ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
Revision: 1.89
Committed: Thu Dec 2 08:15:09 2010 UTC (13 years, 5 months ago) by root
Content type: text/plain
Branch: MAIN
Changes since 1.88: +6 -2 lines
Log Message: 
*** empty log message ***

File Contents

# User Rev Content
1 pcg 1.1 /*
2     connection.C -- manage a single connection
3 root 1.88 Copyright (C) 2003-2008,2010 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.42 This file is part of GVPE.
6    
7 pcg 1.69 GVPE is free software; you can redistribute it and/or modify it
8     under the terms of the GNU General Public License as published by the
9     Free Software Foundation; either version 3 of the License, or (at your
10     option) any later version.
11    
12     This program is distributed in the hope that it will be useful, but
13     WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15     Public License for more details.
16    
17     You should have received a copy of the GNU General Public License along
18     with this program; if not, see <http://www.gnu.org/licenses/>.
19    
20     Additional permission under GNU GPL version 3 section 7
21    
22     If you modify this Program, or any covered work, by linking or
23     combining it with the OpenSSL project's OpenSSL library (or a modified
24     version of that library), containing parts covered by the terms of the
25     OpenSSL or SSLeay licenses, the licensors of this Program grant you
26     additional permission to convey the resulting work. Corresponding
27     Source for a non-source form of such a combination shall include the
28     source code for the parts of OpenSSL used as well as that of the
29     covered work.
30 pcg 1.1 */
31    
32     #include "config.h"
33    
34     #include <list>
35 pcg 1.70 #include <queue>
36     #include <utility>
37 pcg 1.1
38 pcg 1.2 #include <openssl/rand.h>
39     #include <openssl/evp.h>
40     #include <openssl/rsa.h>
41     #include <openssl/err.h>
42    
43 pcg 1.1 #include "conf.h"
44     #include "slog.h"
45     #include "device.h"
46 pcg 1.2 #include "vpn.h"
47 pcg 1.1 #include "connection.h"
48    
49 pcg 1.20 #include "netcompat.h"
50 pcg 1.19
51 pcg 1.1 #if !HAVE_RAND_PSEUDO_BYTES
52     # define RAND_pseudo_bytes RAND_bytes
53     #endif
54    
55 pcg 1.85 #define MAGIC_OLD "vped\xbd\xc6\xdb\x82" // 8 bytes of magic (still used in the protocol)
56     #define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic (understood but not generated)
57 pcg 1.30
58     #define ULTRA_FAST 1
59     #define HLOG 15
60     #include "lzf/lzf.h"
61     #include "lzf/lzf_c.c"
62     #include "lzf/lzf_d.c"
63 pcg 1.1
64 pcg 1.70 //////////////////////////////////////////////////////////////////////////////
65    
66     static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
67     static ev::child rs_child_ev;
68    
69     void // c++ requires external linkage here, apparently :(
70     rs_child_cb (ev::child &w, int revents)
71     {
72     w.stop ();
73    
74     if (rs_queue.empty ())
75     return;
76    
77     pid_t pid = run_script (*rs_queue.front ().first, false);
78     if (pid)
79     {
80     w.set (pid);
81     w.start ();
82     }
83     else
84     slog (L_WARN, rs_queue.front ().second);
85    
86     delete rs_queue.front ().first;
87     rs_queue.pop ();
88     }
89    
90     // despite the fancy name, this is quite a hack
91     static void
92     run_script_queued (run_script_cb *cb, const char *warnmsg)
93     {
94     rs_queue.push (std::make_pair (cb, warnmsg));
95    
96     if (!rs_child_ev.is_active ())
97     {
98     rs_child_ev.set<rs_child_cb> ();
99     rs_child_ev ();
100     }
101     }
102    
103     //////////////////////////////////////////////////////////////////////////////
104    
105 pcg 1.1 struct crypto_ctx
106     {
107     EVP_CIPHER_CTX cctx;
108     HMAC_CTX hctx;
109    
110     crypto_ctx (const rsachallenge &challenge, int enc);
111     ~crypto_ctx ();
112     };
113    
114     crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
115     {
116     EVP_CIPHER_CTX_init (&cctx);
117 pcg 1.29 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
118 pcg 1.1 HMAC_CTX_init (&hctx);
119     HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
120     }
121    
122     crypto_ctx::~crypto_ctx ()
123     {
124 pcg 1.29 require (EVP_CIPHER_CTX_cleanup (&cctx));
125 pcg 1.1 HMAC_CTX_cleanup (&hctx);
126     }
127    
128     static void
129     rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
130     {
131     EVP_MD_CTX ctx;
132    
133     EVP_MD_CTX_init (&ctx);
134 pcg 1.29 require (EVP_DigestInit (&ctx, RSA_HASH));
135     require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
136     require (EVP_DigestUpdate(&ctx, &id, sizeof id));
137     require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
138 pcg 1.1 EVP_MD_CTX_cleanup (&ctx);
139     }
140    
141 pcg 1.63 struct rsa_entry
142     {
143 pcg 1.1 tstamp expire;
144     rsaid id;
145     rsachallenge chg;
146     };
147    
148     struct rsa_cache : list<rsa_entry>
149     {
150 pcg 1.66 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
151 pcg 1.1
152     bool find (const rsaid &id, rsachallenge &chg)
153 pcg 1.51 {
154     for (iterator i = begin (); i != end (); ++i)
155     {
156 pcg 1.62 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
157 pcg 1.51 {
158     memcpy (&chg, &i->chg, sizeof chg);
159 pcg 1.1
160 pcg 1.51 erase (i);
161     return true;
162     }
163     }
164 pcg 1.1
165 pcg 1.60 if (!cleaner.is_active ())
166     cleaner.again ();
167 pcg 1.1
168 pcg 1.51 return false;
169     }
170 pcg 1.1
171     void gen (rsaid &id, rsachallenge &chg)
172 pcg 1.51 {
173     rsa_entry e;
174 pcg 1.1
175 pcg 1.51 RAND_bytes ((unsigned char *)&id, sizeof id);
176     RAND_bytes ((unsigned char *)&chg, sizeof chg);
177 pcg 1.1
178 pcg 1.62 e.expire = ev_now () + RSA_TTL;
179 pcg 1.51 e.id = id;
180     memcpy (&e.chg, &chg, sizeof chg);
181 pcg 1.1
182 pcg 1.51 push_back (e);
183 pcg 1.1
184 pcg 1.60 if (!cleaner.is_active ())
185     cleaner.again ();
186 pcg 1.51 }
187 pcg 1.1
188     rsa_cache ()
189 pcg 1.60 {
190 pcg 1.65 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
191 pcg 1.60 cleaner.set (RSA_TTL, RSA_TTL);
192     }
193 pcg 1.1
194     } rsa_cache;
195    
196 pcg 1.60 void rsa_cache::cleaner_cb (ev::timer &w, int revents)
197 pcg 1.1 {
198 pcg 1.60 if (empty ())
199     w.stop ();
200     else
201 pcg 1.1 {
202     for (iterator i = begin (); i != end (); )
203 pcg 1.62 if (i->expire <= ev_now ())
204 pcg 1.1 i = erase (i);
205     else
206     ++i;
207     }
208     }
209    
210     //////////////////////////////////////////////////////////////////////////////
211    
212 pcg 1.67 pkt_queue::pkt_queue (double max_ttl, int max_queue)
213     : max_ttl (max_ttl), max_queue (max_queue)
214 pcg 1.1 {
215 pcg 1.67 queue = new pkt [max_queue];
216    
217     i = 0;
218     j = 0;
219    
220     expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
221     }
222 pcg 1.1
223 pcg 1.67 pkt_queue::~pkt_queue ()
224     {
225     while (net_packet *p = get ())
226     delete p;
227 pcg 1.1
228 pcg 1.67 delete [] queue;
229 pcg 1.1 }
230    
231 pcg 1.67 void pkt_queue::expire_cb (ev::timer &w, int revents)
232 pcg 1.1 {
233 pcg 1.67 ev_tstamp expire = ev_now () - max_ttl;
234 pcg 1.1
235 pcg 1.67 for (;;)
236 pcg 1.1 {
237 pcg 1.67 if (empty ())
238     break;
239    
240     double diff = queue[j].tstamp - expire;
241    
242     if (diff >= 0.)
243     {
244     w.start (diff > 0.5 ? diff : 0.5);
245     break;
246     }
247    
248     delete get ();
249 pcg 1.1 }
250     }
251    
252 pcg 1.67 void pkt_queue::put (net_packet *p)
253 pcg 1.1 {
254 pcg 1.67 ev_tstamp now = ev_now ();
255    
256     // start expiry timer
257     if (empty ())
258     expire.start (max_ttl);
259    
260     int ni = i + 1 == max_queue ? 0 : i + 1;
261    
262     if (ni == j)
263     delete get ();
264    
265     queue[i].pkt = p;
266     queue[i].tstamp = now;
267    
268     i = ni;
269 pcg 1.1 }
270    
271 pcg 1.67 net_packet *pkt_queue::get ()
272 pcg 1.1 {
273 pcg 1.67 if (empty ())
274     return 0;
275    
276     net_packet *p = queue[j].pkt;
277     queue[j].pkt = 0;
278    
279     j = j + 1 == max_queue ? 0 : j + 1;
280    
281     return p;
282 pcg 1.1 }
283    
284 pcg 1.63 struct net_rateinfo
285     {
286 pcg 1.1 u32 host;
287     double pcnt, diff;
288     tstamp last;
289     };
290    
291     // only do action once every x seconds per host whole allowing bursts.
292     // this implementation ("splay list" ;) is inefficient,
293     // but low on resources.
294     struct net_rate_limiter : list<net_rateinfo>
295     {
296 pcg 1.35 # define NRL_ALPHA (1. - 1. / 600.) // allow bursts
297     # define NRL_CUTOFF 10. // one event every CUTOFF seconds
298     # define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
299     # define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
300 pcg 1.1
301 pcg 1.16 bool can (const sockinfo &si) { return can((u32)si.host); }
302 pcg 1.1 bool can (u32 host);
303     };
304    
305     net_rate_limiter auth_rate_limiter, reset_rate_limiter;
306    
307     bool net_rate_limiter::can (u32 host)
308     {
309     iterator i;
310    
311     for (i = begin (); i != end (); )
312     if (i->host == host)
313     break;
314 pcg 1.62 else if (i->last < ev_now () - NRL_EXPIRE)
315 pcg 1.1 i = erase (i);
316     else
317     i++;
318    
319     if (i == end ())
320     {
321     net_rateinfo ri;
322    
323     ri.host = host;
324     ri.pcnt = 1.;
325 pcg 1.34 ri.diff = NRL_MAXDIF;
326 pcg 1.62 ri.last = ev_now ();
327 pcg 1.1
328     push_front (ri);
329    
330     return true;
331     }
332     else
333     {
334     net_rateinfo ri (*i);
335     erase (i);
336    
337 pcg 1.34 ri.pcnt = ri.pcnt * NRL_ALPHA;
338 pcg 1.62 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
339 pcg 1.1
340 pcg 1.62 ri.last = ev_now ();
341 pcg 1.1
342 pcg 1.10 double dif = ri.diff / ri.pcnt;
343 pcg 1.1
344 pcg 1.34 bool send = dif > NRL_CUTOFF;
345 pcg 1.10
346 pcg 1.34 if (dif > NRL_MAXDIF)
347 pcg 1.10 {
348     ri.pcnt = 1.;
349 pcg 1.34 ri.diff = NRL_MAXDIF;
350 pcg 1.10 }
351     else if (send)
352 pcg 1.1 ri.pcnt++;
353    
354     push_front (ri);
355    
356     return send;
357     }
358     }
359    
360     /////////////////////////////////////////////////////////////////////////////
361    
362     unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
363    
364     void hmac_packet::hmac_gen (crypto_ctx *ctx)
365     {
366     unsigned int xlen;
367    
368     HMAC_CTX *hctx = &ctx->hctx;
369    
370     HMAC_Init_ex (hctx, 0, 0, 0, 0);
371     HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
372     len - sizeof (hmac_packet));
373     HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
374     }
375    
376     void
377     hmac_packet::hmac_set (crypto_ctx *ctx)
378     {
379     hmac_gen (ctx);
380    
381     memcpy (hmac, hmac_digest, HMACLENGTH);
382     }
383    
384     bool
385     hmac_packet::hmac_chk (crypto_ctx *ctx)
386     {
387     hmac_gen (ctx);
388    
389     return !memcmp (hmac, hmac_digest, HMACLENGTH);
390     }
391    
392 pcg 1.6 void vpn_packet::set_hdr (ptype type_, unsigned int dst)
393 pcg 1.1 {
394 pcg 1.6 type = type_;
395 pcg 1.1
396     int src = THISNODE->id;
397    
398     src1 = src;
399     srcdst = ((src >> 8) << 4) | (dst >> 8);
400     dst1 = dst;
401     }
402    
403     #define MAXVPNDATA (MAX_MTU - 6 - 6)
404     #define DATAHDR (sizeof (u32) + RAND_SIZE)
405    
406 pcg 1.28 struct vpndata_packet : vpn_packet
407 pcg 1.1 {
408     u8 data[MAXVPNDATA + DATAHDR]; // seqno
409    
410     void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
411     tap_packet *unpack (connection *conn, u32 &seqno);
412     private:
413    
414     const u32 data_hdr_size () const
415     {
416     return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
417     }
418     };
419    
420     void
421     vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
422     {
423     EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
424     int outl = 0, outl2;
425     ptype type = PT_DATA_UNCOMPRESSED;
426    
427     #if ENABLE_COMPRESSION
428     u8 cdata[MAX_MTU];
429    
430 pcg 1.86 if (conn->features & FEATURE_COMPRESSION)
431 pcg 1.1 {
432 pcg 1.31 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
433 pcg 1.1
434 pcg 1.31 if (cl)
435     {
436     type = PT_DATA_COMPRESSED;
437     d = cdata;
438     l = cl + 2;
439    
440     d[0] = cl >> 8;
441     d[1] = cl;
442     }
443 pcg 1.1 }
444     #endif
445    
446 pcg 1.29 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
447 pcg 1.1
448     struct {
449     #if RAND_SIZE
450     u8 rnd[RAND_SIZE];
451     #endif
452     u32 seqno;
453     } datahdr;
454    
455     datahdr.seqno = ntohl (seqno);
456     #if RAND_SIZE
457     RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
458     #endif
459    
460 pcg 1.29 require (EVP_EncryptUpdate (cctx,
461 pcg 1.1 (unsigned char *) data + outl, &outl2,
462 pcg 1.29 (unsigned char *) &datahdr, DATAHDR));
463 pcg 1.1 outl += outl2;
464    
465 pcg 1.29 require (EVP_EncryptUpdate (cctx,
466 pcg 1.1 (unsigned char *) data + outl, &outl2,
467 pcg 1.29 (unsigned char *) d, l));
468 pcg 1.1 outl += outl2;
469    
470 pcg 1.29 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
471 pcg 1.1 outl += outl2;
472    
473     len = outl + data_hdr_size ();
474    
475     set_hdr (type, dst);
476    
477     hmac_set (conn->octx);
478     }
479    
480     tap_packet *
481     vpndata_packet::unpack (connection *conn, u32 &seqno)
482     {
483     EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
484     int outl = 0, outl2;
485     tap_packet *p = new tap_packet;
486     u8 *d;
487     u32 l = len - data_hdr_size ();
488    
489 pcg 1.29 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
490 pcg 1.1
491     #if ENABLE_COMPRESSION
492     u8 cdata[MAX_MTU];
493    
494     if (type == PT_DATA_COMPRESSED)
495     d = cdata;
496     else
497     #endif
498     d = &(*p)[6 + 6 - DATAHDR];
499    
500     /* this overwrites part of the src mac, but we fix that later */
501 pcg 1.29 require (EVP_DecryptUpdate (cctx,
502 pcg 1.1 d, &outl2,
503 pcg 1.29 (unsigned char *)&data, len - data_hdr_size ()));
504 pcg 1.1 outl += outl2;
505    
506 pcg 1.29 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
507 pcg 1.1 outl += outl2;
508    
509     seqno = ntohl (*(u32 *)(d + RAND_SIZE));
510    
511     id2mac (dst () ? dst() : THISNODE->id, p->dst);
512     id2mac (src (), p->src);
513    
514     #if ENABLE_COMPRESSION
515     if (type == PT_DATA_COMPRESSED)
516     {
517     u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
518    
519     p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
520     &(*p)[6 + 6], MAX_MTU)
521     + 6 + 6;
522     }
523     else
524     p->len = outl + (6 + 6 - DATAHDR);
525     #endif
526    
527     return p;
528     }
529    
530     struct ping_packet : vpn_packet
531     {
532     void setup (int dst, ptype type)
533     {
534     set_hdr (type, dst);
535     len = sizeof (*this) - sizeof (net_packet);
536     }
537     };
538    
539     struct config_packet : vpn_packet
540     {
541     // actually, hmaclen cannot be checked because the hmac
542     // field comes before this data, so peers with other
543     // hmacs simply will not work.
544     u8 prot_major, prot_minor, randsize, hmaclen;
545 pcg 1.31 u8 flags, challengelen, features, pad3;
546 pcg 1.1 u32 cipher_nid, digest_nid, hmac_nid;
547    
548     void setup (ptype type, int dst);
549     bool chk_config () const;
550 pcg 1.32
551     static u8 get_features ()
552     {
553     u8 f = 0;
554     #if ENABLE_COMPRESSION
555     f |= FEATURE_COMPRESSION;
556     #endif
557     #if ENABLE_ROHC
558     f |= FEATURE_ROHC;
559     #endif
560 pcg 1.59 #if ENABLE_BRIDGING
561     f |= FEATURE_BRIDGING;
562     #endif
563 pcg 1.32 return f;
564     }
565 pcg 1.1 };
566    
567     void config_packet::setup (ptype type, int dst)
568     {
569     prot_major = PROTOCOL_MAJOR;
570     prot_minor = PROTOCOL_MINOR;
571     randsize = RAND_SIZE;
572     hmaclen = HMACLENGTH;
573 pcg 1.48 flags = 0;
574 pcg 1.1 challengelen = sizeof (rsachallenge);
575 pcg 1.32 features = get_features ();
576 pcg 1.1
577     cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
578     digest_nid = htonl (EVP_MD_type (RSA_HASH));
579     hmac_nid = htonl (EVP_MD_type (DIGEST));
580    
581     len = sizeof (*this) - sizeof (net_packet);
582     set_hdr (type, dst);
583     }
584    
585     bool config_packet::chk_config () const
586     {
587 pcg 1.15 if (prot_major != PROTOCOL_MAJOR)
588 pcg 1.23 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
589 pcg 1.15 else if (randsize != RAND_SIZE)
590 pcg 1.23 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
591 pcg 1.15 else if (hmaclen != HMACLENGTH)
592 pcg 1.23 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
593 pcg 1.15 else if (challengelen != sizeof (rsachallenge))
594 pcg 1.23 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
595 pcg 1.15 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
596 pcg 1.23 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
597 pcg 1.15 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
598 pcg 1.23 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
599 pcg 1.15 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
600 pcg 1.23 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
601 pcg 1.15 else
602     return true;
603    
604     return false;
605 pcg 1.1 }
606    
607     struct auth_req_packet : config_packet
608     {
609     char magic[8];
610     u8 initiate; // false if this is just an automatic reply
611 pcg 1.28 u8 protocols; // supported protocols (will be patched on forward)
612 pcg 1.1 u8 pad2, pad3;
613     rsaid id;
614     rsaencrdata encr;
615    
616     auth_req_packet (int dst, bool initiate_, u8 protocols_)
617     {
618     config_packet::setup (PT_AUTH_REQ, dst);
619 pcg 1.85 strncpy (magic, MAGIC_OLD, 8);
620 pcg 1.1 initiate = !!initiate_;
621     protocols = protocols_;
622    
623     len = sizeof (*this) - sizeof (net_packet);
624     }
625     };
626    
627     struct auth_res_packet : config_packet
628     {
629     rsaid id;
630     u8 pad1, pad2, pad3;
631     u8 response_len; // encrypted length
632     rsaresponse response;
633    
634     auth_res_packet (int dst)
635     {
636     config_packet::setup (PT_AUTH_RES, dst);
637    
638     len = sizeof (*this) - sizeof (net_packet);
639     }
640     };
641    
642     struct connect_req_packet : vpn_packet
643     {
644     u8 id, protocols;
645     u8 pad1, pad2;
646    
647     connect_req_packet (int dst, int id_, u8 protocols_)
648     : id(id_)
649     , protocols(protocols_)
650     {
651     set_hdr (PT_CONNECT_REQ, dst);
652     len = sizeof (*this) - sizeof (net_packet);
653     }
654     };
655    
656     struct connect_info_packet : vpn_packet
657     {
658     u8 id, protocols;
659     u8 pad1, pad2;
660     sockinfo si;
661    
662     connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
663     : id(id_)
664     , protocols(protocols_)
665     , si(si_)
666     {
667     set_hdr (PT_CONNECT_INFO, dst);
668    
669     len = sizeof (*this) - sizeof (net_packet);
670     }
671     };
672    
673     /////////////////////////////////////////////////////////////////////////////
674    
675     void
676 pcg 1.10 connection::connection_established ()
677     {
678 pcg 1.79 slog (L_NOISE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
679 pcg 1.61
680 pcg 1.10 if (ictx && octx)
681     {
682 pcg 1.36 // make sure rekeying timeouts are slightly asymmetric
683 pcg 1.60 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
684     rekey.start (rekey_interval, rekey_interval);
685     keepalive.start (::conf.keepalive);
686 pcg 1.10
687     // send queued packets
688     if (ictx && octx)
689 pcg 1.12 {
690     while (tap_packet *p = (tap_packet *)data_queue.get ())
691     {
692 pcg 1.67 if (p->len) send_data_packet (p);
693 pcg 1.12 delete p;
694     }
695    
696     while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
697     {
698 pcg 1.67 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
699 pcg 1.12 delete p;
700     }
701     }
702 pcg 1.73
703     vpn->connection_established (this);
704 pcg 1.10 }
705     else
706     {
707     retry_cnt = 0;
708 pcg 1.60 establish_connection.start (5);
709 pcg 1.25 keepalive.stop ();
710     rekey.stop ();
711 pcg 1.10 }
712     }
713    
714     void
715 pcg 1.8 connection::reset_si ()
716 pcg 1.1 {
717 pcg 1.73 if (vpn->can_direct (THISNODE, conf))
718     protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
719     else
720 pcg 1.59 {
721 pcg 1.73 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
722 pcg 1.59 protocol = 0;
723     }
724 pcg 1.6
725     si.set (conf, protocol);
726 pcg 1.73
727     is_direct = si.valid ();
728 pcg 1.1 }
729    
730 pcg 1.8 // ensure sockinfo is valid, forward if necessary
731     const sockinfo &
732     connection::forward_si (const sockinfo &si) const
733     {
734     if (!si.valid ())
735     {
736 pcg 1.73 connection *r = vpn->find_router_for (this);
737 pcg 1.8
738     if (r)
739     {
740 pcg 1.73 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
741     conf->nodename, r->conf->nodename);
742 pcg 1.8 return r->si;
743     }
744     else
745 pcg 1.73 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
746 pcg 1.8 conf->nodename);
747     }
748    
749     return si;
750     }
751    
752 pcg 1.1 void
753 pcg 1.10 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
754     {
755 pcg 1.46 if (!vpn->send_vpn_packet (pkt, si, tos))
756 pcg 1.10 reset_connection ();
757     }
758    
759     void
760 pcg 1.1 connection::send_ping (const sockinfo &si, u8 pong)
761     {
762     ping_packet *pkt = new ping_packet;
763    
764     pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
765 pcg 1.73
766 pcg 1.79 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
767 pcg 1.73
768 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
769 pcg 1.1
770     delete pkt;
771     }
772    
773     void
774     connection::send_reset (const sockinfo &si)
775     {
776     if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
777     {
778     config_packet *pkt = new config_packet;
779    
780     pkt->setup (vpn_packet::PT_RESET, conf->id);
781 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_MINCOST);
782 pcg 1.1
783     delete pkt;
784     }
785     }
786    
787     void
788     connection::send_auth_request (const sockinfo &si, bool initiate)
789     {
790     auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
791    
792 pcg 1.6 rsachallenge chg;
793     rsa_cache.gen (pkt->id, chg);
794 pcg 1.24 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
795 pcg 1.1
796 pcg 1.81 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
797 pcg 1.1
798 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
799 pcg 1.1
800 pcg 1.6 delete pkt;
801 pcg 1.1 }
802    
803     void
804     connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
805     {
806     auth_res_packet *pkt = new auth_res_packet (conf->id);
807    
808     pkt->id = id;
809    
810     rsa_hash (id, chg, pkt->response);
811    
812     pkt->hmac_set (octx);
813    
814 pcg 1.80 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
815 pcg 1.1
816 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
817 pcg 1.1
818     delete pkt;
819     }
820    
821     void
822     connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
823     {
824 pcg 1.80 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s)", conf->nodename,
825 pcg 1.79 vpn->conns[rid - 1]->conf->nodename, (const char *)rsi);
826 pcg 1.1
827     connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
828    
829     r->hmac_set (octx);
830 pcg 1.10 send_vpn_packet (r, si);
831 pcg 1.1
832     delete r;
833     }
834    
835 pcg 1.66 inline void
836 pcg 1.60 connection::establish_connection_cb (ev::timer &w, int revents)
837 pcg 1.1 {
838 pcg 1.25 if (!ictx
839     && conf != THISNODE
840     && connectmode != conf_node::C_NEVER
841     && connectmode != conf_node::C_DISABLED
842 pcg 1.60 && !w.is_active ())
843 pcg 1.1 {
844 pcg 1.67 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
845     // and stop trying. should probably be handled by a per-connection expire handler.
846     if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
847     {
848     reset_connection ();
849     return;
850     }
851    
852 pcg 1.68 last_establish_attempt = ev_now ();
853    
854 pcg 1.60 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
855     ? (retry_cnt & 3) + 1
856     : 1 << (retry_cnt >> 2));
857 pcg 1.1
858 pcg 1.47 reset_si ();
859 pcg 1.1
860 pcg 1.47 bool slow = si.prot & PROT_SLOW;
861 pcg 1.8
862 pcg 1.73 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
863 pcg 1.60 {
864     /*TODO*/ /* start the timer so we don't recurse endlessly */
865     w.start (1);
866 pcg 1.74 vpn->send_connect_request (this);
867 pcg 1.60 }
868 pcg 1.8 else
869 pcg 1.1 {
870 pcg 1.73 if (si.valid ())
871     slog (L_DEBUG, _("%s: sending direct connection request to %s."),
872     conf->nodename, (const char *)si);
873 pcg 1.61
874 pcg 1.8 const sockinfo &dsi = forward_si (si);
875 pcg 1.6
876 pcg 1.47 slow = slow || (dsi.prot & PROT_SLOW);
877    
878 pcg 1.8 if (dsi.valid () && auth_rate_limiter.can (dsi))
879     {
880     if (retry_cnt < 4)
881     send_auth_request (dsi, true);
882     else
883     send_ping (dsi, 0);
884     }
885 pcg 1.1 }
886 pcg 1.47
887 pcg 1.68 retry_int *= slow ? 8. : 0.9;
888 pcg 1.47
889     if (retry_int < conf->max_retry)
890     retry_cnt++;
891     else
892     retry_int = conf->max_retry;
893    
894 pcg 1.60 w.start (retry_int);
895 pcg 1.1 }
896     }
897    
898     void
899     connection::reset_connection ()
900     {
901     if (ictx && octx)
902     {
903     slog (L_INFO, _("%s(%s): connection lost"),
904     conf->nodename, (const char *)si);
905    
906     if (::conf.script_node_down)
907 pcg 1.64 {
908 pcg 1.70 run_script_cb *cb = new run_script_cb;
909     cb->set<connection, &connection::script_node_down> (this);
910     run_script_queued (cb, _("node-down command execution failed, continuing."));
911 pcg 1.64 }
912 pcg 1.1 }
913    
914     delete ictx; ictx = 0;
915     delete octx; octx = 0;
916 pcg 1.44 #if ENABLE_DNS
917 pcg 1.45 dnsv4_reset_connection ();
918 pcg 1.44 #endif
919 pcg 1.1
920 pcg 1.38 si.host = 0;
921 pcg 1.1
922 pcg 1.73 last_activity = 0.;
923     //last_si_change = 0.;
924 pcg 1.1 retry_cnt = 0;
925    
926 pcg 1.25 rekey.stop ();
927     keepalive.stop ();
928     establish_connection.stop ();
929 pcg 1.1 }
930    
931     void
932     connection::shutdown ()
933     {
934     if (ictx && octx)
935     send_reset (si);
936    
937     reset_connection ();
938     }
939    
940 pcg 1.73 // poor-man's rekeying
941 pcg 1.66 inline void
942 pcg 1.60 connection::rekey_cb (ev::timer &w, int revents)
943 pcg 1.1 {
944     reset_connection ();
945     establish_connection ();
946     }
947    
948     void
949 pcg 1.21 connection::send_data_packet (tap_packet *pkt)
950 pcg 1.1 {
951     vpndata_packet *p = new vpndata_packet;
952     int tos = 0;
953    
954 pcg 1.12 // I am not hilarious about peeking into packets, but so be it.
955 pcg 1.21 if (conf->inherit_tos && pkt->is_ipv4 ())
956 pcg 1.1 tos = (*pkt)[15] & IPTOS_TOS_MASK;
957    
958 pcg 1.21 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
959 pcg 1.10 send_vpn_packet (p, si, tos);
960 pcg 1.1
961     delete p;
962    
963     if (oseqno > MAX_SEQNO)
964     rekey ();
965     }
966    
967     void
968 pcg 1.68 connection::post_inject_queue ()
969     {
970     // force a connection every now and when when packets are sent (max 1/s)
971     if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
972     establish_connection.stop ();
973    
974     establish_connection ();
975     }
976    
977     void
978     connection::inject_data_packet (tap_packet *pkt)
979 pcg 1.1 {
980     if (ictx && octx)
981 pcg 1.21 send_data_packet (pkt);
982 pcg 1.1 else
983     {
984 pcg 1.68 data_queue.put (new tap_packet (*pkt));
985     post_inject_queue ();
986 pcg 1.1 }
987     }
988    
989 pcg 1.8 void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
990     {
991     if (ictx && octx)
992 pcg 1.10 send_vpn_packet (pkt, si, tos);
993 pcg 1.8 else
994 pcg 1.12 {
995 pcg 1.28 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
996 pcg 1.68 post_inject_queue ();
997 pcg 1.12 }
998 pcg 1.8 }
999    
1000 pcg 1.1 void
1001     connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1002     {
1003 pcg 1.62 last_activity = ev_now ();
1004 pcg 1.1
1005 pcg 1.79 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
1006     conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1007 pcg 1.1
1008 pcg 1.61 if (connectmode == conf_node::C_DISABLED)
1009     return;
1010    
1011 pcg 1.1 switch (pkt->typ ())
1012     {
1013 pcg 1.3 case vpn_packet::PT_PING:
1014 pcg 1.79 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1015    
1016 pcg 1.3 // we send pings instead of auth packets after some retries,
1017     // so reset the retry counter and establish a connection
1018     // when we receive a ping.
1019 root 1.89 if (!ictx)
1020 pcg 1.3 {
1021     if (auth_rate_limiter.can (rsi))
1022     send_auth_request (rsi, true);
1023     }
1024     else
1025 root 1.89 // we would love to change the socket address here, but ping's aren't
1026 pcg 1.73 // authenticated, so we best ignore it.
1027 pcg 1.3 send_ping (rsi, 1); // pong
1028    
1029     break;
1030    
1031     case vpn_packet::PT_PONG:
1032 pcg 1.79 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1033 root 1.89
1034     // a PONG might mean that the other side doesn't really know
1035     // about our desire for communication.
1036     establish_connection ();
1037 pcg 1.3 break;
1038    
1039     case vpn_packet::PT_RESET:
1040 pcg 1.1 {
1041 pcg 1.3 reset_connection ();
1042    
1043     config_packet *p = (config_packet *) pkt;
1044    
1045     if (!p->chk_config ())
1046     {
1047 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
1048 pcg 1.3 conf->nodename, (const char *)rsi);
1049     connectmode = conf_node::C_DISABLED;
1050     }
1051     else if (connectmode == conf_node::C_ALWAYS)
1052     establish_connection ();
1053 pcg 1.1 }
1054 pcg 1.3 break;
1055    
1056     case vpn_packet::PT_AUTH_REQ:
1057     if (auth_rate_limiter.can (rsi))
1058     {
1059     auth_req_packet *p = (auth_req_packet *) pkt;
1060    
1061 pcg 1.81 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s)", conf->nodename, p->initiate ? "initiate" : "reply");
1062 pcg 1.1
1063 pcg 1.85 if (p->chk_config ()
1064     && (!strncmp (p->magic, MAGIC_OLD, 8) || !strncmp (p->magic, MAGIC, 8)))
1065 pcg 1.3 {
1066     if (p->prot_minor != PROTOCOL_MINOR)
1067     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1068     conf->nodename, (const char *)rsi,
1069     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1070    
1071     if (p->initiate)
1072     send_auth_request (rsi, false);
1073    
1074     rsachallenge k;
1075    
1076 pcg 1.24 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
1077 pcg 1.23 {
1078     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1079     conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1080     break;
1081     }
1082 pcg 1.3 else
1083     {
1084     delete octx;
1085 pcg 1.1
1086 pcg 1.3 octx = new crypto_ctx (k, 1);
1087     oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
1088 pcg 1.1
1089 pcg 1.3 conf->protocols = p->protocols;
1090 pcg 1.32 features = p->features & config_packet::get_features ();
1091 pcg 1.10
1092 pcg 1.3 send_auth_response (rsi, p->id, k);
1093    
1094 pcg 1.10 connection_established ();
1095    
1096 pcg 1.3 break;
1097     }
1098     }
1099 pcg 1.15 else
1100 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch."),
1101 pcg 1.15 conf->nodename, (const char *)rsi);
1102 pcg 1.3
1103     send_reset (rsi);
1104 pcg 1.1 }
1105    
1106 pcg 1.3 break;
1107    
1108     case vpn_packet::PT_AUTH_RES:
1109 pcg 1.1 {
1110 pcg 1.79 auth_res_packet *p = (auth_res_packet *)pkt;
1111 pcg 1.1
1112 pcg 1.81 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
1113 pcg 1.1
1114 pcg 1.3 if (p->chk_config ())
1115 pcg 1.1 {
1116     if (p->prot_minor != PROTOCOL_MINOR)
1117     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1118     conf->nodename, (const char *)rsi,
1119     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1120    
1121 pcg 1.3 rsachallenge chg;
1122 pcg 1.1
1123 pcg 1.3 if (!rsa_cache.find (p->id, chg))
1124 pcg 1.13 {
1125 pcg 1.73 slog (L_ERR, _("%s(%s): unrequested auth response, ignoring."),
1126 pcg 1.13 conf->nodename, (const char *)rsi);
1127     break;
1128     }
1129 pcg 1.1 else
1130     {
1131 pcg 1.3 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1132    
1133     if (!p->hmac_chk (cctx))
1134 pcg 1.18 {
1135     slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1136 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1137 pcg 1.18 conf->nodename, (const char *)rsi);
1138     break;
1139     }
1140 pcg 1.3 else
1141     {
1142     rsaresponse h;
1143    
1144     rsa_hash (p->id, chg, h);
1145    
1146     if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
1147     {
1148     prot_minor = p->prot_minor;
1149    
1150     delete ictx; ictx = cctx;
1151    
1152     iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1153    
1154     si = rsi;
1155 pcg 1.7 protocol = rsi.prot;
1156 pcg 1.3
1157 pcg 1.76 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
1158 pcg 1.3 conf->nodename, (const char *)rsi,
1159 pcg 1.82 is_direct ? "direct" : "forwarded",
1160 pcg 1.3 p->prot_major, p->prot_minor);
1161 pcg 1.1
1162 pcg 1.73 connection_established ();
1163    
1164 pcg 1.3 if (::conf.script_node_up)
1165 pcg 1.64 {
1166 pcg 1.70 run_script_cb *cb = new run_script_cb;
1167     cb->set<connection, &connection::script_node_up> (this);
1168     run_script_queued (cb, _("node-up command execution failed, continuing."));
1169 pcg 1.64 }
1170 pcg 1.1
1171 pcg 1.3 break;
1172     }
1173     else
1174 pcg 1.73 slog (L_ERR, _("%s(%s): sent and received challenge do not match."),
1175 pcg 1.3 conf->nodename, (const char *)rsi);
1176     }
1177 pcg 1.1
1178 pcg 1.3 delete cctx;
1179 pcg 1.1 }
1180     }
1181     }
1182    
1183 pcg 1.3 send_reset (rsi);
1184     break;
1185 pcg 1.1
1186 pcg 1.3 case vpn_packet::PT_DATA_COMPRESSED:
1187     #if !ENABLE_COMPRESSION
1188     send_reset (rsi);
1189     break;
1190     #endif
1191 pcg 1.1
1192 pcg 1.3 case vpn_packet::PT_DATA_UNCOMPRESSED:
1193 pcg 1.1
1194 pcg 1.3 if (ictx && octx)
1195 pcg 1.1 {
1196 pcg 1.3 vpndata_packet *p = (vpndata_packet *)pkt;
1197 pcg 1.1
1198 pcg 1.10 if (!p->hmac_chk (ictx))
1199     slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1200 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1201 pcg 1.10 conf->nodename, (const char *)rsi);
1202     else
1203 pcg 1.1 {
1204 pcg 1.10 u32 seqno;
1205     tap_packet *d = p->unpack (this, seqno);
1206 pcg 1.73 int seqclass = iseqno.seqno_classify (seqno);
1207 pcg 1.10
1208 pcg 1.73 if (seqclass == 0) // ok
1209 pcg 1.1 {
1210 pcg 1.10 vpn->tap->send (d);
1211 pcg 1.1
1212 pcg 1.10 if (si != rsi)
1213 pcg 1.1 {
1214 pcg 1.56 // fast re-sync on source address changes, useful especially for tcp/ip
1215 pcg 1.73 //if (last_si_change < ev_now () + 5.)
1216     // {
1217 pcg 1.78 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1218     conf->nodename, (const char *)si, (const char *)rsi);
1219    
1220 pcg 1.73 si = rsi;
1221 pcg 1.84
1222     if (::conf.script_node_change)
1223     {
1224     run_script_cb *cb = new run_script_cb;
1225     cb->set<connection, &connection::script_node_change> (this);
1226     run_script_queued (cb, _("node-change command execution failed, continuing."));
1227     }
1228    
1229 pcg 1.73 // }
1230     //else
1231     // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1232     // conf->nodename, (const char *)si, (const char *)rsi);
1233 pcg 1.10 }
1234 pcg 1.32 }
1235 pcg 1.75 else if (seqclass == 1) // far history
1236     slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1237     "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1238     else if (seqclass == 2) // in-window duplicate, happens often on wireless
1239     slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1240     "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1241     else if (seqclass == 3) // reset
1242 pcg 1.73 {
1243 pcg 1.75 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1244     "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1245 pcg 1.73 send_reset (rsi);
1246     }
1247 pcg 1.3
1248 pcg 1.32 delete d;
1249     break;
1250 pcg 1.1 }
1251     }
1252    
1253 pcg 1.3 send_reset (rsi);
1254     break;
1255 pcg 1.1
1256 pcg 1.3 case vpn_packet::PT_CONNECT_REQ:
1257     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1258     {
1259 pcg 1.84 connect_req_packet *p = (connect_req_packet *)pkt;
1260 pcg 1.1
1261 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1262     {
1263     connection *c = vpn->conns[p->id - 1];
1264     conf->protocols = p->protocols;
1265 pcg 1.1
1266 pcg 1.81 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s) [%d]",
1267 pcg 1.79 conf->nodename, vpn->conns[p->id - 1]->conf->nodename, c->ictx && c->octx);
1268 pcg 1.1
1269 pcg 1.57 if (c->ictx && c->octx)
1270     {
1271     // send connect_info packets to both sides, in case one is
1272     // behind a nat firewall (or both ;)
1273     c->send_connect_info (conf->id, si, conf->protocols);
1274     send_connect_info (c->conf->id, c->si, c->conf->protocols);
1275     }
1276     else
1277     c->establish_connection ();
1278 pcg 1.3 }
1279 pcg 1.11 else
1280 pcg 1.57 slog (L_WARN,
1281     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1282     p->id);
1283 pcg 1.3 }
1284 pcg 1.1
1285 pcg 1.3 break;
1286 pcg 1.1
1287 pcg 1.3 case vpn_packet::PT_CONNECT_INFO:
1288     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1289     {
1290 pcg 1.39 connect_info_packet *p = (connect_info_packet *)pkt;
1291 pcg 1.1
1292 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1293 pcg 1.39 {
1294     connection *c = vpn->conns[p->id - 1];
1295 pcg 1.7
1296 pcg 1.39 c->conf->protocols = p->protocols;
1297     protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1298     p->si.upgrade_protocol (protocol, c->conf);
1299 pcg 1.1
1300 pcg 1.81 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s) [%d]",
1301 pcg 1.79 conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1302     (const char *)p->si, !c->ictx && !c->octx);
1303 pcg 1.7
1304 pcg 1.39 const sockinfo &dsi = forward_si (p->si);
1305 pcg 1.1
1306 pcg 1.39 if (dsi.valid ())
1307     c->send_auth_request (dsi, true);
1308     }
1309 pcg 1.57 else
1310     slog (L_WARN,
1311     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1312     p->id);
1313 pcg 1.3 }
1314 pcg 1.1
1315 pcg 1.3 break;
1316 pcg 1.1
1317 pcg 1.3 default:
1318     send_reset (rsi);
1319     break;
1320 pcg 1.1 }
1321     }
1322    
1323 pcg 1.66 inline void
1324     connection::keepalive_cb (ev::timer &w, int revents)
1325 pcg 1.1 {
1326 pcg 1.83 if (ev_now () >= last_activity + ::conf.keepalive + 15)
1327 pcg 1.1 {
1328     reset_connection ();
1329     establish_connection ();
1330     }
1331 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive)
1332 pcg 1.60 w.start (last_activity + ::conf.keepalive - ev::now ());
1333 pcg 1.1 else if (conf->connectmode != conf_node::C_ONDEMAND
1334     || THISNODE->connectmode != conf_node::C_ONDEMAND)
1335     {
1336     send_ping (si);
1337 pcg 1.83 w.start (3);
1338 pcg 1.1 }
1339 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1340 pcg 1.12 // hold ondemand connections implicitly a few seconds longer
1341     // should delete octx, though, or something like that ;)
1342 pcg 1.60 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1343 pcg 1.1 else
1344     reset_connection ();
1345     }
1346    
1347 pcg 1.10 void connection::send_connect_request (int id)
1348 pcg 1.1 {
1349     connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1350    
1351 pcg 1.81 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s)",
1352 pcg 1.79 conf->nodename, vpn->conns[id - 1]->conf->nodename);
1353 pcg 1.1 p->hmac_set (octx);
1354 pcg 1.10 send_vpn_packet (p, si);
1355 pcg 1.1
1356     delete p;
1357     }
1358    
1359 pcg 1.53 void connection::script_init_env (const char *ext)
1360     {
1361     char *env;
1362     asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1363 pcg 1.84 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1364 pcg 1.53 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1365     0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1366 pcg 1.84 conf->id & 0xff); putenv (env);
1367 pcg 1.53 }
1368    
1369     void connection::script_init_connect_env ()
1370 pcg 1.1 {
1371 pcg 1.52 vpn->script_init_env ();
1372 pcg 1.1
1373     char *env;
1374 pcg 1.84 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1375     asprintf (&env, "DESTSI=%s", (const char *)si); putenv (env);
1376     asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1377     asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1378     asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1379 pcg 1.1 }
1380    
1381 pcg 1.66 inline const char *
1382     connection::script_node_up ()
1383 pcg 1.1 {
1384 pcg 1.53 script_init_connect_env ();
1385 pcg 1.1
1386 pcg 1.60 putenv ((char *)"STATE=up");
1387 pcg 1.1
1388 pcg 1.52 char *filename;
1389     asprintf (&filename,
1390     "%s/%s",
1391     confbase,
1392     ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1393 pcg 1.54
1394     return filename;
1395 pcg 1.1 }
1396    
1397 pcg 1.66 inline const char *
1398 pcg 1.84 connection::script_node_change ()
1399     {
1400     script_init_connect_env ();
1401    
1402     putenv ((char *)"STATE=change");
1403    
1404     char *filename;
1405     asprintf (&filename,
1406     "%s/%s",
1407     confbase,
1408     ::conf.script_node_change ? ::conf.script_node_change : "node-change");
1409    
1410     return filename;
1411     }
1412    
1413     inline const char *
1414 pcg 1.66 connection::script_node_down ()
1415 pcg 1.1 {
1416 pcg 1.53 script_init_connect_env ();
1417 pcg 1.1
1418 pcg 1.60 putenv ((char *)"STATE=down");
1419 pcg 1.1
1420 pcg 1.52 char *filename;
1421     asprintf (&filename,
1422     "%s/%s",
1423     confbase,
1424     ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1425 pcg 1.54
1426     return filename;
1427 pcg 1.1 }
1428    
1429 pcg 1.40 connection::connection (struct vpn *vpn, conf_node *conf)
1430 pcg 1.67 : vpn(vpn), conf(conf),
1431 pcg 1.40 #if ENABLE_DNS
1432 pcg 1.67 dns (0),
1433 pcg 1.40 #endif
1434 pcg 1.72 data_queue(conf->max_ttl, conf->max_queue + 1),
1435     vpn_queue(conf->max_ttl, conf->max_queue + 1)
1436 pcg 1.1 {
1437 pcg 1.65 rekey .set<connection, &connection::rekey_cb > (this);
1438     keepalive .set<connection, &connection::keepalive_cb > (this);
1439     establish_connection.set<connection, &connection::establish_connection_cb> (this);
1440    
1441 pcg 1.68 last_establish_attempt = 0.;
1442 pcg 1.1 octx = ictx = 0;
1443    
1444 pcg 1.40 if (!conf->protocols) // make sure some protocol is enabled
1445     conf->protocols = PROT_UDPv4;
1446    
1447 pcg 1.67 connectmode = conf->connectmode;
1448    
1449     // queue a dummy packet to force an initial connection attempt
1450     if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1451 pcg 1.68 vpn_queue.put (new net_packet);
1452 pcg 1.67
1453 pcg 1.1 reset_connection ();
1454     }
1455    
1456     connection::~connection ()
1457     {
1458     shutdown ();
1459     }
1460    
1461     void connection_init ()
1462     {
1463     auth_rate_limiter.clear ();
1464     reset_rate_limiter.clear ();
1465     }
1466