ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
Revision: 1.78
Committed: Mon Aug 11 16:44:47 2008 UTC (15 years, 9 months ago) by pcg
Content type: text/plain
Branch: MAIN
Changes since 1.77: +3 -3 lines
Log Message: 
*** empty log message ***

File Contents

# User Rev Content
1 pcg 1.1 /*
2     connection.C -- manage a single connection
3 pcg 1.69 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.42 This file is part of GVPE.
6    
7 pcg 1.69 GVPE is free software; you can redistribute it and/or modify it
8     under the terms of the GNU General Public License as published by the
9     Free Software Foundation; either version 3 of the License, or (at your
10     option) any later version.
11    
12     This program is distributed in the hope that it will be useful, but
13     WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15     Public License for more details.
16    
17     You should have received a copy of the GNU General Public License along
18     with this program; if not, see <http://www.gnu.org/licenses/>.
19    
20     Additional permission under GNU GPL version 3 section 7
21    
22     If you modify this Program, or any covered work, by linking or
23     combining it with the OpenSSL project's OpenSSL library (or a modified
24     version of that library), containing parts covered by the terms of the
25     OpenSSL or SSLeay licenses, the licensors of this Program grant you
26     additional permission to convey the resulting work. Corresponding
27     Source for a non-source form of such a combination shall include the
28     source code for the parts of OpenSSL used as well as that of the
29     covered work.
30 pcg 1.1 */
31    
32     #include "config.h"
33    
34     #include <list>
35 pcg 1.70 #include <queue>
36     #include <utility>
37 pcg 1.1
38 pcg 1.2 #include <openssl/rand.h>
39     #include <openssl/evp.h>
40     #include <openssl/rsa.h>
41     #include <openssl/err.h>
42    
43 pcg 1.1 #include "conf.h"
44     #include "slog.h"
45     #include "device.h"
46 pcg 1.2 #include "vpn.h"
47 pcg 1.1 #include "connection.h"
48    
49 pcg 1.20 #include "netcompat.h"
50 pcg 1.19
51 pcg 1.1 #if !HAVE_RAND_PSEUDO_BYTES
52     # define RAND_pseudo_bytes RAND_bytes
53     #endif
54    
55     #define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
56 pcg 1.30
57     #define ULTRA_FAST 1
58     #define HLOG 15
59     #include "lzf/lzf.h"
60     #include "lzf/lzf_c.c"
61     #include "lzf/lzf_d.c"
62 pcg 1.1
63 pcg 1.70 //////////////////////////////////////////////////////////////////////////////
64    
65     static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
66     static ev::child rs_child_ev;
67    
68     void // c++ requires external linkage here, apparently :(
69     rs_child_cb (ev::child &w, int revents)
70     {
71     w.stop ();
72    
73     if (rs_queue.empty ())
74     return;
75    
76     pid_t pid = run_script (*rs_queue.front ().first, false);
77     if (pid)
78     {
79     w.set (pid);
80     w.start ();
81     }
82     else
83     slog (L_WARN, rs_queue.front ().second);
84    
85     delete rs_queue.front ().first;
86     rs_queue.pop ();
87     }
88    
89     // despite the fancy name, this is quite a hack
90     static void
91     run_script_queued (run_script_cb *cb, const char *warnmsg)
92     {
93     rs_queue.push (std::make_pair (cb, warnmsg));
94    
95     if (!rs_child_ev.is_active ())
96     {
97     rs_child_ev.set<rs_child_cb> ();
98     rs_child_ev ();
99     }
100     }
101    
102     //////////////////////////////////////////////////////////////////////////////
103    
104 pcg 1.1 struct crypto_ctx
105     {
106     EVP_CIPHER_CTX cctx;
107     HMAC_CTX hctx;
108    
109     crypto_ctx (const rsachallenge &challenge, int enc);
110     ~crypto_ctx ();
111     };
112    
113     crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
114     {
115     EVP_CIPHER_CTX_init (&cctx);
116 pcg 1.29 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
117 pcg 1.1 HMAC_CTX_init (&hctx);
118     HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
119     }
120    
121     crypto_ctx::~crypto_ctx ()
122     {
123 pcg 1.29 require (EVP_CIPHER_CTX_cleanup (&cctx));
124 pcg 1.1 HMAC_CTX_cleanup (&hctx);
125     }
126    
127     static void
128     rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
129     {
130     EVP_MD_CTX ctx;
131    
132     EVP_MD_CTX_init (&ctx);
133 pcg 1.29 require (EVP_DigestInit (&ctx, RSA_HASH));
134     require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
135     require (EVP_DigestUpdate(&ctx, &id, sizeof id));
136     require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
137 pcg 1.1 EVP_MD_CTX_cleanup (&ctx);
138     }
139    
140 pcg 1.63 struct rsa_entry
141     {
142 pcg 1.1 tstamp expire;
143     rsaid id;
144     rsachallenge chg;
145     };
146    
147     struct rsa_cache : list<rsa_entry>
148     {
149 pcg 1.66 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
150 pcg 1.1
151     bool find (const rsaid &id, rsachallenge &chg)
152 pcg 1.51 {
153     for (iterator i = begin (); i != end (); ++i)
