ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
Revision: 1.97
Committed: Tue Dec 4 13:23:17 2012 UTC (11 years, 5 months ago) by root
Content type: text/plain
Branch: MAIN
CVS Tags: rel-2_25
Changes since 1.96: +9 -6 lines
Log Message: 
*** empty log message ***

File Contents

# User Rev Content
1 pcg 1.1 /*
2     connection.C -- manage a single connection
3 root 1.93 Copyright (C) 2003-2008,2010,2011 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.42 This file is part of GVPE.
6    
7 pcg 1.69 GVPE is free software; you can redistribute it and/or modify it
8     under the terms of the GNU General Public License as published by the
9     Free Software Foundation; either version 3 of the License, or (at your
10     option) any later version.
11    
12     This program is distributed in the hope that it will be useful, but
13     WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15     Public License for more details.
16    
17     You should have received a copy of the GNU General Public License along
18     with this program; if not, see <http://www.gnu.org/licenses/>.
19    
20     Additional permission under GNU GPL version 3 section 7
21    
22     If you modify this Program, or any covered work, by linking or
23     combining it with the OpenSSL project's OpenSSL library (or a modified
24     version of that library), containing parts covered by the terms of the
25     OpenSSL or SSLeay licenses, the licensors of this Program grant you
26     additional permission to convey the resulting work. Corresponding
27     Source for a non-source form of such a combination shall include the
28     source code for the parts of OpenSSL used as well as that of the
29     covered work.
30 pcg 1.1 */
31    
32     #include "config.h"
33    
34     #include <list>
35 pcg 1.70 #include <queue>
36     #include <utility>
37 pcg 1.1
38 pcg 1.2 #include <openssl/rand.h>
39     #include <openssl/evp.h>
40     #include <openssl/rsa.h>
41     #include <openssl/err.h>
42    
43 pcg 1.1 #include "conf.h"
44     #include "slog.h"
45     #include "device.h"
46 pcg 1.2 #include "vpn.h"
47 pcg 1.1 #include "connection.h"
48    
49 pcg 1.20 #include "netcompat.h"
50 pcg 1.19
51 pcg 1.1 #if !HAVE_RAND_PSEUDO_BYTES
52     # define RAND_pseudo_bytes RAND_bytes
53     #endif
54    
55 pcg 1.85 #define MAGIC_OLD "vped\xbd\xc6\xdb\x82" // 8 bytes of magic (still used in the protocol)
56     #define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic (understood but not generated)
57 pcg 1.30
58     #define ULTRA_FAST 1
59     #define HLOG 15
60     #include "lzf/lzf.h"
61     #include "lzf/lzf_c.c"
62     #include "lzf/lzf_d.c"
63 pcg 1.1
64 pcg 1.70 //////////////////////////////////////////////////////////////////////////////
65    
66     static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
67     static ev::child rs_child_ev;
68    
69 root 1.90 namespace
70 pcg 1.70 {
71 root 1.90 void // c++ requires external linkage here, apparently :(
72     rs_child_cb (ev::child &w, int revents)
73     {
74     w.stop ();
75 pcg 1.70
76 root 1.90 if (rs_queue.empty ())
77     return;
78 pcg 1.70
79 root 1.90 pid_t pid = run_script (*rs_queue.front ().first, false);
80     if (pid)
81     {
82     w.set (pid);
83     w.start ();
84     }
85     else
86     slog (L_WARN, rs_queue.front ().second);
87 pcg 1.70
88 root 1.90 delete rs_queue.front ().first;
89     rs_queue.pop ();
90     }
91     };
92 pcg 1.70
93     // despite the fancy name, this is quite a hack
94     static void
95     run_script_queued (run_script_cb *cb, const char *warnmsg)
96     {
97     rs_queue.push (std::make_pair (cb, warnmsg));
98    
99     if (!rs_child_ev.is_active ())
100     {
101     rs_child_ev.set<rs_child_cb> ();
102     rs_child_ev ();
103     }
104     }
105    
106     //////////////////////////////////////////////////////////////////////////////
107    
108 pcg 1.1 struct crypto_ctx
109     {
110     EVP_CIPHER_CTX cctx;
111     HMAC_CTX hctx;
112    
113     crypto_ctx (const rsachallenge &challenge, int enc);
114     ~crypto_ctx ();
115     };
116    
117     crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
118     {
119     EVP_CIPHER_CTX_init (&cctx);
120 pcg 1.29 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
121 pcg 1.1 HMAC_CTX_init (&hctx);
122     HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
123     }
124    
125     crypto_ctx::~crypto_ctx ()
126     {
127 pcg 1.29 require (EVP_CIPHER_CTX_cleanup (&cctx));
128 pcg 1.1 HMAC_CTX_cleanup (&hctx);
129     }
130    
131     static void
132     rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
133     {
134     EVP_MD_CTX ctx;
135    
136     EVP_MD_CTX_init (&ctx);
137 root 1.95 require (EVP_DigestInit (&ctx, RSA_HASH));
138     require (EVP_DigestUpdate (&ctx, &chg, sizeof chg));
139     require (EVP_DigestUpdate (&ctx, &id, sizeof id));
140     require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
141 pcg 1.1 EVP_MD_CTX_cleanup (&ctx);
142     }
143    
144 pcg 1.63 struct rsa_entry
145     {
146 pcg 1.1 tstamp expire;
147     rsaid id;
148     rsachallenge chg;
149     };
150    
151     struct rsa_cache : list<rsa_entry>
152     {
153 pcg 1.66 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
154 pcg 1.1
155     bool find (const rsaid &id, rsachallenge &chg)
156 pcg 1.51 {
157     for (iterator i = begin (); i != end (); ++i)
158     {
159 pcg 1.62 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
160 pcg 1.51 {
161     memcpy (&chg, &i->chg, sizeof chg);
162 pcg 1.1
163 pcg 1.51 erase (i);
164     return true;
165     }
166     }
167 pcg 1.1
168 pcg 1.60 if (!cleaner.is_active ())
169     cleaner.again ();
170 pcg 1.1
171 pcg 1.51 return false;
172     }
173 pcg 1.1
174     void gen (rsaid &id, rsachallenge &chg)
175 pcg 1.51 {
176     rsa_entry e;
177 pcg 1.1
178 pcg 1.51 RAND_bytes ((unsigned char *)&id, sizeof id);
179     RAND_bytes ((unsigned char *)&chg, sizeof chg);
180 pcg 1.1
181 pcg 1.62 e.expire = ev_now () + RSA_TTL;
182 pcg 1.51 e.id = id;
183     memcpy (&e.chg, &chg, sizeof chg);
184 pcg 1.1
185 pcg 1.51 push_back (e);
186 pcg 1.1
187 pcg 1.60 if (!cleaner.is_active ())
188     cleaner.again ();
189 pcg 1.51 }
190 pcg 1.1
191     rsa_cache ()
192 pcg 1.60 {
193 pcg 1.65 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
194 pcg 1.60 cleaner.set (RSA_TTL, RSA_TTL);
195     }
196 pcg 1.1
197     } rsa_cache;
198    
199 root 1.90 void
200     rsa_cache::cleaner_cb (ev::timer &w, int revents)
201 pcg 1.1 {
202 pcg 1.60 if (empty ())
203     w.stop ();
204     else
205 pcg 1.1 {
206     for (iterator i = begin (); i != end (); )
207 pcg 1.62 if (i->expire <= ev_now ())
208 pcg 1.1 i = erase (i);
209     else
210     ++i;
211     }
212     }
213    
214     //////////////////////////////////////////////////////////////////////////////
215    
216 pcg 1.67 pkt_queue::pkt_queue (double max_ttl, int max_queue)
217     : max_ttl (max_ttl), max_queue (max_queue)
218 pcg 1.1 {
219 pcg 1.67 queue = new pkt [max_queue];
220    
221     i = 0;
222     j = 0;
223    
224     expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
225     }
226 pcg 1.1
227 pcg 1.67 pkt_queue::~pkt_queue ()
228     {
229     while (net_packet *p = get ())
230     delete p;
231 pcg 1.1
232 pcg 1.67 delete [] queue;
233 pcg 1.1 }
234    
235 root 1.90 void
236     pkt_queue::expire_cb (ev::timer &w, int revents)
237 pcg 1.1 {
238 pcg 1.67 ev_tstamp expire = ev_now () - max_ttl;
239 pcg 1.1
240 pcg 1.67 for (;;)
241 pcg 1.1 {
242 pcg 1.67 if (empty ())
243     break;
244    
245     double diff = queue[j].tstamp - expire;
246    
247     if (diff >= 0.)
248     {
249     w.start (diff > 0.5 ? diff : 0.5);
250     break;
251     }
252    
253     delete get ();
254 pcg 1.1 }
255     }
256    
257 root 1.90 void
258     pkt_queue::put (net_packet *p)
259 pcg 1.1 {
260 pcg 1.67 ev_tstamp now = ev_now ();
261    
262     // start expiry timer
263     if (empty ())
264     expire.start (max_ttl);
265    
266     int ni = i + 1 == max_queue ? 0 : i + 1;
267    
268     if (ni == j)
269     delete get ();
270    
271     queue[i].pkt = p;
272     queue[i].tstamp = now;
273    
274     i = ni;
275 pcg 1.1 }
276    
277 root 1.90 net_packet *
278     pkt_queue::get ()
279 pcg 1.1 {
280 pcg 1.67 if (empty ())
281     return 0;
282    
283     net_packet *p = queue[j].pkt;
284     queue[j].pkt = 0;
285    
286     j = j + 1 == max_queue ? 0 : j + 1;
287    
288     return p;
289 pcg 1.1 }
290    
291 pcg 1.63 struct net_rateinfo
292     {
293 pcg 1.1 u32 host;
294     double pcnt, diff;
295     tstamp last;
296     };
297    
298     // only do action once every x seconds per host whole allowing bursts.
299     // this implementation ("splay list" ;) is inefficient,
300     // but low on resources.
301     struct net_rate_limiter : list<net_rateinfo>
302     {
303 pcg 1.35 # define NRL_ALPHA (1. - 1. / 600.) // allow bursts
304     # define NRL_CUTOFF 10. // one event every CUTOFF seconds
305     # define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
306     # define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
307 pcg 1.1
308 pcg 1.16 bool can (const sockinfo &si) { return can((u32)si.host); }
309 pcg 1.1 bool can (u32 host);
310     };
311    
312 root 1.90 static net_rate_limiter auth_rate_limiter, reset_rate_limiter;
313 pcg 1.1
314 root 1.90 bool
315     net_rate_limiter::can (u32 host)
316 pcg 1.1 {
317     iterator i;
318    
319     for (i = begin (); i != end (); )
320     if (i->host == host)
321     break;
322 pcg 1.62 else if (i->last < ev_now () - NRL_EXPIRE)
323 pcg 1.1 i = erase (i);
324     else
325     i++;
326    
327     if (i == end ())
328     {
329     net_rateinfo ri;
330    
331     ri.host = host;
332     ri.pcnt = 1.;
333 pcg 1.34 ri.diff = NRL_MAXDIF;
334 pcg 1.62 ri.last = ev_now ();
335 pcg 1.1
336     push_front (ri);
337    
338     return true;
339     }
340     else
341     {
342     net_rateinfo ri (*i);
343     erase (i);
344    
345 pcg 1.34 ri.pcnt = ri.pcnt * NRL_ALPHA;
346 pcg 1.62 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
347 pcg 1.1
348 pcg 1.62 ri.last = ev_now ();
349 pcg 1.1
350 pcg 1.10 double dif = ri.diff / ri.pcnt;
351 pcg 1.1
352 pcg 1.34 bool send = dif > NRL_CUTOFF;
353 pcg 1.10
354 pcg 1.34 if (dif > NRL_MAXDIF)
355 pcg 1.10 {
356     ri.pcnt = 1.;
357 pcg 1.34 ri.diff = NRL_MAXDIF;
358 pcg 1.10 }
359     else if (send)
360 pcg 1.1 ri.pcnt++;
361    
362     push_front (ri);
363    
364     return send;
365     }
366     }
367    
368     /////////////////////////////////////////////////////////////////////////////
369    
370     unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
371    
372 root 1.90 void
373     hmac_packet::hmac_gen (crypto_ctx *ctx)
374 pcg 1.1 {
375     unsigned int xlen;
376    
377     HMAC_CTX *hctx = &ctx->hctx;
378    
379     HMAC_Init_ex (hctx, 0, 0, 0, 0);
380     HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
381     len - sizeof (hmac_packet));
382     HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
383     }
384    
385     void
386     hmac_packet::hmac_set (crypto_ctx *ctx)
387     {
388     hmac_gen (ctx);
389    
390     memcpy (hmac, hmac_digest, HMACLENGTH);
391     }
392    
393     bool
394     hmac_packet::hmac_chk (crypto_ctx *ctx)
395     {
396     hmac_gen (ctx);
397    
398     return !memcmp (hmac, hmac_digest, HMACLENGTH);
399     }
400    
401 root 1.90 void
402     vpn_packet::set_hdr (ptype type_, unsigned int dst)
403 pcg 1.1 {
404 pcg 1.6 type = type_;
405 pcg 1.1
406     int src = THISNODE->id;
407    
408     src1 = src;
409     srcdst = ((src >> 8) << 4) | (dst >> 8);
410     dst1 = dst;
411     }
412    
413     #define MAXVPNDATA (MAX_MTU - 6 - 6)
414     #define DATAHDR (sizeof (u32) + RAND_SIZE)
415    
416 pcg 1.28 struct vpndata_packet : vpn_packet
417 root 1.90 {
418     u8 data[MAXVPNDATA + DATAHDR]; // seqno
419    
420     void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
421     tap_packet *unpack (connection *conn, u32 &seqno);
422 pcg 1.1
423     private:
424 root 1.90 const u32 data_hdr_size () const
425     {
426     return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
427     }
428     };
429 pcg 1.1
430     void
431     vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
432     {
433     EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
434     int outl = 0, outl2;
435     ptype type = PT_DATA_UNCOMPRESSED;
436    
437     #if ENABLE_COMPRESSION
438     u8 cdata[MAX_MTU];
439    
440 pcg 1.86 if (conn->features & FEATURE_COMPRESSION)
441 pcg 1.1 {
442 pcg 1.31 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
443 pcg 1.1
444 pcg 1.31 if (cl)
445     {
446     type = PT_DATA_COMPRESSED;
447     d = cdata;
448     l = cl + 2;
449    
450     d[0] = cl >> 8;
451     d[1] = cl;
452     }
453 pcg 1.1 }
454     #endif
455    
456 pcg 1.29 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
457 pcg 1.1
458     struct {
459     #if RAND_SIZE
460     u8 rnd[RAND_SIZE];
461     #endif
462     u32 seqno;
463     } datahdr;
464    
465     datahdr.seqno = ntohl (seqno);
466     #if RAND_SIZE
467     RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
468     #endif
469    
470 pcg 1.29 require (EVP_EncryptUpdate (cctx,
471 pcg 1.1 (unsigned char *) data + outl, &outl2,
472 pcg 1.29 (unsigned char *) &datahdr, DATAHDR));
473 pcg 1.1 outl += outl2;
474    
475 pcg 1.29 require (EVP_EncryptUpdate (cctx,
476 pcg 1.1 (unsigned char *) data + outl, &outl2,
477 pcg 1.29 (unsigned char *) d, l));
478 pcg 1.1 outl += outl2;
479    
480 pcg 1.29 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
481 pcg 1.1 outl += outl2;
482    
483     len = outl + data_hdr_size ();
484    
485     set_hdr (type, dst);
486    
487     hmac_set (conn->octx);
488     }
489    
490     tap_packet *
491     vpndata_packet::unpack (connection *conn, u32 &seqno)
492     {
493     EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
494     int outl = 0, outl2;
495     tap_packet *p = new tap_packet;
496     u8 *d;
497     u32 l = len - data_hdr_size ();
498    
499 pcg 1.29 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
500 pcg 1.1
501     #if ENABLE_COMPRESSION
502     u8 cdata[MAX_MTU];
503    
504     if (type == PT_DATA_COMPRESSED)
505     d = cdata;
506     else
507     #endif
508     d = &(*p)[6 + 6 - DATAHDR];
509    
510     /* this overwrites part of the src mac, but we fix that later */
511 pcg 1.29 require (EVP_DecryptUpdate (cctx,
512 pcg 1.1 d, &outl2,
513 pcg 1.29 (unsigned char *)&data, len - data_hdr_size ()));
514 pcg 1.1 outl += outl2;
515    
516 pcg 1.29 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
517 pcg 1.1 outl += outl2;
518    
519     seqno = ntohl (*(u32 *)(d + RAND_SIZE));
520    
521     id2mac (dst () ? dst() : THISNODE->id, p->dst);
522     id2mac (src (), p->src);
523    
524     #if ENABLE_COMPRESSION
525     if (type == PT_DATA_COMPRESSED)
526     {
527     u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
528    
529     p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
530     &(*p)[6 + 6], MAX_MTU)
531     + 6 + 6;
532     }
533     else
534     p->len = outl + (6 + 6 - DATAHDR);
535     #endif
536    
537     return p;
538     }
539    
540     struct ping_packet : vpn_packet
541     {
542     void setup (int dst, ptype type)
543     {
544     set_hdr (type, dst);
545     len = sizeof (*this) - sizeof (net_packet);
546     }
547     };
548    
549     struct config_packet : vpn_packet
550     {
551     // actually, hmaclen cannot be checked because the hmac
552     // field comes before this data, so peers with other
553     // hmacs simply will not work.
554     u8 prot_major, prot_minor, randsize, hmaclen;
555 pcg 1.31 u8 flags, challengelen, features, pad3;
556 pcg 1.1 u32 cipher_nid, digest_nid, hmac_nid;
557    
558     void setup (ptype type, int dst);
559     bool chk_config () const;
560 pcg 1.32
561     static u8 get_features ()
562     {
563     u8 f = 0;
564     #if ENABLE_COMPRESSION
565     f |= FEATURE_COMPRESSION;
566     #endif
567     #if ENABLE_ROHC
568     f |= FEATURE_ROHC;
569     #endif
570 pcg 1.59 #if ENABLE_BRIDGING
571     f |= FEATURE_BRIDGING;
572     #endif
573 pcg 1.32 return f;
574     }
575 pcg 1.1 };
576    
577 root 1.90 void
578     config_packet::setup (ptype type, int dst)
579 pcg 1.1 {
580     prot_major = PROTOCOL_MAJOR;
581     prot_minor = PROTOCOL_MINOR;
582     randsize = RAND_SIZE;
583     hmaclen = HMACLENGTH;
584 pcg 1.48 flags = 0;
585 pcg 1.1 challengelen = sizeof (rsachallenge);
586 pcg 1.32 features = get_features ();
587 pcg 1.1
588     cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
589     digest_nid = htonl (EVP_MD_type (RSA_HASH));
590     hmac_nid = htonl (EVP_MD_type (DIGEST));
591    
592     len = sizeof (*this) - sizeof (net_packet);
593     set_hdr (type, dst);
594     }
595    
596 root 1.90 bool
597     config_packet::chk_config () const
598 pcg 1.1 {
599 pcg 1.15 if (prot_major != PROTOCOL_MAJOR)
600 pcg 1.23 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
601 pcg 1.15 else if (randsize != RAND_SIZE)
602 pcg 1.23 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
603 pcg 1.15 else if (hmaclen != HMACLENGTH)
604 pcg 1.23 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
605 pcg 1.15 else if (challengelen != sizeof (rsachallenge))
606 pcg 1.23 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
607 pcg 1.15 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
608 pcg 1.23 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
609 pcg 1.15 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
610 pcg 1.23 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
611 pcg 1.15 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
612 pcg 1.23 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
613 pcg 1.15 else
614     return true;
615    
616     return false;
617 pcg 1.1 }
618    
619     struct auth_req_packet : config_packet
620     {
621     char magic[8];
622     u8 initiate; // false if this is just an automatic reply
623 pcg 1.28 u8 protocols; // supported protocols (will be patched on forward)
624 pcg 1.1 u8 pad2, pad3;
625     rsaid id;
626     rsaencrdata encr;
627    
628     auth_req_packet (int dst, bool initiate_, u8 protocols_)
629     {
630     config_packet::setup (PT_AUTH_REQ, dst);
631 pcg 1.85 strncpy (magic, MAGIC_OLD, 8);
632 pcg 1.1 initiate = !!initiate_;
633     protocols = protocols_;
634    
635     len = sizeof (*this) - sizeof (net_packet);
636     }
637     };
638    
639     struct auth_res_packet : config_packet
640     {
641     rsaid id;
642     u8 pad1, pad2, pad3;
643     u8 response_len; // encrypted length
644     rsaresponse response;
645    
646     auth_res_packet (int dst)
647     {
648     config_packet::setup (PT_AUTH_RES, dst);
649    
650     len = sizeof (*this) - sizeof (net_packet);
651     }
652     };
653    
654     struct connect_req_packet : vpn_packet
655     {
656     u8 id, protocols;
657     u8 pad1, pad2;
658    
659     connect_req_packet (int dst, int id_, u8 protocols_)
660     : id(id_)
661     , protocols(protocols_)
662     {
663     set_hdr (PT_CONNECT_REQ, dst);
664     len = sizeof (*this) - sizeof (net_packet);
665     }
666     };
667    
668     struct connect_info_packet : vpn_packet
669     {
670     u8 id, protocols;
671     u8 pad1, pad2;
672     sockinfo si;
673    
674     connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
675     : id(id_)
676     , protocols(protocols_)
677     , si(si_)
678     {
679     set_hdr (PT_CONNECT_INFO, dst);
680    
681     len = sizeof (*this) - sizeof (net_packet);
682     }
683     };
684    
685     /////////////////////////////////////////////////////////////////////////////
686    
687     void
688 pcg 1.10 connection::connection_established ()
689     {
690 pcg 1.79 slog (L_NOISE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
691 pcg 1.61
692 pcg 1.10 if (ictx && octx)
693     {
694 pcg 1.36 // make sure rekeying timeouts are slightly asymmetric
695 pcg 1.60 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
696     rekey.start (rekey_interval, rekey_interval);
697 root 1.97
698 pcg 1.60 keepalive.start (::conf.keepalive);
699 pcg 1.10
700     // send queued packets
701     if (ictx && octx)
702 pcg 1.12 {
703     while (tap_packet *p = (tap_packet *)data_queue.get ())
704     {
705 pcg 1.67 if (p->len) send_data_packet (p);
706 pcg 1.12 delete p;
707     }
708    
709     while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
710     {
711 pcg 1.67 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
712 pcg 1.12 delete p;
713     }
714     }
715 pcg 1.73
716     vpn->connection_established (this);
717 pcg 1.10 }
718     else
719     {
720     retry_cnt = 0;
721 pcg 1.60 establish_connection.start (5);
722 pcg 1.25 keepalive.stop ();
723     rekey.stop ();
724 pcg 1.10 }
725     }
726    
727     void
728 pcg 1.8 connection::reset_si ()
729 pcg 1.1 {
730 pcg 1.73 if (vpn->can_direct (THISNODE, conf))
731     protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
732     else
733 pcg 1.59 {
734 pcg 1.73 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
735 pcg 1.59 protocol = 0;
736     }
737 pcg 1.6
738     si.set (conf, protocol);
739 pcg 1.73
740     is_direct = si.valid ();
741 pcg 1.1 }
742    
743 pcg 1.8 // ensure sockinfo is valid, forward if necessary
744     const sockinfo &
745     connection::forward_si (const sockinfo &si) const
746     {
747     if (!si.valid ())
748     {
749 pcg 1.73 connection *r = vpn->find_router_for (this);
750 pcg 1.8
751     if (r)
752     {
753 pcg 1.73 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
754     conf->nodename, r->conf->nodename);
755 pcg 1.8 return r->si;
756     }
757     else
758 pcg 1.73 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
759 pcg 1.8 conf->nodename);
760     }
761    
762     return si;
763     }
764    
765 pcg 1.1 void
766 pcg 1.10 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
767     {
768 pcg 1.46 if (!vpn->send_vpn_packet (pkt, si, tos))
769 pcg 1.10 reset_connection ();
770     }
771    
772     void
773 pcg 1.1 connection::send_ping (const sockinfo &si, u8 pong)
774     {
775     ping_packet *pkt = new ping_packet;
776    
777     pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
778 pcg 1.73
779 pcg 1.79 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
780 pcg 1.73
781 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
782 pcg 1.1
783     delete pkt;
784     }
785    
786     void
787     connection::send_reset (const sockinfo &si)
788     {
789     if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
790     {
791     config_packet *pkt = new config_packet;
792    
793     pkt->setup (vpn_packet::PT_RESET, conf->id);
794 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_MINCOST);
795 pcg 1.1
796     delete pkt;
797     }
798     }
799    
800     void
801     connection::send_auth_request (const sockinfo &si, bool initiate)
802     {
803     auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
804    
805 pcg 1.6 rsachallenge chg;
806     rsa_cache.gen (pkt->id, chg);
807 pcg 1.24 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
808 pcg 1.1
809 pcg 1.81 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
810 pcg 1.1
811 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
812 pcg 1.1
813 pcg 1.6 delete pkt;
814 pcg 1.1 }
815    
816     void
817     connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
818     {
819     auth_res_packet *pkt = new auth_res_packet (conf->id);
820    
821     pkt->id = id;
822    
823     rsa_hash (id, chg, pkt->response);
824    
825     pkt->hmac_set (octx);
826    
827 pcg 1.80 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
828 pcg 1.1
829 pcg 1.10 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
830 pcg 1.1
831     delete pkt;
832     }
833    
834     void
835     connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
836     {
837 root 1.93 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s,p%02x)", conf->nodename,
838     vpn->conns[rid - 1]->conf->nodename, (const char *)rsi,
839     conf->protocols);
840 pcg 1.1
841     connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
842    
843     r->hmac_set (octx);
844 pcg 1.10 send_vpn_packet (r, si);
845 pcg 1.1
846     delete r;
847     }
848    
849 pcg 1.66 inline void
850 pcg 1.60 connection::establish_connection_cb (ev::timer &w, int revents)
851 pcg 1.1 {
852 root 1.92 if (!(ictx && octx)
853 pcg 1.25 && conf != THISNODE
854     && connectmode != conf_node::C_NEVER
855     && connectmode != conf_node::C_DISABLED
856 pcg 1.60 && !w.is_active ())
857 pcg 1.1 {
858 pcg 1.67 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
859     // and stop trying. should probably be handled by a per-connection expire handler.
860     if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
861     {
862     reset_connection ();
863     return;
864     }
865    
866 pcg 1.68 last_establish_attempt = ev_now ();
867    
868 pcg 1.60 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
869     ? (retry_cnt & 3) + 1
870     : 1 << (retry_cnt >> 2));
871 pcg 1.1
872 pcg 1.47 reset_si ();
873 pcg 1.1
874 pcg 1.47 bool slow = si.prot & PROT_SLOW;
875 pcg 1.8
876 pcg 1.73 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
877 pcg 1.60 {
878     /*TODO*/ /* start the timer so we don't recurse endlessly */
879     w.start (1);
880 pcg 1.74 vpn->send_connect_request (this);
881 pcg 1.60 }
882 pcg 1.8 else
883 pcg 1.1 {
884 pcg 1.73 if (si.valid ())
885     slog (L_DEBUG, _("%s: sending direct connection request to %s."),
886     conf->nodename, (const char *)si);
887 pcg 1.61
888 pcg 1.8 const sockinfo &dsi = forward_si (si);
889 pcg 1.6
890 pcg 1.47 slow = slow || (dsi.prot & PROT_SLOW);
891    
892 pcg 1.8 if (dsi.valid () && auth_rate_limiter.can (dsi))
893     {
894     if (retry_cnt < 4)
895     send_auth_request (dsi, true);
896     else
897     send_ping (dsi, 0);
898     }
899 pcg 1.1 }
900 pcg 1.47
901 pcg 1.68 retry_int *= slow ? 8. : 0.9;
902 pcg 1.47
903     if (retry_int < conf->max_retry)
904     retry_cnt++;
905     else
906     retry_int = conf->max_retry;
907    
908 pcg 1.60 w.start (retry_int);
909 pcg 1.1 }
910     }
911    
912     void
913     connection::reset_connection ()
914     {
915     if (ictx && octx)
916     {
917     slog (L_INFO, _("%s(%s): connection lost"),
918     conf->nodename, (const char *)si);
919    
920     if (::conf.script_node_down)
921 pcg 1.64 {
922 pcg 1.70 run_script_cb *cb = new run_script_cb;
923     cb->set<connection, &connection::script_node_down> (this);
924     run_script_queued (cb, _("node-down command execution failed, continuing."));
925 pcg 1.64 }
926 pcg 1.1 }
927    
928     delete ictx; ictx = 0;
929     delete octx; octx = 0;
930    
931 pcg 1.38 si.host = 0;
932 pcg 1.1
933 pcg 1.73 last_activity = 0.;
934     //last_si_change = 0.;
935 pcg 1.1 retry_cnt = 0;
936    
937 pcg 1.25 rekey.stop ();
938     keepalive.stop ();
939     establish_connection.stop ();
940 pcg 1.1 }
941    
942     void
943     connection::shutdown ()
944     {
945     if (ictx && octx)
946     send_reset (si);
947    
948     reset_connection ();
949     }
950    
951 pcg 1.73 // poor-man's rekeying
952 pcg 1.66 inline void
953 pcg 1.60 connection::rekey_cb (ev::timer &w, int revents)
954 pcg 1.1 {
955     reset_connection ();
956     establish_connection ();
957     }
958    
959     void
960 pcg 1.21 connection::send_data_packet (tap_packet *pkt)
961 pcg 1.1 {
962     vpndata_packet *p = new vpndata_packet;
963     int tos = 0;
964    
965 pcg 1.12 // I am not hilarious about peeking into packets, but so be it.
966 pcg 1.21 if (conf->inherit_tos && pkt->is_ipv4 ())
967 pcg 1.1 tos = (*pkt)[15] & IPTOS_TOS_MASK;
968    
969 pcg 1.21 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
970 pcg 1.10 send_vpn_packet (p, si, tos);
971 pcg 1.1
972     delete p;
973    
974     if (oseqno > MAX_SEQNO)
975     rekey ();
976     }
977    
978     void
979 pcg 1.68 connection::post_inject_queue ()
980     {
981     // force a connection every now and when when packets are sent (max 1/s)
982     if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
983     establish_connection.stop ();
984    
985     establish_connection ();
986     }
987    
988     void
989     connection::inject_data_packet (tap_packet *pkt)
990 pcg 1.1 {
991     if (ictx && octx)
992 pcg 1.21 send_data_packet (pkt);
993 pcg 1.1 else
994     {
995 pcg 1.68 data_queue.put (new tap_packet (*pkt));
996     post_inject_queue ();
997 pcg 1.1 }
998     }
999    
1000 root 1.90 void
1001     connection::inject_vpn_packet (vpn_packet *pkt, int tos)
1002 pcg 1.8 {
1003     if (ictx && octx)
1004 pcg 1.10 send_vpn_packet (pkt, si, tos);
1005 pcg 1.8 else
1006 pcg 1.12 {
1007 pcg 1.28 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
1008 pcg 1.68 post_inject_queue ();
1009 pcg 1.12 }
1010 pcg 1.8 }
1011    
1012 pcg 1.1 void
1013     connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1014     {
1015 pcg 1.62 last_activity = ev_now ();
1016 pcg 1.1
1017 root 1.91 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
1018 pcg 1.79 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1019 pcg 1.1
1020 pcg 1.61 if (connectmode == conf_node::C_DISABLED)
1021     return;
1022    
1023 pcg 1.1 switch (pkt->typ ())
1024     {
1025 pcg 1.3 case vpn_packet::PT_PING:
1026 pcg 1.79 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1027    
1028 pcg 1.3 // we send pings instead of auth packets after some retries,
1029     // so reset the retry counter and establish a connection
1030     // when we receive a ping.
1031 root 1.89 if (!ictx)
1032 pcg 1.3 {
1033     if (auth_rate_limiter.can (rsi))
1034     send_auth_request (rsi, true);
1035     }
1036     else
1037 root 1.89 // we would love to change the socket address here, but ping's aren't
1038 pcg 1.73 // authenticated, so we best ignore it.
1039 pcg 1.3 send_ping (rsi, 1); // pong
1040    
1041     break;
1042    
1043     case vpn_packet::PT_PONG:
1044 pcg 1.79 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1045 root 1.89
1046     // a PONG might mean that the other side doesn't really know
1047     // about our desire for communication.
1048     establish_connection ();
1049 pcg 1.3 break;
1050    
1051     case vpn_packet::PT_RESET:
1052 pcg 1.1 {
1053 pcg 1.3 reset_connection ();
1054    
1055     config_packet *p = (config_packet *) pkt;
1056    
1057     if (!p->chk_config ())
1058     {
1059 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
1060 pcg 1.3 conf->nodename, (const char *)rsi);
1061     connectmode = conf_node::C_DISABLED;
1062     }
1063     else if (connectmode == conf_node::C_ALWAYS)
1064     establish_connection ();
1065 pcg 1.1 }
1066 pcg 1.3 break;
1067    
1068     case vpn_packet::PT_AUTH_REQ:
1069     if (auth_rate_limiter.can (rsi))
1070     {
1071 root 1.93 auth_req_packet *p = (auth_req_packet *)pkt;
1072 pcg 1.3
1073 root 1.93 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s,p%02x,f%02x)",
1074     conf->nodename, p->initiate ? "initiate" : "reply",
1075     p->protocols, p->features);
1076 pcg 1.1
1077 pcg 1.85 if (p->chk_config ()
1078 root 1.93 && (!memcmp (p->magic, MAGIC_OLD, 8) || !memcmp (p->magic, MAGIC, 8)))
1079 pcg 1.3 {
1080     if (p->prot_minor != PROTOCOL_MINOR)
1081     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1082     conf->nodename, (const char *)rsi,
1083     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1084    
1085     if (p->initiate)
1086     send_auth_request (rsi, false);
1087    
1088     rsachallenge k;
1089    
1090 pcg 1.24 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
1091 pcg 1.23 {
1092     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1093     conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1094     break;
1095     }
1096 pcg 1.3 else
1097     {
1098     delete octx;
1099 pcg 1.1
1100 pcg 1.3 octx = new crypto_ctx (k, 1);
1101     oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
1102 pcg 1.1
1103 pcg 1.3 conf->protocols = p->protocols;
1104 pcg 1.32 features = p->features & config_packet::get_features ();
1105 pcg 1.10
1106 pcg 1.3 send_auth_response (rsi, p->id, k);
1107    
1108 pcg 1.10 connection_established ();
1109    
1110 pcg 1.3 break;
1111     }
1112     }
1113 pcg 1.15 else
1114 pcg 1.73 slog (L_WARN, _("%s(%s): protocol mismatch."),
1115 pcg 1.15 conf->nodename, (const char *)rsi);
1116 pcg 1.3
1117     send_reset (rsi);
1118 pcg 1.1 }
1119    
1120 pcg 1.3 break;
1121    
1122     case vpn_packet::PT_AUTH_RES:
1123 pcg 1.1 {
1124 pcg 1.79 auth_res_packet *p = (auth_res_packet *)pkt;
1125 pcg 1.1
1126 pcg 1.81 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
1127 pcg 1.1
1128 pcg 1.3 if (p->chk_config ())
1129 pcg 1.1 {
1130     if (p->prot_minor != PROTOCOL_MINOR)
1131     slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1132     conf->nodename, (const char *)rsi,
1133     PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1134    
1135 pcg 1.3 rsachallenge chg;
1136 pcg 1.1
1137 pcg 1.3 if (!rsa_cache.find (p->id, chg))
1138 pcg 1.13 {
1139 pcg 1.73 slog (L_ERR, _("%s(%s): unrequested auth response, ignoring."),
1140 pcg 1.13 conf->nodename, (const char *)rsi);
1141     break;
1142     }
1143 pcg 1.1 else
1144     {
1145 pcg 1.3 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1146    
1147     if (!p->hmac_chk (cctx))
1148 pcg 1.18 {
1149     slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1150 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1151 pcg 1.18 conf->nodename, (const char *)rsi);
1152     break;
1153     }
1154 pcg 1.3 else
1155     {
1156     rsaresponse h;
1157    
1158     rsa_hash (p->id, chg, h);
1159    
1160     if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
1161     {
1162     prot_minor = p->prot_minor;
1163    
1164     delete ictx; ictx = cctx;
1165    
1166     iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1167    
1168     si = rsi;
1169 pcg 1.7 protocol = rsi.prot;
1170 pcg 1.3
1171 pcg 1.76 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
1172 pcg 1.3 conf->nodename, (const char *)rsi,
1173 pcg 1.82 is_direct ? "direct" : "forwarded",
1174 pcg 1.3 p->prot_major, p->prot_minor);
1175 pcg 1.1
1176 pcg 1.73 connection_established ();
1177    
1178 pcg 1.3 if (::conf.script_node_up)
1179 pcg 1.64 {
1180 pcg 1.70 run_script_cb *cb = new run_script_cb;
1181     cb->set<connection, &connection::script_node_up> (this);
1182     run_script_queued (cb, _("node-up command execution failed, continuing."));
1183 pcg 1.64 }
1184 pcg 1.1
1185 pcg 1.3 break;
1186     }
1187     else
1188 pcg 1.73 slog (L_ERR, _("%s(%s): sent and received challenge do not match."),
1189 pcg 1.3 conf->nodename, (const char *)rsi);
1190     }
1191 pcg 1.1
1192 pcg 1.3 delete cctx;
1193 pcg 1.1 }
1194     }
1195     }
1196    
1197 pcg 1.3 send_reset (rsi);
1198     break;
1199 pcg 1.1
1200 pcg 1.3 case vpn_packet::PT_DATA_COMPRESSED:
1201     #if !ENABLE_COMPRESSION
1202     send_reset (rsi);
1203     break;
1204     #endif
1205 pcg 1.1
1206 pcg 1.3 case vpn_packet::PT_DATA_UNCOMPRESSED:
1207 pcg 1.1
1208 pcg 1.3 if (ictx && octx)
1209 pcg 1.1 {
1210 pcg 1.3 vpndata_packet *p = (vpndata_packet *)pkt;
1211 pcg 1.1
1212 pcg 1.10 if (!p->hmac_chk (ictx))
1213     slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1214 pcg 1.73 "could be an attack, or just corruption or a synchronization error."),
1215 pcg 1.10 conf->nodename, (const char *)rsi);
1216     else
1217 pcg 1.1 {
1218 pcg 1.10 u32 seqno;
1219     tap_packet *d = p->unpack (this, seqno);
1220 pcg 1.73 int seqclass = iseqno.seqno_classify (seqno);
1221 pcg 1.10
1222 pcg 1.73 if (seqclass == 0) // ok
1223 pcg 1.1 {
1224 pcg 1.10 vpn->tap->send (d);
1225 pcg 1.1
1226 pcg 1.10 if (si != rsi)
1227 pcg 1.1 {
1228 pcg 1.56 // fast re-sync on source address changes, useful especially for tcp/ip
1229 pcg 1.73 //if (last_si_change < ev_now () + 5.)
1230     // {
1231 pcg 1.78 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1232     conf->nodename, (const char *)si, (const char *)rsi);
1233    
1234 pcg 1.73 si = rsi;
1235 pcg 1.84
1236     if (::conf.script_node_change)
1237     {
1238     run_script_cb *cb = new run_script_cb;
1239     cb->set<connection, &connection::script_node_change> (this);
1240     run_script_queued (cb, _("node-change command execution failed, continuing."));
1241     }
1242    
1243 pcg 1.73 // }
1244     //else
1245     // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1246     // conf->nodename, (const char *)si, (const char *)rsi);
1247 pcg 1.10 }
1248 pcg 1.32 }
1249 pcg 1.75 else if (seqclass == 1) // far history
1250     slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1251     "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1252     else if (seqclass == 2) // in-window duplicate, happens often on wireless
1253     slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1254     "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1255     else if (seqclass == 3) // reset
1256 pcg 1.73 {
1257 pcg 1.75 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1258     "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1259 pcg 1.73 send_reset (rsi);
1260     }
1261 pcg 1.3
1262 pcg 1.32 delete d;
1263     break;
1264 pcg 1.1 }
1265     }
1266    
1267 pcg 1.3 send_reset (rsi);
1268     break;
1269 pcg 1.1
1270 pcg 1.3 case vpn_packet::PT_CONNECT_REQ:
1271     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1272     {
1273 pcg 1.84 connect_req_packet *p = (connect_req_packet *)pkt;
1274 pcg 1.1
1275 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1276     {
1277     connection *c = vpn->conns[p->id - 1];
1278     conf->protocols = p->protocols;
1279 pcg 1.1
1280 root 1.93 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s,p%02x) [%d]",
1281     conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1282     p->protocols,
1283     c->ictx && c->octx);
1284 pcg 1.1
1285 pcg 1.57 if (c->ictx && c->octx)
1286     {
1287     // send connect_info packets to both sides, in case one is
1288     // behind a nat firewall (or both ;)
1289     c->send_connect_info (conf->id, si, conf->protocols);
1290     send_connect_info (c->conf->id, c->si, c->conf->protocols);
1291     }
1292     else
1293     c->establish_connection ();
1294 pcg 1.3 }
1295 pcg 1.11 else
1296 pcg 1.57 slog (L_WARN,
1297     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1298     p->id);
1299 pcg 1.3 }
1300 pcg 1.1
1301 pcg 1.3 break;
1302 pcg 1.1
1303 pcg 1.3 case vpn_packet::PT_CONNECT_INFO:
1304     if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1305     {
1306 pcg 1.39 connect_info_packet *p = (connect_info_packet *)pkt;
1307 pcg 1.1
1308 pcg 1.57 if (p->id > 0 && p->id <= vpn->conns.size ())
1309 pcg 1.39 {
1310     connection *c = vpn->conns[p->id - 1];
1311 pcg 1.7
1312 pcg 1.39 c->conf->protocols = p->protocols;
1313     protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1314     p->si.upgrade_protocol (protocol, c->conf);
1315 pcg 1.1
1316 root 1.96 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s,protocols=%02x,protocol=%02x,upgradable=%02x) [%d]",
1317 root 1.93 conf->nodename,
1318     vpn->conns[p->id - 1]->conf->nodename,
1319     (const char *)p->si,
1320     p->protocols,
1321 root 1.96 protocol,
1322     p->si.supported_protocols (c->conf),
1323 root 1.93 !c->ictx && !c->octx);
1324 pcg 1.7
1325 pcg 1.39 const sockinfo &dsi = forward_si (p->si);
1326 pcg 1.1
1327 pcg 1.39 if (dsi.valid ())
1328     c->send_auth_request (dsi, true);
1329 root 1.96 else
1330     slog (L_INFO, "connect info for %s received (%s), but still unable to contact.",
1331     vpn->conns[p->id - 1]->conf->nodename,
1332     (const char *)p->si);
1333 pcg 1.39 }
1334 pcg 1.57 else
1335     slog (L_WARN,
1336     _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1337     p->id);
1338 pcg 1.3 }
1339 pcg 1.1
1340 pcg 1.3 break;
1341 pcg 1.1
1342 pcg 1.3 default:
1343     send_reset (rsi);
1344     break;
1345 pcg 1.1 }
1346     }
1347    
1348 pcg 1.66 inline void
1349     connection::keepalive_cb (ev::timer &w, int revents)
1350 pcg 1.1 {
1351 root 1.97 ev_tstamp when = last_activity + ::conf.keepalive - ev::now ();
1352    
1353     if (when >= 0)
1354     w.start (when);
1355     else if (when < -15)
1356 pcg 1.1 {
1357     reset_connection ();
1358     establish_connection ();
1359     }
1360     else if (conf->connectmode != conf_node::C_ONDEMAND
1361     || THISNODE->connectmode != conf_node::C_ONDEMAND)
1362     {
1363 root 1.97 w.start (3);
1364 pcg 1.1 send_ping (si);
1365     }
1366 root 1.97 else if (when >= -10)
1367 pcg 1.12 // hold ondemand connections implicitly a few seconds longer
1368     // should delete octx, though, or something like that ;)
1369 root 1.97 w.start (when + 10);
1370 pcg 1.1 else
1371     reset_connection ();
1372     }
1373    
1374 root 1.90 void
1375     connection::send_connect_request (int id)
1376 pcg 1.1 {
1377 root 1.93 connect_req_packet *p = new connect_req_packet (conf->id, id, THISNODE->protocols);
1378 pcg 1.1
1379 root 1.93 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s,p%02x)",
1380     conf->nodename, vpn->conns[id - 1]->conf->nodename,
1381     THISNODE->protocols);
1382 pcg 1.1 p->hmac_set (octx);
1383 pcg 1.10 send_vpn_packet (p, si);
1384 pcg 1.1
1385     delete p;
1386     }
1387    
1388 root 1.90 void
1389     connection::script_init_env (const char *ext)
1390 pcg 1.53 {
1391     char *env;
1392     asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1393 pcg 1.84 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1394 pcg 1.53 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1395     0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1396 pcg 1.84 conf->id & 0xff); putenv (env);
1397 pcg 1.53 }
1398    
1399 root 1.90 void
1400     connection::script_init_connect_env ()
1401 pcg 1.1 {
1402 pcg 1.52 vpn->script_init_env ();
1403 pcg 1.1
1404     char *env;
1405 pcg 1.84 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1406     asprintf (&env, "DESTSI=%s", (const char *)si); putenv (env);
1407     asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1408     asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1409     asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1410 pcg 1.1 }
1411    
1412 pcg 1.66 inline const char *
1413     connection::script_node_up ()
1414 pcg 1.1 {
1415 pcg 1.53 script_init_connect_env ();
1416 pcg 1.1
1417 pcg 1.60 putenv ((char *)"STATE=up");
1418 pcg 1.1
1419 pcg 1.52 char *filename;
1420     asprintf (&filename,
1421     "%s/%s",
1422     confbase,
1423     ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1424 pcg 1.54
1425     return filename;
1426 pcg 1.1 }
1427    
1428 pcg 1.66 inline const char *
1429 pcg 1.84 connection::script_node_change ()
1430     {
1431     script_init_connect_env ();
1432    
1433     putenv ((char *)"STATE=change");
1434    
1435     char *filename;
1436     asprintf (&filename,
1437     "%s/%s",
1438     confbase,
1439     ::conf.script_node_change ? ::conf.script_node_change : "node-change");
1440    
1441     return filename;
1442     }
1443    
1444     inline const char *
1445 pcg 1.66 connection::script_node_down ()
1446 pcg 1.1 {
1447 pcg 1.53 script_init_connect_env ();
1448 pcg 1.1
1449 pcg 1.60 putenv ((char *)"STATE=down");
1450 pcg 1.1
1451 pcg 1.52 char *filename;
1452     asprintf (&filename,
1453     "%s/%s",
1454     confbase,
1455     ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1456 pcg 1.54
1457     return filename;
1458 pcg 1.1 }
1459    
1460 pcg 1.40 connection::connection (struct vpn *vpn, conf_node *conf)
1461 pcg 1.67 : vpn(vpn), conf(conf),
1462 pcg 1.40 #if ENABLE_DNS
1463 pcg 1.67 dns (0),
1464 pcg 1.40 #endif
1465 pcg 1.72 data_queue(conf->max_ttl, conf->max_queue + 1),
1466     vpn_queue(conf->max_ttl, conf->max_queue + 1)
1467 pcg 1.1 {
1468 pcg 1.65 rekey .set<connection, &connection::rekey_cb > (this);
1469     keepalive .set<connection, &connection::keepalive_cb > (this);
1470     establish_connection.set<connection, &connection::establish_connection_cb> (this);
1471    
1472 pcg 1.68 last_establish_attempt = 0.;
1473 pcg 1.1 octx = ictx = 0;
1474    
1475 pcg 1.67 connectmode = conf->connectmode;
1476    
1477     // queue a dummy packet to force an initial connection attempt
1478     if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1479 pcg 1.68 vpn_queue.put (new net_packet);
1480 pcg 1.67
1481 pcg 1.1 reset_connection ();
1482     }
1483    
1484     connection::~connection ()
1485     {
1486     shutdown ();
1487     }
1488    
1489 root 1.90 void
1490     connection_init ()
1491 pcg 1.1 {
1492     auth_rate_limiter.clear ();
1493     reset_rate_limiter.clear ();
1494     }
1495