ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.42 by pcg, Thu Mar 3 16:54:34 2005 UTC vs.
Revision 1.71 by pcg, Fri Aug 8 06:51:56 2008 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2005 Marc Lehmann <gvpe@schmorp.de> 3 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de>
4 4
5 This file is part of GVPE. 5 This file is part of GVPE.
6 6
7 GVPE is free software; you can redistribute it and/or modify 7 GVPE is free software; you can redistribute it and/or modify it
8 it under the terms of the GNU General Public License as published by 8 under the terms of the GNU General Public License as published by the
9 the Free Software Foundation; either version 2 of the License, or 9 Free Software Foundation; either version 3 of the License, or (at your
10 (at your option) any later version. 10 option) any later version.
11 11
12 This program is distributed in the hope that it will be useful, 12 This program is distributed in the hope that it will be useful, but
13 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15 GNU General Public License for more details. 15 Public License for more details.
16 16
17 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License along
18 along with gvpe; if not, write to the Free Software 18 with this program; if not, see <http://www.gnu.org/licenses/>.
19 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19
20 Additional permission under GNU GPL version 3 section 7
21
22 If you modify this Program, or any covered work, by linking or
23 combining it with the OpenSSL project's OpenSSL library (or a modified
24 version of that library), containing parts covered by the terms of the
25 OpenSSL or SSLeay licenses, the licensors of this Program grant you
26 additional permission to convey the resulting work. Corresponding
27 Source for a non-source form of such a combination shall include the
28 source code for the parts of OpenSSL used as well as that of the
29 covered work.
20*/ 30*/
21 31
22#include "config.h" 32#include "config.h"
23 33
24#include <cassert>
25
26#include <list> 34#include <list>
35#include <queue>
36#include <utility>
27 37
28#include <openssl/rand.h> 38#include <openssl/rand.h>
29#include <openssl/evp.h> 39#include <openssl/evp.h>
30#include <openssl/rsa.h> 40#include <openssl/rsa.h>
31#include <openssl/err.h> 41#include <openssl/err.h>
32
33#include "gettext.h"
34 42
35#include "conf.h" 43#include "conf.h"
36#include "slog.h" 44#include "slog.h"
37#include "device.h" 45#include "device.h"
38#include "vpn.h" 46#include "vpn.h"
49#define ULTRA_FAST 1 57#define ULTRA_FAST 1
50#define HLOG 15 58#define HLOG 15
51#include "lzf/lzf.h" 59#include "lzf/lzf.h"
52#include "lzf/lzf_c.c" 60#include "lzf/lzf_c.c"
53#include "lzf/lzf_d.c" 61#include "lzf/lzf_d.c"
62
63//////////////////////////////////////////////////////////////////////////////
64
65static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
66static ev::child rs_child_ev;
67
68void // c++ requires external linkage here, apparently :(
69rs_child_cb (ev::child &w, int revents)
70{
71 w.stop ();
72
73 if (rs_queue.empty ())
74 return;
75
76 pid_t pid = run_script (*rs_queue.front ().first, false);
77 if (pid)
78 {
79 w.set (pid);
80 w.start ();
81 }
82 else
83 slog (L_WARN, rs_queue.front ().second);
84
85 delete rs_queue.front ().first;
86 rs_queue.pop ();
87}
88
89// despite the fancy name, this is quite a hack
90static void
91run_script_queued (run_script_cb *cb, const char *warnmsg)
92{
93 rs_queue.push (std::make_pair (cb, warnmsg));
94
95 if (!rs_child_ev.is_active ())
96 {
97 rs_child_ev.set<rs_child_cb> ();
98 rs_child_ev ();
99 }
100}
101
102//////////////////////////////////////////////////////////////////////////////
54 103
55struct crypto_ctx 104struct crypto_ctx
56{ 105{
57 EVP_CIPHER_CTX cctx; 106 EVP_CIPHER_CTX cctx;
58 HMAC_CTX hctx; 107 HMAC_CTX hctx;
86 require (EVP_DigestUpdate(&ctx, &id, sizeof id)); 135 require (EVP_DigestUpdate(&ctx, &id, sizeof id));