154     {
155 pcg 1.62 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
156 pcg 1.51 {
157     memcpy (&chg, &i->chg, sizeof chg);
158 pcg 1.1
159 pcg 1.51 erase (i);
160     return true;
161     }
162     }
163 pcg 1.1
164 pcg 1.60 if (!cleaner.is_active ())
165     cleaner.again ();
166 pcg 1.1
167 pcg 1.51 return false;
168     }
169 pcg 1.1
170     void gen (rsaid &id, rsachallenge &chg)
171 pcg 1.51 {
172     rsa_entry e;
173 pcg 1.1
174 pcg 1.51 RAND_bytes ((unsigned char *)&id, sizeof id);
175     RAND_bytes ((unsigned char *)&chg, sizeof chg);
176 pcg 1.1
177 pcg 1.62 e.expire = ev_now () + RSA_TTL;
178 pcg 1.51 e.id = id;
179     memcpy (&e.chg, &chg, sizeof chg);
180 pcg 1.1
181 pcg 1.51 push_back (e);
182 pcg 1.1
183 pcg 1.60 if (!cleaner.is_active ())
184     cleaner.again ();
185 pcg 1.51 }
186 pcg 1.1
187     rsa_cache ()
188 pcg 1.60 {
189 pcg 1.65 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
190 pcg 1.60 cleaner.set (RSA_TTL, RSA_TTL);
191     }
192 pcg 1.1
193     } rsa_cache;
194    
195 pcg 1.60 void rsa_cache::cleaner_cb (ev::timer &w, int revents)
196 pcg 1.1 {
197 pcg 1.60 if (empty ())
198     w.stop ();
199     else
200 pcg 1.1 {
201     for (iterator i = begin (); i != end (); )
202 pcg 1.62 if (i->expire <= ev_now ())
203 pcg 1.1 i = erase (i);
204     else
205     ++i;
206     }
207     }
208    
209     //////////////////////////////////////////////////////////////////////////////
210    
211 pcg 1.67 pkt_queue::pkt_queue (double max_ttl, int max_queue)
212     : max_ttl (max_ttl), max_queue (max_queue)
213 pcg 1.1 {
214 pcg 1.67 queue = new pkt [max_queue];
215    
216     i = 0;
217     j = 0;
218    
219     expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
220     }
221 pcg 1.1
222 pcg 1.67 pkt_queue::~pkt_queue ()
223     {
224     while (net_packet *p = get ())
225     delete p;
226 pcg 1.1
227 pcg 1.67 delete [] queue;
228 pcg 1.1 }
229    
230 pcg 1.67 void pkt_queue::expire_cb (ev::timer &w, int revents)
231 pcg 1.1 {
232 pcg 1.67 ev_tstamp expire = ev_now () - max_ttl;
233 pcg 1.1
234 pcg 1.67 for (;;)
235 pcg 1.1 {
236 pcg 1.67 if (empty ())
237     break;
238    
239     double diff = queue[j].tstamp - expire;
240    
241     if (diff >= 0.)
242     {
243     w.start (diff > 0.5 ? diff : 0.5);
244     break;
245     }
246    
247     delete get ();
248 pcg 1.1 }
249     }
250    
251 pcg 1.67 void pkt_queue::put (net_packet *p)
252 pcg 1.1 {
253 pcg 1.67 ev_tstamp now = ev_now ();
254    
255     // start expiry timer
256     if (empty ())
257     expire.start (max_ttl);
258    
259     int ni = i + 1 == max_queue ? 0 : i + 1;
260    
261     if (ni == j)
262     delete get ();
263    
264     queue[i].pkt = p;
265     queue[i].tstamp = now;
266    
267     i = ni;
268 pcg 1.1 }
269    
270 pcg 1.67 net_packet *pkt_queue::get ()
271 pcg 1.1 {
272 pcg 1.67 if (empty ())
273     return 0;
274    
275     net_packet *p = queue[j].pkt;
276     queue[j].pkt = 0;
277    
278     j = j + 1 == max_queue ? 0 : j + 1;
279    
280     return p;
281 pcg 1.1 }
282    
283 pcg 1.63 struct net_rateinfo
284     {
285 pcg 1.1 u32 host;
286     double pcnt, diff;
287     tstamp last;
288     };
289    
290     // only do action once every x seconds per host whole allowing bursts.
291     // this implementation ("splay list" ;) is inefficient,
292     // but low on resources.
293     struct net_rate_limiter : list<net_rateinfo>
294     {
295 pcg 1.35 # define NRL_ALPHA (1. - 1. / 600.) // allow bursts
296     # define NRL_CUTOFF 10. // one event every CUTOFF seconds
297     # define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
298     # define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
299 pcg 1.1
300 pcg 1.16 bool can (const sockinfo &si) { return can((u32)si.host); }
301 pcg 1.1 bool can (u32 host);
302     };
303    
304     net_rate_limiter auth_rate_limiter, reset_rate_limiter;
305    
306     bool net_rate_limiter::can (u32 host)
307     {
308     iterator i;
309    
310     for (i = begin (); i != end (); )
311     if (i->host == host)
312     break;
313 pcg 1.62 else if (i->last < ev_now () - NRL_EXPIRE)
314 pcg 1.1 i = erase (i);
315     else
316     i++;
317    
318     if (i == end ())
319     {
320     net_rateinfo ri;
321    
322     ri.host = host;
323     ri.pcnt = 1.;
324 pcg 1.34 ri.diff = NRL_MAXDIF;
325 pcg 1.62 ri.last = ev_now ();
326 pcg 1.1
327     push_front (ri);
328    
329     return true;
330     }
331     else
332     {
333     net_rateinfo ri (*i);
334     erase (i);
335    
336 pcg 1.34 ri.pcnt = ri.pcnt * NRL_ALPHA;
337 pcg 1.62 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
338 pcg 1.1
339 pcg 1.62 ri.last = ev_now ();
340 pcg 1.1
341 pcg 1.10 double dif = ri.diff / ri.pcnt;
342 pcg 1.1
343 pcg 1.34 bool send = dif > NRL_CUTOFF;
344 pcg 1.10
345 pcg 1.34 if (dif > NRL_MAXDIF)
346 pcg 1.10 {
347     ri.pcnt = 1.;
348 pcg 1.34 ri.diff = NRL_MAXDIF;
349 pcg 1.10 }
350     else if (send)
351 pcg 1.1 ri.pcnt++;
352    
353     push_front (ri);
354    
355     return send;
356     }
357     }
358    
359     /////////////////////////////////////////////////////////////////////////////
360    
361     unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
362    
363     void hmac_packet::hmac_gen (crypto_ctx *ctx)
364     {
365     unsigned int xlen;
366    
367     HMAC_CTX *hctx = &ctx->hctx;
368    
369     HMAC_Init_ex (hctx, 0, 0, 0, 0);
370     HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
371     len - sizeof (hmac_packet));
372     HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
373     }
374    
375     void
376     hmac_packet::hmac_set (crypto_ctx *ctx)
377     {
378     hmac_gen (ctx);
379    
380     memcpy (hmac, hmac_digest, HMACLENGTH);
381     }
382    
383     bool
384     hmac_packet::hmac_chk (crypto_ctx *ctx)
385     {
386     hmac_gen (ctx);
387    
388     return !memcmp (hmac, hmac_digest, HMACLENGTH);
389     }
390    
391 pcg 1.6 void vpn_packet::set_hdr (ptype type_, unsigned int dst)
392 pcg 1.1 {
393 pcg 1.6 type = type_;
394 pcg 1.1
395     int src = THISNODE->id;
396    
397     src1 = src;
398     srcdst = ((src >> 8) << 4) | (dst >> 8);
399     dst1 = dst;
400     }
401    
402     #define MAXVPNDATA (MAX_MTU - 6 - 6)
403     #define DATAHDR (sizeof (u32) + RAND_SIZE)
404    
405 pcg 1.28 struct vpndata_packet : vpn_packet
406 pcg 1.1 {
407     u8 data[MAXVPNDATA + DATAHDR]; // seqno
408    
409     void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
410     tap_packet *unpack (connection *conn, u32 &seqno);
411     private:
412    
413     const u32 data_hdr_size () const
414     {
415     return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
416     }
417     };
418    
419     void
420     vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
421     {
422     EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
423     int outl = 0, outl2;
424     ptype type = PT_DATA_UNCOMPRESSED;
425    
426     #if ENABLE_COMPRESSION
427     u8 cdata[MAX_MTU];
428    
429 pcg 1.31 if (conn->features & ENABLE_COMPRESSION)
430 pcg 1.1 {
431 pcg 1.31 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
432 pcg 1.1
433 pcg 1.31 if (cl)
434     {
435     type = PT_DATA_COMPRESSED;
436     d = cdata;
437     l = cl + 2;
438    
439     d[0] = cl >> 8;
440     d[1] = cl;
441     }
442 pcg 1.1 }
443     #endif
444    
445 pcg 1.29 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
446 pcg 1.1
447     struct {
448     #if RAND_SIZE
449     u8 rnd[RAND_SIZE];
450     #endif
451     u32 seqno;
452     } datahdr;
453    
454     datahdr.seqno = ntohl (seqno);
455     #if RAND_SIZE
456     RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
457     #endif
458    
459 pcg 1.29 require (EVP_EncryptUpdate (cctx,
460 pcg 1.1 (unsigned char *) data + outl, &outl2,
461 pcg 1.29 (unsigned char *) &datahdr, DATAHDR));
462 pcg 1.1 outl += outl2;
463    
464 pcg 1.29 require (EVP_EncryptUpdate (cctx,
465 pcg 1.1 (unsigned char *) data + outl, &outl2,
466 pcg 1.29 (unsigned char *) d, l));
467 pcg 1.1 outl += outl2;
468    
469 pcg 1.29 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
470 pcg 1.1 outl += outl2;
471    
472     len = outl + data_hdr_size ();
473    
474     set_hdr (type, dst);
475    
476     hmac_set (conn->octx);
477     }
478    
479     tap_packet *
480     vpndata_packet::unpack (connection *conn, u32 &seqno)
481     {
482     EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
483     int outl = 0, outl2;
484     tap_packet *p = new tap_packet;
485     u8 *d;
486     u32 l = len - data_hdr_size ();
487    
488 pcg 1.29 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
489 pcg 1.1
490     #if ENABLE_COMPRESSION
491     u8 cdata[MAX_MTU];
492    
493     if (type == PT_DATA_COMPRESSED)
494     d = cdata;
495     else
496     #endif
497     d = &(*p)[6 + 6 - DATAHDR];
498    
499     /* this overwrites part of the src mac, but we fix that later */
500 pcg 1.29 require (EVP_DecryptUpdate (cctx,
501 pcg 1.1 d, &outl2,
502 pcg 1.29 (unsigned char *)&data, len - data_hdr_size ()));
503 pcg 1.1 outl += outl2;
504    
505 pcg 1.29 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
506 pcg 1.1 outl += outl2;
507    
508     seqno = ntohl (*(u32 *)(d + RAND_SIZE));
509    
510     id2mac (dst () ? dst() : THISNODE->id, p->dst);
511     id2mac (src (), p->src);
512    
513     #if ENABLE_COMPRESSION
514     if (type == PT_DATA_COMPRESSED)
515     {
516     u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
517    
518     p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
519     &(*p)[6 + 6], MAX_MTU)
520     + 6 + 6;
521     }
522     else
523     p->len = outl + (6 + 6 - DATAHDR);
524     #endif
525    
526     return p;
527     }
528    
529     struct ping_packet : vpn_packet
530     {
531     void setup (int dst, ptype type)
532     {
533     set_hdr (type, dst);
534     len = sizeof (*this) - sizeof (net_packet);
535     }
536     };
537    
538     struct config_packet : vpn_packet
539     {
540     // actually, hmaclen cannot be checked because the hmac
541     // field comes before this data, so peers with other
542     // hmacs simply will not work.
543     u8 prot_major, prot_minor, randsize, hmaclen;
544 pcg 1.31 u8 flags, challengelen, features, pad3;
545 pcg 1.1 u32 cipher_nid, digest_nid, hmac_nid;
546    
547     void setup (ptype type, int dst);
548     bool chk_config () const;
549 pcg 1.32
550     static u8 get_features ()
551     {
552     u8 f = 0;
553     #if ENABLE_COMPRESSION
554     f |= FEATURE_COMPRESSION;
555     #endif
556     #if ENABLE_ROHC
557     f |= FEATURE_ROHC;
558     #endif
559 pcg 1.59 #if ENABLE_BRIDGING
560     f |= FEATURE_BRIDGING;
561     #endif
562 pcg 1.32 return f;
563     }
564 pcg 1.1 };
565    
566     void config_packet::setup (ptype type, int dst)
567     {
568     prot_major = PROTOCOL_MAJOR;
569     prot_minor = PROTOCOL_MINOR;
570     randsize = RAND_SIZE;
571     hmaclen = HMACLENGTH;
572 pcg 1.48 flags = 0;
573 pcg 1.1 challengelen = sizeof (rsachallenge);
574 pcg 1.32 features = get_features ();
575 pcg 1.1
576     cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
577     digest_nid = htonl (EVP_MD_type (RSA_HASH));
578     hmac_nid = htonl (EVP_MD_type (DIGEST));
579    
580     len = sizeof (*this) - sizeof (net_packet);
581     set_hdr (type, dst);
582     }
583    
584     bool config_packet::chk_config () const
585     {
586 pcg 1.15 if (prot_major != PROTOCOL_MAJOR)
587 pcg 1.23 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
588 pcg 1.15 else if (randsize != RAND_SIZE)
589 pcg 1.23 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
590 pcg 1.15 else if (hmaclen != HMACLENGTH)
591 pcg 1.23 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
592 pcg 1.15 else if (challengelen != sizeof (rsachallenge))
593 pcg 1.23 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
594 pcg 1.15 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
595 pcg 1.23 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
596 pcg 1.15 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
597 pcg 1.23 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
598 pcg 1.15 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
599 pcg 1.23 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
600 pcg 1.15 else
601     return true;
602    
603     return false;
604 pcg 1.1 }
605    
606     struct auth_req_packet : config_packet
607     {
608     char magic[8];
609     u8 initiate; // false if this is just an automatic reply
610 pcg 1.28 u8 protocols; // supported protocols (will be patched on forward)
611 pcg 1.1 u8 pad2, pad3;
612     rsaid id;
613     rsaencrdata encr;
614    
615     auth_req_packet (int dst, bool initiate_, u8 protocols_)
616     {
617     config_packet::setup (PT_AUTH_REQ, dst);
618     strncpy (magic, MAGIC, 8);
619     initiate = !!initiate_;
620     protocols = protocols_;
621    
622     len = sizeof (*this) - sizeof (net_packet);
623     }
624     };
625    
626     struct auth_res_packet : config_packet
627     {
628     rsaid id;
629     u8 pad1, pad2, pad3;
630     u8 response_len; // encrypted length
631     rsaresponse response;
632    
633     auth_res_packet (int dst)
634     {
635     config_packet::setup (PT_AUTH_RES, dst);
636    
637     len = sizeof (*this) - sizeof (net_packet);
638     }
639     };
640    
641     struct connect_req_packet : vpn_packet
642     {
643     u8 id, protocols;
644     u8 pad1, pad2;
645    
646     connect_req_packet (int dst, int id_, u8 protocols_)
647     : id(id_)
648     , protocols(protocols_)
649     {
650     set_hdr (PT_CONNECT_REQ, dst);
651     len = sizeof (*this) - sizeof (net_packet);
652     }
653     };
654    
655     struct connect_info_packet : vpn_packet
656     {
657     u8 id, protocols;
658     u8 pad1, pad2;
659     sockinfo si;
660    
661     connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
662     : id(id_)
663     , protocols(protocols_)
664     , si(si_)
665     {
666     set_hdr (PT_CONNECT_INFO, dst);
667    
668     len = sizeof (*this) - sizeof (net_packet);
669     }
670     };
671    
672     /////////////////////////////////////////////////////////////////////////////
673    
674     void
675 pcg 1.10 connection::connection_established ()
676     {
677 pcg 1.61 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
678    
679 pcg 1.10 if (ictx && octx)
680     {
681 pcg 1.36 // make sure rekeying timeouts are slightly asymmetric
682 pcg 1.60 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
683     rekey.start (rekey_interval, rekey_interval);
684     keepalive.start (::conf.keepalive);
685 pcg 1.10
686     // send queued packets
687     if (ictx && octx)
688 pcg 1.12 {
689     while (tap_packet *p = (tap_packet *)data_queue.get ())
690     {
691 pcg 1.67 if (p->len) send_data_packet (p);
692 pcg 1.12 delete p;
693     }
694    
695     while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
696     {
697 pcg 1.67 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
698 pcg 1.12 delete p;
699     }
700     }
701 pcg 1.73
702     vpn->connection_established (this);
703 pcg 1.10 }
704     else
705     {
706     retry_cnt = 0;
707 pcg 1.60 establish_connection.start (5);
708 pcg 1.25 keepalive.stop ();
709     rekey.stop ();
710 pcg 1.10 }
711     }
712    
713     void
714 pcg 1.8 connection::reset_si ()
715 pcg 1.1 {
716 pcg 1.73 if (vpn->can_direct (THISNODE, conf))
717     protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
718     else
719 pcg 1.59 {
720 pcg 1.73 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
721 pcg 1.59 protocol = 0;
722     }
723 pcg 1.6
724     si.set (conf, protocol);
725 pcg 1.73
726     is_direct = si.valid ();
727 pcg 1.1 }
728    
729 pcg 1.8 // ensure sockinfo is valid, forward if necessary
730     const sockinfo &
731     connection::forward_si (const sockinfo &si) const
732     {
733     if (!si.valid ())
734     {
735 pcg 1.73 connection *r = vpn->find_router_for (this);
736 pcg 1.8
737     if (r)
738     {
739 pcg 1.73 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
740     conf->nodename, r->conf->nodename);
741 pcg 1.8 return r->si;
742     }
743     else
744 pcg 1.73 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
745 pcg 1.8 conf->nodename);
746     }
747    
748     return si;
749     }
750    
751 pcg 1.1 void
752 pcg 1.10 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
753     {
754 pcg 1.46 if (!vpn->send_vpn_packet (pkt, si, tos))
755 pcg 1.10 reset_connection ();
756     }
757    
758     void
759 pcg 1.1 connection::send_ping (const sockinfo &si, u8 pong)
760     {
761     ping_packet *pkt = new ping_packet;
762    
763     pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
764 pcg 1.73
765     slog (L_TRACE, ">>%d %s [%s]", conf->id, pong ? "PT_PONG" : "PT_PING", (const char *)si);
766    
767 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
768 pcg 1.1
769     delete pkt;
770     }
771    
772     void
773     connection::send_reset (const sockinfo &si)
774     {
775     if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
776     {
777     config_packet *pkt = new config_packet;
778    
779     pkt->setup (vpn_packet::PT_RESET, conf->id);
780 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_MINCOST);
781 pcg 1.1
782     delete pkt;
783     }
784     }
785    
786     void
787     connection::send_auth_request (const sockinfo &si, bool initiate)
788     {
789     auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
790    
791 pcg 1.6 rsachallenge chg;
792     rsa_cache.gen (pkt->id, chg);
793 pcg 1.24 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
794 pcg 1.1
795 pcg 1.6 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
796 pcg 1.1
797 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
798 pcg 1.1
799 pcg 1.6 delete pkt;
800 pcg 1.1 }
801    
802     void
803     connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
804     {
805     auth_res_packet *pkt = new auth_res_packet (conf->id);
806    
807     pkt->id = id;
808    
809     rsa_hash (id, chg, pkt->response);
810    
811     pkt->hmac_set (octx);
812    
813     slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
814    
815 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
816 pcg 1.1
817     delete pkt;
818     }
819    
820     void
821     connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
822     {
823 pcg 1.58 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
824 pcg 1.1 conf->id, rid, (const char *)rsi);
825    
826     connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
827    
828     r->hmac_set (octx);
829 pcg 1.10 send_vpn_packet (r, si);
830 pcg 1.1
831     delete r;
832     }
833    
834 pcg 1.66 inline void
835 pcg 1.60 connection::establish_connection_cb (ev::timer &w, int revents)
836 pcg 1.1 {
837 pcg 1.25 if (!ictx
838     && conf != THISNODE
839     && connectmode != conf_node::C_NEVER
840     && connectmode != conf_node::C_DISABLED
841 pcg 1.60 && !w.is_active ())
842 pcg 1.1 {
843 pcg 1.67 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
844     // and stop trying. should probably be handled by a per-connection expire handler.
845     if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
846     {
847     reset_connection ();
848     return;
849     }
850    
851 pcg 1.68 last_establish_attempt = ev_now ();
852    
853 pcg 1.60 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
854     ? (retry_cnt & 3) + 1
855     : 1 << (retry_cnt >> 2));
856 pcg 1.1
857 pcg 1.47 reset_si ();
858 pcg 1.1
859 pcg 1.47 bool slow = si.prot & PROT_SLOW;
860 pcg 1.8
861 pcg 1.73 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
862 pcg 1.60 {
863     /*TODO*/ /* start the timer so we don't recurse endlessly */
864     w.start (1);
865 pcg 1.74 vpn->send_connect_request (this);
866 pcg 1.60 }
867 pcg 1.8 else
868 pcg 1.1 {
869 pcg 1.73 if (si.valid ())
870     slog (L_DEBUG, _("%s: sending direct connection request to %s."),
871     conf->nodename, (const char *)si);
872 pcg 1.61
873 pcg 1.8 const sockinfo &dsi = forward_si (si);
874 pcg 1.6
875 pcg 1.47 slow = slow || (dsi.prot & PROT_SLOW);
876    
877 pcg 1.8 if (dsi.valid () && auth_rate_limiter.can (dsi))
878     {
879     if (retry_cnt < 4)
880     send_auth_request (dsi, true);
881     else
882     send_ping (dsi, 0);
883     }
884 pcg 1.1 }
885 pcg 1.47
886 pcg 1.68 retry_int *= slow ? 8. : 0.9;
887 pcg 1.47
888     if (retry_int < conf->max_retry)
889     retry_cnt++;
890     else
891     retry_int = conf->max_retry;
892    
893 pcg 1.60 w.start (retry_int);
894 pcg 1.1 }
895     }
896    
897     void
898     connection::reset_connection ()
899     {
900     if (ictx && octx)
901     {
902     slog (L_INFO, _("%s(%s): connection lost"),
903     conf->nodename, (const char *)si);
904    
905     if (::conf.script_node_down)
906 pcg 1.64 {
907 pcg 1.70 run_script_cb *cb = new run_script_cb;
908     cb->set<connection, &connection::script_node_down> (this);
909     run_script_queued (cb, _("node-down command execution failed, continuing."));
910 pcg 1.64 }
911 pcg 1.1 }
912    
913     delete ictx; ictx = 0;
914     delete octx; octx = 0;
915 pcg 1.44 #if ENABLE_DNS
916 pcg 1.45 dnsv4_reset_connection ();
917 pcg 1.44 #endif
918 pcg 1.1
919 pcg 1.38 si.host = 0;
920 pcg 1.1
921 pcg 1.73 last_activity = 0.;
922     //last_si_change = 0.;
923 pcg 1.1 retry_cnt = 0;
924    
925 pcg 1.25 rekey.stop ();
926     keepalive.stop ();
927     establish_connection.stop ();
928 pcg 1.1 }
929    
930     void
931     connection::shutdown ()
932     {
933     if (ictx && octx)
934     send_reset (si);
935    
936     reset_connection ();
937     }
938    
939 pcg 1.73 // poor-man's rekeying
940 pcg 1.66 inline void
941 pcg 1.60 connection::rekey_cb (ev::timer &w, int revents)
942 pcg 1.1 {
943     reset_connection ();
944     establish_connection ();
945     }
946    
947     void
948 pcg 1.21 connection::send_data_packet (tap_packet *pkt)
949 pcg 1.1 {
950     vpndata_packet *p = new vpndata_packet;
951     int tos = 0;
952    
953 pcg 1.12 // I am not hilarious about peeking into packets, but so be it.
954 pcg 1.21 if (conf->inherit_tos && pkt->is_ipv4 ())
955 pcg 1.1 tos = (*pkt)[15] & IPTOS_TOS_MASK;
956    
957 pcg 1.21 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
958 pcg 1.10 send_vpn_packet (p, si, tos);
959 pcg 1.1
960     delete p;
961    
962     if (oseqno > MAX_SEQNO)
963     rekey ();
964     }
965    
966     void
967 pcg 1.68 connection::post_inject_queue ()
968     {
969     // force a connection every now and when when packets are sent (max 1/s)
970     if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
971     establish_connection.stop ();
972    
973     establish_connection ();
974     }
975    
976     void
977     connection::inject_data_packet (tap_packet *pkt)
978 pcg 1.1 {
979     if (ictx && octx)
980 pcg 1.21 send_data_packet (pkt);
981 pcg 1.1 else
982     {
983 pcg 1.68 data_queue.put (new tap_packet (*pkt));
984     post_inject_queue ();
985 pcg 1.1 }
986     }
987    
988 pcg 1.8 void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
989     {
990     if (ictx && octx)
991 pcg 1.10 send_vpn_packet (pkt, si, tos);
992 pcg 1.8 else
993 pcg 1.12 {
994 pcg 1.28 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
995 pcg 1.68 post_inject_queue ();
996 pcg 1.12 }
997 pcg 1.8 }
998    
999 pcg 1.1 void
1000     connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1001     {
1002 pcg 1.62 last_activity = ev_now ();
1003 pcg 1.1
1004 pcg 1.73 slog (L_NOISE, "<<%d received packet type %d from %d to %d.",
1005 pcg 1.1 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
1006    
1007 pcg 1.61 if (connectmode == conf_node::C_DISABLED)
1008     return;
1009    
1010 pcg 1.1 switch (pkt->typ ())
1011     {
1012 pcg 1.3 case vpn_packet::PT_PING:
1013     // we send pings instead of auth packets after some retries,
1014     // so reset the retry counter and establish a connection
1015     // when we receive a ping.
1016     if (!ictx)
1017     {
1018     if (auth_rate_limiter.can (rsi))
1019     send_auth_request (rsi, true);
1020     }
1021     else
1022 pcg 1.73 // we would love to change thre socket address here, but ping's aren't
1023     // authenticated, so we best ignore it.
1024 pcg 1.3 send_ping (rsi, 1); // pong
1025    
1026     break;
1027    
1028     case vpn_packet::PT_PONG:
1029     break;
1030    
1031     case vpn_packet::PT_RESET:
1032 pcg 1.1 {
1033 pcg 1.3 reset_connection ();
1034    
1035     config_packet *p = (config_packet *) pkt;
1036    
1037     if (!p->chk_config ())
1038     {
1039 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
1040 pcg 1.3 conf->nodename, (const char *)rsi);
1041     connectmode = conf_node::C_DISABLED;
1042     }
1043     else if (connectmode == conf_node::C_ALWAYS)
1044     establish_connection ();
1045 pcg 1.1 }
1046 pcg 1.3 break;
1047    
1048     case vpn_packet::PT_AUTH_REQ:
1049     if (auth_rate_limiter.can (rsi))
1050     {
1051     auth_req_packet *p = (auth_req_packet *) pkt;
1052    
1053     slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
1054 pcg 1.1
1055 pcg 1.3 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
1056     {
1057     if (p->prot_minor != PROTOCOL_MINOR)
1058     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1059     conf->nodename, (const char *)rsi,
1060     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1061    
1062     if (p->initiate)
1063     send_auth_request (rsi, false);
1064    
1065     rsachallenge k;
1066    
1067 pcg 1.24 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
1068 pcg 1.23 {
1069     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1070     conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1071     break;
1072     }
1073 pcg 1.3 else
1074     {
1075     delete octx;
1076 pcg 1.1
1077 pcg 1.3 octx = new crypto_ctx (k, 1);
1078     oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
1079 pcg 1.1
1080 pcg 1.3 conf->protocols = p->protocols;
1081 pcg 1.32 features = p->features & config_packet::get_features ();
1082 pcg 1.10
1083 pcg 1.3 send_auth_response (rsi, p->id, k);
1084    
1085 pcg 1.10 connection_established ();
1086    
1087 pcg 1.3 break;
1088     }
1089     }
1090 pcg 1.15 else
1091 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch."),
1092 pcg 1.15 conf->nodename, (const char *)rsi);
1093 pcg 1.3
1094     send_reset (rsi);
1095 pcg 1.1 }
1096    
1097 pcg 1.3 break;
1098    
1099     case vpn_packet::PT_AUTH_RES:
1100 pcg 1.1 {
1101 pcg 1.3 auth_res_packet *p = (auth_res_packet *) pkt;
1102 pcg 1.1
1103 pcg 1.3 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
1104 pcg 1.1
1105 pcg 1.3 if (p->chk_config ())
1106 pcg 1.1 {
1107     if (p->prot_minor != PROTOCOL_MINOR)
1108     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1109     conf->nodename, (const char *)rsi,
1110     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1111    
1112 pcg 1.3 rsachallenge chg;
1113 pcg 1.1
1114 pcg 1.3 if (!rsa_cache.find (p->id, chg))
1115 pcg 1.13 {
1116 pcg 1.73 slog (L_ERR, _("%s(%s): unrequested auth response, ignoring."),
1117 pcg 1.13 conf->nodename, (const char *)rsi);
1118     break;
1119     }
1120 pcg 1.1 else
1121     {
1122 pcg 1.3 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1123    
1124     if (!p->hmac_chk (cctx))
1125 pcg 1.18 {
1126     slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1127 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1128 pcg 1.18 conf->nodename, (const char *)rsi);
1129     break;
1130     }
1131 pcg 1.3 else
1132     {
1133     rsaresponse h;
1134    
1135     rsa_hash (p->id, chg, h);
1136    
1137     if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
1138     {
1139     prot_minor = p->prot_minor;
1140    
1141     delete ictx; ictx = cctx;
1142    
1143     iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1144    
1145     si = rsi;
1146 pcg 1.7 protocol = rsi.prot;
1147 pcg 1.3
1148 pcg 1.76 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
1149 pcg 1.3 conf->nodename, (const char *)rsi,
1150 pcg 1.76 is_direct ? "direct" : "routed",
1151 pcg 1.3 p->prot_major, p->prot_minor);
1152 pcg 1.1
1153 pcg 1.73 connection_established ();
1154    
1155 pcg 1.3 if (::conf.script_node_up)
1156 pcg 1.64 {
1157 pcg 1.70 run_script_cb *cb = new run_script_cb;
1158     cb->set<connection, &connection::script_node_up> (this);
1159     run_script_queued (cb, _("node-up command execution failed, continuing."));
1160 pcg 1.64 }
1161 pcg 1.1
1162 pcg 1.3 break;
1163     }
1164     else
1165 pcg 1.73 slog (L_ERR, _("%s(%s): sent and received challenge do not match."),
1166 pcg 1.3 conf->nodename, (const char *)rsi);
1167     }
1168 pcg 1.1
1169 pcg 1.3 delete cctx;
1170 pcg 1.1 }
1171     }
1172     }
1173    
1174 pcg 1.3 send_reset (rsi);
1175     break;
1176 pcg 1.1
1177 pcg 1.3 case vpn_packet::PT_DATA_COMPRESSED:
1178     #if !ENABLE_COMPRESSION
1179     send_reset (rsi);
1180     break;
1181     #endif
1182 pcg 1.1
1183 pcg 1.3 case vpn_packet::PT_DATA_UNCOMPRESSED:
1184 pcg 1.1
1185 pcg 1.3 if (ictx && octx)
1186 pcg 1.1 {
1187 pcg 1.3 vpndata_packet *p = (vpndata_packet *)pkt;
1188 pcg 1.1
1189 pcg 1.10 if (!p->hmac_chk (ictx))
1190     slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1191 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1192 pcg 1.10 conf->nodename, (const char *)rsi);
1193     else
1194 pcg 1.1 {
1195 pcg 1.10 u32 seqno;
1196     tap_packet *d = p->unpack (this, seqno);
1197 pcg 1.73 int seqclass = iseqno.seqno_classify (seqno);
1198 pcg 1.10
1199 pcg 1.73 if (seqclass == 0) // ok
1200 pcg 1.1 {
1201 pcg 1.10 vpn->tap->send (d);
1202 pcg 1.1
1203 pcg 1.10 if (si != rsi)
1204 pcg 1.1 {
1205 pcg 1.56 // fast re-sync on source address changes, useful especially for tcp/ip
1206 pcg 1.73 //if (last_si_change < ev_now () + 5.)
1207     // {
1208 pcg 1.78 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1209     conf->nodename, (const char *)si, (const char *)rsi);
1210    
1211 pcg 1.73 si = rsi;
1212     // }
1213     //else
1214     // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1215     // conf->nodename, (const char *)si, (const char *)rsi);
1216 pcg 1.10 }
1217 pcg 1.32 }
1218 pcg 1.75 else if (seqclass == 1) // far history
1219     slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1220     "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1221     else if (seqclass == 2) // in-window duplicate, happens often on wireless
1222     slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1223     "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1224     else if (seqclass == 3) // reset
1225 pcg 1.73 {
1226 pcg 1.75 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1227     "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1228 pcg 1.73 send_reset (rsi);
1229     }
1230 pcg 1.3
1231 pcg 1.32 delete d;
1232     break;
1233 pcg 1.1 }
1234     }
1235    
1236 pcg 1.3 send_reset (rsi);
1237     break;
1238 pcg 1.1
1239 pcg 1.3 case vpn_packet::PT_CONNECT_REQ:
1240     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1241     {
1242     connect_req_packet *p = (connect_req_packet *) pkt;
1243 pcg 1.1
1244 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1245     {
1246     connection *c = vpn->conns[p->id - 1];
1247     conf->protocols = p->protocols;
1248 pcg 1.1
1249 pcg 1.58 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1250 pcg 1.57 conf->id, p->id, c->ictx && c->octx);
1251 pcg 1.1
1252 pcg 1.57 if (c->ictx && c->octx)
1253     {
1254     // send connect_info packets to both sides, in case one is
1255     // behind a nat firewall (or both ;)
1256     c->send_connect_info (conf->id, si, conf->protocols);
1257     send_connect_info (c->conf->id, c->si, c->conf->protocols);
1258     }
1259     else
1260     c->establish_connection ();
1261 pcg 1.3 }
1262 pcg 1.11 else
1263 pcg 1.57 slog (L_WARN,
1264     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1265     p->id);
1266 pcg 1.3 }
1267 pcg 1.1
1268 pcg 1.3 break;
1269 pcg 1.1
1270 pcg 1.3 case vpn_packet::PT_CONNECT_INFO:
1271     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1272     {
1273 pcg 1.39 connect_info_packet *p = (connect_info_packet *)pkt;
1274 pcg 1.1
1275 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1276 pcg 1.39 {
1277     connection *c = vpn->conns[p->id - 1];
1278 pcg 1.7
1279 pcg 1.39 c->conf->protocols = p->protocols;
1280     protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1281     p->si.upgrade_protocol (protocol, c->conf);
1282 pcg 1.1
1283 pcg 1.39 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1284     conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1285 pcg 1.7
1286 pcg 1.39 const sockinfo &dsi = forward_si (p->si);
1287 pcg 1.1
1288 pcg 1.39 if (dsi.valid ())
1289     c->send_auth_request (dsi, true);
1290     }
1291 pcg 1.57 else
1292     slog (L_WARN,
1293     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1294     p->id);
1295 pcg 1.3 }
1296 pcg 1.1
1297 pcg 1.3 break;
1298 pcg 1.1
1299 pcg 1.3 default:
1300     send_reset (rsi);
1301     break;
1302 pcg 1.1 }
1303     }
1304    
1305 pcg 1.66 inline void
1306     connection::keepalive_cb (ev::timer &w, int revents)
1307 pcg 1.1 {
1308 pcg 1.62 if (ev_now () >= last_activity + ::conf.keepalive + 30)
1309 pcg 1.1 {
1310     reset_connection ();
1311     establish_connection ();
1312     }
1313 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive)
1314 pcg 1.60 w.start (last_activity + ::conf.keepalive - ev::now ());
1315 pcg 1.1 else if (conf->connectmode != conf_node::C_ONDEMAND
1316     || THISNODE->connectmode != conf_node::C_ONDEMAND)
1317     {
1318     send_ping (si);
1319 pcg 1.60 w.start (5);
1320 pcg 1.1 }
1321 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1322 pcg 1.12 // hold ondemand connections implicitly a few seconds longer
1323     // should delete octx, though, or something like that ;)
1324 pcg 1.60 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1325 pcg 1.1 else
1326     reset_connection ();
1327     }
1328    
1329 pcg 1.10 void connection::send_connect_request (int id)
1330 pcg 1.1 {
1331     connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1332    
1333     slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1334     p->hmac_set (octx);
1335 pcg 1.10 send_vpn_packet (p, si);
1336 pcg 1.1
1337     delete p;
1338     }
1339    
1340 pcg 1.53 void connection::script_init_env (const char *ext)
1341     {
1342     char *env;
1343     asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1344     asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1345     asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1346     0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1347     conf->id & 0xff); putenv (env);
1348     }
1349    
1350     void connection::script_init_connect_env ()
1351 pcg 1.1 {
1352 pcg 1.52 vpn->script_init_env ();
1353 pcg 1.1
1354     char *env;
1355     asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1356     asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1357     asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1358     asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1359     }
1360    
1361 pcg 1.66 inline const char *
1362     connection::script_node_up ()
1363 pcg 1.1 {
1364 pcg 1.53 script_init_connect_env ();
1365 pcg 1.1
1366 pcg 1.60 putenv ((char *)"STATE=up");
1367 pcg 1.1
1368 pcg 1.52 char *filename;
1369     asprintf (&filename,
1370     "%s/%s",
1371     confbase,
1372     ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1373 pcg 1.54
1374     return filename;
1375 pcg 1.1 }
1376    
1377 pcg 1.66 inline const char *
1378     connection::script_node_down ()
1379 pcg 1.1 {
1380 pcg 1.53 script_init_connect_env ();
1381 pcg 1.1
1382 pcg 1.60 putenv ((char *)"STATE=down");
1383 pcg 1.1
1384 pcg 1.52 char *filename;
1385     asprintf (&filename,
1386     "%s/%s",
1387     confbase,
1388     ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1389 pcg 1.54
1390     return filename;
1391 pcg 1.1 }
1392    
1393 pcg 1.40 connection::connection (struct vpn *vpn, conf_node *conf)
1394 pcg 1.67 : vpn(vpn), conf(conf),
1395 pcg 1.40 #if ENABLE_DNS
1396 pcg 1.67 dns (0),
1397 pcg 1.40 #endif
1398 pcg 1.72 data_queue(conf->max_ttl, conf->max_queue + 1),
1399     vpn_queue(conf->max_ttl, conf->max_queue + 1)
1400 pcg 1.1 {
1401 pcg 1.65 rekey .set<connection, &connection::rekey_cb > (this);
1402     keepalive .set<connection, &connection::keepalive_cb > (this);
1403     establish_connection.set<connection, &connection::establish_connection_cb> (this);
1404    
1405 pcg 1.68 last_establish_attempt = 0.;
1406 pcg 1.1 octx = ictx = 0;
1407    
1408 pcg 1.40 if (!conf->protocols) // make sure some protocol is enabled
1409     conf->protocols = PROT_UDPv4;
1410    
1411 pcg 1.67 connectmode = conf->connectmode;
1412    
1413     // queue a dummy packet to force an initial connection attempt
1414     if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1415 pcg 1.68 vpn_queue.put (new net_packet);
1416 pcg 1.67
1417 pcg 1.1 reset_connection ();
1418     }
1419    
1420     connection::~connection ()
1421     {
1422     shutdown ();
1423     }
1424    
1425     void connection_init ()
1426     {
1427     auth_rate_limiter.clear ();
1428     reset_rate_limiter.clear ();
1429     }
1430