ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.19 by pcg, Tue Oct 14 03:22:09 2003 UTC vs.
Revision 1.70 by pcg, Thu Aug 7 19:07:02 2008 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de>
3 4
5 This file is part of GVPE.
6
4 This program is free software; you can redistribute it and/or modify 7 GVPE is free software; you can redistribute it and/or modify it
5 it under the terms of the GNU General Public License as published by 8 under the terms of the GNU General Public License as published by the
6 the Free Software Foundation; either version 2 of the License, or 9 Free Software Foundation; either version 3 of the License, or (at your
7 (at your option) any later version. 10 option) any later version.
8 11
9 This program is distributed in the hope that it will be useful, 12 This program is distributed in the hope that it will be useful, but
10 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
12 GNU General Public License for more details. 15 Public License for more details.
13 16
14 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License along
15 along with this program; if not, write to the Free Software 18 with this program; if not, see <http://www.gnu.org/licenses/>.
16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19
20 Additional permission under GNU GPL version 3 section 7
21
22 If you modify this Program, or any covered work, by linking or
23 combining it with the OpenSSL project's OpenSSL library (or a modified
24 version of that library), containing parts covered by the terms of the
25 OpenSSL or SSLeay licenses, the licensors of this Program grant you
26 additional permission to convey the resulting work. Corresponding
27 Source for a non-source form of such a combination shall include the
28 source code for the parts of OpenSSL used as well as that of the
29 covered work.
17*/ 30*/
18 31
19#include "config.h" 32#include "config.h"
20 33
21extern "C" {
22# include "lzf/lzf.h"
23}
24
25#include <list> 34#include <list>
35#include <queue>
36#include <utility>
26 37
27#include <openssl/rand.h> 38#include <openssl/rand.h>
28#include <openssl/evp.h> 39#include <openssl/evp.h>
29#include <openssl/rsa.h> 40#include <openssl/rsa.h>
30#include <openssl/err.h> 41#include <openssl/err.h>
31
32#include "gettext.h"
33 42
34#include "conf.h" 43#include "conf.h"
35#include "slog.h" 44#include "slog.h"
36#include "device.h" 45#include "device.h"
37#include "vpn.h" 46#include "vpn.h"
38#include "connection.h" 47#include "connection.h"
39 48
40#include <sys/socket.h> 49#include "netcompat.h"
41#ifdef HAVE_NETINET_IN_H
42# include <netinet/in.h>
43#endif
44#include <arpa/inet.h>
45#include <net/if.h>
46#ifdef HAVE_NETINET_IN_SYSTM_H
47# include <netinet/in_systm.h>
48#endif
49#ifdef HAVE_NETINET_IP_H
50# include <netinet/ip.h>
51#endif
52
53#ifndef IPTOS_TOS_MASK
54# define IPTOS_TOS_MASK (IPTOS_LOWDELAY | IPTOS_THROUGHPUT | IPTOS_RELIABILITY | IPTOS_MINCOST)
55#endif
56 50
57#if !HAVE_RAND_PSEUDO_BYTES 51#if !HAVE_RAND_PSEUDO_BYTES
58# define RAND_pseudo_bytes RAND_bytes 52# define RAND_pseudo_bytes RAND_bytes
59#endif 53#endif
60 54
61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 55#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
62 56
57#define ULTRA_FAST 1
58#define HLOG 15
59#include "lzf/lzf.h"
60#include "lzf/lzf_c.c"
61#include "lzf/lzf_d.c"
62
63//////////////////////////////////////////////////////////////////////////////
64
65static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
66static ev::child rs_child_ev;
67
68void // c++ requires external linkage here, apparently :(
69rs_child_cb (ev::child &w, int revents)
70{
71 w.stop ();
72
73 if (rs_queue.empty ())
74 return;
75
76 pid_t pid = run_script (*rs_queue.front ().first, false);
77 if (pid)
78 {
79 w.set (pid);
80 w.start ();
81 }
82 else
83 slog (L_WARN, rs_queue.front ().second);
84
85 delete rs_queue.front ().first;
86 rs_queue.pop ();
87}
88
89// despite the fancy name, this is quite a hack
90static void
91run_script_queued (run_script_cb *cb, const char *warnmsg)
92{
93 rs_queue.push (std::make_pair (cb, warnmsg));
94
95 if (!rs_child_ev.is_active ())
96 {
97 rs_child_ev.set<rs_child_cb> ();
98 rs_child_ev ();
99 }
100}
101
102//////////////////////////////////////////////////////////////////////////////
103
63struct crypto_ctx 104struct crypto_ctx
64{ 105{
65 EVP_CIPHER_CTX cctx; 106 EVP_CIPHER_CTX cctx;
66 HMAC_CTX hctx; 107 HMAC_CTX hctx;
67 108
70}; 111};
71 112
72crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc) 113crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
73{ 114{
74 EVP_CIPHER_CTX_init (&cctx); 115 EVP_CIPHER_CTX_init (&cctx);
75 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); 116 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
76 HMAC_CTX_init (&hctx); 117 HMAC_CTX_init (&hctx);
77 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0); 118 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
78} 119}
79 120
80crypto_ctx::~crypto_ctx () 121crypto_ctx::~crypto_ctx ()
81{ 122{
82 EVP_CIPHER_CTX_cleanup (&cctx); 123 require (EVP_CIPHER_CTX_cleanup (&cctx));
83 HMAC_CTX_cleanup (&hctx); 124 HMAC_CTX_cleanup (&hctx);
84} 125}
85 126
86static void 127static void
87rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h) 128rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
88{ 129{
89 EVP_MD_CTX ctx; 130 EVP_MD_CTX ctx;
90 131
