ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
Revision: 1.92
Committed: Thu Feb 10 03:59:51 2011 UTC (13 years, 3 months ago) by root
Content type: text/plain
Branch: MAIN
Changes since 1.91: +1 -1 lines
Log Message: 
*** empty log message ***

File Contents

# User Rev Content
1 pcg 1.1 /*
2     connection.C -- manage a single connection
3 root 1.88 Copyright (C) 2003-2008,2010 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.42 This file is part of GVPE.
6    
7 pcg 1.69 GVPE is free software; you can redistribute it and/or modify it
8     under the terms of the GNU General Public License as published by the
9     Free Software Foundation; either version 3 of the License, or (at your
10     option) any later version.
11    
12     This program is distributed in the hope that it will be useful, but
13     WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15     Public License for more details.
16    
17     You should have received a copy of the GNU General Public License along
18     with this program; if not, see <http://www.gnu.org/licenses/>.
19    
20     Additional permission under GNU GPL version 3 section 7
21    
22     If you modify this Program, or any covered work, by linking or
23     combining it with the OpenSSL project's OpenSSL library (or a modified
24     version of that library), containing parts covered by the terms of the
25     OpenSSL or SSLeay licenses, the licensors of this Program grant you
26     additional permission to convey the resulting work. Corresponding
27     Source for a non-source form of such a combination shall include the
28     source code for the parts of OpenSSL used as well as that of the
29     covered work.
30 pcg 1.1 */
31    
32     #include "config.h"
33    
34     #include <list>
35 pcg 1.70 #include <queue>
36     #include <utility>
37 pcg 1.1
38 pcg 1.2 #include <openssl/rand.h>
39     #include <openssl/evp.h>
40     #include <openssl/rsa.h>
41     #include <openssl/err.h>
42    
43 pcg 1.1 #include "conf.h"
44     #include "slog.h"
45     #include "device.h"
46 pcg 1.2 #include "vpn.h"
47 pcg 1.1 #include "connection.h"
48    
49 pcg 1.20 #include "netcompat.h"
50 pcg 1.19
51 pcg 1.1 #if !HAVE_RAND_PSEUDO_BYTES
52     # define RAND_pseudo_bytes RAND_bytes
53     #endif
54    
55 pcg 1.85 #define MAGIC_OLD "vped\xbd\xc6\xdb\x82" // 8 bytes of magic (still used in the protocol)
56     #define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic (understood but not generated)
57 pcg 1.30
58     #define ULTRA_FAST 1
59     #define HLOG 15
60     #include "lzf/lzf.h"
61     #include "lzf/lzf_c.c"
62     #include "lzf/lzf_d.c"
63 pcg 1.1
64 pcg 1.70 //////////////////////////////////////////////////////////////////////////////
65    
66     static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
67     static ev::child rs_child_ev;
68    
69 root 1.90 namespace
70 pcg 1.70 {
71 root 1.90 void // c++ requires external linkage here, apparently :(
72     rs_child_cb (ev::child &w, int revents)
73     {
74     w.stop ();
75 pcg 1.70
76 root 1.90 if (rs_queue.empty ())
77     return;
78 pcg 1.70
79 root 1.90 pid_t pid = run_script (*rs_queue.front ().first, false);
80     if (pid)
81     {
82     w.set (pid);
83     w.start ();
84     }
85     else
86     slog (L_WARN, rs_queue.front ().second);
87 pcg 1.70
88 root 1.90 delete rs_queue.front ().first;
89     rs_queue.pop ();
90     }
91     };
92 pcg 1.70
93     // despite the fancy name, this is quite a hack
94     static void
95     run_script_queued (run_script_cb *cb, const char *warnmsg)
96     {
97     rs_queue.push (std::make_pair (cb, warnmsg));
98    
99     if (!rs_child_ev.is_active ())
100     {
101     rs_child_ev.set<rs_child_cb> ();
102     rs_child_ev ();
103     }
104     }
105    
106     //////////////////////////////////////////////////////////////////////////////
107    
108 pcg 1.1 struct crypto_ctx
109     {
110     EVP_CIPHER_CTX cctx;
111     HMAC_CTX hctx;
112    
113     crypto_ctx (const rsachallenge &challenge, int enc);
114     ~crypto_ctx ();
115     };
116    
117     crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
118     {
119     EVP_CIPHER_CTX_init (&cctx);
120 pcg 1.29 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
121 pcg 1.1 HMAC_CTX_init (&hctx);
122     HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
123     }
124    
125     crypto_ctx::~crypto_ctx ()
126     {
127 pcg 1.29 require (EVP_CIPHER_CTX_cleanup (&cctx));
128 pcg 1.1 HMAC_CTX_cleanup (&hctx);
129     }
130    
131     static void
132     rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
133     {
134     EVP_MD_CTX ctx;
135    
136     EVP_MD_CTX_init (&ctx);
137 pcg 1.29 require (EVP_DigestInit (&ctx, RSA_HASH));
138     require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
139     require (EVP_DigestUpdate(&ctx, &id, sizeof id));
140     require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
141 pcg 1.1 EVP_MD_CTX_cleanup (&ctx);
142     }
143    
144 pcg 1.63 struct rsa_entry
145     {
146 pcg 1.1 tstamp expire;
147     rsaid id;
148     rsachallenge chg;
149     };
150    
151     struct rsa_cache : list<rsa_entry>
152     {
153 pcg 1.66 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
154 pcg 1.1
155     bool find (const rsaid &id, rsachallenge &chg)
156 pcg 1.51 {
157     for (iterator i = begin (); i != end (); ++i)
158     {
159 pcg 1.62 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
160 pcg 1.51 {
161     memcpy (&chg, &i->chg, sizeof chg);
162 pcg 1.1
163 pcg 1.51 erase (i);
164     return true;
165     }
166     }
167 pcg 1.1
168 pcg 1.60 if (!cleaner.is_active ())
169     cleaner.again ();
170 pcg 1.1
171 pcg 1.51 return false;
172     }
173 pcg 1.1
174     void gen (rsaid &id, rsachallenge &chg)
175 pcg 1.51 {
176     rsa_entry e;
177 pcg 1.1
178 pcg 1.51 RAND_bytes ((unsigned char *)&id, sizeof id);
179     RAND_bytes ((unsigned char *)&chg, sizeof chg);
180 pcg 1.1
181 pcg 1.62 e.expire = ev_now () + RSA_TTL;
182 pcg 1.51 e.id = id;
183     memcpy (&e.chg, &chg, sizeof chg);
184 pcg 1.1
185 pcg 1.51 push_back (e);
186 pcg 1.1
187 pcg 1.60 if (!cleaner.is_active ())
188     cleaner.again ();
189 pcg 1.51 }
190 pcg 1.1
191     rsa_cache ()
192 pcg 1.60 {
193 pcg 1.65 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
194 pcg 1.60 cleaner.set (RSA_TTL, RSA_TTL);
195     }
196 pcg 1.1
197     } rsa_cache;
198    
199 root 1.90 void
200     rsa_cache::cleaner_cb (ev::timer &w, int revents)
201 pcg 1.1 {
202 pcg 1.60 if (empty ())
203     w.stop ();
204     else
205 pcg 1.1 {
206     for (iterator i = begin (); i != end (); )
207 pcg 1.62 if (i->expire <= ev_now ())
208 pcg 1.1 i = erase (i);
209     else
210     ++i;
211     }
212     }
213    
214     //////////////////////////////////////////////////////////////////////////////
215    
216 pcg 1.67 pkt_queue::pkt_queue (double max_ttl, int max_queue)
217     : max_ttl (max_ttl), max_queue (max_queue)
218 pcg 1.1 {
219 pcg 1.67 queue = new pkt [max_queue];
220    
221     i = 0;
222     j = 0;
223    
224     expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
225     }
226 pcg 1.1
227 pcg 1.67 pkt_queue::~pkt_queue ()
228     {
229     while (net_packet *p = get ())
230     delete p;
231 pcg 1.1
232 pcg 1.67 delete [] queue;
233 pcg 1.1 }
234    
235 root 1.90 void
236     pkt_queue::expire_cb (ev::timer &w, int revents)
237 pcg 1.1 {
238 pcg 1.67 ev_tstamp expire = ev_now () - max_ttl;
239 pcg 1.1
240 pcg 1.67 for (;;)
241 pcg 1.1 {
242 pcg 1.67 if (empty ())
243     break;
244    
245     double diff = queue[j].tstamp - expire;
246    
247     if (diff >= 0.)
248     {
249     w.start (diff > 0.5 ? diff : 0.5);
250     break;
251     }
252    
253     delete get ();
254 pcg 1.1 }
255     }
256    
257 root 1.90 void
258     pkt_queue::put (net_packet *p)
259 pcg 1.1 {
260 pcg 1.67 ev_tstamp now = ev_now ();
261    
262     // start expiry timer
263     if (empty ())
264     expire.start (max_ttl);
265    
266     int ni = i + 1 == max_queue ? 0 : i + 1;
267    
268     if (ni == j)
269     delete get ();
270    
271     queue[i].pkt = p;
272     queue[i].tstamp = now;
273    
274     i = ni;
275 pcg 1.1 }
276    
277 root 1.90 net_packet *
278     pkt_queue::get ()
279 pcg 1.1 {
280 pcg 1.67 if (empty ())
281     return 0;
282    
283     net_packet *p = queue[j].pkt;
284     queue[j].pkt = 0;
285    
286     j = j + 1 == max_queue ? 0 : j + 1;
287    
288     return p;
289 pcg 1.1 }
290    
291 pcg 1.63 struct net_rateinfo
292     {
293 pcg 1.1 u32 host;
294     double pcnt, diff;
295     tstamp last;
296     };
297    
298     // only do action once every x seconds per host whole allowing bursts.
299     // this implementation ("splay list" ;) is inefficient,
300     // but low on resources.
301     struct net_rate_limiter : list<net_rateinfo>
302     {
303 pcg 1.35 # define NRL_ALPHA (1. - 1. / 600.) // allow bursts
304     # define NRL_CUTOFF 10. // one event every CUTOFF seconds
305     # define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
306     # define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
307 pcg 1.1
308 pcg 1.16 bool can (const sockinfo &si) { return can((u32)si.host); }
309 pcg 1.1 bool can (u32 host);
310     };
311    
312 root 1.90 static net_rate_limiter auth_rate_limiter, reset_rate_limiter;
313 pcg 1.1
314 root 1.90 bool
315     net_rate_limiter::can (u32 host)
316 pcg 1.1 {
317     iterator i;
318    
319     for (i = begin (); i != end (); )
320     if (i->host == host)
321     break;
322 pcg 1.62 else if (i->last < ev_now () - NRL_EXPIRE)
323 pcg 1.1 i = erase (i);
324     else
325     i++;
326    
327     if (i == end ())
328     {
329     net_rateinfo ri;
330    
331     ri.host = host;
332     ri.pcnt = 1.;
333 pcg 1.34 ri.diff = NRL_MAXDIF;
334 pcg 1.62 ri.last = ev_now ();
335 pcg 1.1
336     push_front (ri);
337    
338     return true;
339     }
340     else
341     {
342     net_rateinfo ri (*i);
343     erase (i);
344    
345 pcg 1.34 ri.pcnt = ri.pcnt * NRL_ALPHA;
346 pcg 1.62 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
347 pcg 1.1
348 pcg 1.62 ri.last = ev_now ();
349 pcg 1.1
350 pcg 1.10 double dif = ri.diff / ri.pcnt;
351 pcg 1.1
352 pcg 1.34 bool send = dif > NRL_CUTOFF;
353 pcg 1.10
354 pcg 1.34 if (dif > NRL_MAXDIF)
355 pcg 1.10 {
356     ri.pcnt = 1.;
357 pcg 1.34 ri.diff = NRL_MAXDIF;
358 pcg 1.10 }
359     else if (send)
360 pcg 1.1 ri.pcnt++;
361    
362     push_front (ri);
363    
364     return send;
365     }
366     }
367    
368     /////////////////////////////////////////////////////////////////////////////
369    
370     unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
371    
372 root 1.90 void
373     hmac_packet::hmac_gen (crypto_ctx *ctx)
374 pcg 1.1 {
375     unsigned int xlen;
376    
377     HMAC_CTX *hctx = &ctx->hctx;
378    
379     HMAC_Init_ex (hctx, 0, 0, 0, 0);
380     HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
381     len - sizeof (hmac_packet));
382     HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
383     }
384    
385     void
386     hmac_packet::hmac_set (crypto_ctx *ctx)
387     {
388     hmac_gen (ctx);
389    
390     memcpy (hmac, hmac_digest, HMACLENGTH);
391     }
392    
393     bool
394     hmac_packet::hmac_chk (crypto_ctx *ctx)
395     {
396     hmac_gen (ctx);
397    
398     return !memcmp (hmac, hmac_digest, HMACLENGTH);
399     }
400    
401 root 1.90 void
402     vpn_packet::set_hdr (ptype type_, unsigned int dst)
403 pcg 1.1 {
404 pcg 1.6 type = type_;
405 pcg 1.1
406     int src = THISNODE->id;
407    
408     src1 = src;
409     srcdst = ((src >> 8) << 4) | (dst >> 8);
410     dst1 = dst;
411     }
412    
413     #define MAXVPNDATA (MAX_MTU - 6 - 6)
414     #define DATAHDR (sizeof (u32) + RAND_SIZE)
415    
416 pcg 1.28 struct vpndata_packet : vpn_packet
417 root 1.90 {
418     u8 data[MAXVPNDATA + DATAHDR]; // seqno
419    
420     void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
421     tap_packet *unpack (connection *conn, u32 &seqno);
422 pcg 1.1
423     private:
424 root 1.90 const u32 data_hdr_size () const
425     {
426     return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
427     }
428     };
429 pcg 1.1
430     void
431     vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
432     {
433     EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
434     int outl = 0, outl2;
435     ptype type = PT_DATA_UNCOMPRESSED;
436    
437     #if ENABLE_COMPRESSION
438     u8 cdata[MAX_MTU];
439    
440 pcg 1.86 if (conn->features & FEATURE_COMPRESSION)
441 pcg 1.1 {
442 pcg 1.31 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
443 pcg 1.1
444 pcg 1.31 if (cl)
445     {
446     type = PT_DATA_COMPRESSED;
447     d = cdata;
448     l = cl + 2;
449    
450     d[0] = cl >> 8;
451     d[1] = cl;
452     }
453 pcg 1.1 }
454     #endif
455    
456 pcg 1.29 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
457 pcg 1.1
458     struct {
459     #if RAND_SIZE
460     u8 rnd[RAND_SIZE];
461     #endif
462     u32 seqno;
463     } datahdr;
464    
465     datahdr.seqno = ntohl (seqno);
466     #if RAND_SIZE
467     RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
468     #endif
469    
470 pcg 1.29 require (EVP_EncryptUpdate (cctx,
471 pcg 1.1 (unsigned char *) data + outl, &outl2,
472 pcg 1.29 (unsigned char *) &datahdr, DATAHDR));
473 pcg 1.1 outl += outl2;
474    
475 pcg 1.29 require (EVP_EncryptUpdate (cctx,
476 pcg 1.1 (unsigned char *) data + outl, &outl2,
477 pcg 1.29 (unsigned char *) d, l));
478 pcg 1.1 outl += outl2;
479    
480 pcg 1.29 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
481 pcg 1.1 outl += outl2;
482    
483     len = outl + data_hdr_size ();
484    
485     set_hdr (type, dst);
486    
487     hmac_set (conn->octx);
488     }
489    
490     tap_packet *
491     vpndata_packet::unpack (connection *conn, u32 &seqno)
492     {
493     EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
494     int outl = 0, outl2;
495     tap_packet *p = new tap_packet;
496     u8 *d;
497     u32 l = len - data_hdr_size ();
498    
499 pcg 1.29 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
500 pcg 1.1
501     #if ENABLE_COMPRESSION
502     u8 cdata[MAX_MTU];
503    
504     if (type == PT_DATA_COMPRESSED)
505     d = cdata;
506     else
507     #endif
508     d = &(*p)[6 + 6 - DATAHDR];
509    
510     /* this overwrites part of the src mac, but we fix that later */
511 pcg 1.29 require (EVP_DecryptUpdate (cctx,
512 pcg 1.1 d, &outl2,
513 pcg 1.29 (unsigned char *)&data, len - data_hdr_size ()));
514 pcg 1.1 outl += outl2;
515    
516 pcg 1.29 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
517 pcg 1.1 outl += outl2;
518    
519     seqno = ntohl (*(u32 *)(d + RAND_SIZE));
520    
521     id2mac (dst () ? dst() : THISNODE->id, p->dst);
522     id2mac (src (), p->src);
523    
524     #if ENABLE_COMPRESSION
525     if (type == PT_DATA_COMPRESSED)
526     {
527     u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
528    
529     p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
530     &(*p)[6 + 6], MAX_MTU)
531     + 6 + 6;
532     }
533     else
534     p->len = outl + (6 + 6 - DATAHDR);
535     #endif
536    
537     return p;
538     }
539    
540     struct ping_packet : vpn_packet
541     {
542     void setup (int dst, ptype type)
543     {
544     set_hdr (type, dst);
545     len = sizeof (*this) - sizeof (net_packet);
546     }
547     };
548    
549     struct config_packet : vpn_packet
550     {
551     // actually, hmaclen cannot be checked because the hmac
552     // field comes before this data, so peers with other
553     // hmacs simply will not work.
554     u8 prot_major, prot_minor, randsize, hmaclen;
555 pcg 1.31 u8 flags, challengelen, features, pad3;
556 pcg 1.1 u32 cipher_nid, digest_nid, hmac_nid;
557    
558     void setup (ptype type, int dst);
559     bool chk_config () const;
560 pcg 1.32
561     static u8 get_features ()
562     {
563     u8 f = 0;
564     #if ENABLE_COMPRESSION
565     f |= FEATURE_COMPRESSION;
566     #endif
567     #if ENABLE_ROHC
568     f |= FEATURE_ROHC;
569     #endif
570 pcg 1.59 #if ENABLE_BRIDGING
571     f |= FEATURE_BRIDGING;
572     #endif
573 pcg 1.32 return f;
574     }
575 pcg 1.1 };
576    
577 root 1.90 void
578     config_packet::setup (ptype type, int dst)
579 pcg 1.1 {
580     prot_major = PROTOCOL_MAJOR;
581     prot_minor = PROTOCOL_MINOR;
582     randsize = RAND_SIZE;
583     hmaclen = HMACLENGTH;
584 pcg 1.48 flags = 0;
585 pcg 1.1 challengelen = sizeof (rsachallenge);
586 pcg 1.32 features = get_features ();
587 pcg 1.1
588     cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
589     digest_nid = htonl (EVP_MD_type (RSA_HASH));
590     hmac_nid = htonl (EVP_MD_type (DIGEST));
591    
592     len = sizeof (*this) - sizeof (net_packet);
593     set_hdr (type, dst);
594     }
595    
596 root 1.90 bool
597     config_packet::chk_config () const
598 pcg 1.1 {
599 pcg 1.15 if (prot_major != PROTOCOL_MAJOR)
600 pcg 1.23 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
601 pcg 1.15 else if (randsize != RAND_SIZE)
602 pcg 1.23 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
603 pcg 1.15 else if (hmaclen != HMACLENGTH)
604 pcg 1.23 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
605 pcg 1.15 else if (challengelen != sizeof (rsachallenge))
606 pcg 1.23 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
607 pcg 1.15 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
608 pcg 1.23 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
609 pcg 1.15 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
610 pcg 1.23 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
611 pcg 1.15 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
612 pcg 1.23 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
613 pcg 1.15 else
614     return true;
615    
616     return false;
617 pcg 1.1 }
618    
619     struct auth_req_packet : config_packet
620     {
621     char magic[8];
622     u8 initiate; // false if this is just an automatic reply
623 pcg 1.28 u8 protocols; // supported protocols (will be patched on forward)
624 pcg 1.1 u8 pad2, pad3;
625     rsaid id;
626     rsaencrdata encr;
627    
628     auth_req_packet (int dst, bool initiate_, u8 protocols_)
629     {
630     config_packet::setup (PT_AUTH_REQ, dst);
631 pcg 1.85 strncpy (magic, MAGIC_OLD, 8);
632 pcg 1.1 initiate = !!initiate_;
633     protocols = protocols_;
634    
635     len = sizeof (*this) - sizeof (net_packet);
636     }
637     };
638    
639     struct auth_res_packet : config_packet
640     {
641     rsaid id;
642     u8 pad1, pad2, pad3;
643     u8 response_len; // encrypted length
644     rsaresponse response;
645    
646     auth_res_packet (int dst)
647     {
648     config_packet::setup (PT_AUTH_RES, dst);
649    
650     len = sizeof (*this) - sizeof (net_packet);
651     }
652     };
653    
654     struct connect_req_packet : vpn_packet
655     {
656     u8 id, protocols;
657     u8 pad1, pad2;
658    
659     connect_req_packet (int dst, int id_, u8 protocols_)
660     : id(id_)
661     , protocols(protocols_)
662     {
663     set_hdr (PT_CONNECT_REQ, dst);
664     len = sizeof (*this) - sizeof (net_packet);
665     }
666     };
667    
668     struct connect_info_packet : vpn_packet
669     {
670     u8 id, protocols;
671     u8 pad1, pad2;
672     sockinfo si;
673    
674     connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
675     : id(id_)
676     , protocols(protocols_)
677     , si(si_)
678     {
679     set_hdr (PT_CONNECT_INFO, dst);
680    
681     len = sizeof (*this) - sizeof (net_packet);
682     }
683     };
684    
685     /////////////////////////////////////////////////////////////////////////////
686    
687     void
688 pcg 1.10 connection::connection_established ()
689     {
690 pcg 1.79 slog (L_NOISE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
691 pcg 1.61
692 pcg 1.10 if (ictx && octx)
693     {
694 pcg 1.36 // make sure rekeying timeouts are slightly asymmetric
695 pcg 1.60 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
696     rekey.start (rekey_interval, rekey_interval);
697     keepalive.start (::conf.keepalive);
698 pcg 1.10
699     // send queued packets
700     if (ictx && octx)
701 pcg 1.12 {
702     while (tap_packet *p = (tap_packet *)data_queue.get ())
703     {
704 pcg 1.67 if (p->len) send_data_packet (p);
705 pcg 1.12 delete p;
706     }
707    
708     while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
709     {
710 pcg 1.67 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
711 pcg 1.12 delete p;
712     }
713     }
714 pcg 1.73
715     vpn->connection_established (this);
716 pcg 1.10 }
717     else
718     {
719     retry_cnt = 0;
720 pcg 1.60 establish_connection.start (5);
721 pcg 1.25 keepalive.stop ();
722     rekey.stop ();
723 pcg 1.10 }
724     }
725    
726     void
727 pcg 1.8 connection::reset_si ()
728 pcg 1.1 {
729 pcg 1.73 if (vpn->can_direct (THISNODE, conf))
730     protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
731     else
732 pcg 1.59 {
733 pcg 1.73 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
734 pcg 1.59 protocol = 0;
735     }
736 pcg 1.6
737     si.set (conf, protocol);
738 pcg 1.73
739     is_direct = si.valid ();
740 pcg 1.1 }
741    
742 pcg 1.8 // ensure sockinfo is valid, forward if necessary
743     const sockinfo &
744     connection::forward_si (const sockinfo &si) const
745     {
746     if (!si.valid ())
747     {
748 pcg 1.73 connection *r = vpn->find_router_for (this);
749 pcg 1.8
750     if (r)
751     {
752 pcg 1.73 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
753     conf->nodename, r->conf->nodename);
754 pcg 1.8 return r->si;
755     }
756     else
757 pcg 1.73 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
758 pcg 1.8 conf->nodename);
759     }
760    
761     return si;
762     }
763    
764 pcg 1.1 void
765 pcg 1.10 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
766     {
767 pcg 1.46 if (!vpn->send_vpn_packet (pkt, si, tos))
768 pcg 1.10 reset_connection ();
769     }
770    
771     void
772 pcg 1.1 connection::send_ping (const sockinfo &si, u8 pong)
773     {
774     ping_packet *pkt = new ping_packet;
775    
776     pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
777 pcg 1.73
778 pcg 1.79 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
779 pcg 1.73
780 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
781 pcg 1.1
782     delete pkt;
783     }
784    
785     void
786     connection::send_reset (const sockinfo &si)
787     {
788     if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
789     {
790     config_packet *pkt = new config_packet;
791    
792     pkt->setup (vpn_packet::PT_RESET, conf->id);
793 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_MINCOST);
794 pcg 1.1
795     delete pkt;
796     }
797     }
798    
799     void
800     connection::send_auth_request (const sockinfo &si, bool initiate)
801     {
802     auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
803    
804 pcg 1.6 rsachallenge chg;
805     rsa_cache.gen (pkt->id, chg);
806 pcg 1.24 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
807 pcg 1.1
808 pcg 1.81 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
809 pcg 1.1
810 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
811 pcg 1.1
812 pcg 1.6 delete pkt;
813 pcg 1.1 }
814    
815     void
816     connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
817     {
818     auth_res_packet *pkt = new auth_res_packet (conf->id);
819    
820     pkt->id = id;
821    
822     rsa_hash (id, chg, pkt->response);
823    
824     pkt->hmac_set (octx);
825    
826 pcg 1.80 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
827 pcg 1.1
828 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
829 pcg 1.1
830     delete pkt;
831     }
832    
833     void
834     connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
835     {
836 pcg 1.80 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s)", conf->nodename,
837 pcg 1.79 vpn->conns[rid - 1]->conf->nodename, (const char *)rsi);
838 pcg 1.1
839     connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
840    
841     r->hmac_set (octx);
842 pcg 1.10 send_vpn_packet (r, si);
843 pcg 1.1
844     delete r;
845     }
846    
847 pcg 1.66 inline void
848 pcg 1.60 connection::establish_connection_cb (ev::timer &w, int revents)
849 pcg 1.1 {
850 root 1.92 if (!(ictx && octx)
851 pcg 1.25 && conf != THISNODE
852     && connectmode != conf_node::C_NEVER
853     && connectmode != conf_node::C_DISABLED
854 pcg 1.60 && !w.is_active ())
855 pcg 1.1 {
856 pcg 1.67 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
857     // and stop trying. should probably be handled by a per-connection expire handler.
858     if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
859     {
860     reset_connection ();
861     return;
862     }
863    
864 pcg 1.68 last_establish_attempt = ev_now ();
865    
866 pcg 1.60 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
867     ? (retry_cnt & 3) + 1
868     : 1 << (retry_cnt >> 2));
869 pcg 1.1
870 pcg 1.47 reset_si ();
871 pcg 1.1
872 pcg 1.47 bool slow = si.prot & PROT_SLOW;
873 pcg 1.8
874 pcg 1.73 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
875 pcg 1.60 {
876     /*TODO*/ /* start the timer so we don't recurse endlessly */
877     w.start (1);
878 pcg 1.74 vpn->send_connect_request (this);
879 pcg 1.60 }
880 pcg 1.8 else
881 pcg 1.1 {
882 pcg 1.73 if (si.valid ())
883     slog (L_DEBUG, _("%s: sending direct connection request to %s."),
884     conf->nodename, (const char *)si);
885 pcg 1.61
886 pcg 1.8 const sockinfo &dsi = forward_si (si);
887 pcg 1.6
888 pcg 1.47 slow = slow || (dsi.prot & PROT_SLOW);
889    
890 pcg 1.8 if (dsi.valid () && auth_rate_limiter.can (dsi))
891     {
892     if (retry_cnt < 4)
893     send_auth_request (dsi, true);
894     else
895     send_ping (dsi, 0);
896     }
897 pcg 1.1 }
898 pcg 1.47
899 pcg 1.68 retry_int *= slow ? 8. : 0.9;
900 pcg 1.47
901     if (retry_int < conf->max_retry)
902     retry_cnt++;
903     else
904     retry_int = conf->max_retry;
905    
906 pcg 1.60 w.start (retry_int);
907 pcg 1.1 }
908     }
909    
910     void
911     connection::reset_connection ()
912     {
913     if (ictx && octx)
914     {
915     slog (L_INFO, _("%s(%s): connection lost"),
916     conf->nodename, (const char *)si);
917    
918     if (::conf.script_node_down)
919 pcg 1.64 {
920 pcg 1.70 run_script_cb *cb = new run_script_cb;
921     cb->set<connection, &connection::script_node_down> (this);
922     run_script_queued (cb, _("node-down command execution failed, continuing."));
923 pcg 1.64 }
924 pcg 1.1 }
925    
926     delete ictx; ictx = 0;
927     delete octx; octx = 0;
928 pcg 1.44 #if ENABLE_DNS
929 pcg 1.45 dnsv4_reset_connection ();
930 pcg 1.44 #endif
931 pcg 1.1
932 pcg 1.38 si.host = 0;
933 pcg 1.1
934 pcg 1.73 last_activity = 0.;
935     //last_si_change = 0.;
936 pcg 1.1 retry_cnt = 0;
937    
938 pcg 1.25 rekey.stop ();
939     keepalive.stop ();
940     establish_connection.stop ();
941 pcg 1.1 }
942    
943     void
944     connection::shutdown ()
945     {
946     if (ictx && octx)
947     send_reset (si);
948    
949     reset_connection ();
950     }
951    
952 pcg 1.73 // poor-man's rekeying
953 pcg 1.66 inline void
954 pcg 1.60 connection::rekey_cb (ev::timer &w, int revents)
955 pcg 1.1 {
956     reset_connection ();
957     establish_connection ();
958     }
959    
960     void
961 pcg 1.21 connection::send_data_packet (tap_packet *pkt)
962 pcg 1.1 {
963     vpndata_packet *p = new vpndata_packet;
964     int tos = 0;
965    
966 pcg 1.12 // I am not hilarious about peeking into packets, but so be it.
967 pcg 1.21 if (conf->inherit_tos && pkt->is_ipv4 ())
968 pcg 1.1 tos = (*pkt)[15] & IPTOS_TOS_MASK;
969    
970 pcg 1.21 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
971 pcg 1.10 send_vpn_packet (p, si, tos);
972 pcg 1.1
973     delete p;
974    
975     if (oseqno > MAX_SEQNO)
976     rekey ();
977     }
978    
979     void
980 pcg 1.68 connection::post_inject_queue ()
981     {
982     // force a connection every now and when when packets are sent (max 1/s)
983     if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
984     establish_connection.stop ();
985    
986     establish_connection ();
987     }
988    
989     void
990     connection::inject_data_packet (tap_packet *pkt)
991 pcg 1.1 {
992     if (ictx && octx)
993 pcg 1.21 send_data_packet (pkt);
994 pcg 1.1 else
995     {
996 pcg 1.68 data_queue.put (new tap_packet (*pkt));
997     post_inject_queue ();
998 pcg 1.1 }
999     }
1000    
1001 root 1.90 void
1002     connection::inject_vpn_packet (vpn_packet *pkt, int tos)
1003 pcg 1.8 {
1004     if (ictx && octx)
1005 pcg 1.10 send_vpn_packet (pkt, si, tos);
1006 pcg 1.8 else
1007 pcg 1.12 {
1008 pcg 1.28 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
1009 pcg 1.68 post_inject_queue ();
1010 pcg 1.12 }
1011 pcg 1.8 }
1012    
1013 pcg 1.1 void
1014     connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1015     {
1016 pcg 1.62 last_activity = ev_now ();
1017 pcg 1.1
1018 root 1.91 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
1019 pcg 1.79 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1020 pcg 1.1
1021 pcg 1.61 if (connectmode == conf_node::C_DISABLED)
1022     return;
1023    
1024 pcg 1.1 switch (pkt->typ ())
1025     {
1026 pcg 1.3 case vpn_packet::PT_PING:
1027 pcg 1.79 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1028    
1029 pcg 1.3 // we send pings instead of auth packets after some retries,
1030     // so reset the retry counter and establish a connection
1031     // when we receive a ping.
1032 root 1.89 if (!ictx)
1033 pcg 1.3 {
1034     if (auth_rate_limiter.can (rsi))
1035     send_auth_request (rsi, true);
1036     }
1037     else
1038 root 1.89 // we would love to change the socket address here, but ping's aren't
1039 pcg 1.73 // authenticated, so we best ignore it.
1040 pcg 1.3 send_ping (rsi, 1); // pong
1041    
1042     break;
1043    
1044     case vpn_packet::PT_PONG:
1045 pcg 1.79 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1046 root 1.89
1047     // a PONG might mean that the other side doesn't really know
1048     // about our desire for communication.
1049     establish_connection ();
1050 pcg 1.3 break;
1051    
1052     case vpn_packet::PT_RESET:
1053 pcg 1.1 {
1054 pcg 1.3 reset_connection ();
1055    
1056     config_packet *p = (config_packet *) pkt;
1057    
1058     if (!p->chk_config ())
1059     {
1060 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
1061 pcg 1.3 conf->nodename, (const char *)rsi);
1062     connectmode = conf_node::C_DISABLED;
1063     }
1064     else if (connectmode == conf_node::C_ALWAYS)
1065     establish_connection ();
1066 pcg 1.1 }
1067 pcg 1.3 break;
1068    
1069     case vpn_packet::PT_AUTH_REQ:
1070     if (auth_rate_limiter.can (rsi))
1071     {
1072     auth_req_packet *p = (auth_req_packet *) pkt;
1073    
1074 pcg 1.81 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s)", conf->nodename, p->initiate ? "initiate" : "reply");
1075 pcg 1.1
1076 pcg 1.85 if (p->chk_config ()
1077     && (!strncmp (p->magic, MAGIC_OLD, 8) || !strncmp (p->magic, MAGIC, 8)))
1078 pcg 1.3 {
1079     if (p->prot_minor != PROTOCOL_MINOR)
1080     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1081     conf->nodename, (const char *)rsi,
1082     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1083    
1084     if (p->initiate)
1085     send_auth_request (rsi, false);
1086    
1087     rsachallenge k;
1088    
1089 pcg 1.24 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
1090 pcg 1.23 {
1091     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1092     conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1093     break;
1094     }
1095 pcg 1.3 else
1096     {
1097     delete octx;
1098 pcg 1.1
1099 pcg 1.3 octx = new crypto_ctx (k, 1);
1100     oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
1101 pcg 1.1
1102 pcg 1.3 conf->protocols = p->protocols;
1103 pcg 1.32 features = p->features & config_packet::get_features ();
1104 pcg 1.10
1105 pcg 1.3 send_auth_response (rsi, p->id, k);
1106    
1107 pcg 1.10 connection_established ();
1108    
1109 pcg 1.3 break;
1110     }
1111     }
1112 pcg 1.15 else
1113 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch."),
1114 pcg 1.15 conf->nodename, (const char *)rsi);
1115 pcg 1.3
1116     send_reset (rsi);
1117 pcg 1.1 }
1118    
1119 pcg 1.3 break;
1120    
1121     case vpn_packet::PT_AUTH_RES:
1122 pcg 1.1 {
1123 pcg 1.79 auth_res_packet *p = (auth_res_packet *)pkt;
1124 pcg 1.1
1125 pcg 1.81 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
1126 pcg 1.1
1127 pcg 1.3 if (p->chk_config ())
1128 pcg 1.1 {
1129     if (p->prot_minor != PROTOCOL_MINOR)
1130     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1131     conf->nodename, (const char *)rsi,
1132     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1133    
1134 pcg 1.3 rsachallenge chg;
1135 pcg 1.1
1136 pcg 1.3 if (!rsa_cache.find (p->id, chg))
1137 pcg 1.13 {
1138 pcg 1.73 slog (L_ERR, _("%s(%s): unrequested auth response, ignoring."),
1139 pcg 1.13 conf->nodename, (const char *)rsi);
1140     break;
1141     }
1142 pcg 1.1 else
1143     {
1144 pcg 1.3 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1145    
1146     if (!p->hmac_chk (cctx))
1147 pcg 1.18 {
1148     slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1149 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1150 pcg 1.18 conf->nodename, (const char *)rsi);
1151     break;
1152     }
1153 pcg 1.3 else
1154     {
1155     rsaresponse h;
1156    
1157     rsa_hash (p->id, chg, h);
1158    
1159     if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
1160     {
1161     prot_minor = p->prot_minor;
1162    
1163     delete ictx; ictx = cctx;
1164    
1165     iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1166    
1167     si = rsi;
1168 pcg 1.7 protocol = rsi.prot;
1169 pcg 1.3
1170 pcg 1.76 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
1171 pcg 1.3 conf->nodename, (const char *)rsi,
1172 pcg 1.82 is_direct ? "direct" : "forwarded",
1173 pcg 1.3 p->prot_major, p->prot_minor);
1174 pcg 1.1
1175 pcg 1.73 connection_established ();
1176    
1177 pcg 1.3 if (::conf.script_node_up)
1178 pcg 1.64 {
1179 pcg 1.70 run_script_cb *cb = new run_script_cb;
1180     cb->set<connection, &connection::script_node_up> (this);
1181     run_script_queued (cb, _("node-up command execution failed, continuing."));
1182 pcg 1.64 }
1183 pcg 1.1
1184 pcg 1.3 break;
1185     }
1186     else
1187 pcg 1.73 slog (L_ERR, _("%s(%s): sent and received challenge do not match."),
1188 pcg 1.3 conf->nodename, (const char *)rsi);
1189     }
1190 pcg 1.1
1191 pcg 1.3 delete cctx;
1192 pcg 1.1 }
1193     }
1194     }
1195    
1196 pcg 1.3 send_reset (rsi);
1197     break;
1198 pcg 1.1
1199 pcg 1.3 case vpn_packet::PT_DATA_COMPRESSED:
1200     #if !ENABLE_COMPRESSION
1201     send_reset (rsi);
1202     break;
1203     #endif
1204 pcg 1.1
1205 pcg 1.3 case vpn_packet::PT_DATA_UNCOMPRESSED:
1206 pcg 1.1
1207 pcg 1.3 if (ictx && octx)
1208 pcg 1.1 {
1209 pcg 1.3 vpndata_packet *p = (vpndata_packet *)pkt;
1210 pcg 1.1
1211 pcg 1.10 if (!p->hmac_chk (ictx))
1212     slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1213 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1214 pcg 1.10 conf->nodename, (const char *)rsi);
1215     else
1216 pcg 1.1 {
1217 pcg 1.10 u32 seqno;
1218     tap_packet *d = p->unpack (this, seqno);
1219 pcg 1.73 int seqclass = iseqno.seqno_classify (seqno);
1220 pcg 1.10
1221 pcg 1.73 if (seqclass == 0) // ok
1222 pcg 1.1 {
1223 pcg 1.10 vpn->tap->send (d);
1224 pcg 1.1
1225 pcg 1.10 if (si != rsi)
1226 pcg 1.1 {
1227 pcg 1.56 // fast re-sync on source address changes, useful especially for tcp/ip
1228 pcg 1.73 //if (last_si_change < ev_now () + 5.)
1229     // {
1230 pcg 1.78 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1231     conf->nodename, (const char *)si, (const char *)rsi);
1232    
1233 pcg 1.73 si = rsi;
1234 pcg 1.84
1235     if (::conf.script_node_change)
1236     {
1237     run_script_cb *cb = new run_script_cb;
1238     cb->set<connection, &connection::script_node_change> (this);
1239     run_script_queued (cb, _("node-change command execution failed, continuing."));
1240     }
1241    
1242 pcg 1.73 // }
1243     //else
1244     // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1245     // conf->nodename, (const char *)si, (const char *)rsi);
1246 pcg 1.10 }
1247 pcg 1.32 }
1248 pcg 1.75 else if (seqclass == 1) // far history
1249     slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1250     "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1251     else if (seqclass == 2) // in-window duplicate, happens often on wireless
1252     slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1253     "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1254     else if (seqclass == 3) // reset
1255 pcg 1.73 {
1256 pcg 1.75 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1257     "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1258 pcg 1.73 send_reset (rsi);
1259     }
1260 pcg 1.3
1261 pcg 1.32 delete d;
1262     break;
1263 pcg 1.1 }
1264     }
1265    
1266 pcg 1.3 send_reset (rsi);
1267     break;
1268 pcg 1.1
1269 pcg 1.3 case vpn_packet::PT_CONNECT_REQ:
1270     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1271     {
1272 pcg 1.84 connect_req_packet *p = (connect_req_packet *)pkt;
1273 pcg 1.1
1274 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1275     {
1276     connection *c = vpn->conns[p->id - 1];
1277     conf->protocols = p->protocols;
1278 pcg 1.1
1279 pcg 1.81 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s) [%d]",
1280 pcg 1.79 conf->nodename, vpn->conns[p->id - 1]->conf->nodename, c->ictx && c->octx);
1281 pcg 1.1
1282 pcg 1.57 if (c->ictx && c->octx)
1283     {
1284     // send connect_info packets to both sides, in case one is
1285     // behind a nat firewall (or both ;)
1286     c->send_connect_info (conf->id, si, conf->protocols);
1287     send_connect_info (c->conf->id, c->si, c->conf->protocols);
1288     }
1289     else
1290     c->establish_connection ();
1291 pcg 1.3 }
1292 pcg 1.11 else
1293 pcg 1.57 slog (L_WARN,
1294     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1295     p->id);
1296 pcg 1.3 }
1297 pcg 1.1
1298 pcg 1.3 break;
1299 pcg 1.1
1300 pcg 1.3 case vpn_packet::PT_CONNECT_INFO:
1301     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1302     {
1303 pcg 1.39 connect_info_packet *p = (connect_info_packet *)pkt;
1304 pcg 1.1
1305 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1306 pcg 1.39 {
1307     connection *c = vpn->conns[p->id - 1];
1308 pcg 1.7
1309 pcg 1.39 c->conf->protocols = p->protocols;
1310     protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1311     p->si.upgrade_protocol (protocol, c->conf);
1312 pcg 1.1
1313 pcg 1.81 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s) [%d]",
1314 pcg 1.79 conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1315     (const char *)p->si, !c->ictx && !c->octx);
1316 pcg 1.7
1317 pcg 1.39 const sockinfo &dsi = forward_si (p->si);
1318 pcg 1.1
1319 pcg 1.39 if (dsi.valid ())
1320     c->send_auth_request (dsi, true);
1321     }
1322 pcg 1.57 else
1323     slog (L_WARN,
1324     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1325     p->id);
1326 pcg 1.3 }
1327 pcg 1.1
1328 pcg 1.3 break;
1329 pcg 1.1
1330 pcg 1.3 default:
1331     send_reset (rsi);
1332     break;
1333 pcg 1.1 }
1334     }
1335    
1336 pcg 1.66 inline void
1337     connection::keepalive_cb (ev::timer &w, int revents)
1338 pcg 1.1 {
1339 pcg 1.83 if (ev_now () >= last_activity + ::conf.keepalive + 15)
1340 pcg 1.1 {
1341     reset_connection ();
1342     establish_connection ();
1343     }
1344 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive)
1345 pcg 1.60 w.start (last_activity + ::conf.keepalive - ev::now ());
1346 pcg 1.1 else if (conf->connectmode != conf_node::C_ONDEMAND
1347     || THISNODE->connectmode != conf_node::C_ONDEMAND)
1348     {
1349     send_ping (si);
1350 pcg 1.83 w.start (3);
1351 pcg 1.1 }
1352 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1353 pcg 1.12 // hold ondemand connections implicitly a few seconds longer
1354     // should delete octx, though, or something like that ;)
1355 pcg 1.60 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1356 pcg 1.1 else
1357     reset_connection ();
1358     }
1359    
1360 root 1.90 void
1361     connection::send_connect_request (int id)
1362 pcg 1.1 {
1363     connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1364    
1365 pcg 1.81 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s)",
1366 pcg 1.79 conf->nodename, vpn->conns[id - 1]->conf->nodename);
1367 pcg 1.1 p->hmac_set (octx);
1368 pcg 1.10 send_vpn_packet (p, si);
1369 pcg 1.1
1370     delete p;
1371     }
1372    
1373 root 1.90 void
1374     connection::script_init_env (const char *ext)
1375 pcg 1.53 {
1376     char *env;
1377     asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1378 pcg 1.84 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1379 pcg 1.53 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1380     0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1381 pcg 1.84 conf->id & 0xff); putenv (env);
1382 pcg 1.53 }
1383    
1384 root 1.90 void
1385     connection::script_init_connect_env ()
1386 pcg 1.1 {
1387 pcg 1.52 vpn->script_init_env ();
1388 pcg 1.1
1389     char *env;
1390 pcg 1.84 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1391     asprintf (&env, "DESTSI=%s", (const char *)si); putenv (env);
1392     asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1393     asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1394     asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1395 pcg 1.1 }
1396    
1397 pcg 1.66 inline const char *
1398     connection::script_node_up ()
1399 pcg 1.1 {
1400 pcg 1.53 script_init_connect_env ();
1401 pcg 1.1
1402 pcg 1.60 putenv ((char *)"STATE=up");
1403 pcg 1.1
1404 pcg 1.52 char *filename;
1405     asprintf (&filename,
1406     "%s/%s",
1407     confbase,
1408     ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1409 pcg 1.54
1410     return filename;
1411 pcg 1.1 }
1412    
1413 pcg 1.66 inline const char *
1414 pcg 1.84 connection::script_node_change ()
1415     {
1416     script_init_connect_env ();
1417    
1418     putenv ((char *)"STATE=change");
1419    
1420     char *filename;
1421     asprintf (&filename,
1422     "%s/%s",
1423     confbase,
1424     ::conf.script_node_change ? ::conf.script_node_change : "node-change");
1425    
1426     return filename;
1427     }
1428    
1429     inline const char *
1430 pcg 1.66 connection::script_node_down ()
1431 pcg 1.1 {
1432 pcg 1.53 script_init_connect_env ();
1433 pcg 1.1
1434 pcg 1.60 putenv ((char *)"STATE=down");
1435 pcg 1.1
1436 pcg 1.52 char *filename;
1437     asprintf (&filename,
1438     "%s/%s",
1439     confbase,
1440     ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1441 pcg 1.54
1442     return filename;
1443 pcg 1.1 }
1444    
1445 pcg 1.40 connection::connection (struct vpn *vpn, conf_node *conf)
1446 pcg 1.67 : vpn(vpn), conf(conf),
1447 pcg 1.40 #if ENABLE_DNS
1448 pcg 1.67 dns (0),
1449 pcg 1.40 #endif
1450 pcg 1.72 data_queue(conf->max_ttl, conf->max_queue + 1),
1451     vpn_queue(conf->max_ttl, conf->max_queue + 1)
1452 pcg 1.1 {
1453 pcg 1.65 rekey .set<connection, &connection::rekey_cb > (this);
1454     keepalive .set<connection, &connection::keepalive_cb > (this);
1455     establish_connection.set<connection, &connection::establish_connection_cb> (this);
1456    
1457 pcg 1.68 last_establish_attempt = 0.;
1458 pcg 1.1 octx = ictx = 0;
1459    
1460 pcg 1.40 if (!conf->protocols) // make sure some protocol is enabled
1461     conf->protocols = PROT_UDPv4;
1462    
1463 pcg 1.67 connectmode = conf->connectmode;
1464    
1465     // queue a dummy packet to force an initial connection attempt
1466     if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1467 pcg 1.68 vpn_queue.put (new net_packet);
1468 pcg 1.67
1469 pcg 1.1 reset_connection ();
1470     }
1471    
1472     connection::~connection ()
1473     {
1474     shutdown ();
1475     }
1476    
1477 root 1.90 void
1478     connection_init ()
1479 pcg 1.1 {
1480     auth_rate_limiter.clear ();
1481     reset_rate_limiter.clear ();
1482     }
1483