ENABLE_ROHC
514     f |= FEATURE_ROHC;
515     #endif
516 pcg 1.59 #if ENABLE_BRIDGING
517     f |= FEATURE_BRIDGING;
518     #endif
519 pcg 1.32 return f;
520     }
521 pcg 1.1 };
522    
523     void config_packet::setup (ptype type, int dst)
524     {
525     prot_major = PROTOCOL_MAJOR;
526     prot_minor = PROTOCOL_MINOR;
527     randsize = RAND_SIZE;
528     hmaclen = HMACLENGTH;
529 pcg 1.48 flags = 0;
530 pcg 1.1 challengelen = sizeof (rsachallenge);
531 pcg 1.32 features = get_features ();
532 pcg 1.1
533     cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
534     digest_nid = htonl (EVP_MD_type (RSA_HASH));
535     hmac_nid = htonl (EVP_MD_type (DIGEST));
536    
537     len = sizeof (*this) - sizeof (net_packet);
538     set_hdr (type, dst);
539     }
540    
541     bool config_packet::chk_config () const
542     {
543 pcg 1.15 if (prot_major != PROTOCOL_MAJOR)
544 pcg 1.23 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
545 pcg 1.15 else if (randsize != RAND_SIZE)
546 pcg 1.23 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
547 pcg 1.15 else if (hmaclen != HMACLENGTH)
548 pcg 1.23 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
549 pcg 1.15 else if (challengelen != sizeof (rsachallenge))
550 pcg 1.23 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
551 pcg 1.15 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
552 pcg 1.23 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
553 pcg 1.15 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
554 pcg 1.23 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
555 pcg 1.15 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
556 pcg 1.23 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
557 pcg 1.15 else
558     return true;
559    
560     return false;
561 pcg 1.1 }
562    
563     struct auth_req_packet : config_packet
564     {
565     char magic[8];
566     u8 initiate; // false if this is just an automatic reply
567 pcg 1.28 u8 protocols; // supported protocols (will be patched on forward)
568 pcg 1.1 u8 pad2, pad3;
569     rsaid id;
570     rsaencrdata encr;
571    
572     auth_req_packet (int dst, bool initiate_, u8 protocols_)
573     {
574     config_packet::setup (PT_AUTH_REQ, dst);
575     strncpy (magic, MAGIC, 8);
576     initiate = !!initiate_;
577     protocols = protocols_;
578    
579     len = sizeof (*this) - sizeof (net_packet);
580     }
581     };
582    
583     struct auth_res_packet : config_packet
584     {
585     rsaid id;
586     u8 pad1, pad2, pad3;
587     u8 response_len; // encrypted length
588     rsaresponse response;
589    
590     auth_res_packet (int dst)
591     {
592     config_packet::setup (PT_AUTH_RES, dst);
593    
594     len = sizeof (*this) - sizeof (net_packet);
595     }
596     };
597    
598     struct connect_req_packet : vpn_packet
599     {
600     u8 id, protocols;
601     u8 pad1, pad2;
602    
603     connect_req_packet (int dst, int id_, u8 protocols_)
604     : id(id_)
605     , protocols(protocols_)
606     {
607     set_hdr (PT_CONNECT_REQ, dst);
608     len = sizeof (*this) - sizeof (net_packet);
609     }
610     };
611    
612     struct connect_info_packet : vpn_packet
613     {
614     u8 id, protocols;
615     u8 pad1, pad2;
616     sockinfo si;
617    
618     connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
619     : id(id_)
620     , protocols(protocols_)
621     , si(si_)
622     {
623     set_hdr (PT_CONNECT_INFO, dst);
624    
625     len = sizeof (*this) - sizeof (net_packet);
626     }
627     };
628    
629     /////////////////////////////////////////////////////////////////////////////
630    
631     void
632 pcg 1.10 connection::connection_established ()
633     {
634 pcg 1.61 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
635    
636 pcg 1.10 if (ictx && octx)
637     {
638 pcg 1.36 // make sure rekeying timeouts are slightly asymmetric
639 pcg 1.60 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
640     rekey.start (rekey_interval, rekey_interval);
641     keepalive.start (::conf.keepalive);
642 pcg 1.10
643     // send queued packets
644     if (ictx && octx)
645 pcg 1.12 {
646     while (tap_packet *p = (tap_packet *)data_queue.get ())
647     {
648 pcg 1.67 if (p->len) send_data_packet (p);
649 pcg 1.12 delete p;
650     }
651    
652     while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
653     {
654 pcg 1.67 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
655 pcg 1.12 delete p;
656     }
657     }
658 pcg 1.10 }
659     else
660     {
661     retry_cnt = 0;
662 pcg 1.60 establish_connection.start (5);
663 pcg 1.25 keepalive.stop ();
664     rekey.stop ();
665 pcg 1.10 }
666     }
667    
668     void
669 pcg 1.8 connection::reset_si ()
670 pcg 1.1 {
671 pcg 1.6 protocol = best_protocol (THISNODE->protocols & conf->protocols);
672    
673     // mask out protocols we cannot establish
674     if (!conf->udp_port) protocol &= ~PROT_UDPv4;
675     if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
676 pcg 1.40 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
677 pcg 1.59
678     if (protocol
679     && (!conf->can_direct (THISNODE)
680     || !THISNODE->can_direct (conf)))
681     {
682     slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename);
683     protocol = 0;
684     }
685 pcg 1.6
686     si.set (conf, protocol);
687 pcg 1.1 }
688    
689 pcg 1.8 // ensure sockinfo is valid, forward if necessary
690     const sockinfo &
691     connection::forward_si (const sockinfo &si) const
692     {
693     if (!si.valid ())
694     {
695     connection *r = vpn->find_router ();
696    
697     if (r)
698     {
699 pcg 1.46 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s (%s)"),
700     conf->nodename, r->conf->nodename, (const char *)r->si);
701 pcg 1.8 return r->si;
702     }
703     else
704     slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
705     conf->nodename);
706     }
707    
708     return si;
709     }
710    
711 pcg 1.1 void
712 pcg 1.10 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
713     {
714 pcg 1.46 if (!vpn->send_vpn_packet (pkt, si, tos))
715 pcg 1.10 reset_connection ();
716     }
717    
718     void
719 pcg 1.1 connection::send_ping (const sockinfo &si, u8 pong)
720     {
721     ping_packet *pkt = new ping_packet;
722    
723     pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
724 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
725 pcg 1.1
726     delete pkt;
727     }
728    
729     void
730     connection::send_reset (const sockinfo &si)
731     {
732     if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
733     {
734     config_packet *pkt = new config_packet;
735    
736     pkt->setup (vpn_packet::PT_RESET, conf->id);
737 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_MINCOST);
738 pcg 1.1
739     delete pkt;
740     }
741     }
742    
743     void
744     connection::send_auth_request (const sockinfo &si, bool initiate)
745     {
746     auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
747    
748 pcg 1.6 rsachallenge chg;
749     rsa_cache.gen (pkt->id, chg);
750 pcg 1.24 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
751 pcg 1.1
752 pcg 1.6 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
753 pcg 1.1
754 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
755 pcg 1.1
756 pcg 1.6 delete pkt;
757 pcg 1.1 }
758    
759     void
760     connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
761     {
762     auth_res_packet *pkt = new auth_res_packet (conf->id);
763    
764     pkt->id = id;
765    
766     rsa_hash (id, chg, pkt->response);
767    
768     pkt->hmac_set (octx);
769    
770     slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
771    
772 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
773 pcg 1.1
774     delete pkt;
775     }
776    
777     void
778     connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
779     {
780 pcg 1.58 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
781 pcg 1.1 conf->id, rid, (const char *)rsi);
782    
783     connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
784    
785     r->hmac_set (octx);
786 pcg 1.10 send_vpn_packet (r, si);
787 pcg 1.1
788     delete r;
789     }
790    
791 pcg 1.66 inline void
792 pcg 1.60 connection::establish_connection_cb (ev::timer &w, int revents)
793 pcg 1.1 {
794 pcg 1.25 if (!ictx
795     && conf != THISNODE
796     && connectmode != conf_node::C_NEVER
797     && connectmode != conf_node::C_DISABLED
798 pcg 1.60 && !w.is_active ())
799 pcg 1.1 {
800 pcg 1.67 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
801     // and stop trying. should probably be handled by a per-connection expire handler.
802     if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
803     {
804     reset_connection ();
805     return;
806     }
807    
808 pcg 1.68 last_establish_attempt = ev_now ();
809    
810 pcg 1.60 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
811     ? (retry_cnt & 3) + 1
812     : 1 << (retry_cnt >> 2));
813 pcg 1.1
814 pcg 1.47 reset_si ();
815 pcg 1.1
816 pcg 1.47 bool slow = si.prot & PROT_SLOW;
817 pcg 1.8
818     if (si.prot && !si.host)
819 pcg 1.60 {
820 pcg 1.61 slog (L_TRACE, _("%s: connection request (indirect)"), conf->nodename);
821 pcg 1.60 /*TODO*/ /* start the timer so we don't recurse endlessly */
822     w.start (1);
823     vpn->send_connect_request (conf->id);
824     }
825 pcg 1.8 else
826 pcg 1.1 {
827 pcg 1.61 slog (L_TRACE, _("%s: connection request (direct)"), conf->nodename, !!ictx, !!octx);
828    
829 pcg 1.8 const sockinfo &dsi = forward_si (si);
830 pcg 1.6
831 pcg 1.47 slow = slow || (dsi.prot & PROT_SLOW);
832    
833 pcg 1.8 if (dsi.valid () && auth_rate_limiter.can (dsi))
834     {
835     if (retry_cnt < 4)
836     send_auth_request (dsi, true);
837     else
838     send_ping (dsi, 0);
839     }
840 pcg 1.1 }
841 pcg 1.47
842 pcg 1.68 retry_int *= slow ? 8. : 0.9;
843 pcg 1.47
844     if (retry_int < conf->max_retry)
845     retry_cnt++;
846     else
847     retry_int = conf->max_retry;
848    
849 pcg 1.60 w.start (retry_int);
850 pcg 1.1 }
851     }
852    
853     void
854     connection::reset_connection ()
855     {
856     if (ictx && octx)
857     {
858     slog (L_INFO, _("%s(%s): connection lost"),
859     conf->nodename, (const char *)si);
860    
861     if (::conf.script_node_down)
862 pcg 1.64 {
863     run_script_cb cb;
864 pcg 1.65 cb.set<connection, &connection::script_node_down> (this);
865 pcg 1.64 if (!run_script (cb, false))
866     slog (L_WARN, _("node-down command execution failed, continuing."));
867     }
868 pcg 1.1 }
869    
870     delete ictx; ictx = 0;
871     delete octx; octx = 0;
872 pcg 1.44 #if ENABLE_DNS
873 pcg 1.45 dnsv4_reset_connection ();
874 pcg 1.44 #endif
875 pcg 1.1
876 pcg 1.38 si.host = 0;
877 pcg 1.1
878     last_activity = 0;
879     retry_cnt = 0;
880    
881 pcg 1.25 rekey.stop ();
882     keepalive.stop ();
883     establish_connection.stop ();
884 pcg 1.1 }
885    
886     void
887     connection::shutdown ()
888     {
889     if (ictx && octx)
890     send_reset (si);
891    
892     reset_connection ();
893     }
894    
895 pcg 1.66 inline void
896 pcg 1.60 connection::rekey_cb (ev::timer &w, int revents)
897 pcg 1.1 {
898     reset_connection ();
899     establish_connection ();
900     }
901    
902     void
903 pcg 1.21 connection::send_data_packet (tap_packet *pkt)
904 pcg 1.1 {
905     vpndata_packet *p = new vpndata_packet;
906     int tos = 0;
907    
908 pcg 1.12 // I am not hilarious about peeking into packets, but so be it.
909 pcg 1.21 if (conf->inherit_tos && pkt->is_ipv4 ())
910 pcg 1.1 tos = (*pkt)[15] & IPTOS_TOS_MASK;
911    
912 pcg 1.21 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
913 pcg 1.10 send_vpn_packet (p, si, tos);
914 pcg 1.1
915     delete p;
916    
917     if (oseqno > MAX_SEQNO)
918     rekey ();
919     }
920    
921     void
922 pcg 1.68 connection::post_inject_queue ()
923     {
924     // force a connection every now and when when packets are sent (max 1/s)
925     if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
926     establish_connection.stop ();
927    
928     establish_connection ();
929     }
930    
931     void
932     connection::inject_data_packet (tap_packet *pkt)
933 pcg 1.1 {
934     if (ictx && octx)
935 pcg 1.21 send_data_packet (pkt);
936 pcg 1.1 else
937     {
938 pcg 1.68 data_queue.put (new tap_packet (*pkt));
939     post_inject_queue ();
940 pcg 1.1 }
941     }
942    
943 pcg 1.8 void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
944     {
945     if (ictx && octx)
946 pcg 1.10 send_vpn_packet (pkt, si, tos);
947 pcg 1.8 else
948 pcg 1.12 {
949 pcg 1.28 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
950 pcg 1.68 post_inject_queue ();
951 pcg 1.12 }
952 pcg 1.8 }
953    
954 pcg 1.1 void
955     connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
956     {
957 pcg 1.62 last_activity = ev_now ();
958 pcg 1.1
959     slog (L_NOISE, "<<%d received packet type %d from %d to %d",
960     conf->id, pkt->typ (), pkt->src (), pkt->dst ());
961    
962 pcg 1.61 if (connectmode == conf_node::C_DISABLED)
963     return;
964    
965 pcg 1.1 switch (pkt->typ ())
966     {
967 pcg 1.3 case vpn_packet::PT_PING:
968     // we send pings instead of auth packets after some retries,
969     // so reset the retry counter and establish a connection
970     // when we receive a ping.
971     if (!ictx)
972     {
973     if (auth_rate_limiter.can (rsi))
974     send_auth_request (rsi, true);
975     }
976     else
977     send_ping (rsi, 1); // pong
978    
979     break;
980    
981     case vpn_packet::PT_PONG:
982     break;
983    
984     case vpn_packet::PT_RESET:
985 pcg 1.1 {
986 pcg 1.3 reset_connection ();
987    
988     config_packet *p = (config_packet *) pkt;
989    
990     if (!p->chk_config ())
991     {
992     slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
993     conf->nodename, (const char *)rsi);
994     connectmode = conf_node::C_DISABLED;
995     }
996     else if (connectmode == conf_node::C_ALWAYS)
997     establish_connection ();
998 pcg 1.1 }
999 pcg 1.3 break;
1000    
1001     case vpn_packet::PT_AUTH_REQ:
1002     if (auth_rate_limiter.can (rsi))
1003     {
1004     auth_req_packet *p = (auth_req_packet *) pkt;
1005    
1006     slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
1007 pcg 1.1
1008 pcg 1.3 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
1009     {
1010     if (p->prot_minor != PROTOCOL_MINOR)
1011     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1012     conf->nodename, (const char *)rsi,
1013     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1014    
1015     if (p->initiate)
1016     send_auth_request (rsi, false);
1017    
1018     rsachallenge k;
1019    
1020 pcg 1.24 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
1021 pcg 1.23 {
1022     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1023     conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1024     break;
1025     }
1026 pcg 1.3 else
1027     {
1028     delete octx;
1029 pcg 1.1
1030 pcg 1.3 octx = new crypto_ctx (k, 1);
1031     oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
1032 pcg 1.1
1033 pcg 1.3 conf->protocols = p->protocols;
1034 pcg 1.32 features = p->features & config_packet::get_features ();
1035 pcg 1.10
1036 pcg 1.3 send_auth_response (rsi, p->id, k);
1037    
1038 pcg 1.10 connection_established ();
1039    
1040 pcg 1.3 break;
1041     }
1042     }
1043 pcg 1.15 else
1044     slog (L_WARN, _("%s(%s): protocol mismatch"),
1045     conf->nodename, (const char *)rsi);
1046 pcg 1.3
1047     send_reset (rsi);
1048 pcg 1.1 }
1049    
1050 pcg 1.3 break;
1051    
1052     case vpn_packet::PT_AUTH_RES:
1053 pcg 1.1 {
1054 pcg 1.3 auth_res_packet *p = (auth_res_packet *) pkt;
1055 pcg 1.1
1056 pcg 1.3 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
1057 pcg 1.1
1058 pcg 1.3 if (p->chk_config ())
1059 pcg 1.1 {
1060     if (p->prot_minor != PROTOCOL_MINOR)
1061     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1062     conf->nodename, (const char *)rsi,
1063     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1064    
1065 pcg 1.3 rsachallenge chg;
1066 pcg 1.1
1067 pcg 1.3 if (!rsa_cache.find (p->id, chg))
1068 pcg 1.13 {
1069 pcg 1.18 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
1070 pcg 1.13 conf->nodename, (const char *)rsi);
1071     break;
1072     }
1073 pcg 1.1 else
1074     {
1075 pcg 1.3 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1076    
1077     if (!p->hmac_chk (cctx))
1078 pcg 1.18 {
1079     slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1080 pcg 1.27 "could be an attack, or just corruption or a synchronization error"),
1081 pcg 1.18 conf->nodename, (const char *)rsi);
1082     break;
1083     }
1084 pcg 1.3 else
1085     {
1086     rsaresponse h;
1087    
1088     rsa_hash (p->id, chg, h);
1089    
1090     if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
1091     {
1092     prot_minor = p->prot_minor;
1093    
1094     delete ictx; ictx = cctx;
1095    
1096     iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1097    
1098     si = rsi;
1099 pcg 1.7 protocol = rsi.prot;
1100 pcg 1.3
1101 pcg 1.10 connection_established ();
1102 pcg 1.1
1103 pcg 1.7 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
1104 pcg 1.3 conf->nodename, (const char *)rsi,
1105     p->prot_major, p->prot_minor);
1106 pcg 1.1
1107 pcg 1.3 if (::conf.script_node_up)
1108 pcg 1.64 {
1109     run_script_cb cb;
1110 pcg 1.65 cb.set<connection, &connection::script_node_up> (this);
1111 pcg 1.64 if (!run_script (cb, false))
1112     slog (L_WARN, _("node-up command execution failed, continuing."));
1113     }
1114 pcg 1.1
1115 pcg 1.3 break;
1116     }
1117     else
1118     slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
1119     conf->nodename, (const char *)rsi);
1120     }
1121 pcg 1.1
1122 pcg 1.3 delete cctx;
1123 pcg 1.1 }
1124     }
1125     }
1126    
1127 pcg 1.3 send_reset (rsi);
1128     break;
1129 pcg 1.1
1130 pcg 1.3 case vpn_packet::PT_DATA_COMPRESSED:
1131     #if !ENABLE_COMPRESSION
1132     send_reset (rsi);
1133     break;
1134     #endif
1135 pcg 1.1
1136 pcg 1.3 case vpn_packet::PT_DATA_UNCOMPRESSED:
1137 pcg 1.1
1138 pcg 1.3 if (ictx && octx)
1139 pcg 1.1 {
1140 pcg 1.3 vpndata_packet *p = (vpndata_packet *)pkt;
1141 pcg 1.1
1142 pcg 1.10 if (!p->hmac_chk (ictx))
1143     slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1144 pcg 1.27 "could be an attack, or just corruption or a synchronization error"),
1145 pcg 1.10 conf->nodename, (const char *)rsi);
1146     else
1147 pcg 1.1 {
1148 pcg 1.10 u32 seqno;
1149     tap_packet *d = p->unpack (this, seqno);
1150    
1151     if (iseqno.recv_ok (seqno))
1152 pcg 1.1 {
1153 pcg 1.10 vpn->tap->send (d);
1154 pcg 1.1
1155 pcg 1.10 if (si != rsi)
1156 pcg 1.1 {
1157 pcg 1.56 // fast re-sync on source address changes, useful especially for tcp/ip
1158 pcg 1.10 si = rsi;
1159 pcg 1.1
1160 pcg 1.10 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1161     conf->nodename, (const char *)si, (const char *)rsi);
1162     }
1163 pcg 1.32 }
1164 pcg 1.3
1165 pcg 1.32 delete d;
1166     break;
1167 pcg 1.1 }
1168     }
1169    
1170 pcg 1.3 send_reset (rsi);
1171     break;
1172 pcg 1.1
1173 pcg 1.3 case vpn_packet::PT_CONNECT_REQ:
1174     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1175     {
1176     connect_req_packet *p = (connect_req_packet *) pkt;
1177 pcg 1.1
1178 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1179     {
1180     connection *c = vpn->conns[p->id - 1];
1181     conf->protocols = p->protocols;
1182 pcg 1.1
1183 pcg 1.58 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1184 pcg 1.57 conf->id, p->id, c->ictx && c->octx);
1185 pcg 1.1
1186 pcg 1.57 if (c->ictx && c->octx)
1187     {
1188     // send connect_info packets to both sides, in case one is
1189     // behind a nat firewall (or both ;)
1190     c->send_connect_info (conf->id, si, conf->protocols);
1191     send_connect_info (c->conf->id, c->si, c->conf->protocols);
1192     }
1193     else
1194     c->establish_connection ();
1195 pcg 1.3 }
1196 pcg 1.11 else
1197 pcg 1.57 slog (L_WARN,
1198     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1199     p->id);
1200 pcg 1.3 }
1201 pcg 1.1
1202 pcg 1.3 break;
1203 pcg 1.1
1204 pcg 1.3 case vpn_packet::PT_CONNECT_INFO:
1205     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1206     {
1207 pcg 1.39 connect_info_packet *p = (connect_info_packet *)pkt;
1208 pcg 1.1
1209 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1210 pcg 1.39 {
1211     connection *c = vpn->conns[p->id - 1];
1212 pcg 1.7
1213 pcg 1.39 c->conf->protocols = p->protocols;
1214     protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1215     p->si.upgrade_protocol (protocol, c->conf);
1216 pcg 1.1
1217 pcg 1.39 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1218     conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1219 pcg 1.7
1220 pcg 1.39 const sockinfo &dsi = forward_si (p->si);
1221 pcg 1.1
1222 pcg 1.39 if (dsi.valid ())
1223     c->send_auth_request (dsi, true);
1224     }
1225 pcg 1.57 else
1226     slog (L_WARN,
1227     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1228     p->id);
1229 pcg 1.3 }
1230 pcg 1.1
1231 pcg 1.3 break;
1232 pcg 1.1
1233 pcg 1.3 default:
1234     send_reset (rsi);
1235     break;
1236 pcg 1.1 }
1237     }
1238    
1239 pcg 1.66 inline void
1240     connection::keepalive_cb (ev::timer &w, int revents)
1241 pcg 1.1 {
1242 pcg 1.62 if (ev_now () >= last_activity + ::conf.keepalive + 30)
1243 pcg 1.1 {
1244     reset_connection ();
1245     establish_connection ();
1246     }
1247 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive)
1248 pcg 1.60 w.start (last_activity + ::conf.keepalive - ev::now ());
1249 pcg 1.1 else if (conf->connectmode != conf_node::C_ONDEMAND
1250     || THISNODE->connectmode != conf_node::C_ONDEMAND)
1251     {
1252     send_ping (si);
1253 pcg 1.60 w.start (5);
1254 pcg 1.1 }
1255 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1256 pcg 1.12 // hold ondemand connections implicitly a few seconds longer
1257     // should delete octx, though, or something like that ;)
1258 pcg 1.60 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1259 pcg 1.1 else
1260     reset_connection ();
1261     }
1262    
1263 pcg 1.10 void connection::send_connect_request (int id)
1264 pcg 1.1 {
1265     connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1266    
1267     slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1268     p->hmac_set (octx);
1269 pcg 1.10 send_vpn_packet (p, si);
1270 pcg 1.1
1271     delete p;
1272     }
1273    
1274 pcg 1.53 void connection::script_init_env (const char *ext)
1275     {
1276     char *env;
1277     asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1278     asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1279     asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1280     0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1281     conf->id & 0xff); putenv (env);
1282     }
1283    
1284     void connection::script_init_connect_env ()
1285 pcg 1.1 {
1286 pcg 1.52 vpn->script_init_env ();
1287 pcg 1.1
1288     char *env;
1289     asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1290     asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1291     asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1292     asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1293     }
1294    
1295 pcg 1.66 inline const char *
1296     connection::script_node_up ()
1297 pcg 1.1 {
1298 pcg 1.53 script_init_connect_env ();
1299 pcg 1.1
1300 pcg 1.60 putenv ((char *)"STATE=up");
1301 pcg 1.1
1302 pcg 1.52 char *filename;
1303     asprintf (&filename,
1304     "%s/%s",
1305     confbase,
1306     ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1307 pcg 1.54
1308     return filename;
1309 pcg 1.1 }
1310    
1311 pcg 1.66 inline const char *
1312     connection::script_node_down ()
1313 pcg 1.1 {
1314 pcg 1.53 script_init_connect_env ();
1315 pcg 1.1
1316 pcg 1.60 putenv ((char *)"STATE=down");
1317 pcg 1.1
1318 pcg 1.52 char *filename;
1319     asprintf (&filename,
1320     "%s/%s",
1321     confbase,
1322     ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1323 pcg 1.54
1324     return filename;
1325 pcg 1.1 }
1326    
1327 pcg 1.40 connection::connection (struct vpn *vpn, conf_node *conf)
1328 pcg 1.67 : vpn(vpn), conf(conf),
1329 pcg 1.40 #if ENABLE_DNS
1330 pcg 1.67 dns (0),
1331 pcg 1.40 #endif
1332 pcg 1.67 data_queue(conf->max_ttl, conf->max_queue),
1333     vpn_queue(conf->max_ttl, conf->max_queue)
1334 pcg 1.1 {
1335 pcg 1.65 rekey .set<connection, &connection::rekey_cb > (this);
1336     keepalive .set<connection, &connection::keepalive_cb > (this);
1337     establish_connection.set<connection, &connection::establish_connection_cb> (this);
1338    
1339 pcg 1.68 last_establish_attempt = 0.;
1340 pcg 1.1 octx = ictx = 0;
1341    
1342 pcg 1.40 if (!conf->protocols) // make sure some protocol is enabled
1343     conf->protocols = PROT_UDPv4;
1344    
1345 pcg 1.67 connectmode = conf->connectmode;
1346    
1347     // queue a dummy packet to force an initial connection attempt
1348     if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1349 pcg 1.68 vpn_queue.put (new net_packet);
1350 pcg 1.67
1351 pcg 1.1 reset_connection ();
1352     }
1353    
1354     connection::~connection ()
1355     {
1356     shutdown ();
1357     }
1358    
1359     void connection_init ()
1360     {
1361     auth_rate_limiter.clear ();
1362     reset_rate_limiter.clear ();
1363     }
1364