87 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0)); 136 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
88 EVP_MD_CTX_cleanup (&ctx); 137 EVP_MD_CTX_cleanup (&ctx);
89} 138}
90 139
91struct rsa_entry { 140struct rsa_entry
141{
92 tstamp expire; 142 tstamp expire;
93 rsaid id; 143 rsaid id;
94 rsachallenge chg; 144 rsachallenge chg;
95}; 145};
96 146
97struct rsa_cache : list<rsa_entry> 147struct rsa_cache : list<rsa_entry>
98{ 148{
99 void cleaner_cb (time_watcher &w); time_watcher cleaner; 149 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
100 150
101 bool find (const rsaid &id, rsachallenge &chg) 151 bool find (const rsaid &id, rsachallenge &chg)
102 { 152 {
103 for (iterator i = begin (); i != end (); ++i) 153 for (iterator i = begin (); i != end (); ++i)
104 { 154 {
105 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW) 155 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
106 { 156 {
107 memcpy (&chg, &i->chg, sizeof chg); 157 memcpy (&chg, &i->chg, sizeof chg);
108 158
109 erase (i); 159 erase (i);
110 return true; 160 return true;
111 } 161 }
112 } 162 }
113 163
114 if (cleaner.at < NOW) 164 if (!cleaner.is_active ())
115 cleaner.start (NOW + RSA_TTL); 165 cleaner.again ();
116 166
117 return false; 167 return false;
118 } 168 }
119 169
120 void gen (rsaid &id, rsachallenge &chg) 170 void gen (rsaid &id, rsachallenge &chg)
121 { 171 {
122 rsa_entry e; 172 rsa_entry e;
123 173
124 RAND_bytes ((unsigned char *)&id, sizeof id); 174 RAND_bytes ((unsigned char *)&id, sizeof id);
125 RAND_bytes ((unsigned char *)&chg, sizeof chg); 175 RAND_bytes ((unsigned char *)&chg, sizeof chg);
126 176
127 e.expire = NOW + RSA_TTL; 177 e.expire = ev_now () + RSA_TTL;
128 e.id = id; 178 e.id = id;
129 memcpy (&e.chg, &chg, sizeof chg); 179 memcpy (&e.chg, &chg, sizeof chg);
130 180
131 push_back (e); 181 push_back (e);
132 182
133 if (cleaner.at < NOW) 183 if (!cleaner.is_active ())
134 cleaner.start (NOW + RSA_TTL); 184 cleaner.again ();
135 } 185 }
136 186
137 rsa_cache () 187 rsa_cache ()
138 : cleaner (this, &rsa_cache::cleaner_cb) 188 {
139 { } 189 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
190 cleaner.set (RSA_TTL, RSA_TTL);
191 }
140 192
141} rsa_cache; 193} rsa_cache;
142 194
143void rsa_cache::cleaner_cb (time_watcher &w) 195void rsa_cache::cleaner_cb (ev::timer &w, int revents)
144{ 196{
145 if (!empty ()) 197 if (empty ())
198 w.stop ();
199 else
146 { 200 {
147 w.start (NOW + RSA_TTL);
148
149 for (iterator i = begin (); i != end (); ) 201 for (iterator i = begin (); i != end (); )
150 if (i->expire <= NOW) 202 if (i->expire <= ev_now ())
151 i = erase (i); 203 i = erase (i);
152 else 204 else
153 ++i; 205 ++i;
154 } 206 }
155} 207}
156 208
157////////////////////////////////////////////////////////////////////////////// 209//////////////////////////////////////////////////////////////////////////////
158 210
159void pkt_queue::put (net_packet *p) 211pkt_queue::pkt_queue (double max_ttl, int max_queue)
212: max_ttl (max_ttl), max_queue (max_queue)
160{ 213{
161 if (queue[i]) 214 queue = new pkt [max_queue];
162 {
163 delete queue[i];
164 j = (j + 1) % QUEUEDEPTH;
165 }
166 215
167 queue[i] = p;
168
169 i = (i + 1) % QUEUEDEPTH;
170}
171
172net_packet *pkt_queue::get ()
173{
174 net_packet *p = queue[j];
175
176 if (p)
177 {
178 queue[j] = 0;
179 j = (j + 1) % QUEUEDEPTH;
180 }
181
182 return p;
183}
184
185pkt_queue::pkt_queue ()
186{
187 memset (queue, 0, sizeof (queue));
188 i = 0; 216 i = 0;
189 j = 0; 217 j = 0;
218
219 expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
190} 220}
191 221
192pkt_queue::~pkt_queue () 222pkt_queue::~pkt_queue ()
193{ 223{
194 for (i = QUEUEDEPTH; --i > 0; ) 224 while (net_packet *p = get ())
225 delete p;
226
195 delete queue[i]; 227 delete [] queue;
196} 228}
197 229
230void pkt_queue::expire_cb (ev::timer &w, int revents)
231{
232 ev_tstamp expire = ev_now () - max_ttl;
233
234 for (;;)
235 {
236 if (empty ())
237 break;
238
239 double diff = queue[j].tstamp - expire;
240
241 if (diff >= 0.)
242 {
243 w.start (diff > 0.5 ? diff : 0.5);
244 break;
245 }
246
247 delete get ();
248 }
249}
250
251void pkt_queue::put (net_packet *p)
252{
253 ev_tstamp now = ev_now ();
254
255 // start expiry timer
256 if (empty ())
257 expire.start (max_ttl);
258
259 int ni = i + 1 == max_queue ? 0 : i + 1;
260
261 if (ni == j)
262 delete get ();
263
264 queue[i].pkt = p;
265 queue[i].tstamp = now;
266
267 i = ni;
268}
269
270net_packet *pkt_queue::get ()
271{
272 if (empty ())
273 return 0;
274
275 net_packet *p = queue[j].pkt;
276 queue[j].pkt = 0;
277
278 j = j + 1 == max_queue ? 0 : j + 1;
279
280 return p;
281}
282
198struct net_rateinfo { 283struct net_rateinfo
284{
199 u32 host; 285 u32 host;
200 double pcnt, diff; 286 double pcnt, diff;
201 tstamp last; 287 tstamp last;
202}; 288};
203 289
222 iterator i; 308 iterator i;
223 309
224 for (i = begin (); i != end (); ) 310 for (i = begin (); i != end (); )
225 if (i->host == host) 311 if (i->host == host)
226 break; 312 break;
227 else if (i->last < NOW - NRL_EXPIRE) 313 else if (i->last < ev_now () - NRL_EXPIRE)
228 i = erase (i); 314 i = erase (i);
229 else 315 else
230 i++; 316 i++;
231 317
232 if (i == end ()) 318 if (i == end ())
234 net_rateinfo ri; 320 net_rateinfo ri;
235 321
236 ri.host = host; 322 ri.host = host;
237 ri.pcnt = 1.; 323 ri.pcnt = 1.;
238 ri.diff = NRL_MAXDIF; 324 ri.diff = NRL_MAXDIF;
239 ri.last = NOW; 325 ri.last = ev_now ();
240 326
241 push_front (ri); 327 push_front (ri);
242 328
243 return true; 329 return true;
244 } 330 }
246 { 332 {
247 net_rateinfo ri (*i); 333 net_rateinfo ri (*i);
248 erase (i); 334 erase (i);
249 335
250 ri.pcnt = ri.pcnt * NRL_ALPHA; 336 ri.pcnt = ri.pcnt * NRL_ALPHA;
251 ri.diff = ri.diff * NRL_ALPHA + (NOW - ri.last); 337 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
252 338
253 ri.last = NOW; 339 ri.last = ev_now ();
254 340
255 double dif = ri.diff / ri.pcnt; 341 double dif = ri.diff / ri.pcnt;
256 342
257 bool send = dif > NRL_CUTOFF; 343 bool send = dif > NRL_CUTOFF;
258 344
468 f |= FEATURE_COMPRESSION; 554 f |= FEATURE_COMPRESSION;
469#endif 555#endif
470#if ENABLE_ROHC 556#if ENABLE_ROHC
471 f |= FEATURE_ROHC; 557 f |= FEATURE_ROHC;
472#endif 558#endif
559#if ENABLE_BRIDGING
560 f |= FEATURE_BRIDGING;
561#endif
473 return f; 562 return f;
474 } 563 }
475}; 564};
476 565
477void config_packet::setup (ptype type, int dst) 566void config_packet::setup (ptype type, int dst)
478{ 567{
479 prot_major = PROTOCOL_MAJOR; 568 prot_major = PROTOCOL_MAJOR;
480 prot_minor = PROTOCOL_MINOR; 569 prot_minor = PROTOCOL_MINOR;
481 randsize = RAND_SIZE; 570 randsize = RAND_SIZE;
482 hmaclen = HMACLENGTH; 571 hmaclen = HMACLENGTH;
483 flags = ENABLE_COMPRESSION ? 0x81 : 0x80; 572 flags = 0;
484 challengelen = sizeof (rsachallenge); 573 challengelen = sizeof (rsachallenge);
485 features = get_features (); 574 features = get_features ();
486 575
487 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 576 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
488 digest_nid = htonl (EVP_MD_type (RSA_HASH)); 577 digest_nid = htonl (EVP_MD_type (RSA_HASH));
498 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR); 587 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
499 else if (randsize != RAND_SIZE) 588 else if (randsize != RAND_SIZE)
500 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE); 589 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
501 else if (hmaclen != HMACLENGTH) 590 else if (hmaclen != HMACLENGTH)
502 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH); 591 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
503#if 0 // this implementation should handle all flag settings
504 else if (flags != curflags ())
505 slog (L_WARN, _("flag mismatch (remote %x <=> local %x)"), flags, curflags ());
506#endif
507 else if (challengelen != sizeof (rsachallenge)) 592 else if (challengelen != sizeof (rsachallenge))
508 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge)); 593 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
509 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER))) 594 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
510 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER)); 595 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
511 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH))) 596 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
587///////////////////////////////////////////////////////////////////////////// 672/////////////////////////////////////////////////////////////////////////////
588 673
589void 674void
590connection::connection_established () 675connection::connection_established ()
591{ 676{
677 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
678
592 if (ictx && octx) 679 if (ictx && octx)
593 { 680 {
594 connectmode = conf->connectmode;
595
596 // make sure rekeying timeouts are slightly asymmetric 681 // make sure rekeying timeouts are slightly asymmetric
597 rekey.start (NOW + ::conf.rekey 682 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
598 + (conf->id > THISNODE->id ? 10 : 0)); 683 rekey.start (rekey_interval, rekey_interval);
599 keepalive.start (NOW + ::conf.keepalive); 684 keepalive.start (::conf.keepalive);
600 685
601 // send queued packets 686 // send queued packets
602 if (ictx && octx) 687 if (ictx && octx)
603 { 688 {
604 while (tap_packet *p = (tap_packet *)data_queue.get ()) 689 while (tap_packet *p = (tap_packet *)data_queue.get ())
605 { 690 {
606 send_data_packet (p); 691 if (p->len) send_data_packet (p);
607 delete p; 692 delete p;
608 } 693 }
609 694
610 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ()) 695 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
611 { 696 {
612 send_vpn_packet (p, si, IPTOS_RELIABILITY); 697 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
613 delete p; 698 delete p;
614 } 699 }
615 } 700 }
616 } 701 }
617 else 702 else
618 { 703 {
619 retry_cnt = 0; 704 retry_cnt = 0;
620 establish_connection.start (NOW + 5); 705 establish_connection.start (5);
621 keepalive.stop (); 706 keepalive.stop ();
622 rekey.stop (); 707 rekey.stop ();
623 } 708 }
624} 709}
625 710
626void 711void
627connection::reset_si () 712connection::reset_si ()
628{ 713{
629 protocol = best_protocol (THISNODE->protocols & conf->protocols); 714 protocol = best_protocol (THISNODE->protocols & conf->protocols);
630 715
631 // mask out protocols we cannot establish 716 // mask out endpoints we can't connect to
632 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 717 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
633 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 718 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
634 if (!conf->dns_port) protocol &= ~PROT_DNSv4; 719 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
635 720
721 if (protocol
722 && (!conf->can_direct (THISNODE)
723 || !THISNODE->can_direct (conf)))
724 {
725 slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename);
726 protocol = 0;
727 }
728
636 si.set (conf, protocol); 729 si.set (conf, protocol);
637} 730}
638 731
639// ensure sockinfo is valid, forward if necessary 732// ensure sockinfo is valid, forward if necessary
640const sockinfo & 733const sockinfo &
644 { 737 {
645 connection *r = vpn->find_router (); 738 connection *r = vpn->find_router ();
646 739
647 if (r) 740 if (r)
648 { 741 {
649 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"), 742 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s (%s)"),
650 conf->nodename, r->conf->nodename); 743 conf->nodename, r->conf->nodename, (const char *)r->si);
651 return r->si; 744 return r->si;
652 } 745 }
653 else 746 else
654 slog (L_DEBUG, _("%s: node unreachable, no common protocol"), 747 slog (L_DEBUG, _("%s: node unreachable, no common protocol, no router"),
655 conf->nodename); 748 conf->nodename);
656 } 749 }
657 750
658 return si; 751 return si;
659} 752}
660 753
661void 754void
662connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos) 755connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
663{ 756{
664 bool ok; 757 if (!vpn->send_vpn_packet (pkt, si, tos))
665
666 switch (si.prot)
667 {
668 case PROT_IPv4:
669 ok = vpn->send_ipv4_packet (pkt, si, tos); break;
670 case PROT_UDPv4:
671 ok = vpn->send_udpv4_packet (pkt, si, tos); break;
672#if ENABLE_TCP
673 case PROT_TCPv4:
674 ok = vpn->send_tcpv4_packet (pkt, si, tos); break;
675#endif
676#if ENABLE_ICMP
677 case PROT_ICMPv4:
678 ok = vpn->send_icmpv4_packet (pkt, si, tos); break;
679#endif
680#if ENABLE_DNS
681 case PROT_DNSv4:
682 ok = send_dnsv4_packet (pkt, si, tos); break;
683#endif
684
685 default:
686 slog (L_CRIT, _("%s: FATAL: trying to send packet with unsupported protocol"), (const char *)si);
687 ok = false;
688 }
689
690 if (!ok)
691 reset_connection (); 758 reset_connection ();
692} 759}
693 760
694void 761void
695connection::send_ping (const sockinfo &si, u8 pong) 762connection::send_ping (const sockinfo &si, u8 pong)
751} 818}
752 819
753void 820void
754connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 821connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
755{ 822{
756 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 823 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
757 conf->id, rid, (const char *)rsi); 824 conf->id, rid, (const char *)rsi);
758 825
759 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 826 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
760 827
761 r->hmac_set (octx); 828 r->hmac_set (octx);
762 send_vpn_packet (r, si); 829 send_vpn_packet (r, si);
763 830
764 delete r; 831 delete r;
765} 832}
766 833
767void 834inline void
768connection::establish_connection_cb (time_watcher &w) 835connection::establish_connection_cb (ev::timer &w, int revents)
769{ 836{
770 if (!ictx 837 if (!ictx
771 && conf != THISNODE 838 && conf != THISNODE
772 && connectmode != conf_node::C_NEVER 839 && connectmode != conf_node::C_NEVER
773 && connectmode != conf_node::C_DISABLED 840 && connectmode != conf_node::C_DISABLED
774 && NOW > w.at) 841 && !w.is_active ())
775 { 842 {
776 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 843 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
777 844 // and stop trying. should probably be handled by a per-connection expire handler.
778 if (retry_int < conf->max_retry) 845 if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
846 {
847 reset_connection ();
779 retry_cnt++; 848 return;
780 else 849 }
781 retry_int = conf->max_retry;
782 850
783 w.start (NOW + retry_int); 851 last_establish_attempt = ev_now ();
852
853 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
854 ? (retry_cnt & 3) + 1
855 : 1 << (retry_cnt >> 2));
784 856
785 reset_si (); 857 reset_si ();
786 858
859 bool slow = si.prot & PROT_SLOW;
860
787 if (si.prot && !si.host) 861 if (si.prot && !si.host)
862 {
863 slog (L_TRACE, _("%s: connection request (indirect)"), conf->nodename);
864 /*TODO*/ /* start the timer so we don't recurse endlessly */
865 w.start (1);
788 vpn->send_connect_request (conf->id); 866 vpn->send_connect_request (conf->id);
867 }
789 else 868 else
790 { 869 {
870 slog (L_TRACE, _("%s: connection request (direct)"), conf->nodename, !!ictx, !!octx);
871
791 const sockinfo &dsi = forward_si (si); 872 const sockinfo &dsi = forward_si (si);
873
874 slow = slow || (dsi.prot & PROT_SLOW);
792 875
793 if (dsi.valid () && auth_rate_limiter.can (dsi)) 876 if (dsi.valid () && auth_rate_limiter.can (dsi))
794 { 877 {
795 if (retry_cnt < 4) 878 if (retry_cnt < 4)
796 send_auth_request (dsi, true); 879 send_auth_request (dsi, true);
797 else 880 else
798 send_ping (dsi, 0); 881 send_ping (dsi, 0);
799 } 882 }
800 } 883 }
884
885 retry_int *= slow ? 8. : 0.9;
886
887 if (retry_int < conf->max_retry)
888 retry_cnt++;
889 else
890 retry_int = conf->max_retry;
891
892 w.start (retry_int);
801 } 893 }
802} 894}
803 895
804void 896void
805connection::reset_connection () 897connection::reset_connection ()
808 { 900 {
809 slog (L_INFO, _("%s(%s): connection lost"), 901 slog (L_INFO, _("%s(%s): connection lost"),
810 conf->nodename, (const char *)si); 902 conf->nodename, (const char *)si);
811 903
812 if (::conf.script_node_down) 904 if (::conf.script_node_down)
813 run_script (run_script_cb (this, &connection::script_node_down), false); 905 {
906 run_script_cb *cb = new run_script_cb;
907 cb->set<connection, &connection::script_node_down> (this);
908 run_script_queued (cb, _("node-down command execution failed, continuing."));
909 }
814 } 910 }
815 911
816 delete ictx; ictx = 0; 912 delete ictx; ictx = 0;
817 delete octx; octx = 0; 913 delete octx; octx = 0;
914#if ENABLE_DNS
915 dnsv4_reset_connection ();
916#endif
818 917
819 si.host = 0; 918 si.host = 0;
820 919
821 last_activity = 0; 920 last_activity = 0;
822 retry_cnt = 0; 921 retry_cnt = 0;
833 send_reset (si); 932 send_reset (si);
834 933
835 reset_connection (); 934 reset_connection ();
836} 935}
837 936
838void 937inline void
839connection::rekey_cb (time_watcher &w) 938connection::rekey_cb (ev::timer &w, int revents)
840{ 939{
841 reset_connection (); 940 reset_connection ();
842 establish_connection (); 941 establish_connection ();
843} 942}
844 943
860 if (oseqno > MAX_SEQNO) 959 if (oseqno > MAX_SEQNO)
861 rekey (); 960 rekey ();
862} 961}
863 962
864void 963void
964connection::post_inject_queue ()
965{
966 // force a connection every now and when when packets are sent (max 1/s)
967 if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
968 establish_connection.stop ();
969
970 establish_connection ();
971}
972
973void
865connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/) 974connection::inject_data_packet (tap_packet *pkt)
866{ 975{
867 if (ictx && octx) 976 if (ictx && octx)
868 send_data_packet (pkt); 977 send_data_packet (pkt);
869 else 978 else
870 { 979 {
871 if (!broadcast)//DDDD
872 data_queue.put (new tap_packet (*pkt)); 980 data_queue.put (new tap_packet (*pkt));
873 981 post_inject_queue ();
874 establish_connection ();
875 } 982 }
876} 983}
877 984
878void connection::inject_vpn_packet (vpn_packet *pkt, int tos) 985void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
879{ 986{
880 if (ictx && octx) 987 if (ictx && octx)
881 send_vpn_packet (pkt, si, tos); 988 send_vpn_packet (pkt, si, tos);
882 else 989 else
883 { 990 {
884 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt)); 991 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
885 992 post_inject_queue ();
886 establish_connection ();
887 } 993 }
888} 994}
889 995
890void 996void
891connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 997connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
892{ 998{
893 last_activity = NOW; 999 last_activity = ev_now ();
894 1000
895 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 1001 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
896 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 1002 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
1003
1004 if (connectmode == conf_node::C_DISABLED)
1005 return;
897 1006
898 switch (pkt->typ ()) 1007 switch (pkt->typ ())
899 { 1008 {
900 case vpn_packet::PT_PING: 1009 case vpn_packet::PT_PING:
901 // we send pings instead of auth packets after some retries, 1010 // we send pings instead of auth packets after some retries,
961 delete octx; 1070 delete octx;
962 1071
963 octx = new crypto_ctx (k, 1); 1072 octx = new crypto_ctx (k, 1);
964 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 1073 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
965 1074
966 // compatibility code, remove when no longer required
967 if (p->flags & 1) p->features |= FEATURE_COMPRESSION;
968
969 conf->protocols = p->protocols; 1075 conf->protocols = p->protocols;
970 features = p->features & config_packet::get_features (); 1076 features = p->features & config_packet::get_features ();
971 1077
972 send_auth_response (rsi, p->id, k); 1078 send_auth_response (rsi, p->id, k);
973 1079
1039 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), 1145 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
1040 conf->nodename, (const char *)rsi, 1146 conf->nodename, (const char *)rsi,
1041 p->prot_major, p->prot_minor); 1147 p->prot_major, p->prot_minor);
1042 1148
1043 if (::conf.script_node_up) 1149 if (::conf.script_node_up)
1044 run_script (run_script_cb (this, &connection::script_node_up), false); 1150 {
1151 run_script_cb *cb = new run_script_cb;
1152 cb->set<connection, &connection::script_node_up> (this);
1153 run_script_queued (cb, _("node-up command execution failed, continuing."));
1154 }
1045 1155
1046 break; 1156 break;
1047 } 1157 }
1048 else 1158 else
1049 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1159 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
1083 { 1193 {
1084 vpn->tap->send (d); 1194 vpn->tap->send (d);
1085 1195
1086 if (si != rsi) 1196 if (si != rsi)
1087 { 1197 {
1088 // fast re-sync on connection changes, useful especially for tcp/ip 1198 // fast re-sync on source address changes, useful especially for tcp/ip
1089 si = rsi; 1199 si = rsi;
1090 1200
1091 slog (L_INFO, _("%s(%s): socket address changed to %s"), 1201 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1092 conf->nodename, (const char *)si, (const char *)rsi); 1202 conf->nodename, (const char *)si, (const char *)rsi);
1093 } 1203 }
1104 case vpn_packet::PT_CONNECT_REQ: 1214 case vpn_packet::PT_CONNECT_REQ:
1105 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1215 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1106 { 1216 {
1107 connect_req_packet *p = (connect_req_packet *) pkt; 1217 connect_req_packet *p = (connect_req_packet *) pkt;
1108 1218
1109 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1219 if (p->id > 0 && p->id <= vpn->conns.size ())
1110 connection *c = vpn->conns[p->id - 1];
1111 conf->protocols = p->protocols;
1112
1113 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1114 conf->id, p->id, c->ictx && c->octx);
1115
1116 if (c->ictx && c->octx)
1117 { 1220 {
1221 connection *c = vpn->conns[p->id - 1];
1222 conf->protocols = p->protocols;
1223
1224 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1225 conf->id, p->id, c->ictx && c->octx);
1226
1227 if (c->ictx && c->octx)
1228 {
1118 // send connect_info packets to both sides, in case one is 1229 // send connect_info packets to both sides, in case one is
1119 // behind a nat firewall (or both ;) 1230 // behind a nat firewall (or both ;)
1120 c->send_connect_info (conf->id, si, conf->protocols); 1231 c->send_connect_info (conf->id, si, conf->protocols);
1121 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1232 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1233 }
1234 else
1235 c->establish_connection ();
1122 } 1236 }
1123 else 1237 else
1124 c->establish_connection (); 1238 slog (L_WARN,
1239 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1240 p->id);
1125 } 1241 }
1126 1242
1127 break; 1243 break;
1128 1244
1129 case vpn_packet::PT_CONNECT_INFO: 1245 case vpn_packet::PT_CONNECT_INFO:
1130 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1246 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1131 { 1247 {
1132 connect_info_packet *p = (connect_info_packet *)pkt; 1248 connect_info_packet *p = (connect_info_packet *)pkt;
1133 1249
1134 if (p->id > 0 && p->id <= vpn->conns.size ()) // hmac-auth does not mean we accept anything 1250 if (p->id > 0 && p->id <= vpn->conns.size ())
1135 { 1251 {
1136 connection *c = vpn->conns[p->id - 1]; 1252 connection *c = vpn->conns[p->id - 1];
1137 1253
1138 c->conf->protocols = p->protocols; 1254 c->conf->protocols = p->protocols;
1139 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1255 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1145 const sockinfo &dsi = forward_si (p->si); 1261 const sockinfo &dsi = forward_si (p->si);
1146 1262
1147 if (dsi.valid ()) 1263 if (dsi.valid ())
1148 c->send_auth_request (dsi, true); 1264 c->send_auth_request (dsi, true);
1149 } 1265 }
1266 else
1267 slog (L_WARN,
1268 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1269 p->id);
1150 } 1270 }
1151 1271
1152 break; 1272 break;
1153 1273
1154 default: 1274 default:
1155 send_reset (rsi); 1275 send_reset (rsi);
1156 break; 1276 break;
1157 } 1277 }
1158} 1278}
1159 1279
1160void connection::keepalive_cb (time_watcher &w) 1280inline void
1281connection::keepalive_cb (ev::timer &w, int revents)
1161{ 1282{
1162 if (NOW >= last_activity + ::conf.keepalive + 30) 1283 if (ev_now () >= last_activity + ::conf.keepalive + 30)
1163 { 1284 {
1164 reset_connection (); 1285 reset_connection ();
1165 establish_connection (); 1286 establish_connection ();
1166 } 1287 }
1167 else if (NOW < last_activity + ::conf.keepalive) 1288 else if (ev_now () < last_activity + ::conf.keepalive)
1168 w.start (last_activity + ::conf.keepalive); 1289 w.start (last_activity + ::conf.keepalive - ev::now ());
1169 else if (conf->connectmode != conf_node::C_ONDEMAND 1290 else if (conf->connectmode != conf_node::C_ONDEMAND
1170 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1291 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1171 { 1292 {
1172 send_ping (si); 1293 send_ping (si);
1173 w.start (NOW + 5); 1294 w.start (5);
1174 } 1295 }
1175 else if (NOW < last_activity + ::conf.keepalive + 10) 1296 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1176 // hold ondemand connections implicitly a few seconds longer 1297 // hold ondemand connections implicitly a few seconds longer
1177 // should delete octx, though, or something like that ;) 1298 // should delete octx, though, or something like that ;)
1178 w.start (last_activity + ::conf.keepalive + 10); 1299 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1179 else 1300 else
1180 reset_connection (); 1301 reset_connection ();
1181} 1302}
1182 1303
1183void connection::send_connect_request (int id) 1304void connection::send_connect_request (int id)
1189 send_vpn_packet (p, si); 1310 send_vpn_packet (p, si);
1190 1311
1191 delete p; 1312 delete p;
1192} 1313}
1193 1314
1315void connection::script_init_env (const char *ext)
1316{
1317 char *env;
1318 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1319 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1320 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1321 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1322 conf->id & 0xff); putenv (env);
1323}
1324
1194void connection::script_node () 1325void connection::script_init_connect_env ()
1195{ 1326{
1196 vpn->script_if_up (); 1327 vpn->script_init_env ();
1197 1328
1198 char *env; 1329 char *env;
1199 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1330 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1200 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1331 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1201 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1332 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1202 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1333 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1203} 1334}
1204 1335
1336inline const char *
1205const char *connection::script_node_up () 1337connection::script_node_up ()
1206{ 1338{
1207 script_node (); 1339 script_init_connect_env ();
1208 1340
1209 putenv ("STATE=up"); 1341 putenv ((char *)"STATE=up");
1210 1342
1343 char *filename;
1344 asprintf (&filename,
1345 "%s/%s",
1346 confbase,
1211 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1347 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1212}
1213 1348
1349 return filename;
1350}
1351
1352inline const char *
1214const char *connection::script_node_down () 1353connection::script_node_down ()
1215{ 1354{
1216 script_node (); 1355 script_init_connect_env ();
1217 1356
1218 putenv ("STATE=down"); 1357 putenv ((char *)"STATE=down");
1219 1358
1220 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1359 char *filename;
1360 asprintf (&filename,
1361 "%s/%s",
1362 confbase,
1363 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1364
1365 return filename;
1221} 1366}
1222 1367
1223connection::connection (struct vpn *vpn, conf_node *conf) 1368connection::connection (struct vpn *vpn, conf_node *conf)
1224: vpn(vpn), conf(conf) 1369: vpn(vpn), conf(conf),
1225, rekey (this, &connection::rekey_cb)
1226, keepalive (this, &connection::keepalive_cb)
1227, establish_connection (this, &connection::establish_connection_cb)
1228#if ENABLE_DNS 1370#if ENABLE_DNS
1229, dnsv4_tw (this, &connection::dnsv4_cb) 1371 dns (0),
1230, dns_rcvdq (0), dns_snddq (0)
1231, dns_rcvseq (0), dns_sndseq (0)
1232#endif 1372#endif
1373 data_queue(conf->max_ttl, conf->max_queue),
1374 vpn_queue(conf->max_ttl, conf->max_queue)
1233{ 1375{
1376 rekey .set<connection, &connection::rekey_cb > (this);
1377 keepalive .set<connection, &connection::keepalive_cb > (this);
1378 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1379
1380 last_establish_attempt = 0.;
1234 octx = ictx = 0; 1381 octx = ictx = 0;
1235 retry_cnt = 0;
1236 1382
1237 if (!conf->protocols) // make sure some protocol is enabled 1383 if (!conf->protocols) // make sure some protocol is enabled
1238 conf->protocols = PROT_UDPv4; 1384 conf->protocols = PROT_UDPv4;
1239 1385
1240 connectmode = conf_node::C_ALWAYS; // initial setting 1386 connectmode = conf->connectmode;
1387
1388 // queue a dummy packet to force an initial connection attempt
1389 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1390 vpn_queue.put (new net_packet);
1391
1241 reset_connection (); 1392 reset_connection ();
1242} 1393}
1243 1394
1244connection::~connection () 1395connection::~connection ()
1245{ 1396{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines