ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
Revision: 1.79
Committed: Fri Aug 15 17:45:12 2008 UTC (15 years, 9 months ago) by pcg
Content type: text/plain
Branch: MAIN
Changes since 1.78: +21 -16 lines
Log Message: 
improved logging

File Contents

# User Rev Content
1 pcg 1.1 /*
2     connection.C -- manage a single connection
3 pcg 1.69 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.42 This file is part of GVPE.
6    
7 pcg 1.69 GVPE is free software; you can redistribute it and/or modify it
8     under the terms of the GNU General Public License as published by the
9     Free Software Foundation; either version 3 of the License, or (at your
10     option) any later version.
11    
12     This program is distributed in the hope that it will be useful, but
13     WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15     Public License for more details.
16    
17     You should have received a copy of the GNU General Public License along
18     with this program; if not, see <http://www.gnu.org/licenses/>.
19    
20     Additional permission under GNU GPL version 3 section 7
21    
22     If you modify this Program, or any covered work, by linking or
23     combining it with the OpenSSL project's OpenSSL library (or a modified
24     version of that library), containing parts covered by the terms of the
25     OpenSSL or SSLeay licenses, the licensors of this Program grant you
26     additional permission to convey the resulting work. Corresponding
27     Source for a non-source form of such a combination shall include the
28     source code for the parts of OpenSSL used as well as that of the
29     covered work.
30 pcg 1.1 */
31    
32     #include "config.h"
33    
34     #include <list>
35 pcg 1.70 #include <queue>
36     #include <utility>
37 pcg 1.1
38 pcg 1.2 #include <openssl/rand.h>
39     #include <openssl/evp.h>
40     #include <openssl/rsa.h>
41     #include <openssl/err.h>
42    
43 pcg 1.1 #include "conf.h"
44     #include "slog.h"
45     #include "device.h"
46 pcg 1.2 #include "vpn.h"
47 pcg 1.1 #include "connection.h"
48    
49 pcg 1.20 #include "netcompat.h"
50 pcg 1.19
51 pcg 1.1 #if !HAVE_RAND_PSEUDO_BYTES
52     # define RAND_pseudo_bytes RAND_bytes
53     #endif
54    
55     #define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
56 pcg 1.30
57     #define ULTRA_FAST 1
58     #define HLOG 15
59     #include "lzf/lzf.h"
60     #include "lzf/lzf_c.c"
61     #include "lzf/lzf_d.c"
62 pcg 1.1
63 pcg 1.70 //////////////////////////////////////////////////////////////////////////////
64    
65     static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
66     static ev::child rs_child_ev;
67    
68     void // c++ requires external linkage here, apparently :(
69     rs_child_cb (ev::child &w, int revents)
70     {
71     w.stop ();
72    
73     if (rs_queue.empty ())
74     return;
75    
76     pid_t pid = run_script (*rs_queue.front ().first, false);
77     if (pid)
78     {
79     w.set (pid);
80     w.start ();
81     }
82     else
83     slog (L_WARN, rs_queue.front ().second);
84    
85     delete rs_queue.front ().first;
86     rs_queue.pop ();
87     }
88    
89     // despite the fancy name, this is quite a hack
90     static void
91     run_script_queued (run_script_cb *cb, const char *warnmsg)
92     {
93     rs_queue.push (std::make_pair (cb, warnmsg));
94    
95     if (!rs_child_ev.is_active ())
96     {
97     rs_child_ev.set<rs_child_cb> ();
98     rs_child_ev ();
99     }
100     }
101    
102     //////////////////////////////////////////////////////////////////////////////
103    
104 pcg 1.1 struct crypto_ctx
105     {
106     EVP_CIPHER_CTX cctx;
107     HMAC_CTX hctx;
108    
109     crypto_ctx (const rsachallenge &challenge, int enc);
110     ~crypto_ctx ();
111     };
112    
113     crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
114     {
115     EVP_CIPHER_CTX_init (&cctx);
116 pcg 1.29 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
117 pcg 1.1 HMAC_CTX_init (&hctx);
118     HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
119     }
120    
121     crypto_ctx::~crypto_ctx ()
122     {
123 pcg 1.29 require (EVP_CIPHER_CTX_cleanup (&cctx));
124 pcg 1.1 HMAC_CTX_cleanup (&hctx);
125     }
126    
127     static void
128     rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
129     {
130     EVP_MD_CTX ctx;
131    
132     EVP_MD_CTX_init (&ctx);
133 pcg 1.29 require (EVP_DigestInit (&ctx, RSA_HASH));
134     require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
135     require (EVP_DigestUpdate(&ctx, &id, sizeof id));
136     require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
137 pcg 1.1 EVP_MD_CTX_cleanup (&ctx);
138     }
139    
140 pcg 1.63 struct rsa_entry
141     {
142 pcg 1.1 tstamp expire;
143     rsaid id;
144     rsachallenge chg;
145     };
146    
147     struct rsa_cache : list<rsa_entry>
148     {
149 pcg 1.66 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
150 pcg 1.1
151     bool find (const rsaid &id, rsachallenge &chg)
152 pcg 1.51 {
153     for (iterator i = begin (); i != end (); ++i)
154     {
155 pcg 1.62 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
156 pcg 1.51 {
157     memcpy (&chg, &i->chg, sizeof chg);
158 pcg 1.1
159 pcg 1.51 erase (i);
160     return true;
161     }
162     }
163 pcg 1.1
164 pcg 1.60 if (!cleaner.is_active ())
165     cleaner.again ();
166 pcg 1.1
167 pcg 1.51 return false;
168     }
169 pcg 1.1
170     void gen (rsaid &id, rsachallenge &chg)
171 pcg 1.51 {
172     rsa_entry e;
173 pcg 1.1
174 pcg 1.51 RAND_bytes ((unsigned char *)&id, sizeof id);
175     RAND_bytes ((unsigned char *)&chg, sizeof chg);
176 pcg 1.1
177 pcg 1.62 e.expire = ev_now () + RSA_TTL;
178 pcg 1.51 e.id = id;
179     memcpy (&e.chg, &chg, sizeof chg);
180 pcg 1.1
181 pcg 1.51 push_back (e);
182 pcg 1.1
183 pcg 1.60 if (!cleaner.is_active ())
184     cleaner.again ();
185 pcg 1.51 }
186 pcg 1.1
187     rsa_cache ()
188 pcg 1.60 {
189 pcg 1.65 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
190 pcg 1.60 cleaner.set (RSA_TTL, RSA_TTL);
191     }
192 pcg 1.1
193     } rsa_cache;
194    
195 pcg 1.60 void rsa_cache::cleaner_cb (ev::timer &w, int revents)
196 pcg 1.1 {
197 pcg 1.60 if (empty ())
198     w.stop ();
199     else
200 pcg 1.1 {
201     for (iterator i = begin (); i != end (); )
202 pcg 1.62 if (i->expire <= ev_now ())
203 pcg 1.1 i = erase (i);
204     else
205     ++i;
206     }
207     }
208    
209     //////////////////////////////////////////////////////////////////////////////
210    
211 pcg 1.67 pkt_queue::pkt_queue (double max_ttl, int max_queue)
212     : max_ttl (max_ttl), max_queue (max_queue)
213 pcg 1.1 {
214 pcg 1.67 queue = new pkt [max_queue];
215    
216     i = 0;
217     j = 0;
218    
219     expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
220     }
221 pcg 1.1
222 pcg 1.67 pkt_queue::~pkt_queue ()
223     {
224     while (net_packet *p = get ())
225     delete p;
226 pcg 1.1
227 pcg 1.67 delete [] queue;
228 pcg 1.1 }
229    
230 pcg 1.67 void pkt_queue::expire_cb (ev::timer &w, int revents)
231 pcg 1.1 {
232 pcg 1.67 ev_tstamp expire = ev_now () - max_ttl;
233 pcg 1.1
234 pcg 1.67 for (;;)
235 pcg 1.1 {
236 pcg 1.67 if (empty ())
237     break;
238    
239     double diff = queue[j].tstamp - expire;
240    
241     if (diff >= 0.)
242     {
243     w.start (diff > 0.5 ? diff : 0.5);
244     break;
245     }
246    
247     delete get ();
248 pcg 1.1 }
249     }
250    
251 pcg 1.67 void pkt_queue::put (net_packet *p)
252 pcg 1.1 {
253 pcg 1.67 ev_tstamp now = ev_now ();
254    
255     // start expiry timer
256     if (empty ())
257     expire.start (max_ttl);
258    
259     int ni = i + 1 == max_queue ? 0 : i + 1;
260    
261     if (ni == j)
262     delete get ();
263    
264     queue[i].pkt = p;
265     queue[i].tstamp = now;
266    
267     i = ni;
268 pcg 1.1 }
269    
270 pcg 1.67 net_packet *pkt_queue::get ()
271 pcg 1.1 {
272 pcg 1.67 if (empty ())
273     return 0;
274    
275     net_packet *p = queue[j].pkt;
276     queue[j].pkt = 0;
277    
278     j = j + 1 == max_queue ? 0 : j + 1;
279    
280     return p;
281 pcg 1.1 }
282    
283 pcg 1.63 struct net_rateinfo
284     {
285 pcg 1.1 u32 host;
286     double pcnt, diff;
287     tstamp last;
288     };
289    
290     // only do action once every x seconds per host whole allowing bursts.
291     // this implementation ("splay list" ;) is inefficient,
292     // but low on resources.
293     struct net_rate_limiter : list<net_rateinfo>
294     {
295 pcg 1.35 # define NRL_ALPHA (1. - 1. / 600.) // allow bursts
296     # define NRL_CUTOFF 10. // one event every CUTOFF seconds
297     # define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
298     # define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
299 pcg 1.1
300 pcg 1.16 bool can (const sockinfo &si) { return can((u32)si.host); }
301 pcg 1.1 bool can (u32 host);
302     };
303    
304     net_rate_limiter auth_rate_limiter, reset_rate_limiter;
305    
306     bool net_rate_limiter::can (u32 host)
307     {
308     iterator i;
309    
310     for (i = begin (); i != end (); )
311     if (i->host == host)
312     break;
313 pcg 1.62 else if (i->last < ev_now () - NRL_EXPIRE)
314 pcg 1.1 i = erase (i);
315     else
316     i++;
317    
318     if (i == end ())
319     {
320     net_rateinfo ri;
321    
322     ri.host = host;
323     ri.pcnt = 1.;
324 pcg 1.34 ri.diff = NRL_MAXDIF;
325 pcg 1.62 ri.last = ev_now ();
326 pcg 1.1
327     push_front (ri);
328    
329     return true;
330     }
331     else
332     {
333     net_rateinfo ri (*i);
334     erase (i);
335    
336 pcg 1.34 ri.pcnt = ri.pcnt * NRL_ALPHA;
337 pcg 1.62 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
338 pcg 1.1
339 pcg 1.62 ri.last = ev_now ();
340 pcg 1.1
341 pcg 1.10 double dif = ri.diff / ri.pcnt;
342 pcg 1.1
343 pcg 1.34 bool send = dif > NRL_CUTOFF;
344 pcg 1.10
345 pcg 1.34 if (dif > NRL_MAXDIF)
346 pcg 1.10 {
347     ri.pcnt = 1.;
348 pcg 1.34 ri.diff = NRL_MAXDIF;
349 pcg 1.10 }
350     else if (send)
351 pcg 1.1 ri.pcnt++;
352    
353     push_front (ri);
354    
355     return send;
356     }
357     }
358    
359     /////////////////////////////////////////////////////////////////////////////
360    
361     unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
362    
363     void hmac_packet::hmac_gen (crypto_ctx *ctx)
364     {
365     unsigned int xlen;
366    
367     HMAC_CTX *hctx = &ctx->hctx;
368    
369     HMAC_Init_ex (hctx, 0, 0, 0, 0);
370     HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
371     len - sizeof (hmac_packet));
372     HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
373     }
374    
375     void
376     hmac_packet::hmac_set (crypto_ctx *ctx)
377     {
378     hmac_gen (ctx);
379    
380     memcpy (hmac, hmac_digest, HMACLENGTH);
381     }
382    
383     bool
384     hmac_packet::hmac_chk (crypto_ctx *ctx)
385     {
386     hmac_gen (ctx);
387    
388     return !memcmp (hmac, hmac_digest, HMACLENGTH);
389     }
390    
391 pcg 1.6 void vpn_packet::set_hdr (ptype type_, unsigned int dst)
392 pcg 1.1 {
393 pcg 1.6 type = type_;
394 pcg 1.1
395     int src = THISNODE->id;
396    
397     src1 = src;
398     srcdst = ((src >> 8) << 4) | (dst >> 8);
399     dst1 = dst;
400     }
401    
402     #define MAXVPNDATA (MAX_MTU - 6 - 6)
403     #define DATAHDR (sizeof (u32) + RAND_SIZE)
404    
405 pcg 1.28 struct vpndata_packet : vpn_packet
406 pcg 1.1 {
407     u8 data[MAXVPNDATA + DATAHDR]; // seqno
408    
409     void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
410     tap_packet *unpack (connection *conn, u32 &seqno);
411     private:
412    
413     const u32 data_hdr_size () const
414     {
415     return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
416     }
417     };
418    
419     void
420     vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
421     {
422     EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
423     int outl = 0, outl2;
424     ptype type = PT_DATA_UNCOMPRESSED;
425    
426     #if ENABLE_COMPRESSION
427     u8 cdata[MAX_MTU];
428    
429 pcg 1.31 if (conn->features & ENABLE_COMPRESSION)
430 pcg 1.1 {
431 pcg 1.31 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
432 pcg 1.1
433 pcg 1.31 if (cl)
434     {
435     type = PT_DATA_COMPRESSED;
436     d = cdata;
437     l = cl + 2;
438    
439     d[0] = cl >> 8;
440     d[1] = cl;
441     }
442 pcg 1.1 }
443     #endif
444    
445 pcg 1.29 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
446 pcg 1.1
447     struct {
448     #if RAND_SIZE
449     u8 rnd[RAND_SIZE];
450     #endif
451     u32 seqno;
452     } datahdr;
453    
454     datahdr.seqno = ntohl (seqno);
455     #if RAND_SIZE
456     RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
457     #endif
458    
459 pcg 1.29 require (EVP_EncryptUpdate (cctx,
460 pcg 1.1 (unsigned char *) data + outl, &outl2,
461 pcg 1.29 (unsigned char *) &datahdr, DATAHDR));
462 pcg 1.1 outl += outl2;
463    
464 pcg 1.29 require (EVP_EncryptUpdate (cctx,
465 pcg 1.1 (unsigned char *) data + outl, &outl2,
466 pcg 1.29 (unsigned char *) d, l));
467 pcg 1.1 outl += outl2;
468    
469 pcg 1.29 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
470 pcg 1.1 outl += outl2;
471    
472     len = outl + data_hdr_size ();
473    
474     set_hdr (type, dst);
475    
476     hmac_set (conn->octx);
477     }
478    
479     tap_packet *
480     vpndata_packet::unpack (connection *conn, u32 &seqno)
481     {
482     EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
483     int outl = 0, outl2;
484     tap_packet *p = new tap_packet;
485     u8 *d;
486     u32 l = len - data_hdr_size ();
487    
488 pcg 1.29 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
489 pcg 1.1
490     #if ENABLE_COMPRESSION
491     u8 cdata[MAX_MTU];
492    
493     if (type == PT_DATA_COMPRESSED)
494     d = cdata;
495     else
496     #endif
497     d = &(*p)[6 + 6 - DATAHDR];
498    
499     /* this overwrites part of the src mac, but we fix that later */
500 pcg 1.29 require (EVP_DecryptUpdate (cctx,
501 pcg 1.1 d, &outl2,
502 pcg 1.29 (unsigned char *)&data, len - data_hdr_size ()));
503 pcg 1.1 outl += outl2;
504    
505 pcg 1.29 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
506 pcg 1.1 outl += outl2;
507    
508     seqno = ntohl (*(u32 *)(d + RAND_SIZE));
509    
510     id2mac (dst () ? dst() : THISNODE->id, p->dst);
511     id2mac (src (), p->src);
512    
513     #if ENABLE_COMPRESSION
514     if (type == PT_DATA_COMPRESSED)
515     {
516     u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
517    
518     p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
519     &(*p)[6 + 6], MAX_MTU)
520     + 6 + 6;
521     }
522     else
523     p->len = outl + (6 + 6 - DATAHDR);
524     #endif
525    
526     return p;
527     }
528    
529     struct ping_packet : vpn_packet
530     {
531     void setup (int dst, ptype type)
532     {
533     set_hdr (type, dst);
534     len = sizeof (*this) - sizeof (net_packet);
535     }
536     };
537    
538     struct config_packet : vpn_packet
539     {
540     // actually, hmaclen cannot be checked because the hmac
541     // field comes before this data, so peers with other
542     // hmacs simply will not work.
543     u8 prot_major, prot_minor, randsize, hmaclen;
544 pcg 1.31 u8 flags, challengelen, features, pad3;
545 pcg 1.1 u32 cipher_nid, digest_nid, hmac_nid;
546    
547     void setup (ptype type, int dst);
548     bool chk_config () const;
549 pcg 1.32
550     static u8 get_features ()
551     {
552     u8 f = 0;
553     #if ENABLE_COMPRESSION
554     f |= FEATURE_COMPRESSION;
555     #endif
556     #if ENABLE_ROHC
557     f |= FEATURE_ROHC;
558     #endif
559 pcg 1.59 #if ENABLE_BRIDGING
560     f |= FEATURE_BRIDGING;
561     #endif
562 pcg 1.32 return f;
563     }
564 pcg 1.1 };
565    
566     void config_packet::setup (ptype type, int dst)
567     {
568     prot_major = PROTOCOL_MAJOR;
569     prot_minor = PROTOCOL_MINOR;
570     randsize = RAND_SIZE;
571     hmaclen = HMACLENGTH;
572 pcg 1.48 flags = 0;
573 pcg 1.1 challengelen = sizeof (rsachallenge);
574 pcg 1.32 features = get_features ();
575 pcg 1.1
576     cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
577     digest_nid = htonl (EVP_MD_type (RSA_HASH));
578     hmac_nid = htonl (EVP_MD_type (DIGEST));
579    
580     len = sizeof (*this) - sizeof (net_packet);
581     set_hdr (type, dst);
582     }
583    
584     bool config_packet::chk_config () const
585     {
586 pcg 1.15 if (prot_major != PROTOCOL_MAJOR)
587 pcg 1.23 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
588 pcg 1.15 else if (randsize != RAND_SIZE)
589 pcg 1.23 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
590 pcg 1.15 else if (hmaclen != HMACLENGTH)
591 pcg 1.23 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
592 pcg 1.15 else if (challengelen != sizeof (rsachallenge))
593 pcg 1.23 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
594 pcg 1.15 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
595 pcg 1.23 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
596 pcg 1.15 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
597 pcg 1.23 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
598 pcg 1.15 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
599 pcg 1.23 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
600 pcg 1.15 else
601     return true;
602    
603     return false;
604 pcg 1.1 }
605    
606     struct auth_req_packet : config_packet
607     {
608     char magic[8];
609     u8 initiate; // false if this is just an automatic reply
610 pcg 1.28 u8 protocols; // supported protocols (will be patched on forward)
611 pcg 1.1 u8 pad2, pad3;
612     rsaid id;
613     rsaencrdata encr;
614    
615     auth_req_packet (int dst, bool initiate_, u8 protocols_)
616     {
617     config_packet::setup (PT_AUTH_REQ, dst);
618     strncpy (magic, MAGIC, 8);
619     initiate = !!initiate_;
620     protocols = protocols_;
621    
622     len = sizeof (*this) - sizeof (net_packet);
623     }
624     };
625    
626     struct auth_res_packet : config_packet
627     {
628     rsaid id;
629     u8 pad1, pad2, pad3;
630     u8 response_len; // encrypted length
631     rsaresponse response;
632    
633     auth_res_packet (int dst)
634     {
635     config_packet::setup (PT_AUTH_RES, dst);
636    
637     len = sizeof (*this) - sizeof (net_packet);
638     }
639     };
640    
641     struct connect_req_packet : vpn_packet
642     {
643     u8 id, protocols;
644     u8 pad1, pad2;
645    
646     connect_req_packet (int dst, int id_, u8 protocols_)
647     : id(id_)
648     , protocols(protocols_)
649     {
650     set_hdr (PT_CONNECT_REQ, dst);
651     len = sizeof (*this) - sizeof (net_packet);
652     }
653     };
654    
655     struct connect_info_packet : vpn_packet
656     {
657     u8 id, protocols;
658     u8 pad1, pad2;
659     sockinfo si;
660    
661     connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
662     : id(id_)
663     , protocols(protocols_)
664     , si(si_)
665     {
666     set_hdr (PT_CONNECT_INFO, dst);
667    
668     len = sizeof (*this) - sizeof (net_packet);
669     }
670     };
671    
672     /////////////////////////////////////////////////////////////////////////////
673    
674     void
675 pcg 1.10 connection::connection_established ()
676     {
677 pcg 1.79 slog (L_NOISE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
678 pcg 1.61
679 pcg 1.10 if (ictx && octx)
680     {
681 pcg 1.36 // make sure rekeying timeouts are slightly asymmetric
682 pcg 1.60 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
683     rekey.start (rekey_interval, rekey_interval);
684     keepalive.start (::conf.keepalive);
685 pcg 1.10
686     // send queued packets
687     if (ictx && octx)
688 pcg 1.12 {
689     while (tap_packet *p = (tap_packet *)data_queue.get ())
690     {
691 pcg 1.67 if (p->len) send_data_packet (p);
692 pcg 1.12 delete p;
693     }
694    
695     while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
696     {
697 pcg 1.67 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
698 pcg 1.12 delete p;
699     }
700     }
701 pcg 1.73
702     vpn->connection_established (this);
703 pcg 1.10 }
704     else
705     {
706     retry_cnt = 0;
707 pcg 1.60 establish_connection.start (5);
708 pcg 1.25 keepalive.stop ();
709     rekey.stop ();
710 pcg 1.10 }
711     }
712    
713     void
714 pcg 1.8 connection::reset_si ()
715 pcg 1.1 {
716 pcg 1.73 if (vpn->can_direct (THISNODE, conf))
717     protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
718     else
719 pcg 1.59 {
720 pcg 1.73 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
721 pcg 1.59 protocol = 0;
722     }
723 pcg 1.6
724     si.set (conf, protocol);
725 pcg 1.73
726     is_direct = si.valid ();
727 pcg 1.1 }
728    
729 pcg 1.8 // ensure sockinfo is valid, forward if necessary
730     const sockinfo &
731     connection::forward_si (const sockinfo &si) const
732     {
733     if (!si.valid ())
734     {
735 pcg 1.73 connection *r = vpn->find_router_for (this);
736 pcg 1.8
737     if (r)
738     {
739 pcg 1.73 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
740     conf->nodename, r->conf->nodename);
741 pcg 1.8 return r->si;
742     }
743     else
744 pcg 1.73 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
745 pcg 1.8 conf->nodename);
746     }
747    
748     return si;
749     }
750    
751 pcg 1.1 void
752 pcg 1.10 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
753     {
754 pcg 1.46 if (!vpn->send_vpn_packet (pkt, si, tos))
755 pcg 1.10 reset_connection ();
756     }
757    
758     void
759 pcg 1.1 connection::send_ping (const sockinfo &si, u8 pong)
760     {
761     ping_packet *pkt = new ping_packet;
762    
763     pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
764 pcg 1.73
765 pcg 1.79 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
766 pcg 1.73
767 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
768 pcg 1.1
769     delete pkt;
770     }
771    
772     void
773     connection::send_reset (const sockinfo &si)
774     {
775     if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
776     {
777     config_packet *pkt = new config_packet;
778    
779     pkt->setup (vpn_packet::PT_RESET, conf->id);
780 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_MINCOST);
781 pcg 1.1
782     delete pkt;
783     }
784     }
785    
786     void
787     connection::send_auth_request (const sockinfo &si, bool initiate)
788     {
789     auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
790    
791 pcg 1.6 rsachallenge chg;
792     rsa_cache.gen (pkt->id, chg);
793 pcg 1.24 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
794 pcg 1.1
795 pcg 1.79 slog (L_TRACE, "%s >> PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
796 pcg 1.1
797 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
798 pcg 1.1
799 pcg 1.6 delete pkt;
800 pcg 1.1 }
801    
802     void
803     connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
804     {
805     auth_res_packet *pkt = new auth_res_packet (conf->id);
806    
807     pkt->id = id;
808    
809     rsa_hash (id, chg, pkt->response);
810    
811     pkt->hmac_set (octx);
812    
813 pcg 1.79 slog (L_TRACE, "%s >> PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
814 pcg 1.1
815 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
816 pcg 1.1
817     delete pkt;
818     }
819    
820     void
821     connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
822     {
823 pcg 1.79 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s)", conf->nodename,
824     vpn->conns[rid - 1]->conf->nodename, (const char *)rsi);
825 pcg 1.1
826     connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
827    
828     r->hmac_set (octx);
829 pcg 1.10 send_vpn_packet (r, si);
830 pcg 1.1
831     delete r;
832     }
833    
834 pcg 1.66 inline void
835 pcg 1.60 connection::establish_connection_cb (ev::timer &w, int revents)
836 pcg 1.1 {
837 pcg 1.25 if (!ictx
838     && conf != THISNODE
839     && connectmode != conf_node::C_NEVER
840     && connectmode != conf_node::C_DISABLED
841 pcg 1.60 && !w.is_active ())
842 pcg 1.1 {
843 pcg 1.67 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
844     // and stop trying. should probably be handled by a per-connection expire handler.
845     if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
846     {
847     reset_connection ();
848     return;
849     }
850    
851 pcg 1.68 last_establish_attempt = ev_now ();
852    
853 pcg 1.60 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
854     ? (retry_cnt & 3) + 1
855     : 1 << (retry_cnt >> 2));
856 pcg 1.1
857 pcg 1.47 reset_si ();
858 pcg 1.1
859 pcg 1.47 bool slow = si.prot & PROT_SLOW;
860 pcg 1.8
861 pcg 1.73 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
862 pcg 1.60 {
863     /*TODO*/ /* start the timer so we don't recurse endlessly */
864     w.start (1);
865 pcg 1.74 vpn->send_connect_request (this);
866 pcg 1.60 }
867 pcg 1.8 else
868 pcg 1.1 {
869 pcg 1.73 if (si.valid ())
870     slog (L_DEBUG, _("%s: sending direct connection request to %s."),
871     conf->nodename, (const char *)si);
872 pcg 1.61
873 pcg 1.8 const sockinfo &dsi = forward_si (si);
874 pcg 1.6
875 pcg 1.47 slow = slow || (dsi.prot & PROT_SLOW);
876    
877 pcg 1.8 if (dsi.valid () && auth_rate_limiter.can (dsi))
878     {
879     if (retry_cnt < 4)
880     send_auth_request (dsi, true);
881     else
882     send_ping (dsi, 0);
883     }
884 pcg 1.1 }
885 pcg 1.47
886 pcg 1.68 retry_int *= slow ? 8. : 0.9;
887 pcg 1.47
888     if (retry_int < conf->max_retry)
889     retry_cnt++;
890     else
891     retry_int = conf->max_retry;
892    
893 pcg 1.60 w.start (retry_int);
894 pcg 1.1 }
895     }
896    
897     void
898     connection::reset_connection ()
899     {
900     if (ictx && octx)
901     {
902     slog (L_INFO, _("%s(%s): connection lost"),
903     conf->nodename, (const char *)si);
904    
905     if (::conf.script_node_down)
906 pcg 1.64 {
907 pcg 1.70 run_script_cb *cb = new run_script_cb;
908     cb->set<connection, &connection::script_node_down> (this);
909     run_script_queued (cb, _("node-down command execution failed, continuing."));
910 pcg 1.64 }
911 pcg 1.1 }
912    
913     delete ictx; ictx = 0;
914     delete octx; octx = 0;
915 pcg 1.44 #if ENABLE_DNS
916 pcg 1.45 dnsv4_reset_connection ();
917 pcg 1.44 #endif
918 pcg 1.1
919 pcg 1.38 si.host = 0;
920 pcg 1.1
921 pcg 1.73 last_activity = 0.;
922     //last_si_change = 0.;
923 pcg 1.1 retry_cnt = 0;
924    
925 pcg 1.25 rekey.stop ();
926     keepalive.stop ();
927     establish_connection.stop ();
928 pcg 1.1 }
929    
930     void
931     connection::shutdown ()
932     {
933     if (ictx && octx)
934     send_reset (si);
935    
936     reset_connection ();
937     }
938    
939 pcg 1.73 // poor-man's rekeying
940 pcg 1.66 inline void
941 pcg 1.60 connection::rekey_cb (ev::timer &w, int revents)
942 pcg 1.1 {
943     reset_connection ();
944     establish_connection ();
945     }
946    
947     void
948 pcg 1.21 connection::send_data_packet (tap_packet *pkt)
949 pcg 1.1 {
950     vpndata_packet *p = new vpndata_packet;
951     int tos = 0;
952    
953 pcg 1.12 // I am not hilarious about peeking into packets, but so be it.
954 pcg 1.21 if (conf->inherit_tos && pkt->is_ipv4 ())
955 pcg 1.1 tos = (*pkt)[15] & IPTOS_TOS_MASK;
956    
957 pcg 1.21 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
958 pcg 1.10 send_vpn_packet (p, si, tos);
959 pcg 1.1
960     delete p;
961    
962     if (oseqno > MAX_SEQNO)
963     rekey ();
964     }
965    
966     void
967 pcg 1.68 connection::post_inject_queue ()
968     {
969     // force a connection every now and when when packets are sent (max 1/s)
970     if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
971     establish_connection.stop ();
972    
973     establish_connection ();
974     }
975    
976     void
977     connection::inject_data_packet (tap_packet *pkt)
978 pcg 1.1 {
979     if (ictx && octx)
980 pcg 1.21 send_data_packet (pkt);
981 pcg 1.1 else
982     {
983 pcg 1.68 data_queue.put (new tap_packet (*pkt));
984     post_inject_queue ();
985 pcg 1.1 }
986     }
987    
988 pcg 1.8 void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
989     {
990     if (ictx && octx)
991 pcg 1.10 send_vpn_packet (pkt, si, tos);
992 pcg 1.8 else
993 pcg 1.12 {
994 pcg 1.28 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
995 pcg 1.68 post_inject_queue ();
996 pcg 1.12 }
997 pcg 1.8 }
998    
999 pcg 1.1 void
1000     connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1001     {
1002 pcg 1.62 last_activity = ev_now ();
1003 pcg 1.1
1004 pcg 1.79 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
1005     conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1006 pcg 1.1
1007 pcg 1.61 if (connectmode == conf_node::C_DISABLED)
1008     return;
1009    
1010 pcg 1.1 switch (pkt->typ ())
1011     {
1012 pcg 1.3 case vpn_packet::PT_PING:
1013 pcg 1.79 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1014    
1015 pcg 1.3 // we send pings instead of auth packets after some retries,
1016     // so reset the retry counter and establish a connection
1017     // when we receive a ping.
1018     if (!ictx)
1019     {
1020     if (auth_rate_limiter.can (rsi))
1021     send_auth_request (rsi, true);
1022     }
1023     else
1024 pcg 1.73 // we would love to change thre socket address here, but ping's aren't
1025     // authenticated, so we best ignore it.
1026 pcg 1.3 send_ping (rsi, 1); // pong
1027    
1028     break;
1029    
1030     case vpn_packet::PT_PONG:
1031 pcg 1.79 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1032 pcg 1.3 break;
1033    
1034     case vpn_packet::PT_RESET:
1035 pcg 1.1 {
1036 pcg 1.3 reset_connection ();
1037    
1038     config_packet *p = (config_packet *) pkt;
1039    
1040     if (!p->chk_config ())
1041     {
1042 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
1043 pcg 1.3 conf->nodename, (const char *)rsi);
1044     connectmode = conf_node::C_DISABLED;
1045     }
1046     else if (connectmode == conf_node::C_ALWAYS)
1047     establish_connection ();
1048 pcg 1.1 }
1049 pcg 1.3 break;
1050    
1051     case vpn_packet::PT_AUTH_REQ:
1052     if (auth_rate_limiter.can (rsi))
1053     {
1054     auth_req_packet *p = (auth_req_packet *) pkt;
1055    
1056 pcg 1.79 slog (L_TRACE, "%s << PT_AUTH_REQ(%s)", conf->nodename, p->initiate ? "initiate" : "reply");
1057 pcg 1.1
1058 pcg 1.3 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
1059     {
1060     if (p->prot_minor != PROTOCOL_MINOR)
1061     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1062     conf->nodename, (const char *)rsi,
1063     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1064    
1065     if (p->initiate)
1066     send_auth_request (rsi, false);
1067    
1068     rsachallenge k;
1069    
1070 pcg 1.24 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
1071 pcg 1.23 {
1072     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1073     conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1074     break;
1075     }
1076 pcg 1.3 else
1077     {
1078     delete octx;
1079 pcg 1.1
1080 pcg 1.3 octx = new crypto_ctx (k, 1);
1081     oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
1082 pcg 1.1
1083 pcg 1.3 conf->protocols = p->protocols;
1084 pcg 1.32 features = p->features & config_packet::get_features ();
1085 pcg 1.10
1086 pcg 1.3 send_auth_response (rsi, p->id, k);
1087    
1088 pcg 1.10 connection_established ();
1089    
1090 pcg 1.3 break;
1091     }
1092     }
1093 pcg 1.15 else
1094 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch."),
1095 pcg 1.15 conf->nodename, (const char *)rsi);
1096 pcg 1.3
1097     send_reset (rsi);
1098 pcg 1.1 }
1099    
1100 pcg 1.3 break;
1101    
1102     case vpn_packet::PT_AUTH_RES:
1103 pcg 1.1 {
1104 pcg 1.79 auth_res_packet *p = (auth_res_packet *)pkt;
1105 pcg 1.1
1106 pcg 1.79 slog (L_TRACE, "%s << PT_AUTH_RES", conf->nodename);
1107 pcg 1.1
1108 pcg 1.3 if (p->chk_config ())
1109 pcg 1.1 {
1110     if (p->prot_minor != PROTOCOL_MINOR)
1111     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1112     conf->nodename, (const char *)rsi,
1113     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1114    
1115 pcg 1.3 rsachallenge chg;
1116 pcg 1.1
1117 pcg 1.3 if (!rsa_cache.find (p->id, chg))
1118 pcg 1.13 {
1119 pcg 1.73 slog (L_ERR, _("%s(%s): unrequested auth response, ignoring."),
1120 pcg 1.13 conf->nodename, (const char *)rsi);
1121     break;
1122     }
1123 pcg 1.1 else
1124     {
1125 pcg 1.3 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1126    
1127     if (!p->hmac_chk (cctx))
1128 pcg 1.18 {
1129     slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1130 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1131 pcg 1.18 conf->nodename, (const char *)rsi);
1132     break;
1133     }
1134 pcg 1.3 else
1135     {
1136     rsaresponse h;
1137    
1138     rsa_hash (p->id, chg, h);
1139    
1140     if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
1141     {
1142     prot_minor = p->prot_minor;
1143    
1144     delete ictx; ictx = cctx;
1145    
1146     iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1147    
1148     si = rsi;
1149 pcg 1.7 protocol = rsi.prot;
1150 pcg 1.3
1151 pcg 1.76 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
1152 pcg 1.3 conf->nodename, (const char *)rsi,
1153 pcg 1.76 is_direct ? "direct" : "routed",
1154 pcg 1.3 p->prot_major, p->prot_minor);
1155 pcg 1.1
1156 pcg 1.73 connection_established ();
1157    
1158 pcg 1.3 if (::conf.script_node_up)
1159 pcg 1.64 {
1160 pcg 1.70 run_script_cb *cb = new run_script_cb;
1161     cb->set<connection, &connection::script_node_up> (this);
1162     run_script_queued (cb, _("node-up command execution failed, continuing."));
1163 pcg 1.64 }
1164 pcg 1.1
1165 pcg 1.3 break;
1166     }
1167     else
1168 pcg 1.73 slog (L_ERR, _("%s(%s): sent and received challenge do not match."),
1169 pcg 1.3 conf->nodename, (const char *)rsi);
1170     }
1171 pcg 1.1
1172 pcg 1.3 delete cctx;
1173 pcg 1.1 }
1174     }
1175     }
1176    
1177 pcg 1.3 send_reset (rsi);
1178     break;
1179 pcg 1.1
1180 pcg 1.3 case vpn_packet::PT_DATA_COMPRESSED:
1181     #if !ENABLE_COMPRESSION
1182     send_reset (rsi);
1183     break;
1184     #endif
1185 pcg 1.1
1186 pcg 1.3 case vpn_packet::PT_DATA_UNCOMPRESSED:
1187 pcg 1.1
1188 pcg 1.3 if (ictx && octx)
1189 pcg 1.1 {
1190 pcg 1.3 vpndata_packet *p = (vpndata_packet *)pkt;
1191 pcg 1.1
1192 pcg 1.10 if (!p->hmac_chk (ictx))
1193     slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1194 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1195 pcg 1.10 conf->nodename, (const char *)rsi);
1196     else
1197 pcg 1.1 {
1198 pcg 1.10 u32 seqno;
1199     tap_packet *d = p->unpack (this, seqno);
1200 pcg 1.73 int seqclass = iseqno.seqno_classify (seqno);
1201 pcg 1.10
1202 pcg 1.73 if (seqclass == 0) // ok
1203 pcg 1.1 {
1204 pcg 1.10 vpn->tap->send (d);
1205 pcg 1.1
1206 pcg 1.10 if (si != rsi)
1207 pcg 1.1 {
1208 pcg 1.56 // fast re-sync on source address changes, useful especially for tcp/ip
1209 pcg 1.73 //if (last_si_change < ev_now () + 5.)
1210     // {
1211 pcg 1.78 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1212     conf->nodename, (const char *)si, (const char *)rsi);
1213    
1214 pcg 1.73 si = rsi;
1215     // }
1216     //else
1217     // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1218     // conf->nodename, (const char *)si, (const char *)rsi);
1219 pcg 1.10 }
1220 pcg 1.32 }
1221 pcg 1.75 else if (seqclass == 1) // far history
1222     slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1223     "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1224     else if (seqclass == 2) // in-window duplicate, happens often on wireless
1225     slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1226     "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1227     else if (seqclass == 3) // reset
1228 pcg 1.73 {
1229 pcg 1.75 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1230     "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1231 pcg 1.73 send_reset (rsi);
1232     }
1233 pcg 1.3
1234 pcg 1.32 delete d;
1235     break;
1236 pcg 1.1 }
1237     }
1238    
1239 pcg 1.3 send_reset (rsi);
1240     break;
1241 pcg 1.1
1242 pcg 1.3 case vpn_packet::PT_CONNECT_REQ:
1243     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1244     {
1245     connect_req_packet *p = (connect_req_packet *) pkt;
1246 pcg 1.1
1247 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1248     {
1249     connection *c = vpn->conns[p->id - 1];
1250     conf->protocols = p->protocols;
1251 pcg 1.1
1252 pcg 1.79 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s) [%d]",
1253     conf->nodename, vpn->conns[p->id - 1]->conf->nodename, c->ictx && c->octx);
1254 pcg 1.1
1255 pcg 1.57 if (c->ictx && c->octx)
1256     {
1257     // send connect_info packets to both sides, in case one is
1258     // behind a nat firewall (or both ;)
1259     c->send_connect_info (conf->id, si, conf->protocols);
1260     send_connect_info (c->conf->id, c->si, c->conf->protocols);
1261     }
1262     else
1263     c->establish_connection ();
1264 pcg 1.3 }
1265 pcg 1.11 else
1266 pcg 1.57 slog (L_WARN,
1267     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1268     p->id);
1269 pcg 1.3 }
1270 pcg 1.1
1271 pcg 1.3 break;
1272 pcg 1.1
1273 pcg 1.3 case vpn_packet::PT_CONNECT_INFO:
1274     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1275     {
1276 pcg 1.39 connect_info_packet *p = (connect_info_packet *)pkt;
1277 pcg 1.1
1278 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1279 pcg 1.39 {
1280     connection *c = vpn->conns[p->id - 1];
1281 pcg 1.7
1282 pcg 1.39 c->conf->protocols = p->protocols;
1283     protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1284     p->si.upgrade_protocol (protocol, c->conf);
1285 pcg 1.1
1286 pcg 1.79 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s) [%d]",
1287     conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1288     (const char *)p->si, !c->ictx && !c->octx);
1289 pcg 1.7
1290 pcg 1.39 const sockinfo &dsi = forward_si (p->si);
1291 pcg 1.1
1292 pcg 1.39 if (dsi.valid ())
1293     c->send_auth_request (dsi, true);
1294     }
1295 pcg 1.57 else
1296     slog (L_WARN,
1297     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1298     p->id);
1299 pcg 1.3 }
1300 pcg 1.1
1301 pcg 1.3 break;
1302 pcg 1.1
1303 pcg 1.3 default:
1304     send_reset (rsi);
1305     break;
1306 pcg 1.1 }
1307     }
1308    
1309 pcg 1.66 inline void
1310     connection::keepalive_cb (ev::timer &w, int revents)
1311 pcg 1.1 {
1312 pcg 1.62 if (ev_now () >= last_activity + ::conf.keepalive + 30)
1313 pcg 1.1 {
1314     reset_connection ();
1315     establish_connection ();
1316     }
1317 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive)
1318 pcg 1.60 w.start (last_activity + ::conf.keepalive - ev::now ());
1319 pcg 1.1 else if (conf->connectmode != conf_node::C_ONDEMAND
1320     || THISNODE->connectmode != conf_node::C_ONDEMAND)
1321     {
1322     send_ping (si);
1323 pcg 1.60 w.start (5);
1324 pcg 1.1 }
1325 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1326 pcg 1.12 // hold ondemand connections implicitly a few seconds longer
1327     // should delete octx, though, or something like that ;)
1328 pcg 1.60 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1329 pcg 1.1 else
1330     reset_connection ();
1331     }
1332    
1333 pcg 1.10 void connection::send_connect_request (int id)
1334 pcg 1.1 {
1335     connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1336    
1337 pcg 1.79 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s)",
1338     conf->nodename, vpn->conns[id - 1]->conf->nodename);
1339 pcg 1.1 p->hmac_set (octx);
1340 pcg 1.10 send_vpn_packet (p, si);
1341 pcg 1.1
1342     delete p;
1343     }
1344    
1345 pcg 1.53 void connection::script_init_env (const char *ext)
1346     {
1347     char *env;
1348     asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1349     asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1350     asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1351     0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1352     conf->id & 0xff); putenv (env);
1353     }
1354    
1355     void connection::script_init_connect_env ()
1356 pcg 1.1 {
1357 pcg 1.52 vpn->script_init_env ();
1358 pcg 1.1
1359     char *env;
1360     asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1361     asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1362     asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1363     asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1364     }
1365    
1366 pcg 1.66 inline const char *
1367     connection::script_node_up ()
1368 pcg 1.1 {
1369 pcg 1.53 script_init_connect_env ();
1370 pcg 1.1
1371 pcg 1.60 putenv ((char *)"STATE=up");
1372 pcg 1.1
1373 pcg 1.52 char *filename;
1374     asprintf (&filename,
1375     "%s/%s",
1376     confbase,
1377     ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1378 pcg 1.54
1379     return filename;
1380 pcg 1.1 }
1381    
1382 pcg 1.66 inline const char *
1383     connection::script_node_down ()
1384 pcg 1.1 {
1385 pcg 1.53 script_init_connect_env ();
1386 pcg 1.1
1387 pcg 1.60 putenv ((char *)"STATE=down");
1388 pcg 1.1
1389 pcg 1.52 char *filename;
1390     asprintf (&filename,
1391     "%s/%s",
1392     confbase,
1393     ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1394 pcg 1.54
1395     return filename;
1396 pcg 1.1 }
1397    
1398 pcg 1.40 connection::connection (struct vpn *vpn, conf_node *conf)
1399 pcg 1.67 : vpn(vpn), conf(conf),
1400 pcg 1.40 #if ENABLE_DNS
1401 pcg 1.67 dns (0),
1402 pcg 1.40 #endif
1403 pcg 1.72 data_queue(conf->max_ttl, conf->max_queue + 1),
1404     vpn_queue(conf->max_ttl, conf->max_queue + 1)
1405 pcg 1.1 {
1406 pcg 1.65 rekey .set<connection, &connection::rekey_cb > (this);
1407     keepalive .set<connection, &connection::keepalive_cb > (this);
1408     establish_connection.set<connection, &connection::establish_connection_cb> (this);
1409    
1410 pcg 1.68 last_establish_attempt = 0.;
1411 pcg 1.1 octx = ictx = 0;
1412    
1413 pcg 1.40 if (!conf->protocols) // make sure some protocol is enabled
1414     conf->protocols = PROT_UDPv4;
1415    
1416 pcg 1.67 connectmode = conf->connectmode;
1417    
1418     // queue a dummy packet to force an initial connection attempt
1419     if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1420 pcg 1.68 vpn_queue.put (new net_packet);
1421 pcg 1.67
1422 pcg 1.1 reset_connection ();
1423     }
1424    
1425     connection::~connection ()
1426     {
1427     shutdown ();
1428     }
1429    
1430     void connection_init ()
1431     {
1432     auth_rate_limiter.clear ();
1433     reset_rate_limiter.clear ();
1434     }
1435