ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
Revision: 1.74
Committed: Sun Aug 10 02:49:21 2008 UTC (15 years, 9 months ago) by pcg
Content type: text/plain
Branch: MAIN
Changes since 1.73: +1 -1 lines
Log Message: 
lots bugfixing

File Contents

# User Rev Content
1 pcg 1.1 /*
2     connection.C -- manage a single connection
3 pcg 1.69 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.42 This file is part of GVPE.
6    
7 pcg 1.69 GVPE is free software; you can redistribute it and/or modify it
8     under the terms of the GNU General Public License as published by the
9     Free Software Foundation; either version 3 of the License, or (at your
10     option) any later version.
11    
12     This program is distributed in the hope that it will be useful, but
13     WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15     Public License for more details.
16    
17     You should have received a copy of the GNU General Public License along
18     with this program; if not, see <http://www.gnu.org/licenses/>.
19    
20     Additional permission under GNU GPL version 3 section 7
21    
22     If you modify this Program, or any covered work, by linking or
23     combining it with the OpenSSL project's OpenSSL library (or a modified
24     version of that library), containing parts covered by the terms of the
25     OpenSSL or SSLeay licenses, the licensors of this Program grant you
26     additional permission to convey the resulting work. Corresponding
27     Source for a non-source form of such a combination shall include the
28     source code for the parts of OpenSSL used as well as that of the
29     covered work.
30 pcg 1.1 */
31    
32     #include "config.h"
33    
34     #include <list>
35 pcg 1.70 #include <queue>
36     #include <utility>
37 pcg 1.1
38 pcg 1.2 #include <openssl/rand.h>
39     #include <openssl/evp.h>
40     #include <openssl/rsa.h>
41     #include <openssl/err.h>
42    
43 pcg 1.1 #include "conf.h"
44     #include "slog.h"
45     #include "device.h"
46 pcg 1.2 #include "vpn.h"
47 pcg 1.1 #include "connection.h"
48    
49 pcg 1.20 #include "netcompat.h"
50 pcg 1.19
51 pcg 1.1 #if !HAVE_RAND_PSEUDO_BYTES
52     # define RAND_pseudo_bytes RAND_bytes
53     #endif
54    
55     #define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
56 pcg 1.30
57     #define ULTRA_FAST 1
58     #define HLOG 15
59     #include "lzf/lzf.h"
60     #include "lzf/lzf_c.c"
61     #include "lzf/lzf_d.c"
62 pcg 1.1
63 pcg 1.70 //////////////////////////////////////////////////////////////////////////////
64    
65     static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
66     static ev::child rs_child_ev;
67    
68     void // c++ requires external linkage here, apparently :(
69     rs_child_cb (ev::child &w, int revents)
70     {
71     w.stop ();
72    
73     if (rs_queue.empty ())
74     return;
75    
76     pid_t pid = run_script (*rs_queue.front ().first, false);
77     if (pid)
78     {
79     w.set (pid);
80     w.start ();
81     }
82     else
83     slog (L_WARN, rs_queue.front ().second);
84    
85     delete rs_queue.front ().first;
86     rs_queue.pop ();
87     }
88    
89     // despite the fancy name, this is quite a hack
90     static void
91     run_script_queued (run_script_cb *cb, const char *warnmsg)
92     {
93     rs_queue.push (std::make_pair (cb, warnmsg));
94    
95     if (!rs_child_ev.is_active ())
96     {
97     rs_child_ev.set<rs_child_cb> ();
98     rs_child_ev ();
99     }
100     }
101    
102     //////////////////////////////////////////////////////////////////////////////
103    
104 pcg 1.1 struct crypto_ctx
105     {
106     EVP_CIPHER_CTX cctx;
107     HMAC_CTX hctx;
108    
109     crypto_ctx (const rsachallenge &challenge, int enc);
110     ~crypto_ctx ();
111     };
112    
113     crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
114     {
115     EVP_CIPHER_CTX_init (&cctx);
116 pcg 1.29 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
117 pcg 1.1 HMAC_CTX_init (&hctx);
118     HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
119     }
120    
121     crypto_ctx::~crypto_ctx ()
122     {
123 pcg 1.29 require (EVP_CIPHER_CTX_cleanup (&cctx));
124 pcg 1.1 HMAC_CTX_cleanup (&hctx);
125     }
126    
127     static void
128     rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
129     {
130     EVP_MD_CTX ctx;
131    
132     EVP_MD_CTX_init (&ctx);
133 pcg 1.29 require (EVP_DigestInit (&ctx, RSA_HASH));
134     require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
135     require (EVP_DigestUpdate(&ctx, &id, sizeof id));
136     require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
137 pcg 1.1 EVP_MD_CTX_cleanup (&ctx);
138     }
139    
140 pcg 1.63 struct rsa_entry
141     {
142 pcg 1.1 tstamp expire;
143     rsaid id;
144     rsachallenge chg;
145     };
146    
147     struct rsa_cache : list<rsa_entry>
148     {
149 pcg 1.66 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
150 pcg 1.1
151     bool find (const rsaid &id, rsachallenge &chg)
152 pcg 1.51 {
153     for (iterator i = begin (); i != end (); ++i)
154     {
155 pcg 1.62 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
156 pcg 1.51 {
157     memcpy (&chg, &i->chg, sizeof chg);
158 pcg 1.1
159 pcg 1.51 erase (i);
160     return true;
161     }
162     }
163 pcg 1.1
164 pcg 1.60 if (!cleaner.is_active ())
165     cleaner.again ();
166 pcg 1.1
167 pcg 1.51 return false;
168     }
169 pcg 1.1
170     void gen (rsaid &id, rsachallenge &chg)
171 pcg 1.51 {
172     rsa_entry e;
173 pcg 1.1
174 pcg 1.51 RAND_bytes ((unsigned char *)&id, sizeof id);
175     RAND_bytes ((unsigned char *)&chg, sizeof chg);
176 pcg 1.1
177 pcg 1.62 e.expire = ev_now () + RSA_TTL;
178 pcg 1.51 e.id = id;
179     memcpy (&e.chg, &chg, sizeof chg);
180 pcg 1.1
181 pcg 1.51 push_back (e);
182 pcg 1.1
183 pcg 1.60 if (!cleaner.is_active ())
184     cleaner.again ();
185 pcg 1.51 }
186 pcg 1.1
187     rsa_cache ()
188 pcg 1.60 {
189 pcg 1.65 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
190 pcg 1.60 cleaner.set (RSA_TTL, RSA_TTL);
191     }
192 pcg 1.1
193     } rsa_cache;
194    
195 pcg 1.60 void rsa_cache::cleaner_cb (ev::timer &w, int revents)
196 pcg 1.1 {
197 pcg 1.60 if (empty ())
198     w.stop ();
199     else
200 pcg 1.1 {
201     for (iterator i = begin (); i != end (); )
202 pcg 1.62 if (i->expire <= ev_now ())
203 pcg 1.1 i = erase (i);
204     else
205     ++i;
206     }
207     }
208    
209     //////////////////////////////////////////////////////////////////////////////
210    
211 pcg 1.67 pkt_queue::pkt_queue (double max_ttl, int max_queue)
212     : max_ttl (max_ttl), max_queue (max_queue)
213 pcg 1.1 {
214 pcg 1.67 queue = new pkt [max_queue];
215    
216     i = 0;
217     j = 0;
218    
219     expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
220     }
221 pcg 1.1
222 pcg 1.67 pkt_queue::~pkt_queue ()
223     {
224     while (net_packet *p = get ())
225     delete p;
226 pcg 1.1
227 pcg 1.67 delete [] queue;
228 pcg 1.1 }
229    
230 pcg 1.67 void pkt_queue::expire_cb (ev::timer &w, int revents)
231 pcg 1.1 {
232 pcg 1.67 ev_tstamp expire = ev_now () - max_ttl;
233 pcg 1.1
234 pcg 1.67 for (;;)
235 pcg 1.1 {
236 pcg 1.67 if (empty ())
237     break;
238    
239     double diff = queue[j].tstamp - expire;
240    
241     if (diff >= 0.)
242     {
243     w.start (diff > 0.5 ? diff : 0.5);
244     break;
245     }
246    
247     delete get ();
248 pcg 1.1 }
249     }
250    
251 pcg 1.67 void pkt_queue::put (net_packet *p)
252 pcg 1.1 {
253 pcg 1.67 ev_tstamp now = ev_now ();
254    
255     // start expiry timer
256     if (empty ())
257     expire.start (max_ttl);
258    
259     int ni = i + 1 == max_queue ? 0 : i + 1;
260    
261     if (ni == j)
262     delete get ();
263    
264     queue[i].pkt = p;
265     queue[i].tstamp = now;
266    
267     i = ni;
268 pcg 1.1 }
269    
270 pcg 1.67 net_packet *pkt_queue::get ()
271 pcg 1.1 {
272 pcg 1.67 if (empty ())
273     return 0;
274    
275     net_packet *p = queue[j].pkt;
276     queue[j].pkt = 0;
277    
278     j = j + 1 == max_queue ? 0 : j + 1;
279    
280     return p;
281 pcg 1.1 }
282    
283 pcg 1.63 struct net_rateinfo
284     {
285 pcg 1.1 u32 host;
286     double pcnt, diff;
287     tstamp last;
288     };
289    
290     // only do action once every x seconds per host whole allowing bursts.
291     // this implementation ("splay list" ;) is inefficient,
292     // but low on resources.
293     struct net_rate_limiter : list<net_rateinfo>
294     {
295 pcg 1.35 # define NRL_ALPHA (1. - 1. / 600.) // allow bursts
296     # define NRL_CUTOFF 10. // one event every CUTOFF seconds
297     # define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
298     # define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
299 pcg 1.1
300 pcg 1.16 bool can (const sockinfo &si) { return can((u32)si.host); }
301 pcg 1.1 bool can (u32 host);
302     };
303    
304     net_rate_limiter auth_rate_limiter, reset_rate_limiter;
305    
306     bool net_rate_limiter::can (u32 host)
307     {
308     iterator i;
309    
310     for (i = begin (); i != end (); )
311     if (i->host == host)
312     break;
313 pcg 1.62 else if (i->last < ev_now () - NRL_EXPIRE)
314 pcg 1.1 i = erase (i);
315     else
316     i++;
317    
318     if (i == end ())
319     {
320     net_rateinfo ri;
321    
322     ri.host = host;
323     ri.pcnt = 1.;
324 pcg 1.34 ri.diff = NRL_MAXDIF;
325 pcg 1.62 ri.last = ev_now ();
326 pcg 1.1
327     push_front (ri);
328    
329     return true;
330     }
331     else
332     {
333     net_rateinfo ri (*i);
334     erase (i);
335    
336 pcg 1.34 ri.pcnt = ri.pcnt * NRL_ALPHA;
337 pcg 1.62 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
338 pcg 1.1
339 pcg 1.62 ri.last = ev_now ();
340 pcg 1.1
341 pcg 1.10 double dif = ri.diff / ri.pcnt;
342 pcg 1.1
343 pcg 1.34 bool send = dif > NRL_CUTOFF;
344 pcg 1.10
345 pcg 1.34 if (dif > NRL_MAXDIF)
346 pcg 1.10 {
347     ri.pcnt = 1.;
348 pcg 1.34 ri.diff = NRL_MAXDIF;
349 pcg 1.10 }
350     else if (send)
351 pcg 1.1 ri.pcnt++;
352    
353     push_front (ri);
354    
355     return send;
356     }
357     }
358    
