ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.1 by pcg, Wed Apr 2 03:06:22 2003 UTC vs.
Revision 1.104 by root, Fri Jul 19 18:18:27 2013 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2008,2010,2011,2013 Marc Lehmann <gvpe@schmorp.de>
3 4
5 This file is part of GVPE.
6
4 This program is free software; you can redistribute it and/or modify 7 GVPE is free software; you can redistribute it and/or modify it
5 it under the terms of the GNU General Public License as published by 8 under the terms of the GNU General Public License as published by the
6 the Free Software Foundation; either version 2 of the License, or 9 Free Software Foundation; either version 3 of the License, or (at your
7 (at your option) any later version. 10 option) any later version.
8 11
9 This program is distributed in the hope that it will be useful, 12 This program is distributed in the hope that it will be useful, but
10 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
12 GNU General Public License for more details. 15 Public License for more details.
13 16
14 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License along
15 along with this program; if not, write to the Free Software 18 with this program; if not, see <http://www.gnu.org/licenses/>.
16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19
20 Additional permission under GNU GPL version 3 section 7
21
22 If you modify this Program, or any covered work, by linking or
23 combining it with the OpenSSL project's OpenSSL library (or a modified
24 version of that library), containing parts covered by the terms of the
25 OpenSSL or SSLeay licenses, the licensors of this Program grant you
26 additional permission to convey the resulting work. Corresponding
27 Source for a non-source form of such a combination shall include the
28 source code for the parts of OpenSSL used as well as that of the
29 covered work.
17*/ 30*/
18 31
19#include "config.h" 32#include "config.h"
20 33
21extern "C" {
22# include "lzf/lzf.h"
23}
24
25#include <list> 34#include <list>
35#include <queue>
36#include <utility>
26 37
27#include "gettext.h" 38#include <openssl/rand.h>
39#include <openssl/evp.h>
40#include <openssl/rsa.h>
41#include <openssl/err.h>
28 42
29#include "conf.h" 43#include "conf.h"
30#include "slog.h" 44#include "slog.h"
31#include "device.h" 45#include "device.h"
32#include "protocol.h" 46#include "vpn.h"
33#include "connection.h" 47#include "connection.h"
48#include "hkdf.h"
34 49
35#if !HAVE_RAND_PSEUDO_BYTES 50#include "netcompat.h"
36# define RAND_pseudo_bytes RAND_bytes
37#endif
38 51
39#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 52#define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic
53#define MAGIC "HUHN\xbd\xc6\xdb\x82" // 8 bytes of magic//D
54
55#define ULTRA_FAST 1
56#define HLOG 15
57#include "lzf/lzf.h"
58#include "lzf/lzf_c.c"
59#include "lzf/lzf_d.c"
60
61//////////////////////////////////////////////////////////////////////////////
62
63static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
64static ev::child rs_child_ev;
65
66namespace
67{
68 void // c++ requires external linkage here, apparently :(
69 rs_child_cb (ev::child &w, int revents)
70 {
71 w.stop ();
72
73 if (rs_queue.empty ())
74 return;
75
76 pid_t pid = run_script (*rs_queue.front ().first, false);
77 if (pid)
78 {
79 w.set (pid);
80 w.start ();
81 }
82 else
83 slog (L_WARN, rs_queue.front ().second);
84
85 delete rs_queue.front ().first;
86 rs_queue.pop ();
87 }
88};
89
90// despite the fancy name, this is quite a hack
91static void
92run_script_queued (run_script_cb *cb, const char *warnmsg)
93{
94 rs_queue.push (std::make_pair (cb, warnmsg));
95
96 if (!rs_child_ev.is_active ())
97 {
98 rs_child_ev.set<rs_child_cb> ();
99 rs_child_ev ();
100 }
101}
102
103//////////////////////////////////////////////////////////////////////////////
40 104
41struct crypto_ctx 105struct crypto_ctx
42{ 106{
43 EVP_CIPHER_CTX cctx; 107 EVP_CIPHER_CTX cctx;
44 HMAC_CTX hctx; 108 HMAC_CTX hctx;
45 109
46 crypto_ctx (const rsachallenge &challenge, int enc); 110 crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc);
47 ~crypto_ctx (); 111 ~crypto_ctx ();
48}; 112};
49 113
50crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc) 114crypto_ctx::crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc)
51{ 115{
116 ecdh_key s;
117
118 curve25519_combine (a, b, s);
119
120 {
121 u8 mac_key[MAC_KEYSIZE];
122 static const unsigned char mac_info[] = "gvpe mac key";
123
124 hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ());
125 kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key));
126 kdf.extract (s, sizeof (s));
127 kdf.extract_done (HKDF_PRF_HASH ());
128 kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info));
129
130 HMAC_CTX_init (&hctx);
131 require (HMAC_Init_ex (&hctx, mac_key, MAC_KEYSIZE, MAC_DIGEST (), 0));
132 }
133
134 {
135 u8 cipher_key[CIPHER_KEYSIZE];
136 static const unsigned char cipher_info[] = "gvpe cipher key";
137
138 hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ());
139 kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key));
140 kdf.extract (s, sizeof (s));
141 kdf.extract_done (HKDF_PRF_HASH ());
142 kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info));
143
52 EVP_CIPHER_CTX_init (&cctx); 144 EVP_CIPHER_CTX_init (&cctx);
53 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); 145 require (EVP_CipherInit_ex (&cctx, CIPHER (), 0, cipher_key, 0, enc));
54 HMAC_CTX_init (&hctx); 146 }
55 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
56} 147}
57 148
58crypto_ctx::~crypto_ctx () 149crypto_ctx::~crypto_ctx ()
59{ 150{
60 EVP_CIPHER_CTX_cleanup (&cctx); 151 require (EVP_CIPHER_CTX_cleanup (&cctx));
61 HMAC_CTX_cleanup (&hctx); 152 HMAC_CTX_cleanup (&hctx);
62} 153}
63 154
155static inline void
156auth_encrypt (RSA *key, const auth_data &auth, auth_encr &encr)
157{
158 if (RSA_public_encrypt (sizeof (auth.rsa),
159 (unsigned char *)&auth.rsa, (unsigned char *)&encr.rsa,
160 key, RSA_PKCS1_OAEP_PADDING) < 0)
161 fatal ("RSA_public_encrypt error");
162
163 memcpy (&encr.ecdh, &auth.ecdh, sizeof (encr.ecdh));
164}
165
166static inline bool
167auth_decrypt (RSA *key, const auth_encr &encr, auth_data &auth)
168{
169 u8 rsa_decrypt[RSA_KEYLEN];
170
171 if (RSA_private_decrypt (sizeof (encr.rsa),
172 (const unsigned char *)&encr.rsa, (unsigned char *)rsa_decrypt,
173 key, RSA_PKCS1_OAEP_PADDING) != sizeof (auth.rsa))
174 return 0;
175
176 memcpy (&auth.rsa, rsa_decrypt, sizeof (auth.rsa));
177 memcpy (&auth.ecdh, &encr.ecdh, sizeof (auth.ecdh));
178
179 return 1;
180}
181
64static void 182static void
65rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h) 183auth_hash (const auth_data &auth, const ecdh_key &b, auth_mac &mac)
66{ 184{
67 EVP_MD_CTX ctx; 185 hkdf kdf (&auth.ecdh, sizeof (auth.ecdh), AUTH_DIGEST ()); // use remote ecdh b as salt
68 186 kdf.extract (&auth.rsa, sizeof (auth.rsa));
69 EVP_MD_CTX_init (&ctx); 187 kdf.extract_done ();
70 EVP_DigestInit (&ctx, RSA_HASH); 188 kdf.expand (mac, sizeof mac, b, sizeof b); // use response ecdh b as info
71 EVP_DigestUpdate(&ctx, &chg, sizeof chg);
72 EVP_DigestUpdate(&ctx, &id, sizeof id);
73 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
74 EVP_MD_CTX_cleanup (&ctx);
75} 189}
76 190
77struct rsa_entry { 191void
78 tstamp expire; 192connection::generate_auth_data ()
79 rsaid id;
80 rsachallenge chg;
81};
82
83struct rsa_cache : list<rsa_entry>
84{ 193{
85 void cleaner_cb (tstamp &ts); time_watcher cleaner; 194 if (auth_expire < ev_now ())
86
87 bool find (const rsaid &id, rsachallenge &chg)
88 {
89 for (iterator i = begin (); i != end (); ++i)
90 {
91 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
92 {
93 memcpy (&chg, &i->chg, sizeof chg);
94
95 erase (i);
96 return true;
97 }
98 }
99
100 if (cleaner.at < NOW)
101 cleaner.start (NOW + RSA_TTL);
102
103 return false;
104 }
105
106 void gen (rsaid &id, rsachallenge &chg)
107 {
108 rsa_entry e;
109
110 RAND_bytes ((unsigned char *)&id, sizeof id);
111 RAND_bytes ((unsigned char *)&chg, sizeof chg);
112
113 e.expire = NOW + RSA_TTL;
114 e.id = id;
115 memcpy (&e.chg, &chg, sizeof chg);
116
117 push_back (e);
118
119 if (cleaner.at < NOW)
120 cleaner.start (NOW + RSA_TTL);
121 }
122
123 rsa_cache ()
124 : cleaner (this, &rsa_cache::cleaner_cb)
125 { } 195 {
196 // request data
197 rand_fill (snd_auth.rsa);
198 curve25519_generate (snd_ecdh_a, snd_auth.ecdh);
126 199
127} rsa_cache; 200 // eventual response data
128 201 curve25519_generate (rcv_ecdh_a, rcv_ecdh_b);
129void rsa_cache::cleaner_cb (tstamp &ts)
130{
131 if (empty ())
132 ts = TSTAMP_CANCEL;
133 else
134 { 202 }
135 ts = NOW + RSA_TTL;
136 203
137 for (iterator i = begin (); i != end (); ) 204 // every use prolongs the expiry
138 if (i->expire <= NOW) 205 auth_expire = ev_now () + AUTH_TTL;
139 i = erase (i);
140 else
141 ++i;
142 }
143} 206}
144 207
145////////////////////////////////////////////////////////////////////////////// 208//////////////////////////////////////////////////////////////////////////////
146 209
147void pkt_queue::put (tap_packet *p) 210pkt_queue::pkt_queue (double max_ttl, int max_queue)
211: max_ttl (max_ttl), max_queue (max_queue)
148{ 212{
149 if (queue[i]) 213 queue = new pkt [max_queue];
150 {
151 delete queue[i];
152 j = (j + 1) % QUEUEDEPTH;
153 }
154 214
155 queue[i] = p;
156
157 i = (i + 1) % QUEUEDEPTH;
158}
159
160tap_packet *pkt_queue::get ()
161{
162 tap_packet *p = queue[j];
163
164 if (p)
165 {
166 queue[j] = 0;
167 j = (j + 1) % QUEUEDEPTH;
168 }
169
170 return p;
171}
172
173pkt_queue::pkt_queue ()
174{
175 memset (queue, 0, sizeof (queue));
176 i = 0; 215 i = 0;
177 j = 0; 216 j = 0;
217
218 expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
178} 219}
179 220
180pkt_queue::~pkt_queue () 221pkt_queue::~pkt_queue ()
181{ 222{
182 for (i = QUEUEDEPTH; --i > 0; ) 223 while (net_packet *p = get ())
224 delete p;
225
183 delete queue[i]; 226 delete [] queue;
184} 227}
185 228
229void
230pkt_queue::expire_cb (ev::timer &w, int revents)
231{
232 ev_tstamp expire = ev_now () - max_ttl;
233
234 for (;;)
235 {
236 if (empty ())
237 break;
238
239 double diff = queue[j].tstamp - expire;
240
241 if (diff >= 0.)
242 {
243 w.start (diff > 0.5 ? diff : 0.5);
244 break;
245 }
246
247 delete get ();
248 }
249}
250
251void
252pkt_queue::put (net_packet *p)
253{
254 ev_tstamp now = ev_now ();
255
256 // start expiry timer
257 if (empty ())
258 expire.start (max_ttl);
259
260 int ni = i + 1 == max_queue ? 0 : i + 1;
261
262 if (ni == j)
263 delete get ();
264
265 queue[i].pkt = p;
266 queue[i].tstamp = now;
267
268 i = ni;
269}
270
271net_packet *
272pkt_queue::get ()
273{
274 if (empty ())
275 return 0;
276
277 net_packet *p = queue[j].pkt;
278 queue[j].pkt = 0;
279
280 j = j + 1 == max_queue ? 0 : j + 1;
281
282 return p;
283}
284
186struct net_rateinfo { 285struct net_rateinfo
286{
187 u32 host; 287 u32 host;
188 double pcnt, diff; 288 double pcnt, diff;
189 tstamp last; 289 tstamp last;
190}; 290};
191 291
192// only do action once every x seconds per host whole allowing bursts. 292// only do action once every x seconds per host whole allowing bursts.
193// this implementation ("splay list" ;) is inefficient, 293// this implementation ("splay list" ;) is inefficient,
194// but low on resources. 294// but low on resources.
195struct net_rate_limiter : list<net_rateinfo> 295struct net_rate_limiter : list<net_rateinfo>
196{ 296{
197 static const double ALPHA = 1. - 1. / 90.; // allow bursts 297# define NRL_ALPHA (1. - 1. / 600.) // allow bursts
198 static const double CUTOFF = 20.; // one event every CUTOFF seconds 298# define NRL_CUTOFF 10. // one event every CUTOFF seconds
199 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 299# define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
300# define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
200 301
201 bool can (const sockinfo &si) { return can((u32)si.host); } 302 bool can (const sockinfo &si) { return can((u32)si.host); }
202 bool can (u32 host); 303 bool can (u32 host);
203}; 304};
204 305
205net_rate_limiter auth_rate_limiter, reset_rate_limiter; 306static net_rate_limiter auth_rate_limiter, reset_rate_limiter;
206 307
308bool
207bool net_rate_limiter::can (u32 host) 309net_rate_limiter::can (u32 host)
208{ 310{
209 iterator i; 311 iterator i;
210 312
211 for (i = begin (); i != end (); ) 313 for (i = begin (); i != end (); )
212 if (i->host == host) 314 if (i->host == host)
213 break; 315 break;
214 else if (i->last < NOW - EXPIRE) 316 else if (i->last < ev_now () - NRL_EXPIRE)
215 i = erase (i); 317 i = erase (i);
216 else 318 else
217 i++; 319 i++;
218 320
219 if (i == end ()) 321 if (i == end ())
220 { 322 {
221 net_rateinfo ri; 323 net_rateinfo ri;
222 324
223 ri.host = host; 325 ri.host = host;
224 ri.pcnt = 1.; 326 ri.pcnt = 1.;
225 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 327 ri.diff = NRL_MAXDIF;
226 ri.last = NOW; 328 ri.last = ev_now ();
227 329
228 push_front (ri); 330 push_front (ri);
229 331
230 return true; 332 return true;
231 } 333 }
232 else 334 else
233 { 335 {
234 net_rateinfo ri (*i); 336 net_rateinfo ri (*i);
235 erase (i); 337 erase (i);
236 338
237 ri.pcnt = ri.pcnt * ALPHA; 339 ri.pcnt = ri.pcnt * NRL_ALPHA;
238 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 340 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
239 341
240 ri.last = NOW; 342 ri.last = ev_now ();
241 343
344 double dif = ri.diff / ri.pcnt;
345
242 bool send = ri.diff / ri.pcnt > CUTOFF; 346 bool send = dif > NRL_CUTOFF;
243 347
348 if (dif > NRL_MAXDIF)
349 {
350 ri.pcnt = 1.;
351 ri.diff = NRL_MAXDIF;
352 }
244 if (send) 353 else if (send)
245 ri.pcnt++; 354 ri.pcnt++;
246 355
247 push_front (ri); 356 push_front (ri);
248 357
249 return send; 358 return send;
250 } 359 }
251} 360}
252 361
253///////////////////////////////////////////////////////////////////////////// 362/////////////////////////////////////////////////////////////////////////////
254 363
255unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE]; 364void
256
257void hmac_packet::hmac_gen (crypto_ctx *ctx) 365hmac_packet::hmac_gen (crypto_ctx *ctx, u8 *hmac_digest)
258{ 366{
259 unsigned int xlen;
260
261 HMAC_CTX *hctx = &ctx->hctx; 367 HMAC_CTX *hctx = &ctx->hctx;
262 368
263 HMAC_Init_ex (hctx, 0, 0, 0, 0); 369 require (HMAC_Init_ex (hctx, 0, 0, 0, 0));
264 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), 370 require (HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), len - sizeof (hmac_packet)));
265 len - sizeof (hmac_packet)); 371 require (HMAC_Final (hctx, hmac_digest, 0));
266 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
267} 372}
268 373
269void 374void
270hmac_packet::hmac_set (crypto_ctx *ctx) 375hmac_packet::hmac_set (crypto_ctx *ctx)
271{ 376{
272 hmac_gen (ctx); 377 unsigned char hmac_digest[EVP_MAX_MD_SIZE];
273 378 hmac_gen (ctx, hmac_digest);
274 memcpy (hmac, hmac_digest, HMACLENGTH); 379 memcpy (hmac, hmac_digest, HMACLENGTH);
275} 380}
276 381
277bool 382bool
278hmac_packet::hmac_chk (crypto_ctx *ctx) 383hmac_packet::hmac_chk (crypto_ctx *ctx)
279{ 384{
280 hmac_gen (ctx); 385 unsigned char hmac_digest[EVP_MAX_MD_SIZE];
281 386 hmac_gen (ctx, hmac_digest);
282 return !memcmp (hmac, hmac_digest, HMACLENGTH); 387 return !memcmp (hmac, hmac_digest, HMACLENGTH);
283} 388}
284 389
390void
285void vpn_packet::set_hdr (ptype type, unsigned int dst) 391vpn_packet::set_hdr (ptype type_, unsigned int dst)
286{ 392{
287 this->type = type; 393 type = type_;
288 394
289 int src = THISNODE->id; 395 int src = THISNODE->id;
290 396
291 src1 = src; 397 src1 = src;
292 srcdst = ((src >> 8) << 4) | (dst >> 8); 398 srcdst = ((src >> 8) << 4) | (dst >> 8);
294} 400}
295 401
296#define MAXVPNDATA (MAX_MTU - 6 - 6) 402#define MAXVPNDATA (MAX_MTU - 6 - 6)
297#define DATAHDR (sizeof (u32) + RAND_SIZE) 403#define DATAHDR (sizeof (u32) + RAND_SIZE)
298 404
299struct vpndata_packet:vpn_packet 405struct vpndata_packet : vpn_packet
406{
407 u8 data[MAXVPNDATA + DATAHDR]; // seqno
408
409 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
410 tap_packet *unpack (connection *conn, u32 &seqno);
411
412private:
413 const u32 data_hdr_size () const
300 { 414 {
301 u8 data[MAXVPNDATA + DATAHDR]; // seqno
302
303 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
304 tap_packet *unpack (connection *conn, u32 &seqno);
305private:
306
307 const u32 data_hdr_size () const
308 {
309 return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR; 415 return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
310 }
311 }; 416 }
417};
312 418
313void 419void
314vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno) 420vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
315{ 421{
316 EVP_CIPHER_CTX *cctx = &conn->octx->cctx; 422 EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
317 int outl = 0, outl2; 423 int outl = 0, outl2;
318 ptype type = PT_DATA_UNCOMPRESSED; 424 ptype type = PT_DATA_UNCOMPRESSED;
319 425
320#if ENABLE_COMPRESSION 426#if ENABLE_COMPRESSION
321 u8 cdata[MAX_MTU]; 427 u8 cdata[MAX_MTU];
322 u32 cl;
323 428
429 if (conn->features & FEATURE_COMPRESSION)
430 {
324 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 431 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
432
325 if (cl) 433 if (cl)
326 { 434 {
327 type = PT_DATA_COMPRESSED; 435 type = PT_DATA_COMPRESSED;
328 d = cdata; 436 d = cdata;
329 l = cl + 2; 437 l = cl + 2;
330 438
331 d[0] = cl >> 8; 439 d[0] = cl >> 8;
332 d[1] = cl; 440 d[1] = cl;
441 }
333 } 442 }
334#endif 443#endif
335 444
336 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 445 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 1));
337 446
338 struct { 447 struct {
339#if RAND_SIZE 448#if RAND_SIZE
340 u8 rnd[RAND_SIZE]; 449 u8 rnd[RAND_SIZE];
341#endif 450#endif
342 u32 seqno; 451 u32 seqno;
343 } datahdr; 452 } datahdr;
344 453
345 datahdr.seqno = ntohl (seqno); 454 datahdr.seqno = ntohl (seqno);
346#if RAND_SIZE 455#if RAND_SIZE
347 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 456 // NB: a constant (per session) random prefix
457 // is likely enough, but we don't take any chances.
458 conn->oiv.get (datahdr.rnd, RAND_SIZE);
348#endif 459#endif
349 460
350 EVP_EncryptUpdate (cctx, 461 require (EVP_EncryptUpdate (cctx,
351 (unsigned char *) data + outl, &outl2, 462 (unsigned char *) data + outl, &outl2,
352 (unsigned char *) &datahdr, DATAHDR); 463 (unsigned char *) &datahdr, DATAHDR));
353 outl += outl2; 464 outl += outl2;
354 465
355 EVP_EncryptUpdate (cctx, 466 require (EVP_EncryptUpdate (cctx,
356 (unsigned char *) data + outl, &outl2, 467 (unsigned char *) data + outl, &outl2,
357 (unsigned char *) d, l); 468 (unsigned char *) d, l));
358 outl += outl2; 469 outl += outl2;
359 470
360 EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2); 471 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
361 outl += outl2; 472 outl += outl2;
362 473
363 len = outl + data_hdr_size (); 474 len = outl + data_hdr_size ();
364 475
365 set_hdr (type, dst); 476 set_hdr (type, dst);
374 int outl = 0, outl2; 485 int outl = 0, outl2;
375 tap_packet *p = new tap_packet; 486 tap_packet *p = new tap_packet;
376 u8 *d; 487 u8 *d;
377 u32 l = len - data_hdr_size (); 488 u32 l = len - data_hdr_size ();
378 489
379 EVP_DecryptInit_ex (cctx, 0, 0, 0, 0); 490 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 0));
380 491
381#if ENABLE_COMPRESSION 492#if ENABLE_COMPRESSION
382 u8 cdata[MAX_MTU]; 493 u8 cdata[MAX_MTU];
383 494
384 if (type == PT_DATA_COMPRESSED) 495 if (type == PT_DATA_COMPRESSED)
385 d = cdata; 496 d = cdata;
386 else 497 else
387#endif 498#endif
388 d = &(*p)[6 + 6 - DATAHDR]; 499 d = &(*p)[6 + 6] - DATAHDR;
389 500
390 /* this overwrites part of the src mac, but we fix that later */ 501 // we play do evil games with the struct layout atm.
502 // pending better solutions, we at least do some verification.
503 // this is fine, as we left ISO territory long ago.
504 require (DATAHDR <= 16);
505 require ((u8 *)(&p->len + 1) == &(*p)[0]);
506
507 // this can overwrite the len/dst/src fields
391 EVP_DecryptUpdate (cctx, 508 require (EVP_DecryptUpdate (cctx,
392 d, &outl2, 509 d, &outl2,
393 (unsigned char *)&data, len - data_hdr_size ()); 510 (unsigned char *)&data, len - data_hdr_size ()));
394 outl += outl2; 511 outl += outl2;
395 512
396 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 513 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
397 outl += outl2; 514 outl += outl2;
398 515
399 seqno = ntohl (*(u32 *)(d + RAND_SIZE)); 516 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
400 517
401 id2mac (dst () ? dst() : THISNODE->id, p->dst); 518 id2mac (dst () ? dst() : THISNODE->id, p->dst);
426 } 543 }
427}; 544};
428 545
429struct config_packet : vpn_packet 546struct config_packet : vpn_packet
430{ 547{
431 // actually, hmaclen cannot be checked because the hmac 548 u8 serial[SERIAL_SIZE];
432 // field comes before this data, so peers with other
433 // hmacs simply will not work.
434 u8 prot_major, prot_minor, randsize, hmaclen; 549 u8 prot_major, prot_minor, randsize;
435 u8 flags, challengelen, pad2, pad3; 550 u8 flags, features, pad6, pad7, pad8;
436 u32 cipher_nid, digest_nid, hmac_nid; 551 u32 cipher_nid, mac_nid, auth_nid;
437 552
438 const u8 curflags () const 553 void setup (ptype type, int dst);
554 bool chk_config (const conf_node *conf, const sockinfo &rsi) const;
555
556 static u8 get_features ()
439 { 557 {
558 u8 f = 0;
559#if ENABLE_COMPRESSION
560 f |= FEATURE_COMPRESSION;
561#endif
562#if ENABLE_ROHC
563 f |= FEATURE_ROHC;
564#endif
565#if ENABLE_BRIDGING
566 f |= FEATURE_BRIDGING;
567#endif
440 return 0x80 568 return f;
441 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
442 } 569 }
443
444 void setup (ptype type, int dst);
445 bool chk_config () const;
446}; 570};
447 571
572void
448void config_packet::setup (ptype type, int dst) 573config_packet::setup (ptype type, int dst)
449{ 574{
450 prot_major = PROTOCOL_MAJOR; 575 prot_major = PROTOCOL_MAJOR;
451 prot_minor = PROTOCOL_MINOR; 576 prot_minor = PROTOCOL_MINOR;
452 randsize = RAND_SIZE; 577 randsize = RAND_SIZE;
453 hmaclen = HMACLENGTH; 578 flags = 0;
454 flags = curflags (); 579 features = get_features ();
455 challengelen = sizeof (rsachallenge);
456 580
581 strncpy ((char *)serial, conf.serial, sizeof (serial));
582
457 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 583 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER ()));
458 digest_nid = htonl (EVP_MD_type (RSA_HASH));
459 hmac_nid = htonl (EVP_MD_type (DIGEST)); 584 mac_nid = htonl (EVP_MD_type (MAC_DIGEST ()));
585 auth_nid = htonl (EVP_MD_type (AUTH_DIGEST ()));
460 586
461 len = sizeof (*this) - sizeof (net_packet); 587 len = sizeof (*this) - sizeof (net_packet);
462 set_hdr (type, dst); 588 set_hdr (type, dst);
463} 589}
464 590
465bool config_packet::chk_config () const 591bool
592config_packet::chk_config (const conf_node *conf, const sockinfo &rsi) const
466{ 593{
467 return prot_major == PROTOCOL_MAJOR 594 if (prot_major != PROTOCOL_MAJOR)
468 && randsize == RAND_SIZE 595 slog (L_WARN, _("%s(%s): major version mismatch (remote %d <=> local %d)"),
469 && hmaclen == HMACLENGTH 596 conf->nodename, (const char *)rsi, prot_major, PROTOCOL_MAJOR);
470 && flags == curflags () 597 else if (randsize != RAND_SIZE)
471 && challengelen == sizeof (rsachallenge) 598 slog (L_WARN, _("%s(%s): rand size mismatch (remote %d <=> local %d)"),
599 conf->nodename, (const char *)rsi, randsize, RAND_SIZE);
472 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 600 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER ())))
473 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 601 slog (L_WARN, _("%s(%s): cipher algo mismatch (remote %x <=> local %x)"),
474 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 602 conf->nodename, (const char *)rsi, ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER ()));
475} 603 else if (mac_nid != htonl (EVP_MD_type (MAC_DIGEST ())))
604 slog (L_WARN, _("%s(%s): mac algo mismatch (remote %x <=> local %x)"),
605 conf->nodename, (const char *)rsi, ntohl (mac_nid), EVP_MD_type (MAC_DIGEST ()));
606 else if (auth_nid != htonl (EVP_MD_type (AUTH_DIGEST ())))
607 slog (L_WARN, _("%s(%s): auth algo mismatch (remote %x <=> local %x)"),
608 conf->nodename, (const char *)rsi, ntohl (auth_nid), EVP_MD_type (AUTH_DIGEST ()));
609 else
610 {
611 int cmp = memcmp (serial, ::conf.serial, sizeof (serial));
476 612
613 if (cmp > 0)
614 slog (L_WARN, _("%s(%s): remote serial newer than local serial - outdated config?"),
615 conf->nodename, (const char *)rsi);
616 else if (cmp == 0)
617 return true;
618 }
619
620 return false;
621}
622
477struct auth_req_packet : config_packet 623struct auth_req_packet : config_packet // UNPROTECTED
478{ 624{
479 char magic[8]; 625 char magic[8];
480 u8 initiate; // false if this is just an automatic reply 626 u8 initiate; // false if this is just an automatic reply
481 u8 protocols; // supported protocols (will get patches on forward) 627 u8 protocols; // supported protocols (will be patched on forward)
482 u8 pad2, pad3; 628 u8 pad2, pad3;
483 rsaid id; 629 auth_encr encr;
484 rsaencrdata encr;
485 630
486 auth_req_packet (int dst, bool initiate_, u8 protocols_) 631 auth_req_packet (int dst, bool initiate_, u8 protocols_)
487 { 632 {
488 config_packet::setup (PT_AUTH_REQ, dst); 633 config_packet::setup (PT_AUTH_REQ, dst);
489 strncpy (magic, MAGIC, 8); 634 memcpy (magic, MAGIC, 8);
490 initiate = !!initiate_; 635 initiate = !!initiate_;
491 protocols = protocols_; 636 protocols = protocols_;
492 637
493 len = sizeof (*this) - sizeof (net_packet); 638 len = sizeof (*this) - sizeof (net_packet);
494 } 639 }
495}; 640};
496 641
497struct auth_res_packet : config_packet 642struct auth_res_packet : vpn_packet // UNPROTECTED
498{ 643{
499 rsaid id;
500 u8 pad1, pad2, pad3;
501 u8 response_len; // encrypted length
502 rsaresponse response; 644 auth_response response;
503 645
504 auth_res_packet (int dst) 646 auth_res_packet (int dst)
505 { 647 {
506 config_packet::setup (PT_AUTH_RES, dst); 648 set_hdr (PT_AUTH_RES, dst);
507 649
508 len = sizeof (*this) - sizeof (net_packet); 650 len = sizeof (*this) - sizeof (net_packet);
509 } 651 }
510}; 652};
511 653
541}; 683};
542 684
543///////////////////////////////////////////////////////////////////////////// 685/////////////////////////////////////////////////////////////////////////////
544 686
545void 687void
688connection::connection_established (const sockinfo &rsi)
689{
690 if (!have_snd_auth || !have_rcv_auth)
691 return;
692
693 si = rsi;
694 protocol = rsi.prot;
695
696 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
697 conf->nodename, (const char *)rsi,
698 is_direct ? "direct" : "forwarded",
699 PROTOCOL_MAJOR, prot_minor);
700
701 if (::conf.script_node_up)
702 {
703 run_script_cb *cb = new run_script_cb;
704 cb->set<connection, &connection::script_node_up> (this);
705 run_script_queued (cb, _("node-up command execution failed, continuing."));
706 }
707
708 delete ictx; ictx = new crypto_ctx (rcv_auth, snd_auth, rcv_ecdh_a, rcv_auth.ecdh, 0);
709 iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff);
710
711 delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b , 1);
712 oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff;
713
714 oiv.reset ();
715
716 // make sure rekeying timeouts are slightly asymmetric
717 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
718 rekey.start (rekey_interval, rekey_interval);
719
720 keepalive.start (::conf.keepalive);
721
722 // send queued packets
723 if (ictx && octx)
724 {
725 while (tap_packet *p = (tap_packet *)data_queue.get ())
726 {
727 if (p->len) send_data_packet (p);
728 delete p;
729 }
730
731 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
732 {
733 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
734 delete p;
735 }
736 }
737
738 vpn->connection_established (this);
739}
740
741void
546connection::reset_dstaddr () 742connection::reset_si ()
547{ 743{
744 if (vpn->can_direct (THISNODE, conf))
745 protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
746 else
747 {
748 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
749 protocol = 0;
750 }
751
548 si.set (conf); 752 si.set (conf, protocol);
753
754 is_direct = si.valid ();
755}
756
757// ensure sockinfo is valid, forward if necessary
758const sockinfo &
759connection::forward_si (const sockinfo &si) const
760{
761 if (!si.valid ())
762 {
763 connection *r = vpn->find_router_for (this);
764
765 if (r)
766 {
767 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
768 conf->nodename, r->conf->nodename);
769 return r->si;
770 }
771 else
772 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
773 conf->nodename);
774 }
775
776 return si;
777}
778
779void
780connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
781{
782 if (!vpn->send_vpn_packet (pkt, si, tos))
783 reset_connection ();
549} 784}
550 785
551void 786void
552connection::send_ping (const sockinfo &si, u8 pong) 787connection::send_ping (const sockinfo &si, u8 pong)
553{ 788{
554 ping_packet *pkt = new ping_packet; 789 ping_packet *pkt = new ping_packet;
555 790
556 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 791 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
792
793 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
557 send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 794 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
558 795
559 delete pkt; 796 delete pkt;
560} 797}
561 798
576void 813void
577connection::send_auth_request (const sockinfo &si, bool initiate) 814connection::send_auth_request (const sockinfo &si, bool initiate)
578{ 815{
579 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols); 816 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
580 817
581 protocol = best_protocol (THISNODE->protocols & conf->protocols); 818 generate_auth_data ();
819 auth_encrypt (conf->rsa_key, snd_auth, pkt->encr);
582 820
583 rsachallenge chg;
584
585 rsa_cache.gen (pkt->id, chg);
586
587 if (0 > RSA_public_encrypt (sizeof chg,
588 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
589 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
590 fatal ("RSA_public_encrypt error");
591
592 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 821 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
822 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
593 823
824 delete pkt;
825}
826
827void
828connection::send_auth_response (const sockinfo &si)
829{
830 auth_res_packet *pkt = new auth_res_packet (conf->id);
831
832 memcpy (pkt->response.ecdh, rcv_ecdh_b, sizeof rcv_ecdh_b);
833 auth_hash (rcv_auth, rcv_ecdh_b, pkt->response.mac);
834
835 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
594 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 836 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
595 837
596 delete pkt; 838 delete pkt;
597} 839}
598 840
599void 841void
600connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
601{
602 auth_res_packet *pkt = new auth_res_packet (conf->id);
603
604 pkt->id = id;
605
606 rsa_hash (id, chg, pkt->response);
607
608 pkt->hmac_set (octx);
609
610 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
611
612 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
613
614 delete pkt;
615}
616
617void
618connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 842connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
619{ 843{
620 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 844 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s,p%02x)", conf->nodename,
621 conf->id, rid, (const char *)rsi); 845 vpn->conns[rid - 1]->conf->nodename, (const char *)rsi,
846 conf->protocols);
622 847
623 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 848 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
624 849
625 r->hmac_set (octx); 850 r->hmac_set (octx);
626 send_vpn_packet (r, si); 851 send_vpn_packet (r, si);
627 852
628 delete r; 853 delete r;
629} 854}
630 855
631void 856inline void
632connection::establish_connection_cb (tstamp &ts) 857connection::establish_connection_cb (ev::timer &w, int revents)
633{ 858{
634 if (ictx || conf == THISNODE 859 if (!(ictx && octx)
860 && conf != THISNODE
635 || connectmode == conf_node::C_NEVER 861 && connectmode != conf_node::C_NEVER
636 || connectmode == conf_node::C_DISABLED) 862 && connectmode != conf_node::C_DISABLED
637 ts = TSTAMP_CANCEL; 863 && !w.is_active ())
638 else if (ts <= NOW)
639 { 864 {
640 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 865 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
641 866 // and stop trying. should probably be handled by a per-connection expire handler.
642 if (retry_int < 3600 * 8) 867 if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
643 retry_cnt++;
644
645 ts = NOW + retry_int;
646
647 if (conf->hostname)
648 { 868 {
649 reset_dstaddr (); 869 reset_connection ();
650 if (si.host && auth_rate_limiter.can (si)) 870 return;
651 {
652 if (retry_cnt < 4)
653 send_auth_request (si, true);
654 else
655 send_ping (si, 0);
656 } 871 }
872
873 last_establish_attempt = ev_now ();
874
875 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
876 ? (retry_cnt & 3) + 1
877 : 1 << (retry_cnt >> 2));
878
879 reset_si ();
880
881 bool slow = si.prot & PROT_SLOW;
882
883 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
884 {
885 /*TODO*/ /* start the timer so we don't recurse endlessly */
886 w.start (1);
887 vpn->send_connect_request (this);
657 } 888 }
658 else 889 else
659 vpn->connect_request (conf->id); 890 {
891 if (si.valid ())
892 slog (L_DEBUG, _("%s: sending direct connection request to %s."),
893 conf->nodename, (const char *)si);
894
895 const sockinfo &dsi = forward_si (si);
896
897 slow = slow || (dsi.prot & PROT_SLOW);
898
899 if (dsi.valid () && auth_rate_limiter.can (dsi))
900 {
901 if (retry_cnt < 4)
902 send_auth_request (dsi, true);
903 else
904 send_ping (dsi, 0);
905 }
906 }
907
908 retry_int *= slow ? 8. : 0.9;
909
910 if (retry_int < conf->max_retry)
911 retry_cnt++;
912 else
913 retry_int = conf->max_retry;
914
915 w.start (retry_int);
660 } 916 }
661} 917}
662 918
663void 919void
664connection::reset_connection () 920connection::reset_connection ()
667 { 923 {
668 slog (L_INFO, _("%s(%s): connection lost"), 924 slog (L_INFO, _("%s(%s): connection lost"),
669 conf->nodename, (const char *)si); 925 conf->nodename, (const char *)si);
670 926
671 if (::conf.script_node_down) 927 if (::conf.script_node_down)
672 run_script (run_script_cb (this, &connection::script_node_down), false); 928 {
929 run_script_cb *cb = new run_script_cb;
930 cb->set<connection, &connection::script_node_down> (this);
931 run_script_queued (cb, _("node-down command execution failed, continuing."));
932 }
673 } 933 }
674 934
675 delete ictx; ictx = 0; 935 delete ictx; ictx = 0;
676 delete octx; octx = 0; 936 delete octx; octx = 0;
677 937
678 si.host= 0; 938 si.host = 0;
679 939
940 have_snd_auth = false;
941 have_rcv_auth = false;
942 auth_expire = 0.;
943
680 last_activity = 0; 944 last_activity = 0.;
945 //last_si_change = 0.;
681 retry_cnt = 0; 946 retry_cnt = 0;
682 947
683 rekey.reset (); 948 rekey.stop ();
684 keepalive.reset (); 949 keepalive.stop ();
685 establish_connection.reset (); 950 establish_connection.stop ();
686} 951}
687 952
688void 953void
689connection::shutdown () 954connection::shutdown ()
690{ 955{
692 send_reset (si); 957 send_reset (si);
693 958
694 reset_connection (); 959 reset_connection ();
695} 960}
696 961
697void 962// poor-man's rekeying
698connection::rekey_cb (tstamp &ts) 963inline void
964connection::rekey_cb (ev::timer &w, int revents)
699{ 965{
700 ts = TSTAMP_CANCEL;
701
702 reset_connection (); 966 reset_connection ();
703 establish_connection (); 967 establish_connection ();
704} 968}
705 969
706void 970void
707connection::send_data_packet (tap_packet *pkt, bool broadcast) 971connection::send_data_packet (tap_packet *pkt)
708{ 972{
709 vpndata_packet *p = new vpndata_packet; 973 vpndata_packet *p = new vpndata_packet;
710 int tos = 0; 974 int tos = 0;
711 975
712 if (conf->inherit_tos 976 // I am not hilarious about peeking into packets, but so be it.
713 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 977 if (conf->inherit_tos && pkt->is_ipv4 ())
714 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
715 tos = (*pkt)[15] & IPTOS_TOS_MASK; 978 tos = (*pkt)[15] & IPTOS_TOS_MASK;
716 979
717 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 980 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
718 send_vpn_packet (p, si, tos); 981 send_vpn_packet (p, si, tos);
719 982
720 delete p; 983 delete p;
721 984
722 if (oseqno > MAX_SEQNO) 985 if (oseqno > MAX_SEQNO)
723 rekey (); 986 rekey ();
724} 987}
725 988
726void 989void
990connection::post_inject_queue ()
991{
992 // force a connection every now and when when packets are sent (max 1/s)
993 if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
994 establish_connection.stop ();
995
996 establish_connection ();
997}
998
999void
727connection::inject_data_packet (tap_packet *pkt, bool broadcast) 1000connection::inject_data_packet (tap_packet *pkt)
728{ 1001{
729 if (ictx && octx) 1002 if (ictx && octx)
730 send_data_packet (pkt, broadcast); 1003 send_data_packet (pkt);
731 else 1004 else
732 { 1005 {
733 if (!broadcast)//DDDD
734 queue.put (new tap_packet (*pkt)); 1006 data_queue.put (new tap_packet (*pkt));
1007 post_inject_queue ();
1008 }
1009}
735 1010
736 establish_connection (); 1011void
1012connection::inject_vpn_packet (vpn_packet *pkt, int tos)
1013{
1014 if (ictx && octx)
1015 send_vpn_packet (pkt, si, tos);
1016 else
1017 {
1018 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
1019 post_inject_queue ();
737 } 1020 }
738} 1021}
739 1022
740void 1023void
741connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 1024connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
742{ 1025{
743 last_activity = NOW; 1026 last_activity = ev_now ();
744 1027
745 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 1028 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
746 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 1029 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1030
1031 if (connectmode == conf_node::C_DISABLED)
1032 return;
747 1033
748 switch (pkt->typ ()) 1034 switch (pkt->typ ())
749 { 1035 {
750 case vpn_packet::PT_PING: 1036 case vpn_packet::PT_PING:
1037 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1038
751 // we send pings instead of auth packets after some retries, 1039 // we send pings instead of auth packets after some retries,
752 // so reset the retry counter and establish a connection 1040 // so reset the retry counter and establish a connection
753 // when we receive a ping. 1041 // when we receive a ping.
754 if (!ictx) 1042 if (!ictx)
1043 {
1044 if (auth_rate_limiter.can (rsi))
1045 send_auth_request (rsi, true);
1046 }
1047 else
1048 // we would love to change the socket address here, but ping's aren't
1049 // authenticated, so we best ignore it.
1050 send_ping (rsi, 1); // pong
1051
1052 break;
1053
1054 case vpn_packet::PT_PONG:
1055 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1056
1057 // a PONG might mean that the other side doesn't really know
1058 // about our desire for communication.
1059 establish_connection ();
1060 break;
1061
1062 case vpn_packet::PT_RESET:
755 { 1063 {
756 if (auth_rate_limiter.can (rsi)) 1064 reset_connection ();
757 send_auth_request (rsi, true); 1065
1066 config_packet *p = (config_packet *) pkt;
1067
1068 if (p->chk_config (conf, rsi) && connectmode == conf_node::C_ALWAYS)
1069 establish_connection ();
758 } 1070 }
759 else
760 send_ping (rsi, 1); // pong
761
762 break; 1071 break;
763 1072
764 case vpn_packet::PT_PONG:
765 break;
766
767 case vpn_packet::PT_RESET: 1073 case vpn_packet::PT_AUTH_REQ:
768 { 1074 if (auth_rate_limiter.can (rsi))
769 reset_connection ();
770
771 config_packet *p = (config_packet *) pkt;
772
773 if (!p->chk_config ())
774 { 1075 {
1076 auth_req_packet *p = (auth_req_packet *)pkt;
1077
1078 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s,p%02x,f%02x)",
1079 conf->nodename, p->initiate ? "initiate" : "reply",
1080 p->protocols, p->features);
1081
1082 if (memcmp (p->magic, MAGIC, 8))
1083 {
775 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"), 1084 slog (L_WARN, _("%s(%s): protocol magic mismatch - stray packet?"),
776 conf->nodename, (const char *)rsi); 1085 conf->nodename, (const char *)rsi);
777 connectmode = conf_node::C_DISABLED; 1086 }
1087 else if (p->chk_config (conf, rsi))
1088 {
1089 if (p->prot_minor != PROTOCOL_MINOR)
1090 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1091 conf->nodename, (const char *)rsi,
1092 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1093
1094 if (p->initiate)
1095 send_auth_request (rsi, false);
1096
1097 auth_data auth;
1098
1099 if (!auth_decrypt (::conf.rsa_key, p->encr, auth))
1100 {
1101 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1102 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1103 }
1104 else
1105 {
1106 bool chg = !have_rcv_auth || memcmp (&rcv_auth, &auth, sizeof auth);
1107
1108 rcv_auth = auth;
1109 have_rcv_auth = true;
1110
1111 send_auth_response (rsi);
1112
1113 if (chg)
1114 {
1115 conf->protocols = p->protocols;
1116 features = p->features & config_packet::get_features ();
1117
1118 connection_established (rsi);
1119 }
1120 }
1121
1122 break;
1123 }
1124
1125 send_reset (rsi);
778 } 1126 }
779 else if (connectmode == conf_node::C_ALWAYS) 1127
780 establish_connection ();
781 }
782 break; 1128 break;
783 1129
784 case vpn_packet::PT_AUTH_REQ: 1130 case vpn_packet::PT_AUTH_RES:
785 if (auth_rate_limiter.can (rsi))
786 { 1131 {
787 auth_req_packet *p = (auth_req_packet *) pkt; 1132 auth_res_packet *p = (auth_res_packet *)pkt;
788 1133
789 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 1134 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
790 1135
791 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 1136 auth_mac local_mac;
1137 auth_hash (snd_auth, p->response.ecdh, local_mac);
1138
1139 if (memcmp (&p->response.mac, local_mac, sizeof local_mac))
792 { 1140 {
793 if (p->prot_minor != PROTOCOL_MINOR) 1141 slog (L_ERR, _("%s(%s): unrequested or outdated auth response, ignoring."),
794 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
795 conf->nodename, (const char *)rsi,
796 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
797
798 if (p->initiate)
799 send_auth_request (rsi, false);
800
801 rsachallenge k;
802
803 if (0 > RSA_private_decrypt (sizeof (p->encr),
804 (unsigned char *)&p->encr, (unsigned char *)&k,
805 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
806 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
807 conf->nodename, (const char *)rsi); 1142 conf->nodename, (const char *)rsi);
808 else
809 {
810 retry_cnt = 0;
811 establish_connection.set (NOW + 8); //? ;)
812 keepalive.reset ();
813 rekey.reset ();
814
815 delete ictx;
816 ictx = 0;
817
818 delete octx;
819
820 octx = new crypto_ctx (k, 1);
821 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
822
823 conf->protocols = p->protocols;
824 send_auth_response (rsi, p->id, k);
825
826 break;
827 }
828 } 1143 }
1144 else if (!have_snd_auth)
1145 {
1146 memcpy (snd_ecdh_b, p->response.ecdh, sizeof snd_ecdh_b);
829 1147
830 send_reset (rsi); 1148 have_snd_auth = true;
1149 connection_established (rsi);
1150 }
1151
1152 break;
831 } 1153 }
832 1154
1155 send_reset (rsi);
833 break; 1156 break;
834 1157
835 case vpn_packet::PT_AUTH_RES: 1158 case vpn_packet::PT_DATA_COMPRESSED:
836 { 1159#if !ENABLE_COMPRESSION
837 auth_res_packet *p = (auth_res_packet *) pkt; 1160 send_reset (rsi);
1161 break;
1162#endif
838 1163
839 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 1164 case vpn_packet::PT_DATA_UNCOMPRESSED:
840 1165
841 if (p->chk_config ()) 1166 if (ictx && octx)
842 { 1167 {
843 if (p->prot_minor != PROTOCOL_MINOR) 1168 vpndata_packet *p = (vpndata_packet *)pkt;
844 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
845 conf->nodename, (const char *)rsi,
846 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
847 1169
848 rsachallenge chg; 1170 if (!p->hmac_chk (ictx))
849 1171 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
850 if (!rsa_cache.find (p->id, chg)) 1172 "could be an attack, or just corruption or a synchronization error."),
851 slog (L_ERR, _("%s(%s): unrequested auth response"),
852 conf->nodename, (const char *)rsi); 1173 conf->nodename, (const char *)rsi);
853 else 1174 else
854 { 1175 {
855 crypto_ctx *cctx = new crypto_ctx (chg, 0);
856
857 if (!p->hmac_chk (cctx))
858 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
859 "could be an attack, or just corruption or an synchronization error"),
860 conf->nodename, (const char *)rsi);
861 else 1176 u32 seqno;
1177 tap_packet *d = p->unpack (this, seqno);
1178 int seqclass = iseqno.seqno_classify (seqno);
1179
1180 if (seqclass == 0) // ok
862 { 1181 {
863 rsaresponse h; 1182 vpn->tap->send (d);
864 1183
865 rsa_hash (p->id, chg, h); 1184 if (si != rsi)
866
867 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
868 { 1185 {
869 prot_minor = p->prot_minor; 1186 // fast re-sync on source address changes, useful especially for tcp/ip
870 1187 //if (last_si_change < ev_now () + 5.)
871 delete ictx; ictx = cctx;
872
873 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
874
875 si = rsi;
876
877 rekey.set (NOW + ::conf.rekey);
878 keepalive.set (NOW + ::conf.keepalive);
879
880 // send queued packets
881 while (tap_packet *p = queue.get ())
882 { 1188 // {
883 send_data_packet (p); 1189 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1190 conf->nodename, (const char *)si, (const char *)rsi);
1191
1192 si = rsi;
1193
1194 if (::conf.script_node_change)
884 delete p; 1195 {
1196 run_script_cb *cb = new run_script_cb;
1197 cb->set<connection, &connection::script_node_change> (this);
1198 run_script_queued (cb, _("node-change command execution failed, continuing."));
1199 }
1200
885 } 1201 // }
886 1202 //else
887 connectmode = conf->connectmode; 1203 // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
888
889 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
890 conf->nodename, (const char *)rsi, 1204 // conf->nodename, (const char *)si, (const char *)rsi);
891 strprotocol (protocol),
892 p->prot_major, p->prot_minor);
893
894 if (::conf.script_node_up)
895 run_script (run_script_cb (this, &connection::script_node_up), false);
896
897 break;
898 } 1205 }
899 else
900 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
901 conf->nodename, (const char *)rsi);
902 } 1206 }
1207 else if (seqclass == 1) // far history
1208 slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1209 "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1210 else if (seqclass == 2) // in-window duplicate, happens often on wireless
1211 slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1212 "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1213 else if (seqclass == 3) // reset
1214 {
1215 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1216 "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1217 send_reset (rsi);
1218 }
903 1219
904 delete cctx; 1220 delete d;
1221 break;
905 } 1222 }
906 } 1223 }
907 }
908 1224
909 send_reset (rsi); 1225 send_reset (rsi);
910 break; 1226 break;
911 1227
912 case vpn_packet::PT_DATA_COMPRESSED:
913#if !ENABLE_COMPRESSION
914 send_reset (rsi);
915 break;
916#endif
917
918 case vpn_packet::PT_DATA_UNCOMPRESSED:
919
920 if (ictx && octx)
921 {
922 vpndata_packet *p = (vpndata_packet *)pkt;
923
924 if (rsi == si)
925 {
926 if (!p->hmac_chk (ictx))
927 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
928 "could be an attack, or just corruption or an synchronization error"),
929 conf->nodename, (const char *)rsi);
930 else
931 {
932 u32 seqno;
933 tap_packet *d = p->unpack (this, seqno);
934
935 if (iseqno.recv_ok (seqno))
936 {
937 vpn->tap->send (d);
938
939 if (p->dst () == 0) // re-broadcast
940 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
941 {
942 connection *c = *i;
943
944 if (c->conf != THISNODE && c->conf != conf)
945 c->inject_data_packet (d);
946 }
947
948 delete d;
949
950 break;
951 }
952 }
953 }
954 else
955 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
956 }
957
958 send_reset (rsi);
959 break;
960
961 case vpn_packet::PT_CONNECT_REQ: 1228 case vpn_packet::PT_CONNECT_REQ:
962 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1229 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
963 { 1230 {
964 connect_req_packet *p = (connect_req_packet *) pkt; 1231 connect_req_packet *p = (connect_req_packet *)pkt;
965 1232
966 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1233 if (p->id > 0 && p->id <= vpn->conns.size ())
967 conf->protocols = p->protocols; 1234 {
968 connection *c = vpn->conns[p->id - 1]; 1235 connection *c = vpn->conns[p->id - 1];
1236 conf->protocols = p->protocols;
969 1237
970 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 1238 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s,p%02x) [%d]",
1239 conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1240 p->protocols,
971 conf->id, p->id, c->ictx && c->octx); 1241 c->ictx && c->octx);
972 1242
973 if (c->ictx && c->octx) 1243 if (c->ictx && c->octx)
974 { 1244 {
975 // send connect_info packets to both sides, in case one is 1245 // send connect_info packets to both sides, in case one is
976 // behind a nat firewall (or both ;) 1246 // behind a nat firewall (or both ;)
977 c->send_connect_info (conf->id, si, conf->protocols); 1247 c->send_connect_info (conf->id, si, conf->protocols);
978 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1248 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1249 }
1250 else
1251 c->establish_connection ();
979 } 1252 }
1253 else
1254 slog (L_WARN,
1255 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1256 p->id);
980 } 1257 }
981 1258
982 break; 1259 break;
983 1260
984 case vpn_packet::PT_CONNECT_INFO: 1261 case vpn_packet::PT_CONNECT_INFO:
985 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1262 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
986 { 1263 {
987 connect_info_packet *p = (connect_info_packet *) pkt; 1264 connect_info_packet *p = (connect_info_packet *)pkt;
988 1265
989 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1266 if (p->id > 0 && p->id <= vpn->conns.size ())
990 conf->protocols = p->protocols; 1267 {
991 connection *c = vpn->conns[p->id - 1]; 1268 connection *c = vpn->conns[p->id - 1];
992 1269
993 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1270 c->conf->protocols = p->protocols;
994 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1271 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1272 p->si.upgrade_protocol (protocol, c->conf);
995 1273
1274 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s,protocols=%02x,protocol=%02x,upgradable=%02x) [%d]",
1275 conf->nodename,
1276 vpn->conns[p->id - 1]->conf->nodename,
1277 (const char *)p->si,
1278 p->protocols,
1279 protocol,
1280 p->si.supported_protocols (c->conf),
1281 !c->ictx && !c->octx);
1282
1283 const sockinfo &dsi = forward_si (p->si);
1284
1285 if (dsi.valid ())
996 c->send_auth_request (p->si, true); 1286 c->send_auth_request (dsi, true);
1287 else
1288 slog (L_INFO, "connect info for %s received (%s), but still unable to contact.",
1289 vpn->conns[p->id - 1]->conf->nodename,
1290 (const char *)p->si);
1291 }
1292 else
1293 slog (L_WARN,
1294 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1295 p->id);
997 } 1296 }
998 1297
999 break; 1298 break;
1000 1299
1001 default: 1300 default:
1002 send_reset (rsi); 1301 send_reset (rsi);
1003 break; 1302 break;
1004
1005 } 1303 }
1006} 1304}
1007 1305
1008void connection::keepalive_cb (tstamp &ts) 1306inline void
1307connection::keepalive_cb (ev::timer &w, int revents)
1009{ 1308{
1010 if (NOW >= last_activity + ::conf.keepalive + 30) 1309 ev_tstamp when = last_activity + ::conf.keepalive - ev::now ();
1310
1311 if (when >= 0)
1312 w.start (when);
1313 else if (when < -15)
1011 { 1314 {
1012 reset_connection (); 1315 reset_connection ();
1013 establish_connection (); 1316 establish_connection ();
1014 } 1317 }
1015 else if (NOW < last_activity + ::conf.keepalive)
1016 ts = last_activity + ::conf.keepalive;
1017 else if (conf->connectmode != conf_node::C_ONDEMAND 1318 else if (conf->connectmode != conf_node::C_ONDEMAND
1018 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1319 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1019 { 1320 {
1321 w.start (3);
1020 send_ping (si); 1322 send_ping (si);
1021 ts = NOW + 5;
1022 } 1323 }
1324 else if (when >= -10)
1325 // hold ondemand connections implicitly a few seconds longer
1326 // should delete octx, though, or something like that ;)
1327 w.start (when + 10);
1023 else 1328 else
1024 reset_connection (); 1329 reset_connection ();
1025} 1330}
1026 1331
1332void
1027void connection::connect_request (int id) 1333connection::send_connect_request (int id)
1028{ 1334{
1029 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1335 connect_req_packet *p = new connect_req_packet (conf->id, id, THISNODE->protocols);
1030 1336
1031 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1337 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s,p%02x)",
1338 conf->nodename, vpn->conns[id - 1]->conf->nodename,
1339 THISNODE->protocols);
1032 p->hmac_set (octx); 1340 p->hmac_set (octx);
1033 send_vpn_packet (p, si); 1341 send_vpn_packet (p, si);
1034 1342
1035 delete p; 1343 delete p;
1036} 1344}
1037 1345
1038void connection::script_node () 1346void
1347connection::script_init_env (const char *ext)
1039{ 1348{
1040 vpn->script_if_up (0);
1041
1042 char *env; 1349 char *env;
1350 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1351 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1352 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1353 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1354 conf->id & 0xff); putenv (env);
1355}
1356
1357void
1358connection::script_init_connect_env ()
1359{
1360 vpn->script_init_env ();
1361
1362 char *env;
1043 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1363 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1364 asprintf (&env, "DESTSI=%s", (const char *)si); putenv (env);
1044 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1365 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1045 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1366 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1046 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1367 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1047} 1368}
1048 1369
1370inline const char *
1049const char *connection::script_node_up (int) 1371connection::script_node_up ()
1050{ 1372{
1051 script_node (); 1373 script_init_connect_env ();
1052 1374
1053 putenv ("STATE=up"); 1375 putenv ((char *)"STATE=up");
1054 1376
1377 char *filename;
1378 asprintf (&filename,
1379 "%s/%s",
1380 confbase,
1055 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1381 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1056}
1057 1382
1383 return filename;
1384}
1385
1386inline const char *
1387connection::script_node_change ()
1388{
1389 script_init_connect_env ();
1390
1391 putenv ((char *)"STATE=change");
1392
1393 char *filename;
1394 asprintf (&filename,
1395 "%s/%s",
1396 confbase,
1397 ::conf.script_node_change ? ::conf.script_node_change : "node-change");
1398
1399 return filename;
1400}
1401
1402inline const char *
1058const char *connection::script_node_down (int) 1403connection::script_node_down ()
1059{ 1404{
1060 script_node (); 1405 script_init_connect_env ();
1061 1406
1062 putenv ("STATE=down"); 1407 putenv ((char *)"STATE=down");
1063 1408
1064 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1409 char *filename;
1065} 1410 asprintf (&filename,
1411 "%s/%s",
1412 confbase,
1413 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1066 1414
1067// send a vpn packet out to other hosts 1415 return filename;
1068void
1069connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1070{
1071 if (protocol & PROT_IPv4)
1072 vpn->send_ipv4_packet (pkt, si, tos);
1073 else
1074 vpn->send_udpv4_packet (pkt, si, tos);
1075} 1416}
1076 1417
1077connection::connection(struct vpn *vpn_) 1418connection::connection (struct vpn *vpn, conf_node *conf)
1078: vpn(vpn_) 1419: vpn(vpn), conf(conf),
1079, rekey (this, &connection::rekey_cb) 1420#if ENABLE_DNS
1080, keepalive (this, &connection::keepalive_cb) 1421 dns (0),
1422#endif
1423 data_queue(conf->max_ttl, conf->max_queue + 1),
1424 vpn_queue(conf->max_ttl, conf->max_queue + 1)
1425{
1426 rekey .set<connection, &connection::rekey_cb > (this);
1427 keepalive .set<connection, &connection::keepalive_cb > (this);
1081, establish_connection (this, &connection::establish_connection_cb) 1428 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1082{ 1429
1430 last_establish_attempt = 0.;
1083 octx = ictx = 0; 1431 octx = ictx = 0;
1084 retry_cnt = 0;
1085 1432
1086 connectmode = conf_node::C_ALWAYS; // initial setting 1433 connectmode = conf->connectmode;
1434
1435 // queue a dummy packet to force an initial connection attempt
1436 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1437 vpn_queue.put (new net_packet);
1438
1087 reset_connection (); 1439 reset_connection ();
1088} 1440}
1089 1441
1090connection::~connection () 1442connection::~connection ()
1091{ 1443{
1092 shutdown (); 1444 shutdown ();
1093} 1445}
1094 1446
1447void
1095void connection_init () 1448connection_init ()
1096{ 1449{
1097 auth_rate_limiter.clear (); 1450 auth_rate_limiter.clear ();
1098 reset_rate_limiter.clear (); 1451 reset_rate_limiter.clear ();
1099} 1452}
1100 1453

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines