ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
Revision: 1.86
Committed: Thu Jan 21 04:30:32 2010 UTC (14 years, 4 months ago) by pcg
Content type: text/plain
Branch: MAIN
Changes since 1.85: +1 -1 lines
Log Message: 
*** empty log message ***

File Contents

# User Rev Content
1 pcg 1.1 /*
2     connection.C -- manage a single connection
3 pcg 1.69 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.42 This file is part of GVPE.
6    
7 pcg 1.69 GVPE is free software; you can redistribute it and/or modify it
8     under the terms of the GNU General Public License as published by the
9     Free Software Foundation; either version 3 of the License, or (at your
10     option) any later version.
11    
12     This program is distributed in the hope that it will be useful, but
13     WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15     Public License for more details.
16    
17     You should have received a copy of the GNU General Public License along
18     with this program; if not, see <http://www.gnu.org/licenses/>.
19    
20     Additional permission under GNU GPL version 3 section 7
21    
22     If you modify this Program, or any covered work, by linking or
23     combining it with the OpenSSL project's OpenSSL library (or a modified
24     version of that library), containing parts covered by the terms of the
25     OpenSSL or SSLeay licenses, the licensors of this Program grant you
26     additional permission to convey the resulting work. Corresponding
27     Source for a non-source form of such a combination shall include the
28     source code for the parts of OpenSSL used as well as that of the
29     covered work.
30 pcg 1.1 */
31    
32     #include "config.h"
33    
34     #include <list>
35 pcg 1.70 #include <queue>
36     #include <utility>
37 pcg 1.1
38 pcg 1.2 #include <openssl/rand.h>
39     #include <openssl/evp.h>
40     #include <openssl/rsa.h>
41     #include <openssl/err.h>
42    
43 pcg 1.1 #include "conf.h"
44     #include "slog.h"
45     #include "device.h"
46 pcg 1.2 #include "vpn.h"
47 pcg 1.1 #include "connection.h"
48    
49 pcg 1.20 #include "netcompat.h"
50 pcg 1.19
51 pcg 1.1 #if !HAVE_RAND_PSEUDO_BYTES
52     # define RAND_pseudo_bytes RAND_bytes
53     #endif
54    
55 pcg 1.85 #define MAGIC_OLD "vped\xbd\xc6\xdb\x82" // 8 bytes of magic (still used in the protocol)
56     #define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic (understood but not generated)
57 pcg 1.30
58     #define ULTRA_FAST 1
59     #define HLOG 15
60     #include "lzf/lzf.h"
61     #include "lzf/lzf_c.c"
62     #include "lzf/lzf_d.c"
63 pcg 1.1
64 pcg 1.70 //////////////////////////////////////////////////////////////////////////////
65    
66     static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
67     static ev::child rs_child_ev;
68    
69     void // c++ requires external linkage here, apparently :(
70     rs_child_cb (ev::child &w, int revents)
71     {
72     w.stop ();
73    
74     if (rs_queue.empty ())
75     return;
76    
77     pid_t pid = run_script (*rs_queue.front ().first, false);
78     if (pid)
79     {
80     w.set (pid);
81     w.start ();
82     }
83     else
84     slog (L_WARN, rs_queue.front ().second);
85    
86     delete rs_queue.front ().first;
87     rs_queue.pop ();
88     }
89    
90     // despite the fancy name, this is quite a hack
91     static void
92     run_script_queued (run_script_cb *cb, const char *warnmsg)
93     {
94     rs_queue.push (std::make_pair (cb, warnmsg));
95    
96     if (!rs_child_ev.is_active ())
97     {
98     rs_child_ev.set<rs_child_cb> ();
99     rs_child_ev ();
100     }
101     }
102    
103     //////////////////////////////////////////////////////////////////////////////
104    
105 pcg 1.1 struct crypto_ctx
106     {
107     EVP_CIPHER_CTX cctx;
108     HMAC_CTX hctx;
109    
110     crypto_ctx (const rsachallenge &challenge, int enc);
111     ~crypto_ctx ();
112     };
113    
114     crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
115     {
116     EVP_CIPHER_CTX_init (&cctx);
117 pcg 1.29 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
118 pcg 1.1 HMAC_CTX_init (&hctx);
119     HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
120     }
121    
122     crypto_ctx::~crypto_ctx ()
123     {
124 pcg 1.29 require (EVP_CIPHER_CTX_cleanup (&cctx));
125 pcg 1.1 HMAC_CTX_cleanup (&hctx);
126     }
127    
128     static void
129     rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
130     {
131     EVP_MD_CTX ctx;
132    
133     EVP_MD_CTX_init (&ctx);
134 pcg 1.29 require (EVP_DigestInit (&ctx, RSA_HASH));
135     require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
136     require (EVP_DigestUpdate(&ctx, &id, sizeof id));
137     require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
138 pcg 1.1 EVP_MD_CTX_cleanup (&ctx);
139     }
140    
141 pcg 1.63 struct rsa_entry
142     {
143 pcg 1.1 tstamp expire;
144     rsaid id;
145     rsachallenge chg;
146     };
147    
148     struct rsa_cache : list<rsa_entry>
149     {
150 pcg 1.66 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
151 pcg 1.1
152     bool find (const rsaid &id, rsachallenge &chg)
153 pcg 1.51 {
154     for (iterator i = begin (); i != end (); ++i)
155     {
156 pcg 1.62 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
157 pcg 1.51 {
158     memcpy (&chg, &i->chg, sizeof chg);
159 pcg 1.1
160 pcg 1.51 erase (i);
161     return true;
162     }
163     }
164 pcg 1.1
165 pcg 1.60 if (!cleaner.is_active ())
166     cleaner.again ();
167 pcg 1.1
168 pcg 1.51 return false;
169     }
170 pcg 1.1
171     void gen (rsaid &id, rsachallenge &chg)
172 pcg 1.51 {
173     rsa_entry e;
174 pcg 1.1
175 pcg 1.51 RAND_bytes ((unsigned char *)&id, sizeof id);
176     RAND_bytes ((unsigned char *)&chg, sizeof chg);
177 pcg 1.1
178 pcg 1.62 e.expire = ev_now () + RSA_TTL;
179 pcg 1.51 e.id = id;
180     memcpy (&e.chg, &chg, sizeof chg);
181 pcg 1.1
182 pcg 1.51 push_back (e);
183 pcg 1.1
184 pcg 1.60 if (!cleaner.is_active ())
185     cleaner.again ();
186 pcg 1.51 }
187 pcg 1.1
188     rsa_cache ()
189 pcg 1.60 {
190 pcg 1.65 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
191 pcg 1.60 cleaner.set (RSA_TTL, RSA_TTL);
192     }
193 pcg 1.1
194     } rsa_cache;
195    
196 pcg 1.60 void rsa_cache::cleaner_cb (ev::timer &w, int revents)
197 pcg 1.1 {
198 pcg 1.60 if (empty ())
199     w.stop ();
200     else
201 pcg 1.1 {
202     for (iterator i = begin (); i != end (); )
203 pcg 1.62 if (i->expire <= ev_now ())
204 pcg 1.1 i = erase (i);
205     else
206     ++i;
207     }
208     }
209    
210     //////////////////////////////////////////////////////////////////////////////
211    
212 pcg 1.67 pkt_queue::pkt_queue (double max_ttl, int max_queue)
213     : max_ttl (max_ttl), max_queue (max_queue)
214 pcg 1.1 {
215 pcg 1.67 queue = new pkt [max_queue];
216    
217     i = 0;
218     j = 0;
219    
220     expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
221     }
222 pcg 1.1
223 pcg 1.67 pkt_queue::~pkt_queue ()
224     {
225     while (net_packet *p = get ())
226     delete p;
227 pcg 1.1
228 pcg 1.67 delete [] queue;
229 pcg 1.1 }
230    
231 pcg 1.67 void pkt_queue::expire_cb (ev::timer &w, int revents)
232 pcg 1.1 {
233 pcg 1.67 ev_tstamp expire = ev_now () - max_ttl;
234 pcg 1.1
235 pcg 1.67 for (;;)
236 pcg 1.1 {
237 pcg 1.67 if (empty ())
238     break;
239    
240     double diff = queue[j].tstamp - expire;
241    
242     if (diff >= 0.)
243     {
244     w.start (diff > 0.5 ? diff : 0.5);
245     break;
246     }
247    
248     delete get ();
249 pcg 1.1 }
250     }
251    
252 pcg 1.67 void pkt_queue::put (net_packet *p)
253 pcg 1.1 {
254 pcg 1.67 ev_tstamp now = ev_now ();
255    
256     // start expiry timer
257     if (empty ())
258     expire.start (max_ttl);
259    
260     int ni = i + 1 == max_queue ? 0 : i + 1;
261    
262     if (ni == j)
263     delete get ();
264    
265     queue[i].pkt = p;
266     queue[i].tstamp = now;
267    
268     i = ni;
269 pcg 1.1 }
270    
271 pcg 1.67 net_packet *pkt_queue::get ()
272 pcg 1.1 {
273 pcg 1.67 if (empty ())
274     return 0;
275    
276     net_packet *p = queue[j].pkt;
277     queue[j].pkt = 0;
278    
279     j = j + 1 == max_queue ? 0 : j + 1;
280    
281     return p;
282 pcg 1.1 }
283    
284 pcg 1.63 struct net_rateinfo
285     {
286 pcg 1.1 u32 host;
287     double pcnt, diff;
288     tstamp last;
289     };
290    
291     // only do action once every x seconds per host whole allowing bursts.
292     // this implementation ("splay list" ;) is inefficient,
293     // but low on resources.
294     struct net_rate_limiter : list<net_rateinfo>
295     {
296 pcg 1.35 # define NRL_ALPHA (1. - 1. / 600.) // allow bursts
297     # define NRL_CUTOFF 10. // one event every CUTOFF seconds
298     # define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
299     # define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
300 pcg 1.1
301 pcg 1.16 bool can (const sockinfo &si) { return can((u32)si.host); }
302 pcg 1.1 bool can (u32 host);
303     };
304    
305     net_rate_limiter auth_rate_limiter, reset_rate_limiter;
306    
307     bool net_rate_limiter::can (u32 host)
308     {
309     iterator i;
310    
311     for (i = begin (); i != end (); )
312     if (i->host == host)
313     break;
314 pcg 1.62 else if (i->last < ev_now () - NRL_EXPIRE)
315 pcg 1.1 i = erase (i);
316     else
317     i++;
318    
319     if (i == end ())
320     {
321     net_rateinfo ri;
322    
323     ri.host = host;
324     ri.pcnt = 1.;
325 pcg 1.34 ri.diff = NRL_MAXDIF;
326 pcg 1.62 ri.last = ev_now ();
327 pcg 1.1
328     push_front (ri);
329    
330     return true;
331     }
332     else
333     {
334     net_rateinfo ri (*i);
335     erase (i);
336    
337 pcg 1.34 ri.pcnt = ri.pcnt * NRL_ALPHA;
338 pcg 1.62 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
339 pcg 1.1
340 pcg 1.62 ri.last = ev_now ();
341 pcg 1.1
342 pcg 1.10 double dif = ri.diff / ri.pcnt;
343 pcg 1.1
344 pcg 1.34 bool send = dif > NRL_CUTOFF;
345 pcg 1.10
346 pcg 1.34 if (dif > NRL_MAXDIF)
347 pcg 1.10 {
348     ri.pcnt = 1.;
349 pcg 1.34 ri.diff = NRL_MAXDIF;
350 pcg 1.10 }
351     else if (send)
352 pcg 1.1 ri.pcnt++;
353    
354     push_front (ri);
355    
356     return send;
357     }
358     }
359    
360     /////////////////////////////////////////////////////////////////////////////
361    
362     unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
363    
364     void hmac_packet::hmac_gen (crypto_ctx *ctx)
365     {
366     unsigned int xlen;
367    
368     HMAC_CTX *hctx = &ctx->hctx;
369    
370     HMAC_Init_ex (hctx, 0, 0, 0, 0);
371     HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
372     len - sizeof (hmac_packet));
373     HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
374     }
375    
376     void
377     hmac_packet::hmac_set (crypto_ctx *ctx)
378     {
379     hmac_gen (ctx);
380    
381     memcpy (hmac, hmac_digest, HMACLENGTH);
382     }
383    
384     bool
385     hmac_packet::hmac_chk (crypto_ctx *ctx)
386     {
387     hmac_gen (ctx);
388    
389     return !memcmp (hmac, hmac_digest, HMACLENGTH);
390     }
391    
392 pcg 1.6 void vpn_packet::set_hdr (ptype type_, unsigned int dst)
393 pcg 1.1 {
394 pcg 1.6 type = type_;
395 pcg 1.1
396     int src = THISNODE->id;
397    
398     src1 = src;
399     srcdst = ((src >> 8) << 4) | (dst >> 8);
400     dst1 = dst;
401     }
402    
403     #define MAXVPNDATA (MAX_MTU - 6 - 6)
404     #define DATAHDR (sizeof (u32) + RAND_SIZE)
405    
406 pcg 1.28 struct vpndata_packet : vpn_packet
407 pcg 1.1 {
408     u8 data[MAXVPNDATA + DATAHDR]; // seqno
409    
410     void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
411     tap_packet *unpack (connection *conn, u32 &seqno);
412     private:
413    
414     const u32 data_hdr_size () const
415     {
416     return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
417     }
418     };
419    
420     void
421     vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
422     {
423     EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
424     int outl = 0, outl2;
425     ptype type = PT_DATA_UNCOMPRESSED;
426    
427     #if ENABLE_COMPRESSION
428     u8 cdata[MAX_MTU];
429    
430 pcg 1.86 if (conn->features & FEATURE_COMPRESSION)
431 pcg 1.1 {
432 pcg 1.31 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
433 pcg 1.1
434 pcg 1.31 if (cl)
435     {
436     type = PT_DATA_COMPRESSED;
437     d = cdata;
438     l = cl + 2;
439    
440     d[0] = cl >> 8;
441     d[1] = cl;
442     }
443 pcg 1.1 }
444     #endif
445    
446 pcg 1.29 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
447 pcg 1.1
448     struct {
449     #if RAND_SIZE
450     u8 rnd[RAND_SIZE];
451     #endif
452     u32 seqno;
453     } datahdr;
454    
455     datahdr.seqno = ntohl (seqno);
456     #if RAND_SIZE
457     RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
458     #endif
459    
460 pcg 1.29 require (EVP_EncryptUpdate (cctx,
461 pcg 1.1 (unsigned char *) data + outl, &outl2,
462 pcg 1.29 (unsigned char *) &datahdr, DATAHDR));
463 pcg 1.1 outl += outl2;
464    
465 pcg 1.29 require (EVP_EncryptUpdate (cctx,
466 pcg 1.1 (unsigned char *) data + outl, &outl2,
467 pcg 1.29 (unsigned char *) d, l));
468 pcg 1.1 outl += outl2;
469    
470 pcg 1.29 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
471 pcg 1.1 outl += outl2;
472    
473     len = outl + data_hdr_size ();
474    
475     set_hdr (type, dst);
476    
477     hmac_set (conn->octx);
478     }
479    
480     tap_packet *
481     vpndata_packet::unpack (connection *conn, u32 &seqno)
482     {
483     EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
484     int outl = 0, outl2;
485     tap_packet *p = new tap_packet;
486     u8 *d;
487     u32 l = len - data_hdr_size ();
488    
489 pcg 1.29 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
490 pcg 1.1
491     #if ENABLE_COMPRESSION
492     u8 cdata[MAX_MTU];
493    
494     if (type == PT_DATA_COMPRESSED)
495     d = cdata;
496     else
497     #endif
498     d = &(*p)[6 + 6 - DATAHDR];
499    
500     /* this overwrites part of the src mac, but we fix that later */
501 pcg 1.29 require (EVP_DecryptUpdate (cctx,
502 pcg 1.1 d, &outl2,
503 pcg 1.29 (unsigned char *)&data, len - data_hdr_size ()));
504 pcg 1.1 outl += outl2;
505    
506 pcg 1.29 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
507 pcg 1.1 outl += outl2;
508    
509     seqno = ntohl (*(u32 *)(d + RAND_SIZE));
510    
511     id2mac (dst () ? dst() : THISNODE->id, p->dst);
512     id2mac (src (), p->src);
513    
514     #if ENABLE_COMPRESSION
515     if (type == PT_DATA_COMPRESSED)
516     {
517     u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
518    
519     p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
520     &(*p)[6 + 6], MAX_MTU)
521     + 6 + 6;
522     }
523     else
524     p->len = outl + (6 + 6 - DATAHDR);
525     #endif
526    
527     return p;
528     }
529    
530     struct ping_packet : vpn_packet
531     {
532     void setup (int dst, ptype type)
533     {
534     set_hdr (type, dst);
535     len = sizeof (*this) - sizeof (net_packet);
536     }
537     };
538    
539     struct config_packet : vpn_packet
540     {
541     // actually, hmaclen cannot be checked because the hmac
542     // field comes before this data, so peers with other
543     // hmacs simply will not work.
544     u8 prot_major, prot_minor, randsize, hmaclen;
545 pcg 1.31 u8 flags, challengelen, features, pad3;
546 pcg 1.1 u32 cipher_nid, digest_nid, hmac_nid;
547    
548     void setup (ptype type, int dst);
549     bool chk_config () const;
550 pcg 1.32
551     static u8 get_features ()
552     {
553     u8 f = 0;
554     #if ENABLE_COMPRESSION
555     f |= FEATURE_COMPRESSION;
556     #endif
557     #if ENABLE_ROHC
558     f |= FEATURE_ROHC;
559     #endif
560 pcg 1.59 #if ENABLE_BRIDGING
561     f |= FEATURE_BRIDGING;
562     #endif
563 pcg 1.32 return f;
564     }
565 pcg 1.1 };
566    
567     void config_packet::setup (ptype type, int dst)
568     {
569     prot_major = PROTOCOL_MAJOR;
570     prot_minor = PROTOCOL_MINOR;
571     randsize = RAND_SIZE;
572     hmaclen = HMACLENGTH;
573 pcg 1.48 flags = 0;
574 pcg 1.1 challengelen = sizeof (rsachallenge);
575 pcg 1.32 features = get_features ();
576 pcg 1.1
577     cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
578     digest_nid = htonl (EVP_MD_type (RSA_HASH));
579     hmac_nid = htonl (EVP_MD_type (DIGEST));
580    
581     len = sizeof (*this) - sizeof (net_packet);
582     set_hdr (type, dst);
583     }
584    
585     bool config_packet::chk_config () const
586     {
587 pcg 1.15 if (prot_major != PROTOCOL_MAJOR)
588 pcg 1.23 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
589 pcg 1.15 else if (randsize != RAND_SIZE)
590 pcg 1.23 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
591 pcg 1.15 else if (hmaclen != HMACLENGTH)
592 pcg 1.23 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
593 pcg 1.15 else if (challengelen != sizeof (rsachallenge))
594 pcg 1.23 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
595 pcg 1.15 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
596 pcg 1.23 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
597 pcg 1.15 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
598 pcg 1.23 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
599 pcg 1.15 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
600 pcg 1.23 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
601 pcg 1.15 else
602     return true;
603    
604     return false;
605 pcg 1.1 }
606    
607     struct auth_req_packet : config_packet
608     {
609     char magic[8];
610     u8 initiate; // false if this is just an automatic reply
611 pcg 1.28 u8 protocols; // supported protocols (will be patched on forward)
612 pcg 1.1 u8 pad2, pad3;
613     rsaid id;
614     rsaencrdata encr;
615    
616     auth_req_packet (int dst, bool initiate_, u8 protocols_)
617     {
618     config_packet::setup (PT_AUTH_REQ, dst);
619 pcg 1.85 strncpy (magic, MAGIC_OLD, 8);
620 pcg 1.1 initiate = !!initiate_;
621     protocols = protocols_;
622    
623     len = sizeof (*this) - sizeof (net_packet);
624     }
625     };
626    
627     struct auth_res_packet : config_packet
628     {
629     rsaid id;
630     u8 pad1, pad2, pad3;
631     u8 response_len; // encrypted length
632     rsaresponse response;
633    
634     auth_res_packet (int dst)
635     {
636     config_packet::setup (PT_AUTH_RES, dst);
637    
638     len = sizeof (*this) - sizeof (net_packet);
639     }
640     };
641    
642     struct connect_req_packet : vpn_packet
643     {
644     u8 id, protocols;
645     u8 pad1, pad2;
646    
647     connect_req_packet (int dst, int id_, u8 protocols_)
648     : id(id_)
649     , protocols(protocols_)
650     {
651     set_hdr (PT_CONNECT_REQ, dst);
652     len = sizeof (*this) - sizeof (net_packet);
653     }
654     };
655    
656     struct connect_info_packet : vpn_packet
657     {
658     u8 id, protocols;
659     u8 pad1, pad2;
660     sockinfo si;
661    
662     connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
663     : id(id_)
664     , protocols(protocols_)
665     , si(si_)
666     {
667     set_hdr (PT_CONNECT_INFO, dst);
668    
669     len = sizeof (*this) - sizeof (net_packet);
670     }
671     };
672    
673     /////////////////////////////////////////////////////////////////////////////
674    
675     void
676 pcg 1.10 connection::connection_established ()
677     {
678 pcg 1.79 slog (L_NOISE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
679 pcg 1.61
680 pcg 1.10 if (ictx && octx)
681     {
682 pcg 1.36 // make sure rekeying timeouts are slightly asymmetric
683 pcg 1.60 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
684     rekey.start (rekey_interval, rekey_interval);
685     keepalive.start (::conf.keepalive);
686 pcg 1.10
687     // send queued packets
688     if (ictx && octx)
689 pcg 1.12 {
690     while (tap_packet *p = (tap_packet *)data_queue.get ())
691     {
692 pcg 1.67 if (p->len) send_data_packet (p);
693 pcg 1.12 delete p;
694     }
695    
696     while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
697     {
698 pcg 1.67 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
699 pcg 1.12 delete p;
700     }
701     }
702 pcg 1.73
703     vpn->connection_established (this);
704 pcg 1.10 }
705     else
706     {
707     retry_cnt = 0;
708 pcg 1.60 establish_connection.start (5);
709 pcg 1.25 keepalive.stop ();
710     rekey.stop ();
711 pcg 1.10 }
712     }
713    
714     void
715 pcg 1.8 connection::reset_si ()
716 pcg 1.1 {
717 pcg 1.73 if (vpn->can_direct (THISNODE, conf))
718     protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
719     else
720 pcg 1.59 {
721 pcg 1.73 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
722 pcg 1.59 protocol = 0;
723     }
724 pcg 1.6
725     si.set (conf, protocol);
726 pcg 1.73
727     is_direct = si.valid ();
728 pcg 1.1 }
729    
730 pcg 1.8 // ensure sockinfo is valid, forward if necessary
731     const sockinfo &
732     connection::forward_si (const sockinfo &si) const
733     {
734     if (!si.valid ())
735     {
736 pcg 1.73 connection *r = vpn->find_router_for (this);
737 pcg 1.8
738     if (r)
739     {
740 pcg 1.73 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
741     conf->nodename, r->conf->nodename);
742 pcg 1.8 return r->si;
743     }
744     else
745 pcg 1.73 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
746 pcg 1.8 conf->nodename);
747     }
748    
749     return si;
750     }
751    
752 pcg 1.1 void
753 pcg 1.10 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
754     {
755 pcg 1.46 if (!vpn->send_vpn_packet (pkt, si, tos))
756 pcg 1.10 reset_connection ();
757     }
758    
759     void
760 pcg 1.1 connection::send_ping (const sockinfo &si, u8 pong)
761     {
762     ping_packet *pkt = new ping_packet;
763    
764     pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
765 pcg 1.73
766 pcg 1.79 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
767 pcg 1.73
768 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
769 pcg 1.1
770     delete pkt;
771     }
772    
773     void
774     connection::send_reset (const sockinfo &si)
775     {
776     if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
777     {
778     config_packet *pkt = new config_packet;
779    
780     pkt->setup (vpn_packet::PT_RESET, conf->id);
781 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_MINCOST);
782 pcg 1.1
783     delete pkt;
784     }
785     }
786    
787     void
788     connection::send_auth_request (const sockinfo &si, bool initiate)
789     {
790     auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
791    
792 pcg 1.6 rsachallenge chg;
793     rsa_cache.gen (pkt->id, chg);
794 pcg 1.24 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
795 pcg 1.1
796 pcg 1.81 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
797 pcg 1.1
798 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
799 pcg 1.1
800 pcg 1.6 delete pkt;
801 pcg 1.1 }
802    
803     void
804     connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
805     {
806     auth_res_packet *pkt = new auth_res_packet (conf->id);
807    
808     pkt->id = id;
809    
810     rsa_hash (id, chg, pkt->response);
811    
812     pkt->hmac_set (octx);
813    
814 pcg 1.80 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
815 pcg 1.1
816 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
817 pcg 1.1
818     delete pkt;
819     }
820    
821     void
822     connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
823     {
824 pcg 1.80 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s)", conf->nodename,
825 pcg 1.79 vpn->conns[rid - 1]->conf->nodename, (const char *)rsi);
826 pcg 1.1
827     connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
828    
829     r->hmac_set (octx);
830 pcg 1.10 send_vpn_packet (r, si);
831 pcg 1.1
832     delete r;
833     }
834    
835 pcg 1.66 inline void
836 pcg 1.60 connection::establish_connection_cb (ev::timer &w, int revents)
837 pcg 1.1 {
838 pcg 1.25 if (!ictx
839     && conf != THISNODE
840     && connectmode != conf_node::C_NEVER
841     && connectmode != conf_node::C_DISABLED
842 pcg 1.60 && !w.is_active ())
843 pcg 1.1 {
844 pcg 1.67 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
845     // and stop trying. should probably be handled by a per-connection expire handler.
846     if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
847     {
848     reset_connection ();
849     return;
850     }
851    
852 pcg 1.68 last_establish_attempt = ev_now ();
853    
854 pcg 1.60 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
855     ? (retry_cnt & 3) + 1
856     : 1 << (retry_cnt >> 2));
857 pcg 1.1
858 pcg 1.47 reset_si ();
859 pcg 1.1
860 pcg 1.47 bool slow = si.prot & PROT_SLOW;
861 pcg 1.8
862 pcg 1.73 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
863 pcg 1.60 {
864     /*TODO*/ /* start the timer so we don't recurse endlessly */
865     w.start (1);
866 pcg 1.74 vpn->send_connect_request (this);
867 pcg 1.60 }
868 pcg 1.8 else
869 pcg 1.1 {
870 pcg 1.73 if (si.valid ())
871     slog (L_DEBUG, _("%s: sending direct connection request to %s."),
872     conf->nodename, (const char *)si);
873 pcg 1.61
874 pcg 1.8 const sockinfo &dsi = forward_si (si);
875 pcg 1.6
876 pcg 1.47 slow = slow || (dsi.prot & PROT_SLOW);
877    
878 pcg 1.8 if (dsi.valid () && auth_rate_limiter.can (dsi))
879     {
880     if (retry_cnt < 4)
881     send_auth_request (dsi, true);
882     else
883     send_ping (dsi, 0);
884     }
885 pcg 1.1 }
886 pcg 1.47
887 pcg 1.68 retry_int *= slow ? 8. : 0.9;
888 pcg 1.47
889     if (retry_int < conf->max_retry)
890     retry_cnt++;
891     else
892     retry_int = conf->max_retry;
893    
894 pcg 1.60 w.start (retry_int);
895 pcg 1.1 }
896     }
897    
898     void
899     connection::reset_connection ()
900     {
901     if (ictx && octx)
902     {
903     slog (L_INFO, _("%s(%s): connection lost"),
904     conf->nodename, (const char *)si);
905    
906     if (::conf.script_node_down)
907 pcg 1.64 {
908 pcg 1.70 run_script_cb *cb = new run_script_cb;
909     cb->set<connection, &connection::script_node_down> (this);
910     run_script_queued (cb, _("node-down command execution failed, continuing."));
911 pcg 1.64 }
912 pcg 1.1 }
913    
914     delete ictx; ictx = 0;
915     delete octx; octx = 0;
916 pcg 1.44 #if ENABLE_DNS
917 pcg 1.45 dnsv4_reset_connection ();
918 pcg 1.44 #endif
919 pcg 1.1
920 pcg 1.38 si.host = 0;
921 pcg 1.1
922 pcg 1.73 last_activity = 0.;
923     //last_si_change = 0.;
924 pcg 1.1 retry_cnt = 0;
925    
926 pcg 1.25 rekey.stop ();
927     keepalive.stop ();
928     establish_connection.stop ();
929 pcg 1.1 }
930    
931     void
932     connection::shutdown ()
933     {
934     if (ictx && octx)
935     send_reset (si);
936    
937     reset_connection ();
938     }
939    
940 pcg 1.73 // poor-man's rekeying
941 pcg 1.66 inline void
942 pcg 1.60 connection::rekey_cb (ev::timer &w, int revents)
943 pcg 1.1 {
944     reset_connection ();
945     establish_connection ();
946     }
947    
948     void
949 pcg 1.21 connection::send_data_packet (tap_packet *pkt)
950 pcg 1.1 {
951     vpndata_packet *p = new vpndata_packet;
952     int tos = 0;
953    
954 pcg 1.12 // I am not hilarious about peeking into packets, but so be it.