359     /////////////////////////////////////////////////////////////////////////////
360    
361     unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
362    
363     void hmac_packet::hmac_gen (crypto_ctx *ctx)
364     {
365     unsigned int xlen;
366    
367     HMAC_CTX *hctx = &ctx->hctx;
368    
369     HMAC_Init_ex (hctx, 0, 0, 0, 0);
370     HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
371     len - sizeof (hmac_packet));
372     HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
373     }
374    
375     void
376     hmac_packet::hmac_set (crypto_ctx *ctx)
377     {
378     hmac_gen (ctx);
379    
380     memcpy (hmac, hmac_digest, HMACLENGTH);
381     }
382    
383     bool
384     hmac_packet::hmac_chk (crypto_ctx *ctx)
385     {
386     hmac_gen (ctx);
387    
388     return !memcmp (hmac, hmac_digest, HMACLENGTH);
389     }
390    
391 pcg 1.6 void vpn_packet::set_hdr (ptype type_, unsigned int dst)
392 pcg 1.1 {
393 pcg 1.6 type = type_;
394 pcg 1.1
395     int src = THISNODE->id;
396    
397     src1 = src;
398     srcdst = ((src >> 8) << 4) | (dst >> 8);
399     dst1 = dst;
400     }
401    
402     #define MAXVPNDATA (MAX_MTU - 6 - 6)
403     #define DATAHDR (sizeof (u32) + RAND_SIZE)
404    
405 pcg 1.28 struct vpndata_packet : vpn_packet
406 pcg 1.1 {
407     u8 data[MAXVPNDATA + DATAHDR]; // seqno
408    
409     void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
410     tap_packet *unpack (connection *conn, u32 &seqno);
411     private:
412    
413     const u32 data_hdr_size () const
414     {
415     return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
416     }
417     };
418    
419     void
420     vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
421     {
422     EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
423     int outl = 0, outl2;
424     ptype type = PT_DATA_UNCOMPRESSED;
425    
426     #if ENABLE_COMPRESSION
427     u8 cdata[MAX_MTU];
428    
429 pcg 1.31 if (conn->features & ENABLE_COMPRESSION)
430 pcg 1.1 {
431 pcg 1.31 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
432 pcg 1.1
433 pcg 1.31 if (cl)
434     {
435     type = PT_DATA_COMPRESSED;
436     d = cdata;
437     l = cl + 2;
438    
439     d[0] = cl >> 8;
440     d[1] = cl;
441     }
442 pcg 1.1 }
443     #endif
444    
445 pcg 1.29 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
446 pcg 1.1
447     struct {
448     #if RAND_SIZE
449     u8 rnd[RAND_SIZE];
450     #endif
451     u32 seqno;
452     } datahdr;
453    
454     datahdr.seqno = ntohl (seqno);
455     #if RAND_SIZE
456     RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
457     #endif
458    
459 pcg 1.29 require (EVP_EncryptUpdate (cctx,
460 pcg 1.1 (unsigned char *) data + outl, &outl2,
461 pcg 1.29 (unsigned char *) &datahdr, DATAHDR));
462 pcg 1.1 outl += outl2;
463    
464 pcg 1.29 require (EVP_EncryptUpdate (cctx,
465 pcg 1.1 (unsigned char *) data + outl, &outl2,
466 pcg 1.29 (unsigned char *) d, l));
467 pcg 1.1 outl += outl2;
468    
469 pcg 1.29 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
470 pcg 1.1 outl += outl2;
471    
472     len = outl + data_hdr_size ();
473    
474     set_hdr (type, dst);
475    
476     hmac_set (conn->octx);
477     }
478    
479     tap_packet *
480     vpndata_packet::unpack (connection *conn, u32 &seqno)
481     {
482     EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
483     int outl = 0, outl2;
484     tap_packet *p = new tap_packet;
485     u8 *d;
486     u32 l = len - data_hdr_size ();
487    
488 pcg 1.29 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
489 pcg 1.1
490     #if ENABLE_COMPRESSION
491     u8 cdata[MAX_MTU];
492    
493     if (type == PT_DATA_COMPRESSED)
494     d = cdata;
495     else
496     #endif
497     d = &(*p)[6 + 6 - DATAHDR];
498    
499     /* this overwrites part of the src mac, but we fix that later */
500 pcg 1.29 require (EVP_DecryptUpdate (cctx,
501 pcg 1.1 d, &outl2,
502 pcg 1.29 (unsigned char *)&data, len - data_hdr_size ()));
503 pcg 1.1 outl += outl2;
504    
505 pcg 1.29 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
506 pcg 1.1 outl += outl2;
507    
508     seqno = ntohl (*(u32 *)(d + RAND_SIZE));
509    
510     id2mac (dst () ? dst() : THISNODE->id, p->dst);
511     id2mac (src (), p->src);
512    
513     #if ENABLE_COMPRESSION
514     if (type == PT_DATA_COMPRESSED)
515     {
516     u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
517    
518     p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
519     &(*p)[6 + 6], MAX_MTU)
520     + 6 + 6;
521     }
522     else
523     p->len = outl + (6 + 6 - DATAHDR);
524     #endif
525    
526     return p;
527     }
528    
529     struct ping_packet : vpn_packet
530     {
531     void setup (int dst, ptype type)
532     {
533     set_hdr (type, dst);
534     len = sizeof (*this) - sizeof (net_packet);
535     }
536     };
537    
538     struct config_packet : vpn_packet
539     {
540     // actually, hmaclen cannot be checked because the hmac
541     // field comes before this data, so peers with other
542     // hmacs simply will not work.
543     u8 prot_major, prot_minor, randsize, hmaclen;
544 pcg 1.31 u8 flags, challengelen, features, pad3;
545 pcg 1.1 u32 cipher_nid, digest_nid, hmac_nid;
546    
547     void setup (ptype type, int dst);
548     bool chk_config () const;
549 pcg 1.32
550     static u8 get_features ()
551     {
552     u8 f = 0;
553     #if ENABLE_COMPRESSION
554     f |= FEATURE_COMPRESSION;
555     #endif
556     #if ENABLE_ROHC
557     f |= FEATURE_ROHC;
558     #endif
559 pcg 1.59 #if ENABLE_BRIDGING
560     f |= FEATURE_BRIDGING;
561     #endif
562 pcg 1.32 return f;
563     }
564 pcg 1.1 };
565    
566     void config_packet::setup (ptype type, int dst)
567     {
568     prot_major = PROTOCOL_MAJOR;
569     prot_minor = PROTOCOL_MINOR;
570     randsize = RAND_SIZE;
571     hmaclen = HMACLENGTH;
572 pcg 1.48 flags = 0;
573 pcg 1.1 challengelen = sizeof (rsachallenge);
574 pcg 1.32 features = get_features ();
575 pcg 1.1
576     cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
577     digest_nid = htonl (EVP_MD_type (RSA_HASH));
578     hmac_nid = htonl (EVP_MD_type (DIGEST));
579    
580     len = sizeof (*this) - sizeof (net_packet);
581     set_hdr (type, dst);
582     }
583    
584     bool config_packet::chk_config () const
585     {
586 pcg 1.15 if (prot_major != PROTOCOL_MAJOR)
587 pcg 1.23 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
588 pcg 1.15 else if (randsize != RAND_SIZE)
589 pcg 1.23 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
590 pcg 1.15 else if (hmaclen != HMACLENGTH)
591 pcg 1.23 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
592 pcg 1.15 else if (challengelen != sizeof (rsachallenge))
593 pcg 1.23 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
594 pcg 1.15 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
595 pcg 1.23 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
596 pcg 1.15 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
597 pcg 1.23 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
598 pcg 1.15 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
599 pcg 1.23 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
600 pcg 1.15 else
601     return true;
602    
603     return false;
604 pcg 1.1 }
605    
606     struct auth_req_packet : config_packet
607     {
608     char magic[8];
609     u8 initiate; // false if this is just an automatic reply
610 pcg 1.28 u8 protocols; // supported protocols (will be patched on forward)
611 pcg 1.1 u8 pad2, pad3;
612     rsaid id;
613     rsaencrdata encr;
614    
615     auth_req_packet (int dst, bool initiate_, u8 protocols_)
616     {
617     config_packet::setup (PT_AUTH_REQ, dst);
618     strncpy (magic, MAGIC, 8);
619     initiate = !!initiate_;
620     protocols = protocols_;
621    
622     len = sizeof (*this) - sizeof (net_packet);
623     }
624     };
625    
626     struct auth_res_packet : config_packet
627     {
628     rsaid id;
629     u8 pad1, pad2, pad3;
630     u8 response_len; // encrypted length
631     rsaresponse response;
632    
633     auth_res_packet (int dst)
634     {
635     config_packet::setup (PT_AUTH_RES, dst);
636    
637     len = sizeof (*this) - sizeof (net_packet);
638     }
639     };
640    
641     struct connect_req_packet : vpn_packet
642     {
643     u8 id, protocols;
644     u8 pad1, pad2;
645    
646     connect_req_packet (int dst, int id_, u8 protocols_)
647     : id(id_)
648     , protocols(protocols_)
649     {
650     set_hdr (PT_CONNECT_REQ, dst);
651     len = sizeof (*this) - sizeof (net_packet);
652     }
653     };
654    
655     struct connect_info_packet : vpn_packet
656     {
657     u8 id, protocols;
658     u8 pad1, pad2;
659     sockinfo si;
660    
661     connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
662     : id(id_)
663     , protocols(protocols_)
664     , si(si_)
665     {
666     set_hdr (PT_CONNECT_INFO, dst);
667    
668     len = sizeof (*this) - sizeof (net_packet);
669     }
670     };
671    
672     /////////////////////////////////////////////////////////////////////////////
673    
674     void
675 pcg 1.10 connection::connection_established ()
676     {
677 pcg 1.61 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
678    
679 pcg 1.10 if (ictx && octx)
680     {
681 pcg 1.36 // make sure rekeying timeouts are slightly asymmetric
682 pcg 1.60 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
683     rekey.start (rekey_interval, rekey_interval);
684     keepalive.start (::conf.keepalive);
685 pcg 1.10
686     // send queued packets
687     if (ictx && octx)
688 pcg 1.12 {
689     while (tap_packet *p = (tap_packet *)data_queue.get ())
690     {
691 pcg 1.67 if (p->len) send_data_packet (p);
692 pcg 1.12 delete p;
693     }
694    
695     while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
696     {
697 pcg 1.67 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
698 pcg 1.12 delete p;
699     }
700     }
701 pcg 1.73
702     vpn->connection_established (this);
703 pcg 1.10 }
704     else
705     {
706     retry_cnt = 0;
707 pcg 1.60 establish_connection.start (5);
708 pcg 1.25 keepalive.stop ();
709     rekey.stop ();
710 pcg 1.10 }
711     }
712    
713     void
714 pcg 1.8 connection::reset_si ()
715 pcg 1.1 {
716 pcg 1.73 if (vpn->can_direct (THISNODE, conf))
717     protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
718     else
719 pcg 1.59 {
720 pcg 1.73 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
721 pcg 1.59 protocol = 0;
722     }
723 pcg 1.6
724     si.set (conf, protocol);
725 pcg 1.73
726     is_direct = si.valid ();
727 pcg 1.1 }
728    
729 pcg 1.8 // ensure sockinfo is valid, forward if necessary
730     const sockinfo &
731     connection::forward_si (const sockinfo &si) const
732     {
733     if (!si.valid ())
734     {
735 pcg 1.73 connection *r = vpn->find_router_for (this);
736 pcg 1.8
737     if (r)
738     {
739 pcg 1.73 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
740     conf->nodename, r->conf->nodename);
741 pcg 1.8 return r->si;
742     }
743     else
744 pcg 1.73 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
745 pcg 1.8 conf->nodename);
746     }
747    
748     return si;
749     }
750    
751 pcg 1.1 void
752 pcg 1.10 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
753     {
754 pcg 1.46 if (!vpn->send_vpn_packet (pkt, si, tos))
755 pcg 1.10 reset_connection ();
756     }
757    
758     void
759 pcg 1.1 connection::send_ping (const sockinfo &si, u8 pong)
760     {
761     ping_packet *pkt = new ping_packet;
762    
763     pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
764 pcg 1.73
765     slog (L_TRACE, ">>%d %s [%s]", conf->id, pong ? "PT_PONG" : "PT_PING", (const char *)si);
766    
767 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
768 pcg 1.1
769     delete pkt;
770     }
771    
772     void
773     connection::send_reset (const sockinfo &si)
774     {
775     if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
776     {
777     config_packet *pkt = new config_packet;
778    
779     pkt->setup (vpn_packet::PT_RESET, conf->id);
780 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_MINCOST);
781 pcg 1.1
782     delete pkt;
783     }
784     }
785    
786     void
787     connection::send_auth_request (const sockinfo &si, bool initiate)
788     {
789     auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
790    
791 pcg 1.6 rsachallenge chg;
792     rsa_cache.gen (pkt->id, chg);
793 pcg 1.24 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
794 pcg 1.1
795 pcg 1.6 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
796 pcg 1.1
797 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
798 pcg 1.1
799 pcg 1.6 delete pkt;
800 pcg 1.1 }
801    
802     void
803     connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
804     {
805     auth_res_packet *pkt = new auth_res_packet (conf->id);
806    
807     pkt->id = id;
808    
809     rsa_hash (id, chg, pkt->response);
810    
811     pkt->hmac_set (octx);
812    
813     slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
814    
815 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
816 pcg 1.1
817     delete pkt;
818     }
819    
820     void
821     connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
822     {
823 pcg 1.58 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
824 pcg 1.1 conf->id, rid, (const char *)rsi);
825    
826     connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
827    
828     r->hmac_set (octx);
829 pcg 1.10 send_vpn_packet (r, si);
830 pcg 1.1
831     delete r;
832     }
833    
834 pcg 1.66 inline void
835 pcg 1.60 connection::establish_connection_cb (ev::timer &w, int revents)
836 pcg 1.1 {
837 pcg 1.25 if (!ictx
838     && conf != THISNODE
839     && connectmode != conf_node::C_NEVER
840     && connectmode != conf_node::C_DISABLED
841 pcg 1.60 && !w.is_active ())
842 pcg 1.1 {
843 pcg 1.67 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
844     // and stop trying. should probably be handled by a per-connection expire handler.
845     if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
846     {
847     reset_connection ();
848     return;
849     }
850    
851 pcg 1.68 last_establish_attempt = ev_now ();
852    
853 pcg 1.60 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
854     ? (retry_cnt & 3) + 1
855     : 1 << (retry_cnt >> 2));
856 pcg 1.1
857 pcg 1.47 reset_si ();
858 pcg 1.1
859 pcg 1.47 bool slow = si.prot & PROT_SLOW;
860 pcg 1.8
861 pcg 1.73 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
862 pcg 1.60 {
863     /*TODO*/ /* start the timer so we don't recurse endlessly */
864     w.start (1);
865 pcg 1.74 vpn->send_connect_request (this);
866 pcg 1.60 }
867 pcg 1.8 else
868 pcg 1.1 {
869 pcg 1.73 if (si.valid ())
870     slog (L_DEBUG, _("%s: sending direct connection request to %s."),
871     conf->nodename, (const char *)si);
872 pcg 1.61
873 pcg 1.8 const sockinfo &dsi = forward_si (si);
874 pcg 1.6
875 pcg 1.47 slow = slow || (dsi.prot & PROT_SLOW);
876    
877 pcg 1.8 if (dsi.valid () && auth_rate_limiter.can (dsi))
878     {
879     if (retry_cnt < 4)
880     send_auth_request (dsi, true);
881     else
882     send_ping (dsi, 0);
883     }
884 pcg 1.1 }
885 pcg 1.47
886 pcg 1.68 retry_int *= slow ? 8. : 0.9;
887 pcg 1.47
888     if (retry_int < conf->max_retry)
889     retry_cnt++;
890     else
891     retry_int = conf->max_retry;
892    
893 pcg 1.60 w.start (retry_int);
894 pcg 1.1 }
895     }
896    
897     void
898     connection::reset_connection ()
899     {
900     if (ictx && octx)
901     {
902     slog (L_INFO, _("%s(%s): connection lost"),
903     conf->nodename, (const char *)si);
904    
905     if (::conf.script_node_down)
906 pcg 1.64 {
907 pcg 1.70 run_script_cb *cb = new run_script_cb;
908     cb->set<connection, &connection::script_node_down> (this);
909     run_script_queued (cb, _("node-down command execution failed, continuing."));
910 pcg 1.64 }
911 pcg 1.1 }
912    
913     delete ictx; ictx = 0;
914     delete octx; octx = 0;
915 pcg 1.44 #if ENABLE_DNS
916 pcg 1.45 dnsv4_reset_connection ();
917 pcg 1.44 #endif
918 pcg 1.1
919 pcg 1.38 si.host = 0;
920 pcg 1.1
921 pcg 1.73 last_activity = 0.;
922     //last_si_change = 0.;
923 pcg 1.1 retry_cnt = 0;
924    
925 pcg 1.25 rekey.stop ();
926     keepalive.stop ();
927     establish_connection.stop ();
928 pcg 1.1 }
929    
930     void
931     connection::shutdown ()
932     {
933     if (ictx && octx)
934     send_reset (si);
935    
936     reset_connection ();
937     }
938    
939 pcg 1.73 // poor-man's rekeying
940 pcg 1.66 inline void
941 pcg 1.60 connection::rekey_cb (ev::timer &w, int revents)
942 pcg 1.1 {
943     reset_connection ();
944     establish_connection ();
945     }
946    
947     void
948 pcg 1.21 connection::send_data_packet (tap_packet *pkt)
949 pcg 1.1 {
950     vpndata_packet *p = new vpndata_packet;
951     int tos = 0;
952    
953 pcg 1.12 // I am not hilarious about peeking into packets, but so be it.
954 pcg 1.21 if (conf->inherit_tos && pkt->is_ipv4 ())
955 pcg 1.1 tos = (*pkt)[15] & IPTOS_TOS_MASK;
956    
957 pcg 1.21 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
958 pcg 1.10 send_vpn_packet (p, si, tos);
959 pcg 1.1
960     delete p;
961    
962     if (oseqno > MAX_SEQNO)
963     rekey ();
964     }
965    
966     void
967 pcg 1.68 connection::post_inject_queue ()
968     {
969     // force a connection every now and when when packets are sent (max 1/s)
970     if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
971     establish_connection.stop ();
972    
973     establish_connection ();
974     }
975    
976     void
977     connection::inject_data_packet (tap_packet *pkt)
978 pcg 1.1 {
979     if (ictx && octx)
980 pcg 1.21 send_data_packet (pkt);
981 pcg 1.1 else
982     {
983 pcg 1.68 data_queue.put (new tap_packet (*pkt));
984     post_inject_queue ();
985 pcg 1.1 }
986     }
987    
988 pcg 1.8 void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
989     {
990     if (ictx && octx)
991 pcg 1.10 send_vpn_packet (pkt, si, tos);
992 pcg 1.8 else
993 pcg 1.12 {
994 pcg 1.28 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
995 pcg 1.68 post_inject_queue ();
996 pcg 1.12 }
997 pcg 1.8 }
998    
999 pcg 1.1 void
1000     connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1001     {
1002 pcg 1.62 last_activity = ev_now ();
1003 pcg 1.1
1004 pcg 1.73 slog (L_NOISE, "<<%d received packet type %d from %d to %d.",
1005 pcg 1.1 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
1006    
1007 pcg 1.61 if (connectmode == conf_node::C_DISABLED)
1008     return;
1009    
1010 pcg 1.1 switch (pkt->typ ())
1011     {
1012 pcg 1.3 case vpn_packet::PT_PING:
1013     // we send pings instead of auth packets after some retries,
1014     // so reset the retry counter and establish a connection
1015     // when we receive a ping.
1016     if (!ictx)
1017     {
1018     if (auth_rate_limiter.can (rsi))
1019     send_auth_request (rsi, true);
1020     }
1021     else
1022 pcg 1.73 // we would love to change thre socket address here, but ping's aren't
1023     // authenticated, so we best ignore it.
1024 pcg 1.3 send_ping (rsi, 1); // pong
1025    
1026     break;
1027    
1028     case vpn_packet::PT_PONG:
1029     break;
1030    
1031     case vpn_packet::PT_RESET:
1032 pcg 1.1 {
1033 pcg 1.3 reset_connection ();
1034    
1035     config_packet *p = (config_packet *) pkt;
1036    
1037     if (!p->chk_config ())
1038     {
1039 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
1040 pcg 1.3 conf->nodename, (const char *)rsi);
1041     connectmode = conf_node::C_DISABLED;
1042     }
1043     else if (connectmode == conf_node::C_ALWAYS)
1044     establish_connection ();
1045 pcg 1.1 }
1046 pcg 1.3 break;
1047    
1048     case vpn_packet::PT_AUTH_REQ:
1049     if (auth_rate_limiter.can (rsi))
1050     {
1051     auth_req_packet *p = (auth_req_packet *) pkt;
1052    
1053     slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
1054 pcg 1.1
1055 pcg 1.3 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
1056     {
1057     if (p->prot_minor != PROTOCOL_MINOR)
1058     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1059     conf->nodename, (const char *)rsi,
1060     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1061    
1062     if (p->initiate)
1063     send_auth_request (rsi, false);
1064    
1065     rsachallenge k;
1066    
1067 pcg 1.24 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
1068 pcg 1.23 {
1069     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1070     conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1071     break;
1072     }
1073 pcg 1.3 else
1074     {
1075     delete octx;
1076 pcg 1.1
1077 pcg 1.3 octx = new crypto_ctx (k, 1);
1078     oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
1079 pcg 1.1
1080 pcg 1.3 conf->protocols = p->protocols;
1081 pcg 1.32 features = p->features & config_packet::get_features ();
1082 pcg 1.10
1083 pcg 1.3 send_auth_response (rsi, p->id, k);
1084    
1085 pcg 1.10 connection_established ();
1086    
1087 pcg 1.3 break;
1088     }
1089     }
1090 pcg 1.15 else
1091 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch."),
1092 pcg 1.15 conf->nodename, (const char *)rsi);
1093 pcg 1.3
1094     send_reset (rsi);
1095 pcg 1.1 }
1096    
1097 pcg 1.3 break;
1098    
1099     case vpn_packet::PT_AUTH_RES:
1100 pcg 1.1 {
1101 pcg 1.3 auth_res_packet *p = (auth_res_packet *) pkt;
1102 pcg 1.1
1103 pcg 1.3 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
1104 pcg 1.1
1105 pcg 1.3 if (p->chk_config ())
1106 pcg 1.1 {
1107     if (p->prot_minor != PROTOCOL_MINOR)
1108     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1109     conf->nodename, (const char *)rsi,
1110     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1111    
1112 pcg 1.3 rsachallenge chg;
1113 pcg 1.1
1114 pcg 1.3 if (!rsa_cache.find (p->id, chg))
1115 pcg 1.13 {
1116 pcg 1.73 slog (L_ERR, _("%s(%s): unrequested auth response, ignoring."),
1117 pcg 1.13 conf->nodename, (const char *)rsi);
1118     break;
1119     }
1120 pcg 1.1 else
1121     {
1122 pcg 1.3 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1123    
1124     if (!p->hmac_chk (cctx))
1125 pcg 1.18 {
1126     slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1127 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1128 pcg 1.18 conf->nodename, (const char *)rsi);
1129     break;
1130     }
1131 pcg 1.3 else
1132     {
1133     rsaresponse h;
1134    
1135     rsa_hash (p->id, chg, h);
1136    
1137     if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
1138     {
1139     prot_minor = p->prot_minor;
1140    
1141     delete ictx; ictx = cctx;
1142    
1143     iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1144    
1145     si = rsi;
1146 pcg 1.7 protocol = rsi.prot;
1147 pcg 1.3
1148 pcg 1.73 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d."),
1149 pcg 1.3 conf->nodename, (const char *)rsi,
1150     p->prot_major, p->prot_minor);
1151 pcg 1.1
1152 pcg 1.73 connection_established ();
1153    
1154 pcg 1.3 if (::conf.script_node_up)
1155 pcg 1.64 {
1156 pcg 1.70 run_script_cb *cb = new run_script_cb;
1157     cb->set<connection, &connection::script_node_up> (this);
1158     run_script_queued (cb, _("node-up command execution failed, continuing."));
1159 pcg 1.64 }
1160 pcg 1.1
1161 pcg 1.3 break;
1162     }
1163     else
1164 pcg 1.73 slog (L_ERR, _("%s(%s): sent and received challenge do not match."),
1165 pcg 1.3 conf->nodename, (const char *)rsi);
1166     }
1167 pcg 1.1
1168 pcg 1.3 delete cctx;
1169 pcg 1.1 }
1170     }
1171     }
1172    
1173 pcg 1.3 send_reset (rsi);
1174     break;
1175 pcg 1.1
1176 pcg 1.3 case vpn_packet::PT_DATA_COMPRESSED:
1177     #if !ENABLE_COMPRESSION
1178     send_reset (rsi);
1179     break;
1180     #endif
1181 pcg 1.1
1182 pcg 1.3 case vpn_packet::PT_DATA_UNCOMPRESSED:
1183 pcg 1.1
1184 pcg 1.3 if (ictx && octx)
1185 pcg 1.1 {
1186 pcg 1.3 vpndata_packet *p = (vpndata_packet *)pkt;
1187 pcg 1.1
1188 pcg 1.10 if (!p->hmac_chk (ictx))
1189     slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1190 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1191 pcg 1.10 conf->nodename, (const char *)rsi);
1192     else
1193 pcg 1.1 {
1194 pcg 1.10 u32 seqno;
1195     tap_packet *d = p->unpack (this, seqno);
1196 pcg 1.73 int seqclass = iseqno.seqno_classify (seqno);
1197 pcg 1.10
1198 pcg 1.73 if (seqclass == 0) // ok
1199 pcg 1.1 {
1200 pcg 1.10 vpn->tap->send (d);
1201 pcg 1.1
1202 pcg 1.10 if (si != rsi)
1203 pcg 1.1 {
1204 pcg 1.56 // fast re-sync on source address changes, useful especially for tcp/ip
1205 pcg 1.73 //if (last_si_change < ev_now () + 5.)
1206     // {
1207     si = rsi;
1208    
1209     slog (L_INFO, _("%s(%s): socket address changed to %s."),
1210     conf->nodename, (const char *)si, (const char *)rsi);
1211     // }
1212     //else
1213     // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1214     // conf->nodename, (const char *)si, (const char *)rsi);
1215 pcg 1.10 }
1216 pcg 1.32 }
1217 pcg 1.73 else if (seqclass == 1) // silently ignore
1218     slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n"
1219     "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1220     else if (seqclass == 2) // reset
1221     {
1222     slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n"
1223     "possible replay attack, or just massive packet loss, resetting connection."), seqno, iseqno.seq + 1);
1224     send_reset (rsi);
1225     }
1226 pcg 1.3
1227 pcg 1.32 delete d;
1228     break;
1229 pcg 1.1 }
1230     }
1231    
1232 pcg 1.3 send_reset (rsi);
1233     break;
1234 pcg 1.1
1235 pcg 1.3 case vpn_packet::PT_CONNECT_REQ:
1236     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1237     {
1238     connect_req_packet *p = (connect_req_packet *) pkt;
1239 pcg 1.1
1240 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1241     {
1242     connection *c = vpn->conns[p->id - 1];
1243     conf->protocols = p->protocols;
1244 pcg 1.1
1245 pcg 1.58 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1246 pcg 1.57 conf->id, p->id, c->ictx && c->octx);
1247 pcg 1.1
1248 pcg 1.57 if (c->ictx && c->octx)
1249     {
1250     // send connect_info packets to both sides, in case one is
1251     // behind a nat firewall (or both ;)
1252     c->send_connect_info (conf->id, si, conf->protocols);
1253     send_connect_info (c->conf->id, c->si, c->conf->protocols);
1254     }
1255     else
1256     c->establish_connection ();
1257 pcg 1.3 }
1258 pcg 1.11 else
1259 pcg 1.57 slog (L_WARN,
1260     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1261     p->id);
1262 pcg 1.3 }
1263 pcg 1.1
1264 pcg 1.3 break;
1265 pcg 1.1
1266 pcg 1.3 case vpn_packet::PT_CONNECT_INFO:
1267     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1268     {
1269 pcg 1.39 connect_info_packet *p = (connect_info_packet *)pkt;
1270 pcg 1.1
1271 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1272 pcg 1.39 {
1273     connection *c = vpn->conns[p->id - 1];
1274 pcg 1.7
1275 pcg 1.39 c->conf->protocols = p->protocols;
1276     protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1277     p->si.upgrade_protocol (protocol, c->conf);
1278 pcg 1.1
1279 pcg 1.39 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1280     conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1281 pcg 1.7
1282 pcg 1.39 const sockinfo &dsi = forward_si (p->si);
1283 pcg 1.1
1284 pcg 1.39 if (dsi.valid ())
1285     c->send_auth_request (dsi, true);
1286     }
1287 pcg 1.57 else
1288     slog (L_WARN,
1289     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1290     p->id);
1291 pcg 1.3 }
1292 pcg 1.1
1293 pcg 1.3 break;
1294 pcg 1.1
1295 pcg 1.3 default:
1296     send_reset (rsi);
1297     break;
1298 pcg 1.1 }
1299     }
1300    
1301 pcg 1.66 inline void
1302     connection::keepalive_cb (ev::timer &w, int revents)
1303 pcg 1.1 {
1304 pcg 1.62 if (ev_now () >= last_activity + ::conf.keepalive + 30)
1305 pcg 1.1 {
1306     reset_connection ();
1307     establish_connection ();
1308     }
1309 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive)
1310 pcg 1.60 w.start (last_activity + ::conf.keepalive - ev::now ());
1311 pcg 1.1 else if (conf->connectmode != conf_node::C_ONDEMAND
1312     || THISNODE->connectmode != conf_node::C_ONDEMAND)
1313     {
1314     send_ping (si);
1315 pcg 1.60 w.start (5);
1316 pcg 1.1 }
1317 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1318 pcg 1.12 // hold ondemand connections implicitly a few seconds longer
1319     // should delete octx, though, or something like that ;)
1320 pcg 1.60 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1321 pcg 1.1 else
1322     reset_connection ();
1323     }
1324    
1325 pcg 1.10 void connection::send_connect_request (int id)
1326 pcg 1.1 {
1327     connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1328    
1329     slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1330     p->hmac_set (octx);
1331 pcg 1.10 send_vpn_packet (p, si);
1332 pcg 1.1
1333     delete p;
1334     }
1335    
1336 pcg 1.53 void connection::script_init_env (const char *ext)
1337     {
1338     char *env;
1339     asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1340     asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1341     asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1342     0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1343     conf->id & 0xff); putenv (env);
1344     }
1345    
1346     void connection::script_init_connect_env ()
1347 pcg 1.1 {
1348 pcg 1.52 vpn->script_init_env ();
1349 pcg 1.1
1350     char *env;
1351     asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1352     asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1353     asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1354     asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1355     }
1356    
1357 pcg 1.66 inline const char *
1358     connection::script_node_up ()
1359 pcg 1.1 {
1360 pcg 1.53 script_init_connect_env ();
1361 pcg 1.1
1362 pcg 1.60 putenv ((char *)"STATE=up");
1363 pcg 1.1
1364 pcg 1.52 char *filename;
1365     asprintf (&filename,
1366     "%s/%s",
1367     confbase,
1368     ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1369 pcg 1.54
1370     return filename;
1371 pcg 1.1 }
1372    
1373 pcg 1.66 inline const char *
1374     connection::script_node_down ()
1375 pcg 1.1 {
1376 pcg 1.53 script_init_connect_env ();
1377 pcg 1.1
1378 pcg 1.60 putenv ((char *)"STATE=down");
1379 pcg 1.1
1380 pcg 1.52 char *filename;
1381     asprintf (&filename,
1382     "%s/%s",
1383     confbase,
1384     ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1385 pcg 1.54
1386     return filename;
1387 pcg 1.1 }
1388    
1389 pcg 1.40 connection::connection (struct vpn *vpn, conf_node *conf)
1390 pcg 1.67 : vpn(vpn), conf(conf),
1391 pcg 1.40 #if ENABLE_DNS
1392 pcg 1.67 dns (0),
1393 pcg 1.40 #endif
1394 pcg 1.72 data_queue(conf->max_ttl, conf->max_queue + 1),
1395     vpn_queue(conf->max_ttl, conf->max_queue + 1)
1396 pcg 1.1 {
1397 pcg 1.65 rekey .set<connection, &connection::rekey_cb > (this);
1398     keepalive .set<connection, &connection::keepalive_cb > (this);
1399     establish_connection.set<connection, &connection::establish_connection_cb> (this);
1400    
1401 pcg 1.68 last_establish_attempt = 0.;
1402 pcg 1.1 octx = ictx = 0;
1403    
1404 pcg 1.40 if (!conf->protocols) // make sure some protocol is enabled
1405     conf->protocols = PROT_UDPv4;
1406    
1407 pcg 1.67 connectmode = conf->connectmode;
1408    
1409     // queue a dummy packet to force an initial connection attempt
1410     if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1411 pcg 1.68 vpn_queue.put (new net_packet);
1412 pcg 1.67
1413 pcg 1.1 reset_connection ();
1414     }
1415    
1416     connection::~connection ()
1417     {
1418     shutdown ();
1419     }
1420    
1421     void connection_init ()
1422     {
1423     auth_rate_limiter.clear ();
1424     reset_rate_limiter.clear ();
1425     }
1426