ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
Revision: 1.93
Committed: Tue Feb 15 13:31:23 2011 UTC (13 years, 3 months ago) by root
Content type: text/plain
Branch: MAIN
Changes since 1.92: +23 -17 lines
Log Message: 
*** empty log message ***

File Contents

# User Rev Content
1 pcg 1.1 /*
2     connection.C -- manage a single connection
3 root 1.93 Copyright (C) 2003-2008,2010,2011 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.42 This file is part of GVPE.
6    
7 pcg 1.69 GVPE is free software; you can redistribute it and/or modify it
8     under the terms of the GNU General Public License as published by the
9     Free Software Foundation; either version 3 of the License, or (at your
10     option) any later version.
11    
12     This program is distributed in the hope that it will be useful, but
13     WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15     Public License for more details.
16    
17     You should have received a copy of the GNU General Public License along
18     with this program; if not, see <http://www.gnu.org/licenses/>.
19    
20     Additional permission under GNU GPL version 3 section 7
21    
22     If you modify this Program, or any covered work, by linking or
23     combining it with the OpenSSL project's OpenSSL library (or a modified
24     version of that library), containing parts covered by the terms of the
25     OpenSSL or SSLeay licenses, the licensors of this Program grant you
26     additional permission to convey the resulting work. Corresponding
27     Source for a non-source form of such a combination shall include the
28     source code for the parts of OpenSSL used as well as that of the
29     covered work.
30 pcg 1.1 */
31    
32     #include "config.h"
33    
34     #include <list>
35 pcg 1.70 #include <queue>
36     #include <utility>
37 pcg 1.1
38 pcg 1.2 #include <openssl/rand.h>
39     #include <openssl/evp.h>
40     #include <openssl/rsa.h>
41     #include <openssl/err.h>
42    
43 pcg 1.1 #include "conf.h"
44     #include "slog.h"
45     #include "device.h"
46 pcg 1.2 #include "vpn.h"
47 pcg 1.1 #include "connection.h"
48    
49 pcg 1.20 #include "netcompat.h"
50 pcg 1.19
51 pcg 1.1 #if !HAVE_RAND_PSEUDO_BYTES
52     # define RAND_pseudo_bytes RAND_bytes
53     #endif
54    
55 pcg 1.85 #define MAGIC_OLD "vped\xbd\xc6\xdb\x82" // 8 bytes of magic (still used in the protocol)
56     #define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic (understood but not generated)
57 pcg 1.30
58     #define ULTRA_FAST 1
59     #define HLOG 15
60     #include "lzf/lzf.h"
61     #include "lzf/lzf_c.c"
62     #include "lzf/lzf_d.c"
63 pcg 1.1
64 pcg 1.70 //////////////////////////////////////////////////////////////////////////////
65    
66     static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
67     static ev::child rs_child_ev;
68    
69 root 1.90 namespace
70 pcg 1.70 {
71 root 1.90 void // c++ requires external linkage here, apparently :(
72     rs_child_cb (ev::child &w, int revents)
73     {
74     w.stop ();
75 pcg 1.70
76 root 1.90 if (rs_queue.empty ())
77     return;
78 pcg 1.70
79 root 1.90 pid_t pid = run_script (*rs_queue.front ().first, false);
80     if (pid)
81     {
82     w.set (pid);
83     w.start ();
84     }
85     else
86     slog (L_WARN, rs_queue.front ().second);
87 pcg 1.70
88 root 1.90 delete rs_queue.front ().first;
89     rs_queue.pop ();
90     }
91     };
92 pcg 1.70
93     // despite the fancy name, this is quite a hack
94     static void
95     run_script_queued (run_script_cb *cb, const char *warnmsg)
96     {
97     rs_queue.push (std::make_pair (cb, warnmsg));
98    
99     if (!rs_child_ev.is_active ())
100     {
101     rs_child_ev.set<rs_child_cb> ();
102     rs_child_ev ();
103     }
104     }
105    
106     //////////////////////////////////////////////////////////////////////////////
107    
108 pcg 1.1 struct crypto_ctx
109     {
110     EVP_CIPHER_CTX cctx;
111     HMAC_CTX hctx;
112    
113     crypto_ctx (const rsachallenge &challenge, int enc);
114     ~crypto_ctx ();
115     };
116    
117     crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
118     {
119     EVP_CIPHER_CTX_init (&cctx);
120 pcg 1.29 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
121 pcg 1.1 HMAC_CTX_init (&hctx);
122     HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
123     }
124    
125     crypto_ctx::~crypto_ctx ()
126     {
127 pcg 1.29 require (EVP_CIPHER_CTX_cleanup (&cctx));
128 pcg 1.1 HMAC_CTX_cleanup (&hctx);
129     }
130    
131     static void
132     rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
133     {
134     EVP_MD_CTX ctx;
135    
136     EVP_MD_CTX_init (&ctx);
137 pcg 1.29 require (EVP_DigestInit (&ctx, RSA_HASH));
138     require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
139     require (EVP_DigestUpdate(&ctx, &id, sizeof id));
140     require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
141 pcg 1.1 EVP_MD_CTX_cleanup (&ctx);
142     }
143    
144 pcg 1.63 struct rsa_entry
145     {
146 pcg 1.1 tstamp expire;
147     rsaid id;
148     rsachallenge chg;
149     };
150    
151     struct rsa_cache : list<rsa_entry>
152     {
153 pcg 1.66 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
154 pcg 1.1
155     bool find (const rsaid &id, rsachallenge &chg)
156 pcg 1.51 {
157     for (iterator i = begin (); i != end (); ++i)
158     {
159 pcg 1.62 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
160 pcg 1.51 {
161     memcpy (&chg, &i->chg, sizeof chg);
162 pcg 1.1
163 pcg 1.51 erase (i);
164     return true;
165     }
166     }
167 pcg 1.1
168 pcg 1.60 if (!cleaner.is_active ())
169     cleaner.again ();
170 pcg 1.1
171 pcg 1.51 return false;
172     }
173 pcg 1.1
174     void gen (rsaid &id, rsachallenge &chg)
175 pcg 1.51 {
176     rsa_entry e;
177 pcg 1.1
178 pcg 1.51 RAND_bytes ((unsigned char *)&id, sizeof id);
179     RAND_bytes ((unsigned char *)&chg, sizeof chg);
180 pcg 1.1
181 pcg 1.62 e.expire = ev_now () + RSA_TTL;
182 pcg 1.51 e.id = id;
183     memcpy (&e.chg, &chg, sizeof chg);
184 pcg 1.1
185 pcg 1.51 push_back (e);
186 pcg 1.1
187 pcg 1.60 if (!cleaner.is_active ())
188     cleaner.again ();
189 pcg 1.51 }
190 pcg 1.1
191     rsa_cache ()
192 pcg 1.60 {
193 pcg 1.65 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
194 pcg 1.60 cleaner.set (RSA_TTL, RSA_TTL);
195     }
196 pcg 1.1
197     } rsa_cache;
198    
199 root 1.90 void
200     rsa_cache::cleaner_cb (ev::timer &w, int revents)
201 pcg 1.1 {
202 pcg 1.60 if (empty ())
203     w.stop ();
204     else
205 pcg 1.1 {
206     for (iterator i = begin (); i != end (); )
207 pcg 1.62 if (i->expire <= ev_now ())
208 pcg 1.1 i = erase (i);
209     else
210     ++i;
211     }
212     }
213    
214     //////////////////////////////////////////////////////////////////////////////
215    
216 pcg 1.67 pkt_queue::pkt_queue (double max_ttl, int max_queue)
217     : max_ttl (max_ttl), max_queue (max_queue)
218 pcg 1.1 {
219 pcg 1.67 queue = new pkt [max_queue];
220    
221     i = 0;
222     j = 0;
223    
224     expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
225     }
226 pcg 1.1
227 pcg 1.67 pkt_queue::~pkt_queue ()
228     {
229     while (net_packet *p = get ())
230     delete p;
231 pcg 1.1
232 pcg 1.67 delete [] queue;
233 pcg 1.1 }
234    
235 root 1.90 void
236     pkt_queue::expire_cb (ev::timer &w, int revents)
237 pcg 1.1 {
238 pcg 1.67 ev_tstamp expire = ev_now () - max_ttl;
239 pcg 1.1
240 pcg 1.67 for (;;)
241 pcg 1.1 {
242 pcg 1.67 if (empty ())
243     break;
244    
245     double diff = queue[j].tstamp - expire;
246    
247     if (diff >= 0.)
248     {
249     w.start (diff > 0.5 ? diff : 0.5);
250     break;
251     }
252    
253     delete get ();
254 pcg 1.1 }
255     }
256    
257 root 1.90 void
258     pkt_queue::put (net_packet *p)
259 pcg 1.1 {
260 pcg 1.67 ev_tstamp now = ev_now ();
261    
262     // start expiry timer
263     if (empty ())
264     expire.start (max_ttl);
265    
266     int ni = i + 1 == max_queue ? 0 : i + 1;
267    
268     if (ni == j)
269     delete get ();
270    
271     queue[i].pkt = p;
272     queue[i].tstamp = now;
273    
274     i = ni;
275 pcg 1.1 }
276    
277 root 1.90 net_packet *
278     pkt_queue::get ()
279 pcg 1.1 {
280 pcg 1.67 if (empty ())
281     return 0;
282    
283     net_packet *p = queue[j].pkt;
284     queue[j].pkt = 0;
285    
286     j = j + 1 == max_queue ? 0 : j + 1;
287    
288     return p;
289 pcg 1.1 }
290    
291 pcg 1.63 struct net_rateinfo
292     {
293 pcg 1.1 u32 host;
294     double pcnt, diff;
295     tstamp last;
296     };
297    
298     // only do action once every x seconds per host whole allowing bursts.
299     // this implementation ("splay list" ;) is inefficient,
300     // but low on resources.
301     struct net_rate_limiter : list<net_rateinfo>
302     {
303 pcg 1.35 # define NRL_ALPHA (1. - 1. / 600.) // allow bursts
304     # define NRL_CUTOFF 10. // one event every CUTOFF seconds
305     # define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
306     # define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
307 pcg 1.1
308 pcg 1.16 bool can (const sockinfo &si) { return can((u32)si.host); }
309 pcg 1.1 bool can (u32 host);
310     };
311    
312 root 1.90 static net_rate_limiter auth_rate_limiter, reset_rate_limiter;
313 pcg 1.1
314 root 1.90 bool
315     net_rate_limiter::can (u32 host)
316 pcg 1.1 {
317     iterator i;
318    
319     for (i = begin (); i != end (); )
320     if (i->host == host)
321     break;
322 pcg 1.62 else if (i->last < ev_now () - NRL_EXPIRE)
323 pcg 1.1 i = erase (i);
324     else
325     i++;
326    
327     if (i == end ())
328     {
329     net_rateinfo ri;
330    
331     ri.host = host;
332     ri.pcnt = 1.;
333 pcg 1.34 ri.diff = NRL_MAXDIF;
334 pcg 1.62 ri.last = ev_now ();
335 pcg 1.1
336     push_front (ri);
337    
338     return true;
339     }
340     else
341     {
342     net_rateinfo ri (*i);
343     erase (i);
344    
345 pcg 1.34 ri.pcnt = ri.pcnt * NRL_ALPHA;
346 pcg 1.62 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
347 pcg 1.1
348 pcg 1.62 ri.last = ev_now ();
349 pcg 1.1
350 pcg 1.10 double dif = ri.diff / ri.pcnt;
351 pcg 1.1
352 pcg 1.34 bool send = dif > NRL_CUTOFF;
353 pcg 1.10
354 pcg 1.34 if (dif > NRL_MAXDIF)
355 pcg 1.10 {
356     ri.pcnt = 1.;
357 pcg 1.34 ri.diff = NRL_MAXDIF;
358 pcg 1.10 }
359     else if (send)
360 pcg 1.1 ri.pcnt++;
361    
362     push_front (ri);
363    
364     return send;
365     }
366     }
367    
368     /////////////////////////////////////////////////////////////////////////////
369    
370     unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
371    
372 root 1.90 void
373     hmac_packet::hmac_gen (crypto_ctx *ctx)
374 pcg 1.1 {
375     unsigned int xlen;
376    
377     HMAC_CTX *hctx = &ctx->hctx;
378    
379     HMAC_Init_ex (hctx, 0, 0, 0, 0);
380     HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
381     len - sizeof (hmac_packet));
382     HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
383     }
384    
385     void
386     hmac_packet::hmac_set (crypto_ctx *ctx)
387     {
388     hmac_gen (ctx);
389    
390     memcpy (hmac, hmac_digest, HMACLENGTH);
391     }
392    
393     bool
394     hmac_packet::hmac_chk (crypto_ctx *ctx)
395     {
396     hmac_gen (ctx);
397    
398     return !memcmp (hmac, hmac_digest, HMACLENGTH);
399     }
400    
401 root 1.90 void
402     vpn_packet::set_hdr (ptype type_, unsigned int dst)
403 pcg 1.1 {
404 pcg 1.6 type = type_;
405 pcg 1.1
406     int src = THISNODE->id;
407    
408     src1 = src;
409     srcdst = ((src >> 8) << 4) | (dst >> 8);
410     dst1 = dst;
411     }
412    
413     #define MAXVPNDATA (MAX_MTU - 6 - 6)
414     #define DATAHDR (sizeof (u32) + RAND_SIZE)
415    
416 pcg 1.28 struct vpndata_packet : vpn_packet
417 root 1.90 {
418     u8 data[MAXVPNDATA + DATAHDR]; // seqno
419    
420     void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
421     tap_packet *unpack (connection *conn, u32 &seqno);
422 pcg 1.1
423     private:
424 root 1.90 const u32 data_hdr_size () const
425     {
426     return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
427     }
428     };
429 pcg 1.1
430     void
431     vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
432     {
433     EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
434     int outl = 0, outl2;
435     ptype type = PT_DATA_UNCOMPRESSED;
436    
437     #if ENABLE_COMPRESSION
438     u8 cdata[MAX_MTU];
439    
440 pcg 1.86 if (conn->features & FEATURE_COMPRESSION)
441 pcg 1.1 {
442 pcg 1.31 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
443 pcg 1.1
444 pcg 1.31 if (cl)
445     {
446     type = PT_DATA_COMPRESSED;
447     d = cdata;
448     l = cl + 2;
449    
450     d[0] = cl >> 8;
451     d[1] = cl;
452     }
453 pcg 1.1 }
454     #endif
455    
456 pcg 1.29 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
457 pcg 1.1
458     struct {
459     #if RAND_SIZE
460     u8 rnd[RAND_SIZE];
461     #endif
462     u32 seqno;
463     } datahdr;
464    
465     datahdr.seqno = ntohl (seqno);
466     #if RAND_SIZE
467     RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
468     #endif
469    
470 pcg 1.29 require (EVP_EncryptUpdate (cctx,
471 pcg 1.1 (unsigned char *) data + outl, &outl2,
472 pcg 1.29 (unsigned char *) &datahdr, DATAHDR));
473 pcg 1.1 outl += outl2;
474    
475 pcg 1.29 require (EVP_EncryptUpdate (cctx,
476 pcg 1.1 (unsigned char *) data + outl, &outl2,
477 pcg 1.29 (unsigned char *) d, l));
478 pcg 1.1 outl += outl2;
479    
480 pcg 1.29 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
481 pcg 1.1 outl += outl2;
482    
483     len = outl + data_hdr_size ();
484    
485     set_hdr (type, dst);
486    
487     hmac_set (conn->octx);
488     }
489    
490     tap_packet *
491     vpndata_packet::unpack (connection *conn, u32 &seqno)
492     {
493     EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
494     int outl = 0, outl2;
495     tap_packet *p = new tap_packet;
496     u8 *d;
497     u32 l = len - data_hdr_size ();
498    
499 pcg 1.29 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
500 pcg 1.1
501     #if ENABLE_COMPRESSION
502     u8 cdata[MAX_MTU];
503    
504     if (type == PT_DATA_COMPRESSED)
505     d = cdata;
506     else
507     #endif
508     d = &(*p)[6 + 6 - DATAHDR];
509    
510     /* this overwrites part of the src mac, but we fix that later */
511 pcg 1.29 require (EVP_DecryptUpdate (cctx,
512 pcg 1.1 d, &outl2,
513 pcg 1.29 (unsigned char *)&data, len - data_hdr_size ()));
514 pcg 1.1 outl += outl2;
515    
516 pcg 1.29 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
517 pcg 1.1 outl += outl2;
518    
519     seqno = ntohl (*(u32 *)(d + RAND_SIZE));
520    
521     id2mac (dst () ? dst() : THISNODE->id, p->dst);
522     id2mac (src (), p->src);
523    
524     #if ENABLE_COMPRESSION
525     if (type == PT_DATA_COMPRESSED)
526     {
527     u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
528    
529     p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
530     &(*p)[6 + 6], MAX_MTU)
531     + 6 + 6;
532     }
533     else
534     p->len = outl + (6 + 6 - DATAHDR);
535     #endif
536    
537     return p;
538     }
539    
540     struct ping_packet : vpn_packet
541     {
542     void setup (int dst, ptype type)
543     {
544     set_hdr (type, dst);
545     len = sizeof (*this) - sizeof (net_packet);
546     }
547     };
548    
549     struct config_packet : vpn_packet
550     {
551     // actually, hmaclen cannot be checked because the hmac
552     // field comes before this data, so peers with other
553     // hmacs simply will not work.
554     u8 prot_major, prot_minor, randsize, hmaclen;
555 pcg 1.31 u8 flags, challengelen, features, pad3;
556 pcg 1.1 u32 cipher_nid, digest_nid, hmac_nid;
557    
558     void setup (ptype type, int dst);
559     bool chk_config () const;
560 pcg 1.32
561     static u8 get_features ()
562     {
563     u8 f = 0;
564     #if ENABLE_COMPRESSION
565     f |= FEATURE_COMPRESSION;
566     #endif
567     #if ENABLE_ROHC
568     f |= FEATURE_ROHC;
569     #endif
570 pcg 1.59 #if ENABLE_BRIDGING
571     f |= FEATURE_BRIDGING;
572     #endif
573 pcg 1.32 return f;
574     }
575 pcg 1.1 };
576    
577 root 1.90 void
578     config_packet::setup (ptype type, int dst)
579 pcg 1.1 {
580     prot_major = PROTOCOL_MAJOR;
581     prot_minor = PROTOCOL_MINOR;
582     randsize = RAND_SIZE;
583     hmaclen = HMACLENGTH;
584 pcg 1.48 flags = 0;
585 pcg 1.1 challengelen = sizeof (rsachallenge);
586 pcg 1.32 features = get_features ();
587 pcg 1.1
588     cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
589     digest_nid = htonl (EVP_MD_type (RSA_HASH));
590     hmac_nid = htonl (EVP_MD_type (DIGEST));
591    
592     len = sizeof (*this) - sizeof (net_packet);
593     set_hdr (type, dst);
594     }
595    
596 root 1.90 bool
597     config_packet::chk_config () const
598 pcg 1.1 {
599 pcg 1.15 if (prot_major != PROTOCOL_MAJOR)
600 pcg 1.23 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
601 pcg 1.15 else if (randsize != RAND_SIZE)
602 pcg 1.23 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
603 pcg 1.15 else if (hmaclen != HMACLENGTH)
604 pcg 1.23 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
605 pcg 1.15 else if (challengelen != sizeof (rsachallenge))
606 pcg 1.23 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
607 pcg 1.15 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
608 pcg 1.23 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
609 pcg 1.15 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
610 pcg 1.23 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
611 pcg 1.15 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
612 pcg 1.23 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
613 pcg 1.15 else
614     return true;
615    
616     return false;
617 pcg 1.1 }
618    
619     struct auth_req_packet : config_packet
620     {
621     char magic[8];
622     u8 initiate; // false if this is just an automatic reply
623 pcg 1.28 u8 protocols; // supported protocols (will be patched on forward)
624 pcg 1.1 u8 pad2, pad3;
625     rsaid id;
626     rsaencrdata encr;
627    
628     auth_req_packet (int dst, bool initiate_, u8 protocols_)
629     {
630     config_packet::setup (PT_AUTH_REQ, dst);
631 pcg 1.85 strncpy (magic, MAGIC_OLD, 8);
632 pcg 1.1 initiate = !!initiate_;
633     protocols = protocols_;
634    
635     len = sizeof (*this) - sizeof (net_packet);
636     }
637     };
638    
639     struct auth_res_packet : config_packet
640     {
641     rsaid id;
642     u8 pad1, pad2, pad3;
643     u8 response_len; // encrypted length
644     rsaresponse response;
645    
646     auth_res_packet (int dst)
647     {
648     config_packet::setup (PT_AUTH_RES, dst);
649    
650     len = sizeof (*this) - sizeof (net_packet);
651     }
652     };
653    
654     struct connect_req_packet : vpn_packet
655     {
656     u8 id, protocols;
657     u8 pad1, pad2;
658    
659     connect_req_packet (int dst, int id_, u8 protocols_)
660     : id(id_)
661     , protocols(protocols_)
662     {
663     set_hdr (PT_CONNECT_REQ, dst);
664     len = sizeof (*this) - sizeof (net_packet);
665     }
666     };
667    
668     struct connect_info_packet : vpn_packet
669     {
670     u8 id, protocols;
671     u8 pad1, pad2;
672     sockinfo si;
673    
674     connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
675     : id(id_)
676     , protocols(protocols_)
677     , si(si_)
678     {
679     set_hdr (PT_CONNECT_INFO, dst);
680    
681     len = sizeof (*this) - sizeof (net_packet);
682     }
683     };
684    
685     /////////////////////////////////////////////////////////////////////////////
686    
687     void
688 pcg 1.10 connection::connection_established ()
689     {
690 pcg 1.79 slog (L_NOISE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
691 pcg 1.61
692 pcg 1.10 if (ictx && octx)
693     {
694 pcg 1.36 // make sure rekeying timeouts are slightly asymmetric
695 pcg 1.60 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
696     rekey.start (rekey_interval, rekey_interval);
697     keepalive.start (::conf.keepalive);
698 pcg 1.10
699     // send queued packets
700     if (ictx && octx)
701 pcg 1.12 {
702     while (tap_packet *p = (tap_packet *)data_queue.get ())
703     {
704 pcg 1.67 if (p->len) send_data_packet (p);
705 pcg 1.12 delete p;
706     }
707    
708     while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
709     {
710 pcg 1.67 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
711 pcg 1.12 delete p;
712     }
713     }
714 pcg 1.73
715     vpn->connection_established (this);
716 pcg 1.10 }
717     else
718     {
719     retry_cnt = 0;
720 pcg 1.60 establish_connection.start (5);
721 pcg 1.25 keepalive.stop ();
722     rekey.stop ();
723 pcg 1.10 }
724     }
725    
726     void
727 pcg 1.8 connection::reset_si ()
728 pcg 1.1 {
729 pcg 1.73 if (vpn->can_direct (THISNODE, conf))
730     protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
731     else
732 pcg 1.59 {
733 pcg 1.73 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
734 pcg 1.59 protocol = 0;
735     }
736 pcg 1.6
737     si.set (conf, protocol);
738 pcg 1.73
739     is_direct = si.valid ();
740 pcg 1.1 }
741    
742 pcg 1.8 // ensure sockinfo is valid, forward if necessary
743     const sockinfo &
744     connection::forward_si (const sockinfo &si) const
745     {
746     if (!si.valid ())
747     {
748 pcg 1.73 connection *r = vpn->find_router_for (this);
749 pcg 1.8
750     if (r)
751     {
752 pcg 1.73 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
753     conf->nodename, r->conf->nodename);
754 pcg 1.8 return r->si;
755     }
756     else
757 pcg 1.73 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
758 pcg 1.8 conf->nodename);
759     }
760    
761     return si;
762     }
763    
764 pcg 1.1 void
765 pcg 1.10 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
766     {
767 pcg 1.46 if (!vpn->send_vpn_packet (pkt, si, tos))
768 pcg 1.10 reset_connection ();
769     }
770    
771     void
772 pcg 1.1 connection::send_ping (const sockinfo &si, u8 pong)
773     {
774     ping_packet *pkt = new ping_packet;
775    
776     pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
777 pcg 1.73
778 pcg 1.79 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
779 pcg 1.73
780 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
781 pcg 1.1
782     delete pkt;
783     }
784    
785     void
786     connection::send_reset (const sockinfo &si)
787     {
788     if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
789     {
790     config_packet *pkt = new config_packet;
791    
792     pkt->setup (vpn_packet::PT_RESET, conf->id);
793 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_MINCOST);
794 pcg 1.1
795     delete pkt;
796     }
797     }
798    
799     void
800     connection::send_auth_request (const sockinfo &si, bool initiate)
801     {
802     auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
803    
804 pcg 1.6 rsachallenge chg;
805     rsa_cache.gen (pkt->id, chg);
806 pcg 1.24 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
807 pcg 1.1
808 pcg 1.81 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
809 pcg 1.1
810 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
811 pcg 1.1
812 pcg 1.6 delete pkt;
813 pcg 1.1 }
814    
815     void
816     connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
817     {
818     auth_res_packet *pkt = new auth_res_packet (conf->id);
819    
820     pkt->id = id;
821    
822     rsa_hash (id, chg, pkt->response);
823    
824     pkt->hmac_set (octx);
825    
826 pcg 1.80 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
827 pcg 1.1
828 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
829 pcg 1.1
830     delete pkt;
831     }
832    
833     void
834     connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
835     {
836 root 1.93 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s,p%02x)", conf->nodename,
837     vpn->conns[rid - 1]->conf->nodename, (const char *)rsi,
838     conf->protocols);
839 pcg 1.1
840     connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
841    
842     r->hmac_set (octx);
843 pcg 1.10 send_vpn_packet (r, si);
844 pcg 1.1
845     delete r;
846     }
847    
848 pcg 1.66 inline void
849 pcg 1.60 connection::establish_connection_cb (ev::timer &w, int revents)
850 pcg 1.1 {
851 root 1.92 if (!(ictx && octx)
852 pcg 1.25 && conf != THISNODE
853     && connectmode != conf_node::C_NEVER
854     && connectmode != conf_node::C_DISABLED
855 pcg 1.60 && !w.is_active ())
856 pcg 1.1 {
857 pcg 1.67 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
858     // and stop trying. should probably be handled by a per-connection expire handler.
859     if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
860     {
861     reset_connection ();
862     return;
863     }
864    
865 pcg 1.68 last_establish_attempt = ev_now ();
866    
867 pcg 1.60 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
868     ? (retry_cnt & 3) + 1
869     : 1 << (retry_cnt >> 2));
870 pcg 1.1
871 pcg 1.47 reset_si ();
872 pcg 1.1
873 pcg 1.47 bool slow = si.prot & PROT_SLOW;
874 pcg 1.8
875 pcg 1.73 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
876 pcg 1.60 {
877     /*TODO*/ /* start the timer so we don't recurse endlessly */
878     w.start (1);
879 pcg 1.74 vpn->send_connect_request (this);
880 pcg 1.60 }
881 pcg 1.8 else
882 pcg 1.1 {
883 pcg 1.73 if (si.valid ())
884     slog (L_DEBUG, _("%s: sending direct connection request to %s."),
885     conf->nodename, (const char *)si);
886 pcg 1.61
887 pcg 1.8 const sockinfo &dsi = forward_si (si);
888 pcg 1.6
889 pcg 1.47 slow = slow || (dsi.prot & PROT_SLOW);
890    
891 pcg 1.8 if (dsi.valid () && auth_rate_limiter.can (dsi))
892     {
893     if (retry_cnt < 4)
894     send_auth_request (dsi, true);
895     else
896     send_ping (dsi, 0);
897     }
898 pcg 1.1 }
899 pcg 1.47
900 pcg 1.68 retry_int *= slow ? 8. : 0.9;
901 pcg 1.47
902     if (retry_int < conf->max_retry)
903     retry_cnt++;
904     else
905     retry_int = conf->max_retry;
906    
907 pcg 1.60 w.start (retry_int);
908 pcg 1.1 }
909     }
910    
911     void
912     connection::reset_connection ()
913     {
914     if (ictx && octx)
915     {
916     slog (L_INFO, _("%s(%s): connection lost"),
917     conf->nodename, (const char *)si);
918    
919     if (::conf.script_node_down)
920 pcg 1.64 {
921 pcg 1.70 run_script_cb *cb = new run_script_cb;
922     cb->set<connection, &connection::script_node_down> (this);
923     run_script_queued (cb, _("node-down command execution failed, continuing."));
924 pcg 1.64 }
925 pcg 1.1 }
926    
927     delete ictx; ictx = 0;
928     delete octx; octx = 0;
929 pcg 1.44 #if ENABLE_DNS
930 pcg 1.45 dnsv4_reset_connection ();
931 pcg 1.44 #endif
932 pcg 1.1
933 pcg 1.38 si.host = 0;
934 pcg 1.1
935 pcg 1.73 last_activity = 0.;
936     //last_si_change = 0.;
937 pcg 1.1 retry_cnt = 0;
938    
939 pcg 1.25 rekey.stop ();
940     keepalive.stop ();
941     establish_connection.stop ();
942 pcg 1.1 }
943    
944     void
945     connection::shutdown ()
946     {
947     if (ictx && octx)
948     send_reset (si);
949    
950     reset_connection ();
951     }
952    
953 pcg 1.73 // poor-man's rekeying
954 pcg 1.66 inline void
955 pcg 1.60 connection::rekey_cb (ev::timer &w, int revents)
956 pcg 1.1 {
957     reset_connection ();
958     establish_connection ();
959     }
960    
961     void
962 pcg 1.21 connection::send_data_packet (tap_packet *pkt)
963 pcg 1.1 {
964     vpndata_packet *p = new vpndata_packet;
965     int tos = 0;
966    
967 pcg 1.12 // I am not hilarious about peeking into packets, but so be it.
968 pcg 1.21 if (conf->inherit_tos && pkt->is_ipv4 ())
969 pcg 1.1 tos = (*pkt)[15] & IPTOS_TOS_MASK;
970    
971 pcg 1.21 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
972 pcg 1.10 send_vpn_packet (p, si, tos);
973 pcg 1.1
974     delete p;
975    
976     if (oseqno > MAX_SEQNO)
977     rekey ();
978     }
979    
980     void
981 pcg 1.68 connection::post_inject_queue ()
982     {
983     // force a connection every now and when when packets are sent (max 1/s)
984     if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
985     establish_connection.stop ();
986    
987     establish_connection ();
988     }
989    
990     void
991     connection::inject_data_packet (tap_packet *pkt)
992 pcg 1.1 {
993     if (ictx && octx)
994 pcg 1.21 send_data_packet (pkt);
995 pcg 1.1 else
996     {
997 pcg 1.68 data_queue.put (new tap_packet (*pkt));
998     post_inject_queue ();
999 pcg 1.1 }
1000     }
1001    
1002 root 1.90 void
1003     connection::inject_vpn_packet (vpn_packet *pkt, int tos)
1004 pcg 1.8 {
1005     if (ictx && octx)
1006 pcg 1.10 send_vpn_packet (pkt, si, tos);
1007 pcg 1.8 else
1008 pcg 1.12 {
1009 pcg 1.28 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
1010 pcg 1.68 post_inject_queue ();
1011 pcg 1.12 }
1012 pcg 1.8 }
1013    
1014 pcg 1.1 void
1015     connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1016     {
1017 pcg 1.62 last_activity = ev_now ();
1018 pcg 1.1
1019 root 1.91 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
1020 pcg 1.79 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1021 pcg 1.1
1022 pcg 1.61 if (connectmode == conf_node::C_DISABLED)
1023     return;
1024    
1025 pcg 1.1 switch (pkt->typ ())
1026     {
1027 pcg 1.3 case vpn_packet::PT_PING:
1028 pcg 1.79 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1029    
1030 pcg 1.3 // we send pings instead of auth packets after some retries,
1031     // so reset the retry counter and establish a connection
1032     // when we receive a ping.
1033 root 1.89 if (!ictx)
1034 pcg 1.3 {
1035     if (auth_rate_limiter.can (rsi))
1036     send_auth_request (rsi, true);
1037     }
1038     else
1039 root 1.89 // we would love to change the socket address here, but ping's aren't
1040 pcg 1.73 // authenticated, so we best ignore it.
1041 pcg 1.3 send_ping (rsi, 1); // pong
1042    
1043     break;
1044    
1045     case vpn_packet::PT_PONG:
1046 pcg 1.79 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1047 root 1.89
1048     // a PONG might mean that the other side doesn't really know
1049     // about our desire for communication.
1050     establish_connection ();
1051 pcg 1.3 break;
1052    
1053     case vpn_packet::PT_RESET:
1054 pcg 1.1 {
1055 pcg 1.3 reset_connection ();
1056    
1057     config_packet *p = (config_packet *) pkt;
1058    
1059     if (!p->chk_config ())
1060     {
1061 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
1062 pcg 1.3 conf->nodename, (const char *)rsi);
1063     connectmode = conf_node::C_DISABLED;
1064     }
1065     else if (connectmode == conf_node::C_ALWAYS)
1066     establish_connection ();
1067 pcg 1.1 }
1068 pcg 1.3 break;
1069    
1070     case vpn_packet::PT_AUTH_REQ:
1071     if (auth_rate_limiter.can (rsi))
1072     {
1073 root 1.93 auth_req_packet *p = (auth_req_packet *)pkt;
1074 pcg 1.3
1075 root 1.93 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s,p%02x,f%02x)",
1076     conf->nodename, p->initiate ? "initiate" : "reply",
1077     p->protocols, p->features);
1078 pcg 1.1
1079 pcg 1.85 if (p->chk_config ()
1080 root 1.93 && (!memcmp (p->magic, MAGIC_OLD, 8) || !memcmp (p->magic, MAGIC, 8)))
1081 pcg 1.3 {
1082     if (p->prot_minor != PROTOCOL_MINOR)
1083     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1084     conf->nodename, (const char *)rsi,
1085     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1086    
1087     if (p->initiate)
1088     send_auth_request (rsi, false);
1089    
1090     rsachallenge k;
1091    
1092 pcg 1.24 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
1093 pcg 1.23 {
1094     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1095     conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1096     break;
1097     }
1098 pcg 1.3 else
1099     {
1100     delete octx;
1101 pcg 1.1
1102 pcg 1.3 octx = new crypto_ctx (k, 1);
1103     oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
1104 pcg 1.1
1105 pcg 1.3 conf->protocols = p->protocols;
1106 pcg 1.32 features = p->features & config_packet::get_features ();
1107 pcg 1.10
1108 pcg 1.3 send_auth_response (rsi, p->id, k);
1109    
1110 pcg 1.10 connection_established ();
1111    
1112 pcg 1.3 break;
1113     }
1114     }
1115 pcg 1.15 else
1116 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch."),
1117 pcg 1.15 conf->nodename, (const char *)rsi);
1118 pcg 1.3
1119     send_reset (rsi);
1120 pcg 1.1 }
1121    
1122 pcg 1.3 break;
1123    
1124     case vpn_packet::PT_AUTH_RES:
1125 pcg 1.1 {
1126 pcg 1.79 auth_res_packet *p = (auth_res_packet *)pkt;
1127 pcg 1.1
1128 pcg 1.81 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
1129 pcg 1.1
1130 pcg 1.3 if (p->chk_config ())
1131 pcg 1.1 {
1132     if (p->prot_minor != PROTOCOL_MINOR)
1133     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1134     conf->nodename, (const char *)rsi,
1135     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1136    
1137 pcg 1.3 rsachallenge chg;
1138 pcg 1.1
1139 pcg 1.3 if (!rsa_cache.find (p->id, chg))
1140 pcg 1.13 {
1141 pcg 1.73 slog (L_ERR, _("%s(%s): unrequested auth response, ignoring."),
1142 pcg 1.13 conf->nodename, (const char *)rsi);
1143     break;
1144     }
1145 pcg 1.1 else
1146     {
1147 pcg 1.3 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1148    
1149     if (!p->hmac_chk (cctx))
1150 pcg 1.18 {
1151     slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1152 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1153 pcg 1.18 conf->nodename, (const char *)rsi);
1154     break;
1155     }
1156 pcg 1.3 else
1157     {
1158     rsaresponse h;
1159    
1160     rsa_hash (p->id, chg, h);
1161    
1162     if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
1163     {
1164     prot_minor = p->prot_minor;
1165    
1166     delete ictx; ictx = cctx;
1167    
1168     iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1169    
1170     si = rsi;
1171 pcg 1.7 protocol = rsi.prot;
1172 pcg 1.3
1173 pcg 1.76 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
1174 pcg 1.3 conf->nodename, (const char *)rsi,
1175 pcg 1.82 is_direct ? "direct" : "forwarded",
1176 pcg 1.3 p->prot_major, p->prot_minor);
1177 pcg 1.1
1178 pcg 1.73 connection_established ();
1179    
1180 pcg 1.3 if (::conf.script_node_up)
1181 pcg 1.64 {
1182 pcg 1.70 run_script_cb *cb = new run_script_cb;
1183     cb->set<connection, &connection::script_node_up> (this);
1184     run_script_queued (cb, _("node-up command execution failed, continuing."));
1185 pcg 1.64 }
1186 pcg 1.1
1187 pcg 1.3 break;
1188     }
1189     else
1190 pcg 1.73 slog (L_ERR, _("%s(%s): sent and received challenge do not match."),
1191 pcg 1.3 conf->nodename, (const char *)rsi);
1192     }
1193 pcg 1.1
1194 pcg 1.3 delete cctx;
1195 pcg 1.1 }
1196     }
1197     }
1198    
1199 pcg 1.3 send_reset (rsi);
1200     break;
1201 pcg 1.1
1202 pcg 1.3 case vpn_packet::PT_DATA_COMPRESSED:
1203     #if !ENABLE_COMPRESSION
1204     send_reset (rsi);
1205     break;
1206     #endif
1207 pcg 1.1
1208 pcg 1.3 case vpn_packet::PT_DATA_UNCOMPRESSED:
1209 pcg 1.1
1210 pcg 1.3 if (ictx && octx)
1211 pcg 1.1 {
1212 pcg 1.3 vpndata_packet *p = (vpndata_packet *)pkt;
1213 pcg 1.1
1214 pcg 1.10 if (!p->hmac_chk (ictx))
1215     slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1216 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1217 pcg 1.10 conf->nodename, (const char *)rsi);
1218     else
1219 pcg 1.1 {
1220 pcg 1.10 u32 seqno;
1221     tap_packet *d = p->unpack (this, seqno);
1222 pcg 1.73 int seqclass = iseqno.seqno_classify (seqno);
1223 pcg 1.10
1224 pcg 1.73 if (seqclass == 0) // ok
1225 pcg 1.1 {
1226 pcg 1.10 vpn->tap->send (d);
1227 pcg 1.1
1228 pcg 1.10 if (si != rsi)
1229 pcg 1.1 {
1230 pcg 1.56 // fast re-sync on source address changes, useful especially for tcp/ip
1231 pcg 1.73 //if (last_si_change < ev_now () + 5.)
1232     // {
1233 pcg 1.78 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1234     conf->nodename, (const char *)si, (const char *)rsi);
1235    
1236 pcg 1.73 si = rsi;
1237 pcg 1.84
1238     if (::conf.script_node_change)
1239     {
1240     run_script_cb *cb = new run_script_cb;
1241     cb->set<connection, &connection::script_node_change> (this);
1242     run_script_queued (cb, _("node-change command execution failed, continuing."));
1243     }
1244    
1245 pcg 1.73 // }
1246     //else
1247     // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1248     // conf->nodename, (const char *)si, (const char *)rsi);
1249 pcg 1.10 }
1250 pcg 1.32 }
1251 pcg 1.75 else if (seqclass == 1) // far history
1252     slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1253     "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1254     else if (seqclass == 2) // in-window duplicate, happens often on wireless
1255     slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1256     "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1257     else if (seqclass == 3) // reset
1258 pcg 1.73 {
1259 pcg 1.75 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1260     "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1261 pcg 1.73 send_reset (rsi);
1262     }
1263 pcg 1.3
1264 pcg 1.32 delete d;
1265     break;
1266 pcg 1.1 }
1267     }
1268    
1269 pcg 1.3 send_reset (rsi);
1270     break;
1271 pcg 1.1
1272 pcg 1.3 case vpn_packet::PT_CONNECT_REQ:
1273     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1274     {
1275 pcg 1.84 connect_req_packet *p = (connect_req_packet *)pkt;
1276 pcg 1.1
1277 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1278     {
1279     connection *c = vpn->conns[p->id - 1];
1280     conf->protocols = p->protocols;
1281 pcg 1.1
1282 root 1.93 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s,p%02x) [%d]",
1283     conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1284     p->protocols,
1285     c->ictx && c->octx);
1286 pcg 1.1
1287 pcg 1.57 if (c->ictx && c->octx)
1288     {
1289     // send connect_info packets to both sides, in case one is
1290     // behind a nat firewall (or both ;)
1291     c->send_connect_info (conf->id, si, conf->protocols);
1292     send_connect_info (c->conf->id, c->si, c->conf->protocols);
1293     }
1294     else
1295     c->establish_connection ();
1296 pcg 1.3 }
1297 pcg 1.11 else
1298 pcg 1.57 slog (L_WARN,
1299     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1300     p->id);
1301 pcg 1.3 }
1302 pcg 1.1
1303 pcg 1.3 break;
1304 pcg 1.1
1305 pcg 1.3 case vpn_packet::PT_CONNECT_INFO:
1306     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1307     {
1308 pcg 1.39 connect_info_packet *p = (connect_info_packet *)pkt;
1309 pcg 1.1
1310 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1311 pcg 1.39 {
1312     connection *c = vpn->conns[p->id - 1];
1313 pcg 1.7
1314 pcg 1.39 c->conf->protocols = p->protocols;
1315     protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1316     p->si.upgrade_protocol (protocol, c->conf);
1317 pcg 1.1
1318 root 1.93 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s,p%02x) [%d]",
1319     conf->nodename,
1320     vpn->conns[p->id - 1]->conf->nodename,
1321     (const char *)p->si,
1322     p->protocols,
1323     !c->ictx && !c->octx);
1324 pcg 1.7
1325 pcg 1.39 const sockinfo &dsi = forward_si (p->si);
1326 pcg 1.1
1327 pcg 1.39 if (dsi.valid ())
1328     c->send_auth_request (dsi, true);
1329     }
1330 pcg 1.57 else
1331     slog (L_WARN,
1332     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1333     p->id);
1334 pcg 1.3 }
1335 pcg 1.1
1336 pcg 1.3 break;
1337 pcg 1.1
1338 pcg 1.3 default:
1339     send_reset (rsi);
1340     break;
1341 pcg 1.1 }
1342     }
1343    
1344 pcg 1.66 inline void
1345     connection::keepalive_cb (ev::timer &w, int revents)
1346 pcg 1.1 {
1347 pcg 1.83 if (ev_now () >= last_activity + ::conf.keepalive + 15)
1348 pcg 1.1 {
1349     reset_connection ();
1350     establish_connection ();
1351     }
1352 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive)
1353 pcg 1.60 w.start (last_activity + ::conf.keepalive - ev::now ());
1354 pcg 1.1 else if (conf->connectmode != conf_node::C_ONDEMAND
1355     || THISNODE->connectmode != conf_node::C_ONDEMAND)
1356     {
1357     send_ping (si);
1358 pcg 1.83 w.start (3);
1359 pcg 1.1 }
1360 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1361 pcg 1.12 // hold ondemand connections implicitly a few seconds longer
1362     // should delete octx, though, or something like that ;)
1363 pcg 1.60 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1364 pcg 1.1 else
1365     reset_connection ();
1366     }
1367    
1368 root 1.90 void
1369     connection::send_connect_request (int id)
1370 pcg 1.1 {
1371 root 1.93 connect_req_packet *p = new connect_req_packet (conf->id, id, THISNODE->protocols);
1372 pcg 1.1
1373 root 1.93 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s,p%02x)",
1374     conf->nodename, vpn->conns[id - 1]->conf->nodename,
1375     THISNODE->protocols);
1376 pcg 1.1 p->hmac_set (octx);
1377 pcg 1.10 send_vpn_packet (p, si);
1378 pcg 1.1
1379     delete p;
1380     }
1381    
1382 root 1.90 void
1383     connection::script_init_env (const char *ext)
1384 pcg 1.53 {
1385     char *env;
1386     asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1387 pcg 1.84 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1388 pcg 1.53 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1389     0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1390 pcg 1.84 conf->id & 0xff); putenv (env);
1391 pcg 1.53 }
1392    
1393 root 1.90 void
1394     connection::script_init_connect_env ()
1395 pcg 1.1 {
1396 pcg 1.52 vpn->script_init_env ();
1397 pcg 1.1
1398     char *env;
1399 pcg 1.84 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1400     asprintf (&env, "DESTSI=%s", (const char *)si); putenv (env);
1401     asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1402     asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1403     asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1404 pcg 1.1 }
1405    
1406 pcg 1.66 inline const char *
1407     connection::script_node_up ()
1408 pcg 1.1 {
1409 pcg 1.53 script_init_connect_env ();
1410 pcg 1.1
1411 pcg 1.60 putenv ((char *)"STATE=up");
1412 pcg 1.1
1413 pcg 1.52 char *filename;
1414     asprintf (&filename,
1415     "%s/%s",
1416     confbase,
1417     ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1418 pcg 1.54
1419     return filename;
1420 pcg 1.1 }
1421    
1422 pcg 1.66 inline const char *
1423 pcg 1.84 connection::script_node_change ()
1424     {
1425     script_init_connect_env ();
1426    
1427     putenv ((char *)"STATE=change");
1428    
1429     char *filename;
1430     asprintf (&filename,
1431     "%s/%s",
1432     confbase,
1433     ::conf.script_node_change ? ::conf.script_node_change : "node-change");
1434    
1435     return filename;
1436     }
1437    
1438     inline const char *
1439 pcg 1.66 connection::script_node_down ()
1440 pcg 1.1 {
1441 pcg 1.53 script_init_connect_env ();
1442 pcg 1.1
1443 pcg 1.60 putenv ((char *)"STATE=down");
1444 pcg 1.1
1445 pcg 1.52 char *filename;
1446     asprintf (&filename,
1447     "%s/%s",
1448     confbase,
1449     ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1450 pcg 1.54
1451     return filename;
1452 pcg 1.1 }
1453    
1454 pcg 1.40 connection::connection (struct vpn *vpn, conf_node *conf)
1455 pcg 1.67 : vpn(vpn), conf(conf),
1456 pcg 1.40 #if ENABLE_DNS
1457 pcg 1.67 dns (0),
1458 pcg 1.40 #endif
1459 pcg 1.72 data_queue(conf->max_ttl, conf->max_queue + 1),
1460     vpn_queue(conf->max_ttl, conf->max_queue + 1)
1461 pcg 1.1 {
1462 pcg 1.65 rekey .set<connection, &connection::rekey_cb > (this);
1463     keepalive .set<connection, &connection::keepalive_cb > (this);
1464     establish_connection.set<connection, &connection::establish_connection_cb> (this);
1465    
1466 pcg 1.68 last_establish_attempt = 0.;
1467 pcg 1.1 octx = ictx = 0;
1468    
1469 pcg 1.67 connectmode = conf->connectmode;
1470    
1471     // queue a dummy packet to force an initial connection attempt
1472     if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1473 pcg 1.68 vpn_queue.put (new net_packet);
1474 pcg 1.67
1475 pcg 1.1 reset_connection ();
1476     }
1477    
1478     connection::~connection ()
1479     {
1480     shutdown ();
1481     }
1482    
1483 root 1.90 void
1484     connection_init ()
1485 pcg 1.1 {
1486     auth_rate_limiter.clear ();
1487     reset_rate_limiter.clear ();
1488     }
1489