955 pcg 1.21 if (conf->inherit_tos && pkt->is_ipv4 ())
956 pcg 1.1 tos = (*pkt)[15] & IPTOS_TOS_MASK;
957    
958 pcg 1.21 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
959 pcg 1.10 send_vpn_packet (p, si, tos);
960 pcg 1.1
961     delete p;
962    
963     if (oseqno > MAX_SEQNO)
964     rekey ();
965     }
966    
967     void
968 pcg 1.68 connection::post_inject_queue ()
969     {
970     // force a connection every now and when when packets are sent (max 1/s)
971     if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
972     establish_connection.stop ();
973    
974     establish_connection ();
975     }
976    
977     void
978     connection::inject_data_packet (tap_packet *pkt)
979 pcg 1.1 {
980     if (ictx && octx)
981 pcg 1.21 send_data_packet (pkt);
982 pcg 1.1 else
983     {
984 pcg 1.68 data_queue.put (new tap_packet (*pkt));
985     post_inject_queue ();
986 pcg 1.1 }
987     }
988    
989 pcg 1.8 void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
990     {
991     if (ictx && octx)
992 pcg 1.10 send_vpn_packet (pkt, si, tos);
993 pcg 1.8 else
994 pcg 1.12 {
995 pcg 1.28 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
996 pcg 1.68 post_inject_queue ();
997 pcg 1.12 }
998 pcg 1.8 }
999    
1000 pcg 1.1 void
1001     connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1002     {
1003 pcg 1.62 last_activity = ev_now ();
1004 pcg 1.1
1005 pcg 1.79 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
1006     conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1007 pcg 1.1
1008 pcg 1.61 if (connectmode == conf_node::C_DISABLED)
1009     return;
1010    
1011 pcg 1.1 switch (pkt->typ ())
1012     {
1013 pcg 1.3 case vpn_packet::PT_PING:
1014 pcg 1.79 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1015    
1016 pcg 1.3 // we send pings instead of auth packets after some retries,
1017     // so reset the retry counter and establish a connection
1018     // when we receive a ping.
1019     if (!ictx)
1020     {
1021     if (auth_rate_limiter.can (rsi))
1022     send_auth_request (rsi, true);
1023     }
1024     else
1025 pcg 1.73 // we would love to change thre socket address here, but ping's aren't
1026     // authenticated, so we best ignore it.
1027 pcg 1.3 send_ping (rsi, 1); // pong
1028    
1029     break;
1030    
1031     case vpn_packet::PT_PONG:
1032 pcg 1.79 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1033 pcg 1.3 break;
1034    
1035     case vpn_packet::PT_RESET:
1036 pcg 1.1 {
1037 pcg 1.3 reset_connection ();
1038    
1039     config_packet *p = (config_packet *) pkt;
1040    
1041     if (!p->chk_config ())
1042     {
1043 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
1044 pcg 1.3 conf->nodename, (const char *)rsi);
1045     connectmode = conf_node::C_DISABLED;
1046     }
1047     else if (connectmode == conf_node::C_ALWAYS)
1048     establish_connection ();
1049 pcg 1.1 }
1050 pcg 1.3 break;
1051    
1052     case vpn_packet::PT_AUTH_REQ:
1053     if (auth_rate_limiter.can (rsi))
1054     {
1055     auth_req_packet *p = (auth_req_packet *) pkt;
1056    
1057 pcg 1.81 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s)", conf->nodename, p->initiate ? "initiate" : "reply");
1058 pcg 1.1
1059 pcg 1.85 if (p->chk_config ()
1060     && (!strncmp (p->magic, MAGIC_OLD, 8) || !strncmp (p->magic, MAGIC, 8)))
1061 pcg 1.3 {
1062     if (p->prot_minor != PROTOCOL_MINOR)
1063     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1064     conf->nodename, (const char *)rsi,
1065     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1066    
1067     if (p->initiate)
1068     send_auth_request (rsi, false);
1069    
1070     rsachallenge k;
1071    
1072 pcg 1.24 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
1073 pcg 1.23 {
1074     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1075     conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1076     break;
1077     }
1078 pcg 1.3 else
1079     {
1080     delete octx;
1081 pcg 1.1
1082 pcg 1.3 octx = new crypto_ctx (k, 1);
1083     oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
1084 pcg 1.1
1085 pcg 1.3 conf->protocols = p->protocols;
1086 pcg 1.32 features = p->features & config_packet::get_features ();
1087 pcg 1.10
1088 pcg 1.3 send_auth_response (rsi, p->id, k);
1089    
1090 pcg 1.10 connection_established ();
1091    
1092 pcg 1.3 break;
1093     }
1094     }
1095 pcg 1.15 else
1096 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch."),
1097 pcg 1.15 conf->nodename, (const char *)rsi);
1098 pcg 1.3
1099     send_reset (rsi);
1100 pcg 1.1 }
1101    
1102 pcg 1.3 break;
1103    
1104     case vpn_packet::PT_AUTH_RES:
1105 pcg 1.1 {
1106 pcg 1.79 auth_res_packet *p = (auth_res_packet *)pkt;
1107 pcg 1.1
1108 pcg 1.81 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
1109 pcg 1.1
1110 pcg 1.3 if (p->chk_config ())
1111 pcg 1.1 {
1112     if (p->prot_minor != PROTOCOL_MINOR)
1113     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1114     conf->nodename, (const char *)rsi,
1115     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1116    
1117 pcg 1.3 rsachallenge chg;
1118 pcg 1.1
1119 pcg 1.3 if (!rsa_cache.find (p->id, chg))
1120 pcg 1.13 {
1121 pcg 1.73 slog (L_ERR, _("%s(%s): unrequested auth response, ignoring."),
1122 pcg 1.13 conf->nodename, (const char *)rsi);
1123     break;
1124     }
1125 pcg 1.1 else
1126     {
1127 pcg 1.3 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1128    
1129     if (!p->hmac_chk (cctx))
1130 pcg 1.18 {
1131     slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1132 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1133 pcg 1.18 conf->nodename, (const char *)rsi);
1134     break;
1135     }
1136 pcg 1.3 else
1137     {
1138     rsaresponse h;
1139    
1140     rsa_hash (p->id, chg, h);
1141    
1142     if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
1143     {
1144     prot_minor = p->prot_minor;
1145    
1146     delete ictx; ictx = cctx;
1147    
1148     iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1149    
1150     si = rsi;
1151 pcg 1.7 protocol = rsi.prot;
1152 pcg 1.3
1153 pcg 1.76 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
1154 pcg 1.3 conf->nodename, (const char *)rsi,
1155 pcg 1.82 is_direct ? "direct" : "forwarded",
1156 pcg 1.3 p->prot_major, p->prot_minor);
1157 pcg 1.1
1158 pcg 1.73 connection_established ();
1159    
1160 pcg 1.3 if (::conf.script_node_up)
1161 pcg 1.64 {
1162 pcg 1.70 run_script_cb *cb = new run_script_cb;
1163     cb->set<connection, &connection::script_node_up> (this);
1164     run_script_queued (cb, _("node-up command execution failed, continuing."));
1165 pcg 1.64 }
1166 pcg 1.1
1167 pcg 1.3 break;
1168     }
1169     else
1170 pcg 1.73 slog (L_ERR, _("%s(%s): sent and received challenge do not match."),
1171 pcg 1.3 conf->nodename, (const char *)rsi);
1172     }
1173 pcg 1.1
1174 pcg 1.3 delete cctx;
1175 pcg 1.1 }
1176     }
1177     }
1178    
1179 pcg 1.3 send_reset (rsi);
1180     break;
1181 pcg 1.1
1182 pcg 1.3 case vpn_packet::PT_DATA_COMPRESSED:
1183     #if !ENABLE_COMPRESSION
1184     send_reset (rsi);
1185     break;
1186     #endif
1187 pcg 1.1
1188 pcg 1.3 case vpn_packet::PT_DATA_UNCOMPRESSED:
1189 pcg 1.1
1190 pcg 1.3 if (ictx && octx)
1191 pcg 1.1 {
1192 pcg 1.3 vpndata_packet *p = (vpndata_packet *)pkt;
1193 pcg 1.1
1194 pcg 1.10 if (!p->hmac_chk (ictx))
1195     slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1196 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1197 pcg 1.10 conf->nodename, (const char *)rsi);
1198     else
1199 pcg 1.1 {
1200 pcg 1.10 u32 seqno;
1201     tap_packet *d = p->unpack (this, seqno);
1202 pcg 1.73 int seqclass = iseqno.seqno_classify (seqno);
1203 pcg 1.10
1204 pcg 1.73 if (seqclass == 0) // ok
1205 pcg 1.1 {
1206 pcg 1.10 vpn->tap->send (d);
1207 pcg 1.1
1208 pcg 1.10 if (si != rsi)
1209 pcg 1.1 {
1210 pcg 1.56 // fast re-sync on source address changes, useful especially for tcp/ip
1211 pcg 1.73 //if (last_si_change < ev_now () + 5.)
1212     // {
1213 pcg 1.78 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1214     conf->nodename, (const char *)si, (const char *)rsi);
1215    
1216 pcg 1.73 si = rsi;
1217 pcg 1.84
1218     if (::conf.script_node_change)
1219     {
1220     run_script_cb *cb = new run_script_cb;
1221     cb->set<connection, &connection::script_node_change> (this);
1222     run_script_queued (cb, _("node-change command execution failed, continuing."));
1223     }
1224    
1225 pcg 1.73 // }
1226     //else
1227     // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1228     // conf->nodename, (const char *)si, (const char *)rsi);
1229 pcg 1.10 }
1230 pcg 1.32 }
1231 pcg 1.75 else if (seqclass == 1) // far history
1232     slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1233     "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1234     else if (seqclass == 2) // in-window duplicate, happens often on wireless
1235     slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1236     "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1237     else if (seqclass == 3) // reset
1238 pcg 1.73 {
1239 pcg 1.75 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1240     "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1241 pcg 1.73 send_reset (rsi);
1242     }
1243 pcg 1.3
1244 pcg 1.32 delete d;
1245     break;
1246 pcg 1.1 }
1247     }
1248    
1249 pcg 1.3 send_reset (rsi);
1250     break;
1251 pcg 1.1
1252 pcg 1.3 case vpn_packet::PT_CONNECT_REQ:
1253     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1254     {
1255 pcg 1.84 connect_req_packet *p = (connect_req_packet *)pkt;
1256 pcg 1.1
1257 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1258     {
1259     connection *c = vpn->conns[p->id - 1];
1260     conf->protocols = p->protocols;
1261 pcg 1.1
1262 pcg 1.81 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s) [%d]",
1263 pcg 1.79 conf->nodename, vpn->conns[p->id - 1]->conf->nodename, c->ictx && c->octx);
1264 pcg 1.1
1265 pcg 1.57 if (c->ictx && c->octx)
1266     {
1267     // send connect_info packets to both sides, in case one is
1268     // behind a nat firewall (or both ;)
1269     c->send_connect_info (conf->id, si, conf->protocols);
1270     send_connect_info (c->conf->id, c->si, c->conf->protocols);
1271     }
1272     else
1273     c->establish_connection ();
1274 pcg 1.3 }
1275 pcg 1.11 else
1276 pcg 1.57 slog (L_WARN,
1277     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1278     p->id);
1279 pcg 1.3 }
1280 pcg 1.1
1281 pcg 1.3 break;
1282 pcg 1.1
1283 pcg 1.3 case vpn_packet::PT_CONNECT_INFO:
1284     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1285     {
1286 pcg 1.39 connect_info_packet *p = (connect_info_packet *)pkt;
1287 pcg 1.1
1288 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1289 pcg 1.39 {
1290     connection *c = vpn->conns[p->id - 1];
1291 pcg 1.7
1292 pcg 1.39 c->conf->protocols = p->protocols;
1293     protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1294     p->si.upgrade_protocol (protocol, c->conf);
1295 pcg 1.1
1296 pcg 1.81 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s) [%d]",
1297 pcg 1.79 conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1298     (const char *)p->si, !c->ictx && !c->octx);
1299 pcg 1.7
1300 pcg 1.39 const sockinfo &dsi = forward_si (p->si);
1301 pcg 1.1
1302 pcg 1.39 if (dsi.valid ())
1303     c->send_auth_request (dsi, true);
1304     }
1305 pcg 1.57 else
1306     slog (L_WARN,
1307     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1308     p->id);
1309 pcg 1.3 }
1310 pcg 1.1
1311 pcg 1.3 break;
1312 pcg 1.1
1313 pcg 1.3 default:
1314     send_reset (rsi);
1315     break;
1316 pcg 1.1 }
1317     }
1318    
1319 pcg 1.66 inline void
1320     connection::keepalive_cb (ev::timer &w, int revents)
1321 pcg 1.1 {
1322 pcg 1.83 if (ev_now () >= last_activity + ::conf.keepalive + 15)
1323 pcg 1.1 {
1324     reset_connection ();
1325     establish_connection ();
1326     }
1327 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive)
1328 pcg 1.60 w.start (last_activity + ::conf.keepalive - ev::now ());
1329 pcg 1.1 else if (conf->connectmode != conf_node::C_ONDEMAND
1330     || THISNODE->connectmode != conf_node::C_ONDEMAND)
1331     {
1332     send_ping (si);
1333 pcg 1.83 w.start (3);
1334 pcg 1.1 }
1335 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1336 pcg 1.12 // hold ondemand connections implicitly a few seconds longer
1337     // should delete octx, though, or something like that ;)
1338 pcg 1.60 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1339 pcg 1.1 else
1340     reset_connection ();
1341     }
1342    
1343 pcg 1.10 void connection::send_connect_request (int id)
1344 pcg 1.1 {
1345     connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1346    
1347 pcg 1.81 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s)",
1348 pcg 1.79 conf->nodename, vpn->conns[id - 1]->conf->nodename);
1349 pcg 1.1 p->hmac_set (octx);
1350 pcg 1.10 send_vpn_packet (p, si);
1351 pcg 1.1
1352     delete p;
1353     }
1354    
1355 pcg 1.53 void connection::script_init_env (const char *ext)
1356     {
1357     char *env;
1358     asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1359 pcg 1.84 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1360 pcg 1.53 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1361     0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1362 pcg 1.84 conf->id & 0xff); putenv (env);
1363 pcg 1.53 }
1364    
1365     void connection::script_init_connect_env ()
1366 pcg 1.1 {
1367 pcg 1.52 vpn->script_init_env ();
1368 pcg 1.1
1369     char *env;
1370 pcg 1.84 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1371     asprintf (&env, "DESTSI=%s", (const char *)si); putenv (env);
1372     asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1373     asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1374     asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1375 pcg 1.1 }
1376    
1377 pcg 1.66 inline const char *
1378     connection::script_node_up ()
1379 pcg 1.1 {
1380 pcg 1.53 script_init_connect_env ();
1381 pcg 1.1
1382 pcg 1.60 putenv ((char *)"STATE=up");
1383 pcg 1.1
1384 pcg 1.52 char *filename;
1385     asprintf (&filename,
1386     "%s/%s",
1387     confbase,
1388     ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1389 pcg 1.54
1390     return filename;
1391 pcg 1.1 }
1392    
1393 pcg 1.66 inline const char *
1394 pcg 1.84 connection::script_node_change ()
1395     {
1396     script_init_connect_env ();
1397    
1398     putenv ((char *)"STATE=change");
1399    
1400     char *filename;
1401     asprintf (&filename,
1402     "%s/%s",
1403     confbase,
1404     ::conf.script_node_change ? ::conf.script_node_change : "node-change");
1405    
1406     return filename;
1407     }
1408    
1409     inline const char *
1410 pcg 1.66 connection::script_node_down ()
1411 pcg 1.1 {
1412 pcg 1.53 script_init_connect_env ();
1413 pcg 1.1
1414 pcg 1.60 putenv ((char *)"STATE=down");
1415 pcg 1.1
1416 pcg 1.52 char *filename;
1417     asprintf (&filename,
1418     "%s/%s",
1419     confbase,
1420     ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1421 pcg 1.54
1422     return filename;
1423 pcg 1.1 }
1424    
1425 pcg 1.40 connection::connection (struct vpn *vpn, conf_node *conf)
1426 pcg 1.67 : vpn(vpn), conf(conf),
1427 pcg 1.40 #if ENABLE_DNS
1428 pcg 1.67 dns (0),
1429 pcg 1.40 #endif
1430 pcg 1.72 data_queue(conf->max_ttl, conf->max_queue + 1),
1431     vpn_queue(conf->max_ttl, conf->max_queue + 1)
1432 pcg 1.1 {
1433 pcg 1.65 rekey .set<connection, &connection::rekey_cb > (this);
1434     keepalive .set<connection, &connection::keepalive_cb > (this);
1435     establish_connection.set<connection, &connection::establish_connection_cb> (this);
1436    
1437 pcg 1.68 last_establish_attempt = 0.;
1438 pcg 1.1 octx = ictx = 0;
1439    
1440 pcg 1.40 if (!conf->protocols) // make sure some protocol is enabled
1441     conf->protocols = PROT_UDPv4;
1442    
1443 pcg 1.67 connectmode = conf->connectmode;
1444    
1445     // queue a dummy packet to force an initial connection attempt
1446     if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1447 pcg 1.68 vpn_queue.put (new net_packet);
1448 pcg 1.67
1449 pcg 1.1 reset_connection ();
1450     }
1451    
1452     connection::~connection ()
1453     {
1454     shutdown ();
1455     }
1456    
1457     void connection_init ()
1458     {
1459     auth_rate_limiter.clear ();
1460     reset_rate_limiter.clear ();
1461     }
1462