ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.68 by pcg, Thu Aug 7 17:30:27 2008 UTC vs.
Revision 1.85 by pcg, Tue Jul 28 00:42:14 2009 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2005 Marc Lehmann <gvpe@schmorp.de> 3 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de>
4 4
5 This file is part of GVPE. 5 This file is part of GVPE.
6 6
7 GVPE is free software; you can redistribute it and/or modify 7 GVPE is free software; you can redistribute it and/or modify it
8 it under the terms of the GNU General Public License as published by 8 under the terms of the GNU General Public License as published by the
9 the Free Software Foundation; either version 2 of the License, or 9 Free Software Foundation; either version 3 of the License, or (at your
10 (at your option) any later version. 10 option) any later version.
11 11
12 This program is distributed in the hope that it will be useful, 12 This program is distributed in the hope that it will be useful, but
13 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15 GNU General Public License for more details. 15 Public License for more details.
16 16
17 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License along
18 along with gvpe; if not, write to the Free Software 18 with this program; if not, see <http://www.gnu.org/licenses/>.
19 Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 19
20 Additional permission under GNU GPL version 3 section 7
21
22 If you modify this Program, or any covered work, by linking or
23 combining it with the OpenSSL project's OpenSSL library (or a modified
24 version of that library), containing parts covered by the terms of the
25 OpenSSL or SSLeay licenses, the licensors of this Program grant you
26 additional permission to convey the resulting work. Corresponding
27 Source for a non-source form of such a combination shall include the
28 source code for the parts of OpenSSL used as well as that of the
29 covered work.
20*/ 30*/
21 31
22#include "config.h" 32#include "config.h"
23 33
24#include <list> 34#include <list>
35#include <queue>
36#include <utility>
25 37
26#include <openssl/rand.h> 38#include <openssl/rand.h>
27#include <openssl/evp.h> 39#include <openssl/evp.h>
28#include <openssl/rsa.h> 40#include <openssl/rsa.h>
29#include <openssl/err.h> 41#include <openssl/err.h>
38 50
39#if !HAVE_RAND_PSEUDO_BYTES 51#if !HAVE_RAND_PSEUDO_BYTES
40# define RAND_pseudo_bytes RAND_bytes 52# define RAND_pseudo_bytes RAND_bytes
41#endif 53#endif
42 54
43#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 55#define MAGIC_OLD "vped\xbd\xc6\xdb\x82" // 8 bytes of magic (still used in the protocol)
56#define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic (understood but not generated)
44 57
45#define ULTRA_FAST 1 58#define ULTRA_FAST 1
46#define HLOG 15 59#define HLOG 15
47#include "lzf/lzf.h" 60#include "lzf/lzf.h"
48#include "lzf/lzf_c.c" 61#include "lzf/lzf_c.c"
49#include "lzf/lzf_d.c" 62#include "lzf/lzf_d.c"
63
64//////////////////////////////////////////////////////////////////////////////
65
66static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
67static ev::child rs_child_ev;
68
69void // c++ requires external linkage here, apparently :(
70rs_child_cb (ev::child &w, int revents)
71{
72 w.stop ();
73
74 if (rs_queue.empty ())
75 return;
76
77 pid_t pid = run_script (*rs_queue.front ().first, false);
78 if (pid)
79 {
80 w.set (pid);
81 w.start ();
82 }
83 else
84 slog (L_WARN, rs_queue.front ().second);
85
86 delete rs_queue.front ().first;
87 rs_queue.pop ();
88}
89
90// despite the fancy name, this is quite a hack
91static void
92run_script_queued (run_script_cb *cb, const char *warnmsg)
93{
94 rs_queue.push (std::make_pair (cb, warnmsg));
95
96 if (!rs_child_ev.is_active ())
97 {
98 rs_child_ev.set<rs_child_cb> ();
99 rs_child_ev ();
100 }
101}
102
103//////////////////////////////////////////////////////////////////////////////
50 104
51struct crypto_ctx 105struct crypto_ctx
52{ 106{
53 EVP_CIPHER_CTX cctx; 107 EVP_CIPHER_CTX cctx;
54 HMAC_CTX hctx; 108 HMAC_CTX hctx;
560 rsaencrdata encr; 614 rsaencrdata encr;
561 615
562 auth_req_packet (int dst, bool initiate_, u8 protocols_) 616 auth_req_packet (int dst, bool initiate_, u8 protocols_)
563 { 617 {
564 config_packet::setup (PT_AUTH_REQ, dst); 618 config_packet::setup (PT_AUTH_REQ, dst);
565 strncpy (magic, MAGIC, 8); 619 strncpy (magic, MAGIC_OLD, 8);
566 initiate = !!initiate_; 620 initiate = !!initiate_;
567 protocols = protocols_; 621 protocols = protocols_;
568 622
569 len = sizeof (*this) - sizeof (net_packet); 623 len = sizeof (*this) - sizeof (net_packet);
570 } 624 }
619///////////////////////////////////////////////////////////////////////////// 673/////////////////////////////////////////////////////////////////////////////
620 674
621void 675void
622connection::connection_established () 676connection::connection_established ()
623{ 677{
624 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx); 678 slog (L_NOISE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
625 679
626 if (ictx && octx) 680 if (ictx && octx)
627 { 681 {
628 // make sure rekeying timeouts are slightly asymmetric 682 // make sure rekeying timeouts are slightly asymmetric
629 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0); 683 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
643 { 697 {
644 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY); 698 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
645 delete p; 699 delete p;
646 } 700 }
647 } 701 }
702
703 vpn->connection_established (this);
648 } 704 }
649 else 705 else
650 { 706 {
651 retry_cnt = 0; 707 retry_cnt = 0;
652 establish_connection.start (5); 708 establish_connection.start (5);
656} 712}
657 713
658void 714void
659connection::reset_si () 715connection::reset_si ()
660{ 716{
717 if (vpn->can_direct (THISNODE, conf))
661 protocol = best_protocol (THISNODE->protocols & conf->protocols); 718 protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
662 719 else
663 // mask out protocols we cannot establish
664 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
665 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
666 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
667
668 if (protocol
669 && (!conf->can_direct (THISNODE)
670 || !THISNODE->can_direct (conf)))
671 { 720 {
672 slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename); 721 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
673 protocol = 0; 722 protocol = 0;
674 } 723 }
675 724
676 si.set (conf, protocol); 725 si.set (conf, protocol);
726
727 is_direct = si.valid ();
677} 728}
678 729
679// ensure sockinfo is valid, forward if necessary 730// ensure sockinfo is valid, forward if necessary
680const sockinfo & 731const sockinfo &
681connection::forward_si (const sockinfo &si) const 732connection::forward_si (const sockinfo &si) const
682{ 733{
683 if (!si.valid ()) 734 if (!si.valid ())
684 { 735 {
685 connection *r = vpn->find_router (); 736 connection *r = vpn->find_router_for (this);
686 737
687 if (r) 738 if (r)
688 { 739 {
689 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s (%s)"), 740 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
690 conf->nodename, r->conf->nodename, (const char *)r->si); 741 conf->nodename, r->conf->nodename);
691 return r->si; 742 return r->si;
692 } 743 }
693 else 744 else
694 slog (L_DEBUG, _("%s: node unreachable, no common protocol"), 745 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
695 conf->nodename); 746 conf->nodename);
696 } 747 }
697 748
698 return si; 749 return si;
699} 750}
709connection::send_ping (const sockinfo &si, u8 pong) 760connection::send_ping (const sockinfo &si, u8 pong)
710{ 761{
711 ping_packet *pkt = new ping_packet; 762 ping_packet *pkt = new ping_packet;
712 763
713 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 764 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
765
766 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
767
714 send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 768 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
715 769
716 delete pkt; 770 delete pkt;
717} 771}
718 772
737 791
738 rsachallenge chg; 792 rsachallenge chg;
739 rsa_cache.gen (pkt->id, chg); 793 rsa_cache.gen (pkt->id, chg);
740 rsa_encrypt (conf->rsa_key, chg, pkt->encr); 794 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
741 795
742 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 796 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
743 797
744 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly 798 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
745 799
746 delete pkt; 800 delete pkt;
747} 801}
755 809
756 rsa_hash (id, chg, pkt->response); 810 rsa_hash (id, chg, pkt->response);
757 811
758 pkt->hmac_set (octx); 812 pkt->hmac_set (octx);
759 813
760 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 814 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
761 815
762 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 816 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
763 817
764 delete pkt; 818 delete pkt;
765} 819}
766 820
767void 821void
768connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 822connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
769{ 823{
770 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)", 824 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s)", conf->nodename,
771 conf->id, rid, (const char *)rsi); 825 vpn->conns[rid - 1]->conf->nodename, (const char *)rsi);
772 826
773 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 827 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
774 828
775 r->hmac_set (octx); 829 r->hmac_set (octx);
776 send_vpn_packet (r, si); 830 send_vpn_packet (r, si);
803 857
804 reset_si (); 858 reset_si ();
805 859
806 bool slow = si.prot & PROT_SLOW; 860 bool slow = si.prot & PROT_SLOW;
807 861
808 if (si.prot && !si.host) 862 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
809 { 863 {
810 slog (L_TRACE, _("%s: connection request (indirect)"), conf->nodename);
811 /*TODO*/ /* start the timer so we don't recurse endlessly */ 864 /*TODO*/ /* start the timer so we don't recurse endlessly */
812 w.start (1); 865 w.start (1);
813 vpn->send_connect_request (conf->id); 866 vpn->send_connect_request (this);
814 } 867 }
815 else 868 else
816 { 869 {
817 slog (L_TRACE, _("%s: connection request (direct)"), conf->nodename, !!ictx, !!octx); 870 if (si.valid ())
871 slog (L_DEBUG, _("%s: sending direct connection request to %s."),
872 conf->nodename, (const char *)si);
818 873
819 const sockinfo &dsi = forward_si (si); 874 const sockinfo &dsi = forward_si (si);
820 875
821 slow = slow || (dsi.prot & PROT_SLOW); 876 slow = slow || (dsi.prot & PROT_SLOW);
822 877
848 slog (L_INFO, _("%s(%s): connection lost"), 903 slog (L_INFO, _("%s(%s): connection lost"),
849 conf->nodename, (const char *)si); 904 conf->nodename, (const char *)si);
850 905
851 if (::conf.script_node_down) 906 if (::conf.script_node_down)
852 { 907 {
853 run_script_cb cb; 908 run_script_cb *cb = new run_script_cb;
854 cb.set<connection, &connection::script_node_down> (this); 909 cb->set<connection, &connection::script_node_down> (this);
855 if (!run_script (cb, false))
856 slog (L_WARN, _("node-down command execution failed, continuing.")); 910 run_script_queued (cb, _("node-down command execution failed, continuing."));
857 } 911 }
858 } 912 }
859 913
860 delete ictx; ictx = 0; 914 delete ictx; ictx = 0;
861 delete octx; octx = 0; 915 delete octx; octx = 0;
863 dnsv4_reset_connection (); 917 dnsv4_reset_connection ();
864#endif 918#endif
865 919
866 si.host = 0; 920 si.host = 0;
867 921
868 last_activity = 0; 922 last_activity = 0.;
923 //last_si_change = 0.;
869 retry_cnt = 0; 924 retry_cnt = 0;
870 925
871 rekey.stop (); 926 rekey.stop ();
872 keepalive.stop (); 927 keepalive.stop ();
873 establish_connection.stop (); 928 establish_connection.stop ();
880 send_reset (si); 935 send_reset (si);
881 936
882 reset_connection (); 937 reset_connection ();
883} 938}
884 939
940// poor-man's rekeying
885inline void 941inline void
886connection::rekey_cb (ev::timer &w, int revents) 942connection::rekey_cb (ev::timer &w, int revents)
887{ 943{
888 reset_connection (); 944 reset_connection ();
889 establish_connection (); 945 establish_connection ();
944void 1000void
945connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 1001connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
946{ 1002{
947 last_activity = ev_now (); 1003 last_activity = ev_now ();
948 1004
949 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 1005 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
950 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 1006 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
951 1007
952 if (connectmode == conf_node::C_DISABLED) 1008 if (connectmode == conf_node::C_DISABLED)
953 return; 1009 return;
954 1010
955 switch (pkt->typ ()) 1011 switch (pkt->typ ())
956 { 1012 {
957 case vpn_packet::PT_PING: 1013 case vpn_packet::PT_PING:
1014 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1015
958 // we send pings instead of auth packets after some retries, 1016 // we send pings instead of auth packets after some retries,
959 // so reset the retry counter and establish a connection 1017 // so reset the retry counter and establish a connection
960 // when we receive a ping. 1018 // when we receive a ping.
961 if (!ictx) 1019 if (!ictx)
962 { 1020 {
963 if (auth_rate_limiter.can (rsi)) 1021 if (auth_rate_limiter.can (rsi))
964 send_auth_request (rsi, true); 1022 send_auth_request (rsi, true);
965 } 1023 }
966 else 1024 else
1025 // we would love to change thre socket address here, but ping's aren't
1026 // authenticated, so we best ignore it.
967 send_ping (rsi, 1); // pong 1027 send_ping (rsi, 1); // pong
968 1028
969 break; 1029 break;
970 1030
971 case vpn_packet::PT_PONG: 1031 case vpn_packet::PT_PONG:
1032 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
972 break; 1033 break;
973 1034
974 case vpn_packet::PT_RESET: 1035 case vpn_packet::PT_RESET:
975 { 1036 {
976 reset_connection (); 1037 reset_connection ();
977 1038
978 config_packet *p = (config_packet *) pkt; 1039 config_packet *p = (config_packet *) pkt;
979 1040
980 if (!p->chk_config ()) 1041 if (!p->chk_config ())
981 { 1042 {
982 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"), 1043 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
983 conf->nodename, (const char *)rsi); 1044 conf->nodename, (const char *)rsi);
984 connectmode = conf_node::C_DISABLED; 1045 connectmode = conf_node::C_DISABLED;
985 } 1046 }
986 else if (connectmode == conf_node::C_ALWAYS) 1047 else if (connectmode == conf_node::C_ALWAYS)
987 establish_connection (); 1048 establish_connection ();
991 case vpn_packet::PT_AUTH_REQ: 1052 case vpn_packet::PT_AUTH_REQ:
992 if (auth_rate_limiter.can (rsi)) 1053 if (auth_rate_limiter.can (rsi))
993 { 1054 {
994 auth_req_packet *p = (auth_req_packet *) pkt; 1055 auth_req_packet *p = (auth_req_packet *) pkt;
995 1056
996 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 1057 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s)", conf->nodename, p->initiate ? "initiate" : "reply");
997 1058
998 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 1059 if (p->chk_config ()
1060 && (!strncmp (p->magic, MAGIC_OLD, 8) || !strncmp (p->magic, MAGIC, 8)))
999 { 1061 {
1000 if (p->prot_minor != PROTOCOL_MINOR) 1062 if (p->prot_minor != PROTOCOL_MINOR)
1001 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 1063 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1002 conf->nodename, (const char *)rsi, 1064 conf->nodename, (const char *)rsi,
1003 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 1065 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1029 1091
1030 break; 1092 break;
1031 } 1093 }
1032 } 1094 }
1033 else 1095 else
1034 slog (L_WARN, _("%s(%s): protocol mismatch"), 1096 slog (L_WARN, _("%s(%s): protocol mismatch."),
1035 conf->nodename, (const char *)rsi); 1097 conf->nodename, (const char *)rsi);
1036 1098
1037 send_reset (rsi); 1099 send_reset (rsi);
1038 } 1100 }
1039 1101
1040 break; 1102 break;
1041 1103
1042 case vpn_packet::PT_AUTH_RES: 1104 case vpn_packet::PT_AUTH_RES:
1043 { 1105 {
1044 auth_res_packet *p = (auth_res_packet *) pkt; 1106 auth_res_packet *p = (auth_res_packet *)pkt;
1045 1107
1046 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 1108 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
1047 1109
1048 if (p->chk_config ()) 1110 if (p->chk_config ())
1049 { 1111 {
1050 if (p->prot_minor != PROTOCOL_MINOR) 1112 if (p->prot_minor != PROTOCOL_MINOR)
1051 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 1113 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1054 1116
1055 rsachallenge chg; 1117 rsachallenge chg;
1056 1118
1057 if (!rsa_cache.find (p->id, chg)) 1119 if (!rsa_cache.find (p->id, chg))
1058 { 1120 {
1059 slog (L_ERR, _("%s(%s): unrequested auth response ignored"), 1121 slog (L_ERR, _("%s(%s): unrequested auth response, ignoring."),
1060 conf->nodename, (const char *)rsi); 1122 conf->nodename, (const char *)rsi);
1061 break; 1123 break;
1062 } 1124 }
1063 else 1125 else
1064 { 1126 {
1065 crypto_ctx *cctx = new crypto_ctx (chg, 0); 1127 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1066 1128
1067 if (!p->hmac_chk (cctx)) 1129 if (!p->hmac_chk (cctx))
1068 { 1130 {
1069 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 1131 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1070 "could be an attack, or just corruption or a synchronization error"), 1132 "could be an attack, or just corruption or a synchronization error."),
1071 conf->nodename, (const char *)rsi); 1133 conf->nodename, (const char *)rsi);
1072 break; 1134 break;
1073 } 1135 }
1074 else 1136 else
1075 { 1137 {
1086 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 1148 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1087 1149
1088 si = rsi; 1150 si = rsi;
1089 protocol = rsi.prot; 1151 protocol = rsi.prot;
1090 1152
1153 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
1154 conf->nodename, (const char *)rsi,
1155 is_direct ? "direct" : "forwarded",
1156 p->prot_major, p->prot_minor);
1157
1091 connection_established (); 1158 connection_established ();
1092
1093 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
1094 conf->nodename, (const char *)rsi,
1095 p->prot_major, p->prot_minor);
1096 1159
1097 if (::conf.script_node_up) 1160 if (::conf.script_node_up)
1098 { 1161 {
1099 run_script_cb cb; 1162 run_script_cb *cb = new run_script_cb;
1100 cb.set<connection, &connection::script_node_up> (this); 1163 cb->set<connection, &connection::script_node_up> (this);
1101 if (!run_script (cb, false))
1102 slog (L_WARN, _("node-up command execution failed, continuing.")); 1164 run_script_queued (cb, _("node-up command execution failed, continuing."));
1103 } 1165 }
1104 1166
1105 break; 1167 break;
1106 } 1168 }
1107 else 1169 else
1108 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1170 slog (L_ERR, _("%s(%s): sent and received challenge do not match."),
1109 conf->nodename, (const char *)rsi); 1171 conf->nodename, (const char *)rsi);
1110 } 1172 }
1111 1173
1112 delete cctx; 1174 delete cctx;
1113 } 1175 }
1129 { 1191 {
1130 vpndata_packet *p = (vpndata_packet *)pkt; 1192 vpndata_packet *p = (vpndata_packet *)pkt;
1131 1193
1132 if (!p->hmac_chk (ictx)) 1194 if (!p->hmac_chk (ictx))
1133 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n" 1195 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1134 "could be an attack, or just corruption or a synchronization error"), 1196 "could be an attack, or just corruption or a synchronization error."),
1135 conf->nodename, (const char *)rsi); 1197 conf->nodename, (const char *)rsi);
1136 else 1198 else
1137 { 1199 {
1138 u32 seqno; 1200 u32 seqno;
1139 tap_packet *d = p->unpack (this, seqno); 1201 tap_packet *d = p->unpack (this, seqno);
1202 int seqclass = iseqno.seqno_classify (seqno);
1140 1203
1141 if (iseqno.recv_ok (seqno)) 1204 if (seqclass == 0) // ok
1142 { 1205 {
1143 vpn->tap->send (d); 1206 vpn->tap->send (d);
1144 1207
1145 if (si != rsi) 1208 if (si != rsi)
1146 { 1209 {
1147 // fast re-sync on source address changes, useful especially for tcp/ip 1210 // fast re-sync on source address changes, useful especially for tcp/ip
1211 //if (last_si_change < ev_now () + 5.)
1148 si = rsi; 1212 // {
1149
1150 slog (L_INFO, _("%s(%s): socket address changed to %s"), 1213 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1151 conf->nodename, (const char *)si, (const char *)rsi); 1214 conf->nodename, (const char *)si, (const char *)rsi);
1215
1216 si = rsi;
1217
1218 if (::conf.script_node_change)
1219 {
1220 run_script_cb *cb = new run_script_cb;
1221 cb->set<connection, &connection::script_node_change> (this);
1222 run_script_queued (cb, _("node-change command execution failed, continuing."));
1223 }
1224
1225 // }
1226 //else
1227 // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1228 // conf->nodename, (const char *)si, (const char *)rsi);
1152 } 1229 }
1230 }
1231 else if (seqclass == 1) // far history
1232 slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1233 "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1234 else if (seqclass == 2) // in-window duplicate, happens often on wireless
1235 slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1236 "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1237 else if (seqclass == 3) // reset
1238 {
1239 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1240 "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1241 send_reset (rsi);
1153 } 1242 }
1154 1243
1155 delete d; 1244 delete d;
1156 break; 1245 break;
1157 } 1246 }
1161 break; 1250 break;
1162 1251
1163 case vpn_packet::PT_CONNECT_REQ: 1252 case vpn_packet::PT_CONNECT_REQ:
1164 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1253 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1165 { 1254 {
1166 connect_req_packet *p = (connect_req_packet *) pkt; 1255 connect_req_packet *p = (connect_req_packet *)pkt;
1167 1256
1168 if (p->id > 0 && p->id <= vpn->conns.size ()) 1257 if (p->id > 0 && p->id <= vpn->conns.size ())
1169 { 1258 {
1170 connection *c = vpn->conns[p->id - 1]; 1259 connection *c = vpn->conns[p->id - 1];
1171 conf->protocols = p->protocols; 1260 conf->protocols = p->protocols;
1172 1261
1173 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]", 1262 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s) [%d]",
1174 conf->id, p->id, c->ictx && c->octx); 1263 conf->nodename, vpn->conns[p->id - 1]->conf->nodename, c->ictx && c->octx);
1175 1264
1176 if (c->ictx && c->octx) 1265 if (c->ictx && c->octx)
1177 { 1266 {
1178 // send connect_info packets to both sides, in case one is 1267 // send connect_info packets to both sides, in case one is
1179 // behind a nat firewall (or both ;) 1268 // behind a nat firewall (or both ;)
1202 1291
1203 c->conf->protocols = p->protocols; 1292 c->conf->protocols = p->protocols;
1204 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1293 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1205 p->si.upgrade_protocol (protocol, c->conf); 1294 p->si.upgrade_protocol (protocol, c->conf);
1206 1295
1207 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1296 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s) [%d]",
1297 conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1208 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1298 (const char *)p->si, !c->ictx && !c->octx);
1209 1299
1210 const sockinfo &dsi = forward_si (p->si); 1300 const sockinfo &dsi = forward_si (p->si);
1211 1301
1212 if (dsi.valid ()) 1302 if (dsi.valid ())
1213 c->send_auth_request (dsi, true); 1303 c->send_auth_request (dsi, true);
1227} 1317}
1228 1318
1229inline void 1319inline void
1230connection::keepalive_cb (ev::timer &w, int revents) 1320connection::keepalive_cb (ev::timer &w, int revents)
1231{ 1321{
1232 if (ev_now () >= last_activity + ::conf.keepalive + 30) 1322 if (ev_now () >= last_activity + ::conf.keepalive + 15)
1233 { 1323 {
1234 reset_connection (); 1324 reset_connection ();
1235 establish_connection (); 1325 establish_connection ();
1236 } 1326 }
1237 else if (ev_now () < last_activity + ::conf.keepalive) 1327 else if (ev_now () < last_activity + ::conf.keepalive)
1238 w.start (last_activity + ::conf.keepalive - ev::now ()); 1328 w.start (last_activity + ::conf.keepalive - ev::now ());
1239 else if (conf->connectmode != conf_node::C_ONDEMAND 1329 else if (conf->connectmode != conf_node::C_ONDEMAND
1240 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1330 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1241 { 1331 {
1242 send_ping (si); 1332 send_ping (si);
1243 w.start (5); 1333 w.start (3);
1244 } 1334 }
1245 else if (ev_now () < last_activity + ::conf.keepalive + 10) 1335 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1246 // hold ondemand connections implicitly a few seconds longer 1336 // hold ondemand connections implicitly a few seconds longer
1247 // should delete octx, though, or something like that ;) 1337 // should delete octx, though, or something like that ;)
1248 w.start (last_activity + ::conf.keepalive + 10 - ev::now ()); 1338 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1252 1342
1253void connection::send_connect_request (int id) 1343void connection::send_connect_request (int id)
1254{ 1344{
1255 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1345 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1256 1346
1257 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1347 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s)",
1348 conf->nodename, vpn->conns[id - 1]->conf->nodename);
1258 p->hmac_set (octx); 1349 p->hmac_set (octx);
1259 send_vpn_packet (p, si); 1350 send_vpn_packet (p, si);
1260 1351
1261 delete p; 1352 delete p;
1262} 1353}
1263 1354
1264void connection::script_init_env (const char *ext) 1355void connection::script_init_env (const char *ext)
1265{ 1356{
1266 char *env; 1357 char *env;
1267 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env); 1358 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1268 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env); 1359 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1269 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext, 1360 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1270 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8, 1361 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1271 conf->id & 0xff); putenv (env); 1362 conf->id & 0xff); putenv (env);
1272} 1363}
1273 1364
1274void connection::script_init_connect_env () 1365void connection::script_init_connect_env ()
1275{ 1366{
1276 vpn->script_init_env (); 1367 vpn->script_init_env ();
1277 1368
1278 char *env; 1369 char *env;
1279 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1370 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1371 asprintf (&env, "DESTSI=%s", (const char *)si); putenv (env);
1280 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1372 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1281 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1373 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1282 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1374 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1283} 1375}
1284 1376
1285inline const char * 1377inline const char *
1286connection::script_node_up () 1378connection::script_node_up ()
1287{ 1379{
1297 1389
1298 return filename; 1390 return filename;
1299} 1391}
1300 1392
1301inline const char * 1393inline const char *
1394connection::script_node_change ()
1395{
1396 script_init_connect_env ();
1397
1398 putenv ((char *)"STATE=change");
1399
1400 char *filename;
1401 asprintf (&filename,
1402 "%s/%s",
1403 confbase,
1404 ::conf.script_node_change ? ::conf.script_node_change : "node-change");
1405
1406 return filename;
1407}
1408
1409inline const char *
1302connection::script_node_down () 1410connection::script_node_down ()
1303{ 1411{
1304 script_init_connect_env (); 1412 script_init_connect_env ();
1305 1413
1306 putenv ((char *)"STATE=down"); 1414 putenv ((char *)"STATE=down");
1317connection::connection (struct vpn *vpn, conf_node *conf) 1425connection::connection (struct vpn *vpn, conf_node *conf)
1318: vpn(vpn), conf(conf), 1426: vpn(vpn), conf(conf),
1319#if ENABLE_DNS 1427#if ENABLE_DNS
1320 dns (0), 1428 dns (0),
1321#endif 1429#endif
1322 data_queue(conf->max_ttl, conf->max_queue), 1430 data_queue(conf->max_ttl, conf->max_queue + 1),
1323 vpn_queue(conf->max_ttl, conf->max_queue) 1431 vpn_queue(conf->max_ttl, conf->max_queue + 1)
1324{ 1432{
1325 rekey .set<connection, &connection::rekey_cb > (this); 1433 rekey .set<connection, &connection::rekey_cb > (this);
1326 keepalive .set<connection, &connection::keepalive_cb > (this); 1434 keepalive .set<connection, &connection::keepalive_cb > (this);
1327 establish_connection.set<connection, &connection::establish_connection_cb> (this); 1435 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1328 1436

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines