ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
Revision: 1.95
Committed: Tue Mar 8 17:33:30 2011 UTC (13 years, 2 months ago) by root
Content type: text/plain
Branch: MAIN
Changes since 1.94: +4 -4 lines
Log Message: 
async functionality, unused

File Contents

# User Rev Content
1 pcg 1.1 /*
2     connection.C -- manage a single connection
3 root 1.93 Copyright (C) 2003-2008,2010,2011 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.42 This file is part of GVPE.
6    
7 pcg 1.69 GVPE is free software; you can redistribute it and/or modify it
8     under the terms of the GNU General Public License as published by the
9     Free Software Foundation; either version 3 of the License, or (at your
10     option) any later version.
11    
12     This program is distributed in the hope that it will be useful, but
13     WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15     Public License for more details.
16    
17     You should have received a copy of the GNU General Public License along
18     with this program; if not, see <http://www.gnu.org/licenses/>.
19    
20     Additional permission under GNU GPL version 3 section 7
21    
22     If you modify this Program, or any covered work, by linking or
23     combining it with the OpenSSL project's OpenSSL library (or a modified
24     version of that library), containing parts covered by the terms of the
25     OpenSSL or SSLeay licenses, the licensors of this Program grant you
26     additional permission to convey the resulting work. Corresponding
27     Source for a non-source form of such a combination shall include the
28     source code for the parts of OpenSSL used as well as that of the
29     covered work.
30 pcg 1.1 */
31    
32     #include "config.h"
33    
34     #include <list>
35 pcg 1.70 #include <queue>
36     #include <utility>
37 pcg 1.1
38 pcg 1.2 #include <openssl/rand.h>
39     #include <openssl/evp.h>
40     #include <openssl/rsa.h>
41     #include <openssl/err.h>
42    
43 pcg 1.1 #include "conf.h"
44     #include "slog.h"
45     #include "device.h"
46 pcg 1.2 #include "vpn.h"
47 pcg 1.1 #include "connection.h"
48    
49 pcg 1.20 #include "netcompat.h"
50 pcg 1.19
51 pcg 1.1 #if !HAVE_RAND_PSEUDO_BYTES
52     # define RAND_pseudo_bytes RAND_bytes
53     #endif
54    
55 pcg 1.85 #define MAGIC_OLD "vped\xbd\xc6\xdb\x82" // 8 bytes of magic (still used in the protocol)
56     #define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic (understood but not generated)
57 pcg 1.30
58     #define ULTRA_FAST 1
59     #define HLOG 15
60     #include "lzf/lzf.h"
61     #include "lzf/lzf_c.c"
62     #include "lzf/lzf_d.c"
63 pcg 1.1
64 pcg 1.70 //////////////////////////////////////////////////////////////////////////////
65    
66     static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
67     static ev::child rs_child_ev;
68    
69 root 1.90 namespace
70 pcg 1.70 {
71 root 1.90 void // c++ requires external linkage here, apparently :(
72     rs_child_cb (ev::child &w, int revents)
73     {
74     w.stop ();
75 pcg 1.70
76 root 1.90 if (rs_queue.empty ())
77     return;
78 pcg 1.70
79 root 1.90 pid_t pid = run_script (*rs_queue.front ().first, false);
80     if (pid)
81     {
82     w.set (pid);
83     w.start ();
84     }
85     else
86     slog (L_WARN, rs_queue.front ().second);
87 pcg 1.70
88 root 1.90 delete rs_queue.front ().first;
89     rs_queue.pop ();
90     }
91     };
92 pcg 1.70
93     // despite the fancy name, this is quite a hack
94     static void
95     run_script_queued (run_script_cb *cb, const char *warnmsg)
96     {
97     rs_queue.push (std::make_pair (cb, warnmsg));
98    
99     if (!rs_child_ev.is_active ())
100     {
101     rs_child_ev.set<rs_child_cb> ();
102     rs_child_ev ();
103     }
104     }
105    
106     //////////////////////////////////////////////////////////////////////////////
107    
108 pcg 1.1 struct crypto_ctx
109     {
110     EVP_CIPHER_CTX cctx;
111     HMAC_CTX hctx;
112    
113     crypto_ctx (const rsachallenge &challenge, int enc);
114     ~crypto_ctx ();
115     };
116    
117     crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
118     {
119     EVP_CIPHER_CTX_init (&cctx);
120 pcg 1.29 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
121 pcg 1.1 HMAC_CTX_init (&hctx);
122     HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
123     }
124    
125     crypto_ctx::~crypto_ctx ()
126     {
127 pcg 1.29 require (EVP_CIPHER_CTX_cleanup (&cctx));
128 pcg 1.1 HMAC_CTX_cleanup (&hctx);
129     }
130    
131     static void
132     rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
133     {
134     EVP_MD_CTX ctx;
135    
136     EVP_MD_CTX_init (&ctx);
137 root 1.95 require (EVP_DigestInit (&ctx, RSA_HASH));
138     require (EVP_DigestUpdate (&ctx, &chg, sizeof chg));
139     require (EVP_DigestUpdate (&ctx, &id, sizeof id));
140     require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
141 pcg 1.1 EVP_MD_CTX_cleanup (&ctx);
142     }
143    
144 pcg 1.63 struct rsa_entry
145     {
146 pcg 1.1 tstamp expire;
147     rsaid id;
148     rsachallenge chg;
149     };
150    
151     struct rsa_cache : list<rsa_entry>
152     {
153 pcg 1.66 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
154 pcg 1.1
155     bool find (const rsaid &id, rsachallenge &chg)
156 pcg 1.51 {
157     for (iterator i = begin (); i != end (); ++i)
158     {
159 pcg 1.62 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
160 pcg 1.51 {
161     memcpy (&chg, &i->chg, sizeof chg);
162 pcg 1.1
163 pcg 1.51 erase (i);
164     return true;
165     }
166     }
167 pcg 1.1
168 pcg 1.60 if (!cleaner.is_active ())
169     cleaner.again ();
170 pcg 1.1
171 pcg 1.51 return false;
172     }
173 pcg 1.1
174     void gen (rsaid &id, rsachallenge &chg)
175 pcg 1.51 {
176     rsa_entry e;
177 pcg 1.1
178 pcg 1.51 RAND_bytes ((unsigned char *)&id, sizeof id);
179     RAND_bytes ((unsigned char *)&chg, sizeof chg);
180 pcg 1.1
181 pcg 1.62 e.expire = ev_now () + RSA_TTL;
182 pcg 1.51 e.id = id;
183     memcpy (&e.chg, &chg, sizeof chg);
184 pcg 1.1
185 pcg 1.51 push_back (e);
186 pcg 1.1
187 pcg 1.60 if (!cleaner.is_active ())
188     cleaner.again ();
189 pcg 1.51 }
190 pcg 1.1
191     rsa_cache ()
192 pcg 1.60 {
193 pcg 1.65 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
194 pcg 1.60 cleaner.set (RSA_TTL, RSA_TTL);
195     }
196 pcg 1.1
197     } rsa_cache;
198    
199 root 1.90 void
200     rsa_cache::cleaner_cb (ev::timer &w, int revents)
201 pcg 1.1 {
202 pcg 1.60 if (empty ())
203     w.stop ();
204     else
205 pcg 1.1 {
206     for (iterator i = begin (); i != end (); )
207 pcg 1.62 if (i->expire <= ev_now ())
208 pcg 1.1 i = erase (i);
209     else
210     ++i;
211     }
212     }
213    
214     //////////////////////////////////////////////////////////////////////////////
215    
216 pcg 1.67 pkt_queue::pkt_queue (double max_ttl, int max_queue)
217     : max_ttl (max_ttl), max_queue (max_queue)
218 pcg 1.1 {
219 pcg 1.67 queue = new pkt [max_queue];
220    
221     i = 0;
222     j = 0;
223    
224     expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
225     }
226 pcg 1.1
227 pcg 1.67 pkt_queue::~pkt_queue ()
228     {
229     while (net_packet *p = get ())
230     delete p;
231 pcg 1.1
232 pcg 1.67 delete [] queue;
233 pcg 1.1 }
234    
235 root 1.90 void
236     pkt_queue::expire_cb (ev::timer &w, int revents)
237 pcg 1.1 {
238 pcg 1.67 ev_tstamp expire = ev_now () - max_ttl;
239 pcg 1.1
240 pcg 1.67 for (;;)
241 pcg 1.1 {
242 pcg 1.67 if (empty ())
243     break;
244    
245     double diff = queue[j].tstamp - expire;
246    
247     if (diff >= 0.)
248     {
249     w.start (diff > 0.5 ? diff : 0.5);
250     break;
251     }
252    
253     delete get ();
254 pcg 1.1 }
255     }
256    
257 root 1.90 void
258     pkt_queue::put (net_packet *p)
259 pcg 1.1 {
260 pcg 1.67 ev_tstamp now = ev_now ();
261    
262     // start expiry timer
263     if (empty ())
264     expire.start (max_ttl);
265    
266     int ni = i + 1 == max_queue ? 0 : i + 1;
267    
268     if (ni == j)
269     delete get ();
270    
271     queue[i].pkt = p;
272     queue[i].tstamp = now;
273    
274     i = ni;
275 pcg 1.1 }
276    
277 root 1.90 net_packet *
278     pkt_queue::get ()
279 pcg 1.1 {
280 pcg 1.67 if (empty ())
281     return 0;
282    
283     net_packet *p = queue[j].pkt;
284     queue[j].pkt = 0;
285    
286     j = j + 1 == max_queue ? 0 : j + 1;
287    
288     return p;
289 pcg 1.1 }
290    
291 pcg 1.63 struct net_rateinfo
292     {
293 pcg 1.1 u32 host;
294     double pcnt, diff;
295     tstamp last;
296     };
297    
298     // only do action once every x seconds per host whole allowing bursts.
299     // this implementation ("splay list" ;) is inefficient,
300     // but low on resources.
301     struct net_rate_limiter : list<net_rateinfo>
302     {
303 pcg 1.35 # define NRL_ALPHA (1. - 1. / 600.) // allow bursts
304     # define NRL_CUTOFF 10. // one event every CUTOFF seconds
305     # define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
306     # define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
307 pcg 1.1
308 pcg 1.16 bool can (const sockinfo &si) { return can((u32)si.host); }
309 pcg 1.1 bool can (u32 host);
310     };
311    
312 root 1.90 static net_rate_limiter auth_rate_limiter, reset_rate_limiter;
313 pcg 1.1
314 root 1.90 bool
315     net_rate_limiter::can (u32 host)
316 pcg 1.1 {
317     iterator i;
318    
319     for (i = begin (); i != end (); )
320     if (i->host == host)
321     break;
322 pcg 1.62 else if (i->last < ev_now () - NRL_EXPIRE)
323 pcg 1.1 i = erase (i);
324     else
325     i++;
326    
327     if (i == end ())
328     {
329     net_rateinfo ri;
330    
331     ri.host = host;
332     ri.pcnt = 1.;
333 pcg 1.34 ri.diff = NRL_MAXDIF;
334 pcg 1.62 ri.last = ev_now ();
335 pcg 1.1
336     push_front (ri);
337    
338     return true;
339     }
340     else
341     {
342     net_rateinfo ri (*i);
343     erase (i);
344    
345 pcg 1.34 ri.pcnt = ri.pcnt * NRL_ALPHA;
346 pcg 1.62 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
347 pcg 1.1
348 pcg 1.62 ri.last = ev_now ();
349 pcg 1.1
350 pcg 1.10 double dif = ri.diff / ri.pcnt;
351 pcg 1.1
352 pcg 1.34 bool send = dif > NRL_CUTOFF;
353 pcg 1.10
354 pcg 1.34 if (dif > NRL_MAXDIF)
355 pcg 1.10 {
356     ri.pcnt = 1.;
357 pcg 1.34 ri.diff = NRL_MAXDIF;
358 pcg 1.10 }
359     else if (send)
360 pcg 1.1 ri.pcnt++;
361    
362     push_front (ri);
363    
364     return send;
365     }
366     }
367    
368     /////////////////////////////////////////////////////////////////////////////
369    
370     unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
371    
372 root 1.90 void
373     hmac_packet::hmac_gen (crypto_ctx *ctx)
374 pcg 1.1 {
375     unsigned int xlen;
376    
377     HMAC_CTX *hctx = &ctx->hctx;
378    
379     HMAC_Init_ex (hctx, 0, 0, 0, 0);
380     HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
381     len - sizeof (hmac_packet));
382     HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
383     }
384    
385     void
386     hmac_packet::hmac_set (crypto_ctx *ctx)
387     {
388     hmac_gen (ctx);
389    
390     memcpy (hmac, hmac_digest, HMACLENGTH);
391     }
392    
393     bool
394     hmac_packet::hmac_chk (crypto_ctx *ctx)
395     {
396     hmac_gen (ctx);
397    
398     return !memcmp (hmac, hmac_digest, HMACLENGTH);
399     }
400    
401 root 1.90 void
402     vpn_packet::set_hdr (ptype type_, unsigned int dst)
403 pcg 1.1 {
404 pcg 1.6 type = type_;
405 pcg 1.1
406     int src = THISNODE->id;
407    
408     src1 = src;
409     srcdst = ((src >> 8) << 4) | (dst >> 8);
410     dst1 = dst;
411     }
412    
413     #define MAXVPNDATA (MAX_MTU - 6 - 6)
414     #define DATAHDR (sizeof (u32) + RAND_SIZE)
415    
416 pcg 1.28 struct vpndata_packet : vpn_packet
417 root 1.90 {
418     u8 data[MAXVPNDATA + DATAHDR]; // seqno
419    
420     void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
421     tap_packet *unpack (connection *conn, u32 &seqno);
422 pcg 1.1
423     private:
424 root 1.90 const u32 data_hdr_size () const
425     {
426     return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
427     }
428     };
429 pcg 1.1
430     void
431     vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
432     {
433     EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
434     int outl = 0, outl2;
435     ptype type = PT_DATA_UNCOMPRESSED;
436    
437     #if ENABLE_COMPRESSION
438     u8 cdata[MAX_MTU];
439    
440 pcg 1.86 if (conn->features & FEATURE_COMPRESSION)
441 pcg 1.1 {
442 pcg 1.31 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
443 pcg 1.1
444 pcg 1.31 if (cl)
445     {
446     type = PT_DATA_COMPRESSED;
447     d = cdata;
448     l = cl + 2;
449    
450     d[0] = cl >> 8;
451     d[1] = cl;
452     }
453 pcg 1.1 }
454     #endif
455    
456 pcg 1.29 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
457 pcg 1.1
458     struct {
459     #if RAND_SIZE
460     u8 rnd[RAND_SIZE];
461     #endif
462     u32 seqno;
463     } datahdr;
464    
465     datahdr.seqno = ntohl (seqno);
466     #if RAND_SIZE
467     RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
468     #endif
469    
470 pcg 1.29 require (EVP_EncryptUpdate (cctx,
471 pcg 1.1 (unsigned char *) data + outl, &outl2,
472 pcg 1.29 (unsigned char *) &datahdr, DATAHDR));
473 pcg 1.1 outl += outl2;
474    
475 pcg 1.29 require (EVP_EncryptUpdate (cctx,
476 pcg 1.1 (unsigned char *) data + outl, &outl2,
477 pcg 1.29 (unsigned char *) d, l));
478 pcg 1.1 outl += outl2;
479    
480 pcg 1.29 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
481 pcg 1.1 outl += outl2;
482    
483     len = outl + data_hdr_size ();
484    
485     set_hdr (type, dst);
486    
487     hmac_set (conn->octx);
488     }
489    
490     tap_packet *
491     vpndata_packet::unpack (connection *conn, u32 &seqno)
492     {
493     EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
494     int outl = 0, outl2;
495     tap_packet *p = new tap_packet;
496     u8 *d;
497     u32 l = len - data_hdr_size ();
498    
499 pcg 1.29 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
500 pcg 1.1
501     #if ENABLE_COMPRESSION
502     u8 cdata[MAX_MTU];
503    
504     if (type == PT_DATA_COMPRESSED)
505     d = cdata;
506     else
507     #endif
508     d = &(*p)[6 + 6 - DATAHDR];
509    
510     /* this overwrites part of the src mac, but we fix that later */
511 pcg 1.29 require (EVP_DecryptUpdate (cctx,
512 pcg 1.1 d, &outl2,
513 pcg 1.29 (unsigned char *)&data, len - data_hdr_size ()));
514 pcg 1.1 outl += outl2;
515    
516 pcg 1.29 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
517 pcg 1.1 outl += outl2;
518    
519     seqno = ntohl (*(u32 *)(d + RAND_SIZE));
520    
521     id2mac (dst () ? dst() : THISNODE->id, p->dst);
522     id2mac (src (), p->src);
523    
524     #if ENABLE_COMPRESSION
525     if (type == PT_DATA_COMPRESSED)
526     {
527     u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
528    
529     p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
530     &(*p)[6 + 6], MAX_MTU)
531     + 6 + 6;
532     }
533     else
534     p->len = outl + (6 + 6 - DATAHDR);
535     #endif
536    
537     return p;
538     }
539    
540     struct ping_packet : vpn_packet
541     {
542     void setup (int dst, ptype type)
543     {
544     set_hdr (type, dst);
545     len = sizeof (*this) - sizeof (net_packet);
546     }
547     };
548    
549     struct config_packet : vpn_packet
550     {
551     // actually, hmaclen cannot be checked because the hmac
552     // field comes before this data, so peers with other
553     // hmacs simply will not work.
554     u8 prot_major, prot_minor, randsize, hmaclen;
555 pcg 1.31 u8 flags, challengelen, features, pad3;
556 pcg 1.1 u32 cipher_nid, digest_nid, hmac_nid;
557    
558     void setup (ptype type, int dst);
559     bool chk_config () const;
560 pcg 1.32
561     static u8 get_features ()
562     {
563     u8 f = 0;
564     #if ENABLE_COMPRESSION
565     f |= FEATURE_COMPRESSION;
566     #endif
567     #if ENABLE_ROHC
568     f |= FEATURE_ROHC;
569     #endif
570 pcg 1.59 #if ENABLE_BRIDGING
571     f |= FEATURE_BRIDGING;
572     #endif
573 pcg 1.32 return f;
574     }
575 pcg 1.1 };
576    
577 root 1.90 void
578     config_packet::setup (ptype type, int dst)
579 pcg 1.1 {
580     prot_major = PROTOCOL_MAJOR;
581     prot_minor = PROTOCOL_MINOR;
582     randsize = RAND_SIZE;
583     hmaclen = HMACLENGTH;
584 pcg 1.48 flags = 0;
585 pcg 1.1 challengelen = sizeof (rsachallenge);
586 pcg 1.32 features = get_features ();
587 pcg 1.1
588     cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
589     digest_nid = htonl (EVP_MD_type (RSA_HASH));
590     hmac_nid = htonl (EVP_MD_type (DIGEST));
591    
592     len = sizeof (*this) - sizeof (net_packet);
593     set_hdr (type, dst);
594     }
595    
596 root 1.90 bool
597     config_packet::chk_config () const
598 pcg 1.1 {
599 pcg 1.15 if (prot_major != PROTOCOL_MAJOR)
600 pcg 1.23 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
601 pcg 1.15 else if (randsize != RAND_SIZE)
602 pcg 1.23 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
603 pcg 1.15 else if (hmaclen != HMACLENGTH)
604 pcg 1.23 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
605 pcg 1.15 else if (challengelen != sizeof (rsachallenge))
606 pcg 1.23 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
607 pcg 1.15 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
608 pcg 1.23 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
609 pcg 1.15 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
610 pcg 1.23 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
611 pcg 1.15 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
612 pcg 1.23 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
613 pcg 1.15 else
614     return true;
615    
616     return false;
617 pcg 1.1 }
618    
619     struct auth_req_packet : config_packet
620     {
621     char magic[8];
622     u8 initiate; // false if this is just an automatic reply
623 pcg 1.28 u8 protocols; // supported protocols (will be patched on forward)
624 pcg 1.1 u8 pad2, pad3;
625     rsaid id;
626     rsaencrdata encr;
627    
628     auth_req_packet (int dst, bool initiate_, u8 protocols_)
629     {
630     config_packet::setup (PT_AUTH_REQ, dst);
631 pcg 1.85 strncpy (magic, MAGIC_OLD, 8);
632 pcg 1.1 initiate = !!initiate_;
633     protocols = protocols_;
634    
635     len = sizeof (*this) - sizeof (net_packet);
636     }
637     };
638    
639     struct auth_res_packet : config_packet
640     {
641     rsaid id;
642     u8 pad1, pad2, pad3;
643     u8 response_len; // encrypted length
644     rsaresponse response;
645    
646     auth_res_packet (int dst)
647     {
648     config_packet::setup (PT_AUTH_RES, dst);
649    
650     len = sizeof (*this) - sizeof (net_packet);
651     }
652     };
653    
654     struct connect_req_packet : vpn_packet
655     {
656     u8 id, protocols;
657     u8 pad1, pad2;
658    
659     connect_req_packet (int dst, int id_, u8 protocols_)
660     : id(id_)
661     , protocols(protocols_)
662     {
663     set_hdr (PT_CONNECT_REQ, dst);
664     len = sizeof (*this) - sizeof (net_packet);
665     }
666     };
667    
668     struct connect_info_packet : vpn_packet
669     {
670     u8 id, protocols;
671     u8 pad1, pad2;
672     sockinfo si;
673    
674     connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
675     : id(id_)
676     , protocols(protocols_)
677     , si(si_)
678     {
679     set_hdr (PT_CONNECT_INFO, dst);
680    
681     len = sizeof (*this) - sizeof (net_packet);
682     }
683     };
684    
685     /////////////////////////////////////////////////////////////////////////////
686    
687     void
688 pcg 1.10 connection::connection_established ()
689     {
690 pcg 1.79 slog (L_NOISE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
691 pcg 1.61
692 pcg 1.10 if (ictx && octx)
693     {
694 pcg 1.36 // make sure rekeying timeouts are slightly asymmetric
695 pcg 1.60 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
696     rekey.start (rekey_interval, rekey_interval);
697     keepalive.start (::conf.keepalive);
698 pcg 1.10
699     // send queued packets
700     if (ictx && octx)
701 pcg 1.12 {
702     while (tap_packet *p = (tap_packet *)data_queue.get ())
703     {
704 pcg 1.67 if (p->len) send_data_packet (p);
705 pcg 1.12 delete p;
706     }
707    
708     while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
709     {
710 pcg 1.67 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
711 pcg 1.12 delete p;
712     }
713     }
714 pcg 1.73
715     vpn->connection_established (this);
716 pcg 1.10 }
717     else
718     {
719     retry_cnt = 0;
720 pcg 1.60 establish_connection.start (5);
721 pcg 1.25 keepalive.stop ();
722     rekey.stop ();
723 pcg 1.10 }
724     }
725    
726     void
727 pcg 1.8 connection::reset_si ()
728 pcg 1.1 {
729 pcg 1.73 if (vpn->can_direct (THISNODE, conf))
730     protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
731     else
732 pcg 1.59 {
733 pcg 1.73 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
734 pcg 1.59 protocol = 0;
735     }
736 pcg 1.6
737     si.set (conf, protocol);
738 pcg 1.73
739     is_direct = si.valid ();
740 pcg 1.1 }
741    
742 pcg 1.8 // ensure sockinfo is valid, forward if necessary
743     const sockinfo &
744     connection::forward_si (const sockinfo &si) const
745     {
746     if (!si.valid ())
747     {
748 pcg 1.73 connection *r = vpn->find_router_for (this);
749 pcg 1.8
750     if (r)
751     {
752 pcg 1.73 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
753     conf->nodename, r->conf->nodename);
754 pcg 1.8 return r->si;
755     }
756     else
757 pcg 1.73 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
758 pcg 1.8 conf->nodename);
759     }
760    
761     return si;
762     }
763    
764 pcg 1.1 void
765 pcg 1.10 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
766     {
767 pcg 1.46 if (!vpn->send_vpn_packet (pkt, si, tos))
768 pcg 1.10 reset_connection ();
769     }
770    
771     void
772 pcg 1.1 connection::send_ping (const sockinfo &si, u8 pong)
773     {
774     ping_packet *pkt = new ping_packet;
775    
776     pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
777 pcg 1.73
778 pcg 1.79 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
779 pcg 1.73
780 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
781 pcg 1.1
782     delete pkt;
783     }
784    
785     void
786     connection::send_reset (const sockinfo &si)
787     {
788     if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
789     {
790     config_packet *pkt = new config_packet;
791    
792     pkt->setup (vpn_packet::PT_RESET, conf->id);
793 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_MINCOST);
794 pcg 1.1
795     delete pkt;
796     }
797     }
798    
799     void
800     connection::send_auth_request (const sockinfo &si, bool initiate)
801     {
802     auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
803    
804 pcg 1.6 rsachallenge chg;
805     rsa_cache.gen (pkt->id, chg);
806 pcg 1.24 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
807 pcg 1.1
808 pcg 1.81 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
809 pcg 1.1
810 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
811 pcg 1.1
812 pcg 1.6 delete pkt;
813 pcg 1.1 }
814    
815     void
816     connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
817     {
818     auth_res_packet *pkt = new auth_res_packet (conf->id);
819    
820     pkt->id = id;
821    
822     rsa_hash (id, chg, pkt->response);
823    
824     pkt->hmac_set (octx);
825    
826 pcg 1.80 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
827 pcg 1.1
828 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
829 pcg 1.1
830     delete pkt;
831     }
832    
833     void
834     connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
835     {
836 root 1.93 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s,p%02x)", conf->nodename,
837     vpn->conns[rid - 1]->conf->nodename, (const char *)rsi,
838     conf->protocols);
839 pcg 1.1
840     connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
841    
842     r->hmac_set (octx);
843 pcg 1.10 send_vpn_packet (r, si);
844 pcg 1.1
845     delete r;
846     }
847    
848 pcg 1.66 inline void
849 pcg 1.60 connection::establish_connection_cb (ev::timer &w, int revents)
850 pcg 1.1 {
851 root 1.92 if (!(ictx && octx)
852 pcg 1.25 && conf != THISNODE
853     && connectmode != conf_node::C_NEVER
854     && connectmode != conf_node::C_DISABLED
855 pcg 1.60 && !w.is_active ())
856 pcg 1.1 {
857 pcg 1.67 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
858     // and stop trying. should probably be handled by a per-connection expire handler.
859     if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
860     {
861     reset_connection ();
862     return;
863     }
864    
865 pcg 1.68 last_establish_attempt = ev_now ();
866    
867 pcg 1.60 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
868     ? (retry_cnt & 3) + 1
869     : 1 << (retry_cnt >> 2));
870 pcg 1.1
871 pcg 1.47 reset_si ();
872 pcg 1.1
873 pcg 1.47 bool slow = si.prot & PROT_SLOW;
874 pcg 1.8
875 pcg 1.73 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
876 pcg 1.60 {
877     /*TODO*/ /* start the timer so we don't recurse endlessly */
878     w.start (1);
879 pcg 1.74 vpn->send_connect_request (this);
880 pcg 1.60 }
881 pcg 1.8 else
882 pcg 1.1 {
883 pcg 1.73 if (si.valid ())
884     slog (L_DEBUG, _("%s: sending direct connection request to %s."),
885     conf->nodename, (const char *)si);
886 pcg 1.61
887 pcg 1.8 const sockinfo &dsi = forward_si (si);
888 pcg 1.6
889 pcg 1.47 slow = slow || (dsi.prot & PROT_SLOW);
890    
891 pcg 1.8 if (dsi.valid () && auth_rate_limiter.can (dsi))
892     {
893     if (retry_cnt < 4)
894     send_auth_request (dsi, true);
895     else
896     send_ping (dsi, 0);
897     }
898 pcg 1.1 }
899 pcg 1.47
900 pcg 1.68 retry_int *= slow ? 8. : 0.9;
901 pcg 1.47
902     if (retry_int < conf->max_retry)
903     retry_cnt++;
904     else
905     retry_int = conf->max_retry;
906    
907 pcg 1.60 w.start (retry_int);
908 pcg 1.1 }
909     }
910    
911     void
912     connection::reset_connection ()
913     {
914     if (ictx && octx)
915     {
916     slog (L_INFO, _("%s(%s): connection lost"),
917     conf->nodename, (const char *)si);
918    
919     if (::conf.script_node_down)
920 pcg 1.64 {
921 pcg 1.70 run_script_cb *cb = new run_script_cb;
922     cb->set<connection, &connection::script_node_down> (this);
923     run_script_queued (cb, _("node-down command execution failed, continuing."));
924 pcg 1.64 }
925 pcg 1.1 }
926    
927     delete ictx; ictx = 0;
928     delete octx; octx = 0;
929    
930 pcg 1.38 si.host = 0;
931 pcg 1.1
932 pcg 1.73 last_activity = 0.;
933     //last_si_change = 0.;
934 pcg 1.1 retry_cnt = 0;
935    
936 pcg 1.25 rekey.stop ();
937     keepalive.stop ();
938     establish_connection.stop ();
939 pcg 1.1 }
940    
941     void
942     connection::shutdown ()
943     {
944     if (ictx && octx)
945     send_reset (si);
946    
947     reset_connection ();
948     }
949    
950 pcg 1.73 // poor-man's rekeying
951 pcg 1.66 inline void
952 pcg 1.60 connection::rekey_cb (ev::timer &w, int revents)
953 pcg 1.1 {
954     reset_connection ();
955     establish_connection ();
956     }
957    
958     void
959 pcg 1.21 connection::send_data_packet (tap_packet *pkt)
960 pcg 1.1 {
961     vpndata_packet *p = new vpndata_packet;
962     int tos = 0;
963    
964 pcg 1.12 // I am not hilarious about peeking into packets, but so be it.
965 pcg 1.21 if (conf->inherit_tos && pkt->is_ipv4 ())
966 pcg 1.1 tos = (*pkt)[15] & IPTOS_TOS_MASK;
967    
968 pcg 1.21 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
969 pcg 1.10 send_vpn_packet (p, si, tos);
970 pcg 1.1
971     delete p;
972    
973     if (oseqno > MAX_SEQNO)
974     rekey ();
975     }
976    
977     void
978 pcg 1.68 connection::post_inject_queue ()
979     {
980     // force a connection every now and when when packets are sent (max 1/s)
981     if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
982     establish_connection.stop ();
983    
984     establish_connection ();
985     }
986    
987     void
988     connection::inject_data_packet (tap_packet *pkt)
989 pcg 1.1 {
990     if (ictx && octx)
991 pcg 1.21 send_data_packet (pkt);
992 pcg 1.1 else
993     {
994 pcg 1.68 data_queue.put (new tap_packet (*pkt));
995     post_inject_queue ();
996 pcg 1.1 }
997     }
998    
999 root 1.90 void
1000     connection::inject_vpn_packet (vpn_packet *pkt, int tos)
1001 pcg 1.8 {
1002     if (ictx && octx)
1003 pcg 1.10 send_vpn_packet (pkt, si, tos);
1004 pcg 1.8 else
1005 pcg 1.12 {
1006 pcg 1.28 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
1007 pcg 1.68 post_inject_queue ();
1008 pcg 1.12 }
1009 pcg 1.8 }
1010    
1011 pcg 1.1 void
1012     connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1013     {
1014 pcg 1.62 last_activity = ev_now ();
1015 pcg 1.1
1016 root 1.91 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
1017 pcg 1.79 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1018 pcg 1.1
1019 pcg 1.61 if (connectmode == conf_node::C_DISABLED)
1020     return;
1021    
1022 pcg 1.1 switch (pkt->typ ())
1023     {
1024 pcg 1.3 case vpn_packet::PT_PING:
1025 pcg 1.79 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1026    
1027 pcg 1.3 // we send pings instead of auth packets after some retries,
1028     // so reset the retry counter and establish a connection
1029     // when we receive a ping.
1030 root 1.89 if (!ictx)
1031 pcg 1.3 {
1032     if (auth_rate_limiter.can (rsi))
1033     send_auth_request (rsi, true);
1034     }
1035     else
1036 root 1.89 // we would love to change the socket address here, but ping's aren't
1037 pcg 1.73 // authenticated, so we best ignore it.
1038 pcg 1.3 send_ping (rsi, 1); // pong
1039    
1040     break;
1041    
1042     case vpn_packet::PT_PONG:
1043 pcg 1.79 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1044 root 1.89
1045     // a PONG might mean that the other side doesn't really know
1046     // about our desire for communication.
1047     establish_connection ();
1048 pcg 1.3 break;
1049    
1050     case vpn_packet::PT_RESET:
1051 pcg 1.1 {
1052 pcg 1.3 reset_connection ();
1053    
1054     config_packet *p = (config_packet *) pkt;
1055    
1056     if (!p->chk_config ())
1057     {
1058 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
1059 pcg 1.3 conf->nodename, (const char *)rsi);
1060     connectmode = conf_node::C_DISABLED;
1061     }
1062     else if (connectmode == conf_node::C_ALWAYS)
1063     establish_connection ();
1064 pcg 1.1 }
1065 pcg 1.3 break;
1066    
1067     case vpn_packet::PT_AUTH_REQ:
1068     if (auth_rate_limiter.can (rsi))
1069     {
1070 root 1.93 auth_req_packet *p = (auth_req_packet *)pkt;
1071 pcg 1.3
1072 root 1.93 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s,p%02x,f%02x)",
1073     conf->nodename, p->initiate ? "initiate" : "reply",
1074     p->protocols, p->features);
1075 pcg 1.1
1076 pcg 1.85 if (p->chk_config ()
1077 root 1.93 && (!memcmp (p->magic, MAGIC_OLD, 8) || !memcmp (p->magic, MAGIC, 8)))
1078 pcg 1.3 {
1079     if (p->prot_minor != PROTOCOL_MINOR)
1080     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1081     conf->nodename, (const char *)rsi,
1082     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1083    
1084     if (p->initiate)
1085     send_auth_request (rsi, false);
1086    
1087     rsachallenge k;
1088    
1089 pcg 1.24 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
1090 pcg 1.23 {
1091     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1092     conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1093     break;
1094     }
1095 pcg 1.3 else
1096     {
1097     delete octx;
1098 pcg 1.1
1099 pcg 1.3 octx = new crypto_ctx (k, 1);
1100     oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
1101 pcg 1.1
1102 pcg 1.3 conf->protocols = p->protocols;
1103 pcg 1.32 features = p->features & config_packet::get_features ();
1104 pcg 1.10
1105 pcg 1.3 send_auth_response (rsi, p->id, k);
1106    
1107 pcg 1.10 connection_established ();
1108    
1109 pcg 1.3 break;
1110     }
1111     }
1112 pcg 1.15 else
1113 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch."),
1114 pcg 1.15 conf->nodename, (const char *)rsi);
1115 pcg 1.3
1116     send_reset (rsi);
1117 pcg 1.1 }
1118    
1119 pcg 1.3 break;
1120    
1121     case vpn_packet::PT_AUTH_RES:
1122 pcg 1.1 {
1123 pcg 1.79 auth_res_packet *p = (auth_res_packet *)pkt;
1124 pcg 1.1
1125 pcg 1.81 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
1126 pcg 1.1
1127 pcg 1.3 if (p->chk_config ())
1128 pcg 1.1 {
1129     if (p->prot_minor != PROTOCOL_MINOR)
1130     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1131     conf->nodename, (const char *)rsi,
1132     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1133    
1134 pcg 1.3 rsachallenge chg;
1135 pcg 1.1
1136 pcg 1.3 if (!rsa_cache.find (p->id, chg))
1137 pcg 1.13 {
1138 pcg 1.73 slog (L_ERR, _("%s(%s): unrequested auth response, ignoring."),
1139 pcg 1.13 conf->nodename, (const char *)rsi);
1140     break;
1141     }
1142 pcg 1.1 else
1143     {
1144 pcg 1.3 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1145    
1146     if (!p->hmac_chk (cctx))
1147 pcg 1.18 {
1148     slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1149 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1150 pcg 1.18 conf->nodename, (const char *)rsi);
1151     break;
1152     }
1153 pcg 1.3 else
1154     {
1155     rsaresponse h;
1156    
1157     rsa_hash (p->id, chg, h);
1158    
1159     if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
1160     {
1161     prot_minor = p->prot_minor;
1162    
1163     delete ictx; ictx = cctx;
1164    
1165     iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1166    
1167     si = rsi;
1168 pcg 1.7 protocol = rsi.prot;
1169 pcg 1.3
1170 pcg 1.76 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
1171 pcg 1.3 conf->nodename, (const char *)rsi,
1172 pcg 1.82 is_direct ? "direct" : "forwarded",
1173 pcg 1.3 p->prot_major, p->prot_minor);
1174 pcg 1.1
1175 pcg 1.73 connection_established ();
1176    
1177 pcg 1.3 if (::conf.script_node_up)
1178 pcg 1.64 {
1179 pcg 1.70 run_script_cb *cb = new run_script_cb;
1180     cb->set<connection, &connection::script_node_up> (this);
1181     run_script_queued (cb, _("node-up command execution failed, continuing."));
1182 pcg 1.64 }
1183 pcg 1.1
1184 pcg 1.3 break;
1185     }
1186     else
1187 pcg 1.73 slog (L_ERR, _("%s(%s): sent and received challenge do not match."),
1188 pcg 1.3 conf->nodename, (const char *)rsi);
1189     }
1190 pcg 1.1
1191 pcg 1.3 delete cctx;
1192 pcg 1.1 }
1193     }
1194     }
1195    
1196 pcg 1.3 send_reset (rsi);
1197     break;
1198 pcg 1.1
1199 pcg 1.3 case vpn_packet::PT_DATA_COMPRESSED:
1200     #if !ENABLE_COMPRESSION
1201     send_reset (rsi);
1202     break;
1203     #endif
1204 pcg 1.1
1205 pcg 1.3 case vpn_packet::PT_DATA_UNCOMPRESSED:
1206 pcg 1.1
1207 pcg 1.3 if (ictx && octx)
1208 pcg 1.1 {
1209 pcg 1.3 vpndata_packet *p = (vpndata_packet *)pkt;
1210 pcg 1.1
1211 pcg 1.10 if (!p->hmac_chk (ictx))
1212     slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1213 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1214 pcg 1.10 conf->nodename, (const char *)rsi);
1215     else
1216 pcg 1.1 {
1217 pcg 1.10 u32 seqno;
1218     tap_packet *d = p->unpack (this, seqno);
1219 pcg 1.73 int seqclass = iseqno.seqno_classify (seqno);
1220 pcg 1.10
1221 pcg 1.73 if (seqclass == 0) // ok
1222 pcg 1.1 {
1223 pcg 1.10 vpn->tap->send (d);
1224 pcg 1.1
1225 pcg 1.10 if (si != rsi)
1226 pcg 1.1 {
1227 pcg 1.56 // fast re-sync on source address changes, useful especially for tcp/ip
1228 pcg 1.73 //if (last_si_change < ev_now () + 5.)
1229     // {
1230 pcg 1.78 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1231     conf->nodename, (const char *)si, (const char *)rsi);
1232    
1233 pcg 1.73 si = rsi;
1234 pcg 1.84
1235     if (::conf.script_node_change)
1236     {
1237     run_script_cb *cb = new run_script_cb;
1238     cb->set<connection, &connection::script_node_change> (this);
1239     run_script_queued (cb, _("node-change command execution failed, continuing."));
1240     }
1241    
1242 pcg 1.73 // }
1243     //else
1244     // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1245     // conf->nodename, (const char *)si, (const char *)rsi);
1246 pcg 1.10 }
1247 pcg 1.32 }
1248 pcg 1.75 else if (seqclass == 1) // far history
1249     slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1250     "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1251     else if (seqclass == 2) // in-window duplicate, happens often on wireless
1252     slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1253     "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1254     else if (seqclass == 3) // reset
1255 pcg 1.73 {
1256 pcg 1.75 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1257     "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1258 pcg 1.73 send_reset (rsi);
1259     }
1260 pcg 1.3
1261 pcg 1.32 delete d;
1262     break;
1263 pcg 1.1 }
1264     }
1265    
1266 pcg 1.3 send_reset (rsi);
1267     break;
1268 pcg 1.1
1269 pcg 1.3 case vpn_packet::PT_CONNECT_REQ:
1270     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1271     {
1272 pcg 1.84 connect_req_packet *p = (connect_req_packet *)pkt;
1273 pcg 1.1
1274 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1275     {
1276     connection *c = vpn->conns[p->id - 1];
1277     conf->protocols = p->protocols;
1278 pcg 1.1
1279 root 1.93 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s,p%02x) [%d]",
1280     conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1281     p->protocols,
1282     c->ictx && c->octx);
1283 pcg 1.1
1284 pcg 1.57 if (c->ictx && c->octx)
1285     {
1286     // send connect_info packets to both sides, in case one is
1287     // behind a nat firewall (or both ;)
1288     c->send_connect_info (conf->id, si, conf->protocols);
1289     send_connect_info (c->conf->id, c->si, c->conf->protocols);
1290     }
1291     else
1292     c->establish_connection ();
1293 pcg 1.3 }
1294 pcg 1.11 else
1295 pcg 1.57 slog (L_WARN,
1296     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1297     p->id);
1298 pcg 1.3 }
1299 pcg 1.1
1300 pcg 1.3 break;
1301 pcg 1.1
1302 pcg 1.3 case vpn_packet::PT_CONNECT_INFO:
1303     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1304     {
1305 pcg 1.39 connect_info_packet *p = (connect_info_packet *)pkt;
1306 pcg 1.1
1307 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1308 pcg 1.39 {
1309     connection *c = vpn->conns[p->id - 1];
1310 pcg 1.7
1311 pcg 1.39 c->conf->protocols = p->protocols;
1312     protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1313     p->si.upgrade_protocol (protocol, c->conf);
1314 pcg 1.1
1315 root 1.93 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s,p%02x) [%d]",
1316     conf->nodename,
1317     vpn->conns[p->id - 1]->conf->nodename,
1318     (const char *)p->si,
1319     p->protocols,
1320     !c->ictx && !c->octx);
1321 pcg 1.7
1322 pcg 1.39 const sockinfo &dsi = forward_si (p->si);
1323 pcg 1.1
1324 pcg 1.39 if (dsi.valid ())
1325     c->send_auth_request (dsi, true);
1326     }
1327 pcg 1.57 else
1328     slog (L_WARN,
1329     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1330     p->id);
1331 pcg 1.3 }
1332 pcg 1.1
1333 pcg 1.3 break;
1334 pcg 1.1
1335 pcg 1.3 default:
1336     send_reset (rsi);
1337     break;
1338 pcg 1.1 }
1339     }
1340    
1341 pcg 1.66 inline void
1342     connection::keepalive_cb (ev::timer &w, int revents)
1343 pcg 1.1 {
1344 pcg 1.83 if (ev_now () >= last_activity + ::conf.keepalive + 15)
1345 pcg 1.1 {
1346     reset_connection ();
1347     establish_connection ();
1348     }
1349 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive)
1350 pcg 1.60 w.start (last_activity + ::conf.keepalive - ev::now ());
1351 pcg 1.1 else if (conf->connectmode != conf_node::C_ONDEMAND
1352     || THISNODE->connectmode != conf_node::C_ONDEMAND)
1353     {
1354     send_ping (si);
1355 pcg 1.83 w.start (3);
1356 pcg 1.1 }
1357 pcg 1.62 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1358 pcg 1.12 // hold ondemand connections implicitly a few seconds longer
1359     // should delete octx, though, or something like that ;)
1360 pcg 1.60 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1361 pcg 1.1 else
1362     reset_connection ();
1363     }
1364    
1365 root 1.90 void
1366     connection::send_connect_request (int id)
1367 pcg 1.1 {
1368 root 1.93 connect_req_packet *p = new connect_req_packet (conf->id, id, THISNODE->protocols);
1369 pcg 1.1
1370 root 1.93 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s,p%02x)",
1371     conf->nodename, vpn->conns[id - 1]->conf->nodename,
1372     THISNODE->protocols);
1373 pcg 1.1 p->hmac_set (octx);
1374 pcg 1.10 send_vpn_packet (p, si);
1375 pcg 1.1
1376     delete p;
1377     }
1378    
1379 root 1.90 void
1380     connection::script_init_env (const char *ext)
1381 pcg 1.53 {
1382     char *env;
1383     asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1384 pcg 1.84 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1385 pcg 1.53 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1386     0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1387 pcg 1.84 conf->id & 0xff); putenv (env);
1388 pcg 1.53 }
1389    
1390 root 1.90 void
1391     connection::script_init_connect_env ()
1392 pcg 1.1 {
1393 pcg 1.52 vpn->script_init_env ();
1394 pcg 1.1
1395     char *env;
1396 pcg 1.84 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1397     asprintf (&env, "DESTSI=%s", (const char *)si); putenv (env);
1398     asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1399     asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1400     asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1401 pcg 1.1 }
1402    
1403 pcg 1.66 inline const char *
1404     connection::script_node_up ()
1405 pcg 1.1 {
1406 pcg 1.53 script_init_connect_env ();
1407 pcg 1.1
1408 pcg 1.60 putenv ((char *)"STATE=up");
1409 pcg 1.1
1410 pcg 1.52 char *filename;
1411     asprintf (&filename,
1412     "%s/%s",
1413     confbase,
1414     ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1415 pcg 1.54
1416     return filename;
1417 pcg 1.1 }
1418    
1419 pcg 1.66 inline const char *
1420 pcg 1.84 connection::script_node_change ()
1421     {
1422     script_init_connect_env ();
1423    
1424     putenv ((char *)"STATE=change");
1425    
1426     char *filename;
1427     asprintf (&filename,
1428     "%s/%s",
1429     confbase,
1430     ::conf.script_node_change ? ::conf.script_node_change : "node-change");
1431    
1432     return filename;
1433     }
1434    
1435     inline const char *
1436 pcg 1.66 connection::script_node_down ()
1437 pcg 1.1 {
1438 pcg 1.53 script_init_connect_env ();
1439 pcg 1.1
1440 pcg 1.60 putenv ((char *)"STATE=down");
1441 pcg 1.1
1442 pcg 1.52 char *filename;
1443     asprintf (&filename,
1444     "%s/%s",
1445     confbase,
1446     ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1447 pcg 1.54
1448     return filename;
1449 pcg 1.1 }
1450    
1451 pcg 1.40 connection::connection (struct vpn *vpn, conf_node *conf)
1452 pcg 1.67 : vpn(vpn), conf(conf),
1453 pcg 1.40 #if ENABLE_DNS
1454 pcg 1.67 dns (0),
1455 pcg 1.40 #endif
1456 pcg 1.72 data_queue(conf->max_ttl, conf->max_queue + 1),
1457     vpn_queue(conf->max_ttl, conf->max_queue + 1)
1458 pcg 1.1 {
1459 pcg 1.65 rekey .set<connection, &connection::rekey_cb > (this);
1460     keepalive .set<connection, &connection::keepalive_cb > (this);
1461     establish_connection.set<connection, &connection::establish_connection_cb> (this);
1462    
1463 pcg 1.68 last_establish_attempt = 0.;
1464 pcg 1.1 octx = ictx = 0;
1465    
1466 pcg 1.67 connectmode = conf->connectmode;
1467    
1468     // queue a dummy packet to force an initial connection attempt
1469     if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1470 pcg 1.68 vpn_queue.put (new net_packet);
1471 pcg 1.67
1472 pcg 1.1 reset_connection ();
1473     }
1474    
1475     connection::~connection ()
1476     {
1477     shutdown ();
1478     }
1479    
1480 root 1.90 void
1481     connection_init ()
1482 pcg 1.1 {
1483     auth_rate_limiter.clear ();
1484     reset_rate_limiter.clear ();
1485     }
1486