91 EVP_MD_CTX_init (&ctx); 132 EVP_MD_CTX_init (&ctx);
92 EVP_DigestInit (&ctx, RSA_HASH); 133 require (EVP_DigestInit (&ctx, RSA_HASH));
93 EVP_DigestUpdate(&ctx, &chg, sizeof chg); 134 require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
94 EVP_DigestUpdate(&ctx, &id, sizeof id); 135 require (EVP_DigestUpdate(&ctx, &id, sizeof id));
95 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0); 136 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
96 EVP_MD_CTX_cleanup (&ctx); 137 EVP_MD_CTX_cleanup (&ctx);
97} 138}
98 139
99struct rsa_entry { 140struct rsa_entry
141{
100 tstamp expire; 142 tstamp expire;
101 rsaid id; 143 rsaid id;
102 rsachallenge chg; 144 rsachallenge chg;
103}; 145};
104 146
105struct rsa_cache : list<rsa_entry> 147struct rsa_cache : list<rsa_entry>
106{ 148{
107 void cleaner_cb (time_watcher &w); time_watcher cleaner; 149 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
108 150
109 bool find (const rsaid &id, rsachallenge &chg) 151 bool find (const rsaid &id, rsachallenge &chg)
110 { 152 {
111 for (iterator i = begin (); i != end (); ++i) 153 for (iterator i = begin (); i != end (); ++i)
112 { 154 {
113 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW) 155 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
114 { 156 {
115 memcpy (&chg, &i->chg, sizeof chg); 157 memcpy (&chg, &i->chg, sizeof chg);
116 158
117 erase (i); 159 erase (i);
118 return true; 160 return true;
119 } 161 }
120 } 162 }
121 163
122 if (cleaner.at < NOW) 164 if (!cleaner.is_active ())
123 cleaner.start (NOW + RSA_TTL); 165 cleaner.again ();
124 166
125 return false; 167 return false;
126 } 168 }
127 169
128 void gen (rsaid &id, rsachallenge &chg) 170 void gen (rsaid &id, rsachallenge &chg)
129 { 171 {
130 rsa_entry e; 172 rsa_entry e;
131 173
132 RAND_bytes ((unsigned char *)&id, sizeof id); 174 RAND_bytes ((unsigned char *)&id, sizeof id);
133 RAND_bytes ((unsigned char *)&chg, sizeof chg); 175 RAND_bytes ((unsigned char *)&chg, sizeof chg);
134 176
135 e.expire = NOW + RSA_TTL; 177 e.expire = ev_now () + RSA_TTL;
136 e.id = id; 178 e.id = id;
137 memcpy (&e.chg, &chg, sizeof chg); 179 memcpy (&e.chg, &chg, sizeof chg);
138 180
139 push_back (e); 181 push_back (e);
140 182
141 if (cleaner.at < NOW) 183 if (!cleaner.is_active ())
142 cleaner.start (NOW + RSA_TTL); 184 cleaner.again ();
143 } 185 }
144 186
145 rsa_cache () 187 rsa_cache ()
146 : cleaner (this, &rsa_cache::cleaner_cb) 188 {
147 { } 189 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
190 cleaner.set (RSA_TTL, RSA_TTL);
191 }
148 192
149} rsa_cache; 193} rsa_cache;
150 194
151void rsa_cache::cleaner_cb (time_watcher &w) 195void rsa_cache::cleaner_cb (ev::timer &w, int revents)
152{ 196{
153 if (empty ()) 197 if (empty ())
154 w.at = TSTAMP_CANCEL; 198 w.stop ();
155 else 199 else
156 { 200 {
157 w.at = NOW + RSA_TTL;
158
159 for (iterator i = begin (); i != end (); ) 201 for (iterator i = begin (); i != end (); )
160 if (i->expire <= NOW) 202 if (i->expire <= ev_now ())
161 i = erase (i); 203 i = erase (i);
162 else 204 else
163 ++i; 205 ++i;
164 } 206 }
165} 207}
166 208
167////////////////////////////////////////////////////////////////////////////// 209//////////////////////////////////////////////////////////////////////////////
168 210
169void pkt_queue::put (net_packet *p) 211pkt_queue::pkt_queue (double max_ttl, int max_queue)
212: max_ttl (max_ttl), max_queue (max_queue)
170{ 213{
171 if (queue[i]) 214 queue = new pkt [max_queue];
172 {
173 delete queue[i];
174 j = (j + 1) % QUEUEDEPTH;
175 }
176 215
177 queue[i] = p;
178
179 i = (i + 1) % QUEUEDEPTH;
180}
181
182net_packet *pkt_queue::get ()
183{
184 net_packet *p = queue[j];
185
186 if (p)
187 {
188 queue[j] = 0;
189 j = (j + 1) % QUEUEDEPTH;
190 }
191
192 return p;
193}
194
195pkt_queue::pkt_queue ()
196{
197 memset (queue, 0, sizeof (queue));
198 i = 0; 216 i = 0;
199 j = 0; 217 j = 0;
218
219 expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
200} 220}
201 221
202pkt_queue::~pkt_queue () 222pkt_queue::~pkt_queue ()
203{ 223{
204 for (i = QUEUEDEPTH; --i > 0; ) 224 while (net_packet *p = get ())
225 delete p;
226
205 delete queue[i]; 227 delete [] queue;
206} 228}
207 229
230void pkt_queue::expire_cb (ev::timer &w, int revents)
231{
232 ev_tstamp expire = ev_now () - max_ttl;
233
234 for (;;)
235 {
236 if (empty ())
237 break;
238
239 double diff = queue[j].tstamp - expire;
240
241 if (diff >= 0.)
242 {
243 w.start (diff > 0.5 ? diff : 0.5);
244 break;
245 }
246
247 delete get ();
248 }
249}
250
251void pkt_queue::put (net_packet *p)
252{
253 ev_tstamp now = ev_now ();
254
255 // start expiry timer
256 if (empty ())
257 expire.start (max_ttl);
258
259 int ni = i + 1 == max_queue ? 0 : i + 1;
260
261 if (ni == j)
262 delete get ();
263
264 queue[i].pkt = p;
265 queue[i].tstamp = now;
266
267 i = ni;
268}
269
270net_packet *pkt_queue::get ()
271{
272 if (empty ())
273 return 0;
274
275 net_packet *p = queue[j].pkt;
276 queue[j].pkt = 0;
277
278 j = j + 1 == max_queue ? 0 : j + 1;
279
280 return p;
281}
282
208struct net_rateinfo { 283struct net_rateinfo
284{
209 u32 host; 285 u32 host;
210 double pcnt, diff; 286 double pcnt, diff;
211 tstamp last; 287 tstamp last;
212}; 288};
213 289
214// only do action once every x seconds per host whole allowing bursts. 290// only do action once every x seconds per host whole allowing bursts.
215// this implementation ("splay list" ;) is inefficient, 291// this implementation ("splay list" ;) is inefficient,
216// but low on resources. 292// but low on resources.
217struct net_rate_limiter : list<net_rateinfo> 293struct net_rate_limiter : list<net_rateinfo>
218{ 294{
219 static const double ALPHA = 1. - 1. / 600.; // allow bursts 295# define NRL_ALPHA (1. - 1. / 600.) // allow bursts
220 static const double CUTOFF = 10.; // one event every CUTOFF seconds 296# define NRL_CUTOFF 10. // one event every CUTOFF seconds
221 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 297# define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
222 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value 298# define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
223 299
224 bool can (const sockinfo &si) { return can((u32)si.host); } 300 bool can (const sockinfo &si) { return can((u32)si.host); }
225 bool can (u32 host); 301 bool can (u32 host);
226}; 302};
227 303
232 iterator i; 308 iterator i;
233 309
234 for (i = begin (); i != end (); ) 310 for (i = begin (); i != end (); )
235 if (i->host == host) 311 if (i->host == host)
236 break; 312 break;
237 else if (i->last < NOW - EXPIRE) 313 else if (i->last < ev_now () - NRL_EXPIRE)
238 i = erase (i); 314 i = erase (i);
239 else 315 else
240 i++; 316 i++;
241 317
242 if (i == end ()) 318 if (i == end ())
243 { 319 {
244 net_rateinfo ri; 320 net_rateinfo ri;
245 321
246 ri.host = host; 322 ri.host = host;
247 ri.pcnt = 1.; 323 ri.pcnt = 1.;
248 ri.diff = MAXDIF; 324 ri.diff = NRL_MAXDIF;
249 ri.last = NOW; 325 ri.last = ev_now ();
250 326
251 push_front (ri); 327 push_front (ri);
252 328
253 return true; 329 return true;
254 } 330 }
255 else 331 else
256 { 332 {
257 net_rateinfo ri (*i); 333 net_rateinfo ri (*i);
258 erase (i); 334 erase (i);
259 335
260 ri.pcnt = ri.pcnt * ALPHA; 336 ri.pcnt = ri.pcnt * NRL_ALPHA;
261 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 337 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
262 338
263 ri.last = NOW; 339 ri.last = ev_now ();
264 340
265 double dif = ri.diff / ri.pcnt; 341 double dif = ri.diff / ri.pcnt;
266 342
267 bool send = dif > CUTOFF; 343 bool send = dif > NRL_CUTOFF;
268 344
269 if (dif > MAXDIF) 345 if (dif > NRL_MAXDIF)
270 { 346 {
271 ri.pcnt = 1.; 347 ri.pcnt = 1.;
272 ri.diff = MAXDIF; 348 ri.diff = NRL_MAXDIF;
273 } 349 }
274 else if (send) 350 else if (send)
275 ri.pcnt++; 351 ri.pcnt++;
276 352
277 push_front (ri); 353 push_front (ri);
324} 400}
325 401
326#define MAXVPNDATA (MAX_MTU - 6 - 6) 402#define MAXVPNDATA (MAX_MTU - 6 - 6)
327#define DATAHDR (sizeof (u32) + RAND_SIZE) 403#define DATAHDR (sizeof (u32) + RAND_SIZE)
328 404
329struct vpndata_packet:vpn_packet 405struct vpndata_packet : vpn_packet
330 { 406 {
331 u8 data[MAXVPNDATA + DATAHDR]; // seqno 407 u8 data[MAXVPNDATA + DATAHDR]; // seqno
332 408
333 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno); 409 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
334 tap_packet *unpack (connection *conn, u32 &seqno); 410 tap_packet *unpack (connection *conn, u32 &seqno);
347 int outl = 0, outl2; 423 int outl = 0, outl2;
348 ptype type = PT_DATA_UNCOMPRESSED; 424 ptype type = PT_DATA_UNCOMPRESSED;
349 425
350#if ENABLE_COMPRESSION 426#if ENABLE_COMPRESSION
351 u8 cdata[MAX_MTU]; 427 u8 cdata[MAX_MTU];
352 u32 cl;
353 428
429 if (conn->features & ENABLE_COMPRESSION)
430 {
354 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 431 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
432
355 if (cl) 433 if (cl)
356 { 434 {
357 type = PT_DATA_COMPRESSED; 435 type = PT_DATA_COMPRESSED;
358 d = cdata; 436 d = cdata;
359 l = cl + 2; 437 l = cl + 2;
360 438
361 d[0] = cl >> 8; 439 d[0] = cl >> 8;
362 d[1] = cl; 440 d[1] = cl;
441 }
363 } 442 }
364#endif 443#endif
365 444
366 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 445 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
367 446
368 struct { 447 struct {
369#if RAND_SIZE 448#if RAND_SIZE
370 u8 rnd[RAND_SIZE]; 449 u8 rnd[RAND_SIZE];
371#endif 450#endif
375 datahdr.seqno = ntohl (seqno); 454 datahdr.seqno = ntohl (seqno);
376#if RAND_SIZE 455#if RAND_SIZE
377 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 456 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
378#endif 457#endif
379 458
380 EVP_EncryptUpdate (cctx, 459 require (EVP_EncryptUpdate (cctx,
381 (unsigned char *) data + outl, &outl2, 460 (unsigned char *) data + outl, &outl2,
382 (unsigned char *) &datahdr, DATAHDR); 461 (unsigned char *) &datahdr, DATAHDR));
383 outl += outl2; 462 outl += outl2;
384 463
385 EVP_EncryptUpdate (cctx, 464 require (EVP_EncryptUpdate (cctx,
386 (unsigned char *) data + outl, &outl2, 465 (unsigned char *) data + outl, &outl2,
387 (unsigned char *) d, l); 466 (unsigned char *) d, l));
388 outl += outl2; 467 outl += outl2;
389 468
390 EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2); 469 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
391 outl += outl2; 470 outl += outl2;
392 471
393 len = outl + data_hdr_size (); 472 len = outl + data_hdr_size ();
394 473
395 set_hdr (type, dst); 474 set_hdr (type, dst);
404 int outl = 0, outl2; 483 int outl = 0, outl2;
405 tap_packet *p = new tap_packet; 484 tap_packet *p = new tap_packet;
406 u8 *d; 485 u8 *d;
407 u32 l = len - data_hdr_size (); 486 u32 l = len - data_hdr_size ();
408 487
409 EVP_DecryptInit_ex (cctx, 0, 0, 0, 0); 488 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
410 489
411#if ENABLE_COMPRESSION 490#if ENABLE_COMPRESSION
412 u8 cdata[MAX_MTU]; 491 u8 cdata[MAX_MTU];
413 492
414 if (type == PT_DATA_COMPRESSED) 493 if (type == PT_DATA_COMPRESSED)
416 else 495 else
417#endif 496#endif
418 d = &(*p)[6 + 6 - DATAHDR]; 497 d = &(*p)[6 + 6 - DATAHDR];
419 498
420 /* this overwrites part of the src mac, but we fix that later */ 499 /* this overwrites part of the src mac, but we fix that later */
421 EVP_DecryptUpdate (cctx, 500 require (EVP_DecryptUpdate (cctx,
422 d, &outl2, 501 d, &outl2,
423 (unsigned char *)&data, len - data_hdr_size ()); 502 (unsigned char *)&data, len - data_hdr_size ()));
424 outl += outl2; 503 outl += outl2;
425 504
426 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 505 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
427 outl += outl2; 506 outl += outl2;
428 507
429 seqno = ntohl (*(u32 *)(d + RAND_SIZE)); 508 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
430 509
431 id2mac (dst () ? dst() : THISNODE->id, p->dst); 510 id2mac (dst () ? dst() : THISNODE->id, p->dst);
460{ 539{
461 // actually, hmaclen cannot be checked because the hmac 540 // actually, hmaclen cannot be checked because the hmac
462 // field comes before this data, so peers with other 541 // field comes before this data, so peers with other
463 // hmacs simply will not work. 542 // hmacs simply will not work.
464 u8 prot_major, prot_minor, randsize, hmaclen; 543 u8 prot_major, prot_minor, randsize, hmaclen;
465 u8 flags, challengelen, pad2, pad3; 544 u8 flags, challengelen, features, pad3;
466 u32 cipher_nid, digest_nid, hmac_nid; 545 u32 cipher_nid, digest_nid, hmac_nid;
467
468 const u8 curflags () const
469 {
470 return 0x80
471 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
472 }
473 546
474 void setup (ptype type, int dst); 547 void setup (ptype type, int dst);
475 bool chk_config () const; 548 bool chk_config () const;
549
550 static u8 get_features ()
551 {
552 u8 f = 0;
553#if ENABLE_COMPRESSION
554 f |= FEATURE_COMPRESSION;
555#endif
556#if ENABLE_ROHC
557 f |= FEATURE_ROHC;
558#endif
559#if ENABLE_BRIDGING
560 f |= FEATURE_BRIDGING;
561#endif
562 return f;
563 }
476}; 564};
477 565
478void config_packet::setup (ptype type, int dst) 566void config_packet::setup (ptype type, int dst)
479{ 567{
480 prot_major = PROTOCOL_MAJOR; 568 prot_major = PROTOCOL_MAJOR;
481 prot_minor = PROTOCOL_MINOR; 569 prot_minor = PROTOCOL_MINOR;
482 randsize = RAND_SIZE; 570 randsize = RAND_SIZE;
483 hmaclen = HMACLENGTH; 571 hmaclen = HMACLENGTH;
484 flags = curflags (); 572 flags = 0;
485 challengelen = sizeof (rsachallenge); 573 challengelen = sizeof (rsachallenge);
574 features = get_features ();
486 575
487 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 576 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
488 digest_nid = htonl (EVP_MD_type (RSA_HASH)); 577 digest_nid = htonl (EVP_MD_type (RSA_HASH));
489 hmac_nid = htonl (EVP_MD_type (DIGEST)); 578 hmac_nid = htonl (EVP_MD_type (DIGEST));
490 579
493} 582}
494 583
495bool config_packet::chk_config () const 584bool config_packet::chk_config () const
496{ 585{
497 if (prot_major != PROTOCOL_MAJOR) 586 if (prot_major != PROTOCOL_MAJOR)
498 slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR); 587 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
499 else if (randsize != RAND_SIZE) 588 else if (randsize != RAND_SIZE)
500 slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE); 589 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
501 else if (hmaclen != HMACLENGTH) 590 else if (hmaclen != HMACLENGTH)
502 slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH); 591 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
503 else if (flags != curflags ())
504 slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
505 else if (challengelen != sizeof (rsachallenge)) 592 else if (challengelen != sizeof (rsachallenge))
506 slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge)); 593 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
507 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER))) 594 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
508 slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER)); 595 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
509 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH))) 596 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
510 slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH)); 597 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
511 else if (hmac_nid != htonl (EVP_MD_type (DIGEST))) 598 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
512 slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST)); 599 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
513 else 600 else
514 return true; 601 return true;
515 602
516 return false; 603 return false;
517} 604}
518 605
519struct auth_req_packet : config_packet 606struct auth_req_packet : config_packet
520{ 607{
521 char magic[8]; 608 char magic[8];
522 u8 initiate; // false if this is just an automatic reply 609 u8 initiate; // false if this is just an automatic reply
523 u8 protocols; // supported protocols (will get patches on forward) 610 u8 protocols; // supported protocols (will be patched on forward)
524 u8 pad2, pad3; 611 u8 pad2, pad3;
525 rsaid id; 612 rsaid id;
526 rsaencrdata encr; 613 rsaencrdata encr;
527 614
528 auth_req_packet (int dst, bool initiate_, u8 protocols_) 615 auth_req_packet (int dst, bool initiate_, u8 protocols_)
585///////////////////////////////////////////////////////////////////////////// 672/////////////////////////////////////////////////////////////////////////////
586 673
587void 674void
588connection::connection_established () 675connection::connection_established ()
589{ 676{
677 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
678
590 if (ictx && octx) 679 if (ictx && octx)
591 { 680 {
592 connectmode = conf->connectmode; 681 // make sure rekeying timeouts are slightly asymmetric
593 682 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
594 rekey.start (NOW + ::conf.rekey); 683 rekey.start (rekey_interval, rekey_interval);
595 keepalive.start (NOW + ::conf.keepalive); 684 keepalive.start (::conf.keepalive);
596 685
597 // send queued packets 686 // send queued packets
598 if (ictx && octx) 687 if (ictx && octx)
599 { 688 {
600 while (tap_packet *p = (tap_packet *)data_queue.get ()) 689 while (tap_packet *p = (tap_packet *)data_queue.get ())
601 { 690 {
602 send_data_packet (p); 691 if (p->len) send_data_packet (p);
603 delete p; 692 delete p;
604 } 693 }
605 694
606 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ()) 695 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
607 { 696 {
608 send_vpn_packet (p, si, IPTOS_RELIABILITY); 697 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
609 delete p; 698 delete p;
610 } 699 }
611 } 700 }
612 } 701 }
613 else 702 else
614 { 703 {
615 retry_cnt = 0; 704 retry_cnt = 0;
616 establish_connection.start (NOW + 5); 705 establish_connection.start (5);
617 keepalive.reset (); 706 keepalive.stop ();
618 rekey.reset (); 707 rekey.stop ();
619 } 708 }
620} 709}
621 710
622void 711void
623connection::reset_si () 712connection::reset_si ()
625 protocol = best_protocol (THISNODE->protocols & conf->protocols); 714 protocol = best_protocol (THISNODE->protocols & conf->protocols);
626 715
627 // mask out protocols we cannot establish 716 // mask out protocols we cannot establish
628 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 717 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
629 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 718 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
719 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
720
721 if (protocol
722 && (!conf->can_direct (THISNODE)
723 || !THISNODE->can_direct (conf)))
724 {
725 slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename);
726 protocol = 0;
727 }
630 728
631 si.set (conf, protocol); 729 si.set (conf, protocol);
632} 730}
633 731
634// ensure sockinfo is valid, forward if necessary 732// ensure sockinfo is valid, forward if necessary
639 { 737 {
640 connection *r = vpn->find_router (); 738 connection *r = vpn->find_router ();
641 739
642 if (r) 740 if (r)
643 { 741 {
644 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"), 742 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s (%s)"),
645 conf->nodename, r->conf->nodename); 743 conf->nodename, r->conf->nodename, (const char *)r->si);
646 return r->si; 744 return r->si;
647 } 745 }
648 else 746 else
649 slog (L_DEBUG, _("%s: node unreachable, no common protocol"), 747 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
650 conf->nodename); 748 conf->nodename);
689connection::send_auth_request (const sockinfo &si, bool initiate) 787connection::send_auth_request (const sockinfo &si, bool initiate)
690{ 788{
691 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols); 789 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
692 790
693 rsachallenge chg; 791 rsachallenge chg;
694
695 rsa_cache.gen (pkt->id, chg); 792 rsa_cache.gen (pkt->id, chg);
696 793 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
697 if (0 > RSA_public_encrypt (sizeof chg,
698 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
699 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
700 fatal ("RSA_public_encrypt error");
701 794
702 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 795 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
703 796
704 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly 797 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
705 798
725} 818}
726 819
727void 820void
728connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 821connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
729{ 822{
730 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 823 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
731 conf->id, rid, (const char *)rsi); 824 conf->id, rid, (const char *)rsi);
732 825
733 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 826 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
734 827
735 r->hmac_set (octx); 828 r->hmac_set (octx);
736 send_vpn_packet (r, si); 829 send_vpn_packet (r, si);
737 830
738 delete r; 831 delete r;
739} 832}
740 833
741void 834inline void
742connection::establish_connection_cb (time_watcher &w) 835connection::establish_connection_cb (ev::timer &w, int revents)
743{ 836{
744 if (ictx || conf == THISNODE 837 if (!ictx
838 && conf != THISNODE
745 || connectmode == conf_node::C_NEVER 839 && connectmode != conf_node::C_NEVER
746 || connectmode == conf_node::C_DISABLED) 840 && connectmode != conf_node::C_DISABLED
747 w.at = TSTAMP_CANCEL; 841 && !w.is_active ())
748 else if (w.at <= NOW)
749 { 842 {
750 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 843 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
751 844 // and stop trying. should probably be handled by a per-connection expire handler.
752 if (retry_int < 3600 * 8) 845 if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
846 {
847 reset_connection ();
753 retry_cnt++; 848 return;
849 }
754 850
755 w.at = NOW + retry_int; 851 last_establish_attempt = ev_now ();
852
853 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
854 ? (retry_cnt & 3) + 1
855 : 1 << (retry_cnt >> 2));
756 856
757 reset_si (); 857 reset_si ();
758 858
859 bool slow = si.prot & PROT_SLOW;
860
759 if (si.prot && !si.host) 861 if (si.prot && !si.host)
862 {
863 slog (L_TRACE, _("%s: connection request (indirect)"), conf->nodename);
864 /*TODO*/ /* start the timer so we don't recurse endlessly */
865 w.start (1);
760 vpn->send_connect_request (conf->id); 866 vpn->send_connect_request (conf->id);
867 }
761 else 868 else
762 { 869 {
870 slog (L_TRACE, _("%s: connection request (direct)"), conf->nodename, !!ictx, !!octx);
871
763 const sockinfo &dsi = forward_si (si); 872 const sockinfo &dsi = forward_si (si);
873
874 slow = slow || (dsi.prot & PROT_SLOW);
764 875
765 if (dsi.valid () && auth_rate_limiter.can (dsi)) 876 if (dsi.valid () && auth_rate_limiter.can (dsi))
766 { 877 {
767 if (retry_cnt < 4) 878 if (retry_cnt < 4)
768 send_auth_request (dsi, true); 879 send_auth_request (dsi, true);
769 else 880 else
770 send_ping (dsi, 0); 881 send_ping (dsi, 0);
771 } 882 }
772 } 883 }
884
885 retry_int *= slow ? 8. : 0.9;
886
887 if (retry_int < conf->max_retry)
888 retry_cnt++;
889 else
890 retry_int = conf->max_retry;
891
892 w.start (retry_int);
773 } 893 }
774} 894}
775 895
776void 896void
777connection::reset_connection () 897connection::reset_connection ()
780 { 900 {
781 slog (L_INFO, _("%s(%s): connection lost"), 901 slog (L_INFO, _("%s(%s): connection lost"),
782 conf->nodename, (const char *)si); 902 conf->nodename, (const char *)si);
783 903
784 if (::conf.script_node_down) 904 if (::conf.script_node_down)
785 run_script (run_script_cb (this, &connection::script_node_down), false); 905 {
906 run_script_cb *cb = new run_script_cb;
907 cb->set<connection, &connection::script_node_down> (this);
908 run_script_queued (cb, _("node-down command execution failed, continuing."));
909 }
786 } 910 }
787 911
788 delete ictx; ictx = 0; 912 delete ictx; ictx = 0;
789 delete octx; octx = 0; 913 delete octx; octx = 0;
914#if ENABLE_DNS
915 dnsv4_reset_connection ();
916#endif
790 917
791 si.host= 0; 918 si.host = 0;
792 919
793 last_activity = 0; 920 last_activity = 0;
794 retry_cnt = 0; 921 retry_cnt = 0;
795 922
796 rekey.reset (); 923 rekey.stop ();
797 keepalive.reset (); 924 keepalive.stop ();
798 establish_connection.reset (); 925 establish_connection.stop ();
799} 926}
800 927
801void 928void
802connection::shutdown () 929connection::shutdown ()
803{ 930{
805 send_reset (si); 932 send_reset (si);
806 933
807 reset_connection (); 934 reset_connection ();
808} 935}
809 936
810void 937inline void
811connection::rekey_cb (time_watcher &w) 938connection::rekey_cb (ev::timer &w, int revents)
812{ 939{
813 w.at = TSTAMP_CANCEL;
814
815 reset_connection (); 940 reset_connection ();
816 establish_connection (); 941 establish_connection ();
817} 942}
818 943
819void 944void
820connection::send_data_packet (tap_packet *pkt, bool broadcast) 945connection::send_data_packet (tap_packet *pkt)
821{ 946{
822 vpndata_packet *p = new vpndata_packet; 947 vpndata_packet *p = new vpndata_packet;
823 int tos = 0; 948 int tos = 0;
824 949
825 // I am not hilarious about peeking into packets, but so be it. 950 // I am not hilarious about peeking into packets, but so be it.
826 if (conf->inherit_tos 951 if (conf->inherit_tos && pkt->is_ipv4 ())
827 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
828 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
829 tos = (*pkt)[15] & IPTOS_TOS_MASK; 952 tos = (*pkt)[15] & IPTOS_TOS_MASK;
830 953
831 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 954 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
832 send_vpn_packet (p, si, tos); 955 send_vpn_packet (p, si, tos);
833 956
834 delete p; 957 delete p;
835 958
836 if (oseqno > MAX_SEQNO) 959 if (oseqno > MAX_SEQNO)
837 rekey (); 960 rekey ();
838} 961}
839 962
840void 963void
964connection::post_inject_queue ()
965{
966 // force a connection every now and when when packets are sent (max 1/s)
967 if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
968 establish_connection.stop ();
969
970 establish_connection ();
971}
972
973void
841connection::inject_data_packet (tap_packet *pkt, bool broadcast) 974connection::inject_data_packet (tap_packet *pkt)
842{ 975{
843 if (ictx && octx) 976 if (ictx && octx)
844 send_data_packet (pkt, broadcast); 977 send_data_packet (pkt);
845 else 978 else
846 { 979 {
847 if (!broadcast)//DDDD
848 data_queue.put (new tap_packet (*pkt)); 980 data_queue.put (new tap_packet (*pkt));
849 981 post_inject_queue ();
850 establish_connection ();
851 } 982 }
852} 983}
853 984
854void connection::inject_vpn_packet (vpn_packet *pkt, int tos) 985void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
855{ 986{
856 if (ictx && octx) 987 if (ictx && octx)
857 send_vpn_packet (pkt, si, tos); 988 send_vpn_packet (pkt, si, tos);
858 else 989 else
859 { 990 {
860 vpn_queue.put (new vpn_packet (*pkt)); 991 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
861 992 post_inject_queue ();
862 establish_connection ();
863 } 993 }
864} 994}
865 995
866void 996void
867connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 997connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
868{ 998{
869 last_activity = NOW; 999 last_activity = ev_now ();
870 1000
871 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 1001 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
872 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 1002 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
1003
1004 if (connectmode == conf_node::C_DISABLED)
1005 return;
873 1006
874 switch (pkt->typ ()) 1007 switch (pkt->typ ())
875 { 1008 {
876 case vpn_packet::PT_PING: 1009 case vpn_packet::PT_PING:
877 // we send pings instead of auth packets after some retries, 1010 // we send pings instead of auth packets after some retries,
924 if (p->initiate) 1057 if (p->initiate)
925 send_auth_request (rsi, false); 1058 send_auth_request (rsi, false);
926 1059
927 rsachallenge k; 1060 rsachallenge k;
928 1061
929 if (0 > RSA_private_decrypt (sizeof (p->encr), 1062 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
930 (unsigned char *)&p->encr, (unsigned char *)&k, 1063 {
931 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
932 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"), 1064 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
933 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0)); 1065 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1066 break;
1067 }
934 else 1068 else
935 { 1069 {
936 delete octx; 1070 delete octx;
937 1071
938 octx = new crypto_ctx (k, 1); 1072 octx = new crypto_ctx (k, 1);
939 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 1073 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
940 1074
941 conf->protocols = p->protocols; 1075 conf->protocols = p->protocols;
1076 features = p->features & config_packet::get_features ();
942 1077
943 send_auth_response (rsi, p->id, k); 1078 send_auth_response (rsi, p->id, k);
944 1079
945 connection_established (); 1080 connection_established ();
946 1081
982 crypto_ctx *cctx = new crypto_ctx (chg, 0); 1117 crypto_ctx *cctx = new crypto_ctx (chg, 0);
983 1118
984 if (!p->hmac_chk (cctx)) 1119 if (!p->hmac_chk (cctx))
985 { 1120 {
986 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 1121 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
987 "could be an attack, or just corruption or an synchronization error"), 1122 "could be an attack, or just corruption or a synchronization error"),
988 conf->nodename, (const char *)rsi); 1123 conf->nodename, (const char *)rsi);
989 break; 1124 break;
990 } 1125 }
991 else 1126 else
992 { 1127 {
1010 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), 1145 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
1011 conf->nodename, (const char *)rsi, 1146 conf->nodename, (const char *)rsi,
1012 p->prot_major, p->prot_minor); 1147 p->prot_major, p->prot_minor);
1013 1148
1014 if (::conf.script_node_up) 1149 if (::conf.script_node_up)
1015 run_script (run_script_cb (this, &connection::script_node_up), false); 1150 {
1151 run_script_cb *cb = new run_script_cb;
1152 cb->set<connection, &connection::script_node_up> (this);
1153 run_script_queued (cb, _("node-up command execution failed, continuing."));
1154 }
1016 1155
1017 break; 1156 break;
1018 } 1157 }
1019 else 1158 else
1020 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1159 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
1041 { 1180 {
1042 vpndata_packet *p = (vpndata_packet *)pkt; 1181 vpndata_packet *p = (vpndata_packet *)pkt;
1043 1182
1044 if (!p->hmac_chk (ictx)) 1183 if (!p->hmac_chk (ictx))
1045 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n" 1184 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1046 "could be an attack, or just corruption or an synchronization error"), 1185 "could be an attack, or just corruption or a synchronization error"),
1047 conf->nodename, (const char *)rsi); 1186 conf->nodename, (const char *)rsi);
1048 else 1187 else
1049 { 1188 {
1050 u32 seqno; 1189 u32 seqno;
1051 tap_packet *d = p->unpack (this, seqno); 1190 tap_packet *d = p->unpack (this, seqno);
1052 1191
1053 if (iseqno.recv_ok (seqno)) 1192 if (iseqno.recv_ok (seqno))
1054 { 1193 {
1055 vpn->tap->send (d); 1194 vpn->tap->send (d);
1056 1195
1057 if (p->dst () == 0) // re-broadcast
1058 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1059 {
1060 connection *c = *i;
1061
1062 if (c->conf != THISNODE && c->conf != conf)
1063 c->inject_data_packet (d);
1064 }
1065
1066 if (si != rsi) 1196 if (si != rsi)
1067 { 1197 {
1068 // fast re-sync on connection changes, useful especially for tcp/ip 1198 // fast re-sync on source address changes, useful especially for tcp/ip
1069 si = rsi; 1199 si = rsi;
1070 1200
1071 slog (L_INFO, _("%s(%s): socket address changed to %s"), 1201 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1072 conf->nodename, (const char *)si, (const char *)rsi); 1202 conf->nodename, (const char *)si, (const char *)rsi);
1073 } 1203 }
1074
1075 delete d;
1076
1077 break;
1078 } 1204 }
1205
1206 delete d;
1207 break;
1079 } 1208 }
1080 } 1209 }
1081 1210
1082 send_reset (rsi); 1211 send_reset (rsi);
1083 break; 1212 break;
1085 case vpn_packet::PT_CONNECT_REQ: 1214 case vpn_packet::PT_CONNECT_REQ:
1086 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1215 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1087 { 1216 {
1088 connect_req_packet *p = (connect_req_packet *) pkt; 1217 connect_req_packet *p = (connect_req_packet *) pkt;
1089 1218
1090 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1219 if (p->id > 0 && p->id <= vpn->conns.size ())
1091 connection *c = vpn->conns[p->id - 1];
1092 conf->protocols = p->protocols;
1093
1094 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1095 conf->id, p->id, c->ictx && c->octx);
1096
1097 if (c->ictx && c->octx)
1098 { 1220 {
1221 connection *c = vpn->conns[p->id - 1];
1222 conf->protocols = p->protocols;
1223
1224 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1225 conf->id, p->id, c->ictx && c->octx);
1226
1227 if (c->ictx && c->octx)
1228 {
1099 // send connect_info packets to both sides, in case one is 1229 // send connect_info packets to both sides, in case one is
1100 // behind a nat firewall (or both ;) 1230 // behind a nat firewall (or both ;)
1101 c->send_connect_info (conf->id, si, conf->protocols); 1231 c->send_connect_info (conf->id, si, conf->protocols);
1102 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1232 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1233 }
1234 else
1235 c->establish_connection ();
1103 } 1236 }
1104 else 1237 else
1105 c->establish_connection (); 1238 slog (L_WARN,
1239 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1240 p->id);
1106 } 1241 }
1107 1242
1108 break; 1243 break;
1109 1244
1110 case vpn_packet::PT_CONNECT_INFO: 1245 case vpn_packet::PT_CONNECT_INFO:
1111 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1246 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1112 { 1247 {
1113 connect_info_packet *p = (connect_info_packet *) pkt; 1248 connect_info_packet *p = (connect_info_packet *)pkt;
1114 1249
1115 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1250 if (p->id > 0 && p->id <= vpn->conns.size ())
1116 1251 {
1117 connection *c = vpn->conns[p->id - 1]; 1252 connection *c = vpn->conns[p->id - 1];
1118 1253
1119 c->conf->protocols = p->protocols; 1254 c->conf->protocols = p->protocols;
1120 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1255 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1121 p->si.upgrade_protocol (protocol, c->conf); 1256 p->si.upgrade_protocol (protocol, c->conf);
1122 1257
1123 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1258 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1124 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1259 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1125 1260
1126 const sockinfo &dsi = forward_si (p->si); 1261 const sockinfo &dsi = forward_si (p->si);
1127 1262
1128 if (dsi.valid ()) 1263 if (dsi.valid ())
1129 c->send_auth_request (dsi, true); 1264 c->send_auth_request (dsi, true);
1265 }
1266 else
1267 slog (L_WARN,
1268 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1269 p->id);
1130 } 1270 }
1131 1271
1132 break; 1272 break;
1133 1273
1134 default: 1274 default:
1135 send_reset (rsi); 1275 send_reset (rsi);
1136 break; 1276 break;
1137 } 1277 }
1138} 1278}
1139 1279
1140void connection::keepalive_cb (time_watcher &w) 1280inline void
1281connection::keepalive_cb (ev::timer &w, int revents)
1141{ 1282{
1142 if (NOW >= last_activity + ::conf.keepalive + 30) 1283 if (ev_now () >= last_activity + ::conf.keepalive + 30)
1143 { 1284 {
1144 reset_connection (); 1285 reset_connection ();
1145 establish_connection (); 1286 establish_connection ();
1146 } 1287 }
1147 else if (NOW < last_activity + ::conf.keepalive) 1288 else if (ev_now () < last_activity + ::conf.keepalive)
1148 w.at = last_activity + ::conf.keepalive; 1289 w.start (last_activity + ::conf.keepalive - ev::now ());
1149 else if (conf->connectmode != conf_node::C_ONDEMAND 1290 else if (conf->connectmode != conf_node::C_ONDEMAND
1150 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1291 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1151 { 1292 {
1152 send_ping (si); 1293 send_ping (si);
1153 w.at = NOW + 5; 1294 w.start (5);
1154 } 1295 }
1155 else if (NOW < last_activity + ::conf.keepalive + 10) 1296 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1156 // hold ondemand connections implicitly a few seconds longer 1297 // hold ondemand connections implicitly a few seconds longer
1157 // should delete octx, though, or something like that ;) 1298 // should delete octx, though, or something like that ;)
1158 w.at = last_activity + ::conf.keepalive + 10; 1299 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1159 else 1300 else
1160 reset_connection (); 1301 reset_connection ();
1161} 1302}
1162 1303
1163void connection::send_connect_request (int id) 1304void connection::send_connect_request (int id)
1169 send_vpn_packet (p, si); 1310 send_vpn_packet (p, si);
1170 1311
1171 delete p; 1312 delete p;
1172} 1313}
1173 1314
1315void connection::script_init_env (const char *ext)
1316{
1317 char *env;
1318 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1319 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1320 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1321 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1322 conf->id & 0xff); putenv (env);
1323}
1324
1174void connection::script_node () 1325void connection::script_init_connect_env ()
1175{ 1326{
1176 vpn->script_if_up (); 1327 vpn->script_init_env ();
1177 1328
1178 char *env; 1329 char *env;
1179 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1330 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1180 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1331 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1181 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1332 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1182 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1333 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1183} 1334}
1184 1335
1336inline const char *
1185const char *connection::script_node_up () 1337connection::script_node_up ()
1186{ 1338{
1187 script_node (); 1339 script_init_connect_env ();
1188 1340
1189 putenv ("STATE=up"); 1341 putenv ((char *)"STATE=up");
1190 1342
1343 char *filename;
1344 asprintf (&filename,
1345 "%s/%s",
1346 confbase,
1191 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1347 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1192}
1193 1348
1349 return filename;
1350}
1351
1352inline const char *
1194const char *connection::script_node_down () 1353connection::script_node_down ()
1195{ 1354{
1196 script_node (); 1355 script_init_connect_env ();
1197 1356
1198 putenv ("STATE=down"); 1357 putenv ((char *)"STATE=down");
1199 1358
1200 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1359 char *filename;
1201} 1360 asprintf (&filename,
1361 "%s/%s",
1362 confbase,
1363 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1202 1364
1365 return filename;
1366}
1367
1203connection::connection(struct vpn *vpn_) 1368connection::connection (struct vpn *vpn, conf_node *conf)
1204: vpn(vpn_) 1369: vpn(vpn), conf(conf),
1205, rekey (this, &connection::rekey_cb) 1370#if ENABLE_DNS
1206, keepalive (this, &connection::keepalive_cb) 1371 dns (0),
1372#endif
1373 data_queue(conf->max_ttl, conf->max_queue),
1374 vpn_queue(conf->max_ttl, conf->max_queue)
1375{
1376 rekey .set<connection, &connection::rekey_cb > (this);
1377 keepalive .set<connection, &connection::keepalive_cb > (this);
1207, establish_connection (this, &connection::establish_connection_cb) 1378 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1208{ 1379
1380 last_establish_attempt = 0.;
1209 octx = ictx = 0; 1381 octx = ictx = 0;
1210 retry_cnt = 0;
1211 1382
1212 connectmode = conf_node::C_ALWAYS; // initial setting 1383 if (!conf->protocols) // make sure some protocol is enabled
1384 conf->protocols = PROT_UDPv4;
1385
1386 connectmode = conf->connectmode;
1387
1388 // queue a dummy packet to force an initial connection attempt
1389 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1390 vpn_queue.put (new net_packet);
1391
1213 reset_connection (); 1392 reset_connection ();
1214} 1393}
1215 1394
1216connection::~connection () 1395connection::~connection ()
1217{ 1396{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines