ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.46 by pcg, Sat Mar 5 19:13:15 2005 UTC vs.
Revision 1.59 by pcg, Mon Dec 5 12:58:09 2005 UTC

14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details. 15 GNU General Public License for more details.
16 16
17 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License
18 along with gvpe; if not, write to the Free Software 18 along with gvpe; if not, write to the Free Software
19 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20*/ 20*/
21 21
22#include "config.h" 22#include "config.h"
23
24#include <cassert>
25 23
26#include <list> 24#include <list>
27 25
28#include <openssl/rand.h> 26#include <openssl/rand.h>
29#include <openssl/evp.h> 27#include <openssl/evp.h>
30#include <openssl/rsa.h> 28#include <openssl/rsa.h>
31#include <openssl/err.h> 29#include <openssl/err.h>
32
33#include "gettext.h"
34 30
35#include "conf.h" 31#include "conf.h"
36#include "slog.h" 32#include "slog.h"
37#include "device.h" 33#include "device.h"
38#include "vpn.h" 34#include "vpn.h"
97struct rsa_cache : list<rsa_entry> 93struct rsa_cache : list<rsa_entry>
98{ 94{
99 void cleaner_cb (time_watcher &w); time_watcher cleaner; 95 void cleaner_cb (time_watcher &w); time_watcher cleaner;
100 96
101 bool find (const rsaid &id, rsachallenge &chg) 97 bool find (const rsaid &id, rsachallenge &chg)
102 { 98 {
103 for (iterator i = begin (); i != end (); ++i) 99 for (iterator i = begin (); i != end (); ++i)
104 { 100 {
105 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW) 101 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
106 { 102 {
107 memcpy (&chg, &i->chg, sizeof chg); 103 memcpy (&chg, &i->chg, sizeof chg);
108 104
109 erase (i); 105 erase (i);
110 return true; 106 return true;
111 } 107 }
112 } 108 }
113 109
114 if (cleaner.at < NOW) 110 if (cleaner.at < NOW)
115 cleaner.start (NOW + RSA_TTL); 111 cleaner.start (NOW + RSA_TTL);
116 112
117 return false; 113 return false;
118 } 114 }
119 115
120 void gen (rsaid &id, rsachallenge &chg) 116 void gen (rsaid &id, rsachallenge &chg)
121 { 117 {
122 rsa_entry e; 118 rsa_entry e;
123 119
124 RAND_bytes ((unsigned char *)&id, sizeof id); 120 RAND_bytes ((unsigned char *)&id, sizeof id);
125 RAND_bytes ((unsigned char *)&chg, sizeof chg); 121 RAND_bytes ((unsigned char *)&chg, sizeof chg);
126 122
127 e.expire = NOW + RSA_TTL; 123 e.expire = NOW + RSA_TTL;
128 e.id = id; 124 e.id = id;
129 memcpy (&e.chg, &chg, sizeof chg); 125 memcpy (&e.chg, &chg, sizeof chg);
130 126
131 push_back (e); 127 push_back (e);
132 128
133 if (cleaner.at < NOW) 129 if (cleaner.at < NOW)
134 cleaner.start (NOW + RSA_TTL); 130 cleaner.start (NOW + RSA_TTL);
135 } 131 }
136 132
137 rsa_cache () 133 rsa_cache ()
138 : cleaner (this, &rsa_cache::cleaner_cb) 134 : cleaner (this, &rsa_cache::cleaner_cb)
139 { } 135 { }
140 136
141} rsa_cache; 137} rsa_cache;
142 138
143void rsa_cache::cleaner_cb (time_watcher &w) 139void rsa_cache::cleaner_cb (time_watcher &w)
144{ 140{
468 f |= FEATURE_COMPRESSION; 464 f |= FEATURE_COMPRESSION;
469#endif 465#endif
470#if ENABLE_ROHC 466#if ENABLE_ROHC
471 f |= FEATURE_ROHC; 467 f |= FEATURE_ROHC;
472#endif 468#endif
469#if ENABLE_BRIDGING
470 f |= FEATURE_BRIDGING;
471#endif
473 return f; 472 return f;
474 } 473 }
475}; 474};
476 475
477void config_packet::setup (ptype type, int dst) 476void config_packet::setup (ptype type, int dst)
478{ 477{
479 prot_major = PROTOCOL_MAJOR; 478 prot_major = PROTOCOL_MAJOR;
480 prot_minor = PROTOCOL_MINOR; 479 prot_minor = PROTOCOL_MINOR;
481 randsize = RAND_SIZE; 480 randsize = RAND_SIZE;
482 hmaclen = HMACLENGTH; 481 hmaclen = HMACLENGTH;
483 flags = ENABLE_COMPRESSION ? 0x81 : 0x80; 482 flags = 0;
484 challengelen = sizeof (rsachallenge); 483 challengelen = sizeof (rsachallenge);
485 features = get_features (); 484 features = get_features ();
486 485
487 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 486 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
488 digest_nid = htonl (EVP_MD_type (RSA_HASH)); 487 digest_nid = htonl (EVP_MD_type (RSA_HASH));
498 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR); 497 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
499 else if (randsize != RAND_SIZE) 498 else if (randsize != RAND_SIZE)
500 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE); 499 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
501 else if (hmaclen != HMACLENGTH) 500 else if (hmaclen != HMACLENGTH)
502 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH); 501 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
503#if 0 // this implementation should handle all flag settings
504 else if (flags != curflags ())
505 slog (L_WARN, _("flag mismatch (remote %x <=> local %x)"), flags, curflags ());
506#endif
507 else if (challengelen != sizeof (rsachallenge)) 502 else if (challengelen != sizeof (rsachallenge))
508 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge)); 503 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
509 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER))) 504 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
510 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER)); 505 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
511 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH))) 506 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
631 // mask out protocols we cannot establish 626 // mask out protocols we cannot establish
632 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 627 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
633 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 628 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
634 if (!conf->dns_port) protocol &= ~PROT_DNSv4; 629 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
635 630
631 if (protocol
632 && (!conf->can_direct (THISNODE)
633 || !THISNODE->can_direct (conf)))
634 {
635 slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename);
636 protocol = 0;
637 }
638
636 si.set (conf, protocol); 639 si.set (conf, protocol);
637} 640}
638 641
639// ensure sockinfo is valid, forward if necessary 642// ensure sockinfo is valid, forward if necessary
640const sockinfo & 643const sockinfo &
725} 728}
726 729
727void 730void
728connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 731connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
729{ 732{
730 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 733 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
731 conf->id, rid, (const char *)rsi); 734 conf->id, rid, (const char *)rsi);
732 735
733 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 736 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
734 737
735 r->hmac_set (octx); 738 r->hmac_set (octx);
745 && conf != THISNODE 748 && conf != THISNODE
746 && connectmode != conf_node::C_NEVER 749 && connectmode != conf_node::C_NEVER
747 && connectmode != conf_node::C_DISABLED 750 && connectmode != conf_node::C_DISABLED
748 && NOW > w.at) 751 && NOW > w.at)
749 { 752 {
750 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 753 w.at = TSTAMP_MAX; // first disable this watcher in case of recursion
751 754
752 if (retry_int < conf->max_retry) 755 double retry_int = double (retry_cnt & 3
753 retry_cnt++; 756 ? (retry_cnt & 3) + 1
754 else 757 : 1 << (retry_cnt >> 2));
755 retry_int = conf->max_retry;
756
757 w.start (NOW + retry_int);
758 758
759 reset_si (); 759 reset_si ();
760
761 bool slow = si.prot & PROT_SLOW;
760 762
761 if (si.prot && !si.host) 763 if (si.prot && !si.host)
762 vpn->send_connect_request (conf->id); 764 vpn->send_connect_request (conf->id);
763 else 765 else
764 { 766 {
765 const sockinfo &dsi = forward_si (si); 767 const sockinfo &dsi = forward_si (si);
768
769 slow = slow || (dsi.prot & PROT_SLOW);
766 770
767 if (dsi.valid () && auth_rate_limiter.can (dsi)) 771 if (dsi.valid () && auth_rate_limiter.can (dsi))
768 { 772 {
769 if (retry_cnt < 4) 773 if (retry_cnt < 4)
770 send_auth_request (dsi, true); 774 send_auth_request (dsi, true);
771 else 775 else
772 send_ping (dsi, 0); 776 send_ping (dsi, 0);
773 } 777 }
774 } 778 }
779
780 retry_int *= slow ? 8. : 0.7;
781
782 if (retry_int < conf->max_retry)
783 retry_cnt++;
784 else
785 retry_int = conf->max_retry;
786
787 w.start (NOW + retry_int);
775 } 788 }
776} 789}
777 790
778void 791void
779connection::reset_connection () 792connection::reset_connection ()
782 { 795 {
783 slog (L_INFO, _("%s(%s): connection lost"), 796 slog (L_INFO, _("%s(%s): connection lost"),
784 conf->nodename, (const char *)si); 797 conf->nodename, (const char *)si);
785 798
786 if (::conf.script_node_down) 799 if (::conf.script_node_down)
787 run_script (run_script_cb (this, &connection::script_node_down), false); 800 if (!run_script (run_script_cb (this, &connection::script_node_down), false))
801 slog (L_WARN, _("node-down command execution failed, continuing."));
788 } 802 }
789 803
790 delete ictx; ictx = 0; 804 delete ictx; ictx = 0;
791 delete octx; octx = 0; 805 delete octx; octx = 0;
792#if ENABLE_DNS 806#if ENABLE_DNS
843{ 857{
844 if (ictx && octx) 858 if (ictx && octx)
845 send_data_packet (pkt); 859 send_data_packet (pkt);
846 else 860 else
847 { 861 {
848 if (!broadcast)//DDDD 862 if (!broadcast)
849 data_queue.put (new tap_packet (*pkt)); 863 data_queue.put (new tap_packet (*pkt));
850 864
851 establish_connection (); 865 establish_connection ();
852 } 866 }
853} 867}
938 delete octx; 952 delete octx;
939 953
940 octx = new crypto_ctx (k, 1); 954 octx = new crypto_ctx (k, 1);
941 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 955 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
942 956
943 // compatibility code, remove when no longer required
944 if (p->flags & 1) p->features |= FEATURE_COMPRESSION;
945
946 conf->protocols = p->protocols; 957 conf->protocols = p->protocols;
947 features = p->features & config_packet::get_features (); 958 features = p->features & config_packet::get_features ();
948 959
949 send_auth_response (rsi, p->id, k); 960 send_auth_response (rsi, p->id, k);
950 961
1016 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), 1027 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
1017 conf->nodename, (const char *)rsi, 1028 conf->nodename, (const char *)rsi,
1018 p->prot_major, p->prot_minor); 1029 p->prot_major, p->prot_minor);
1019 1030
1020 if (::conf.script_node_up) 1031 if (::conf.script_node_up)
1021 run_script (run_script_cb (this, &connection::script_node_up), false); 1032 if (!run_script (run_script_cb (this, &connection::script_node_up), false))
1033 slog (L_WARN, _("node-up command execution failed, continuing."));
1022 1034
1023 break; 1035 break;
1024 } 1036 }
1025 else 1037 else
1026 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1038 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
1060 { 1072 {
1061 vpn->tap->send (d); 1073 vpn->tap->send (d);
1062 1074
1063 if (si != rsi) 1075 if (si != rsi)
1064 { 1076 {
1065 // fast re-sync on connection changes, useful especially for tcp/ip 1077 // fast re-sync on source address changes, useful especially for tcp/ip
1066 si = rsi; 1078 si = rsi;
1067 1079
1068 slog (L_INFO, _("%s(%s): socket address changed to %s"), 1080 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1069 conf->nodename, (const char *)si, (const char *)rsi); 1081 conf->nodename, (const char *)si, (const char *)rsi);
1070 } 1082 }
1081 case vpn_packet::PT_CONNECT_REQ: 1093 case vpn_packet::PT_CONNECT_REQ:
1082 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1094 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1083 { 1095 {
1084 connect_req_packet *p = (connect_req_packet *) pkt; 1096 connect_req_packet *p = (connect_req_packet *) pkt;
1085 1097
1086 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1098 if (p->id > 0 && p->id <= vpn->conns.size ())
1087 connection *c = vpn->conns[p->id - 1];
1088 conf->protocols = p->protocols;
1089
1090 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1091 conf->id, p->id, c->ictx && c->octx);
1092
1093 if (c->ictx && c->octx)
1094 { 1099 {
1100 connection *c = vpn->conns[p->id - 1];
1101 conf->protocols = p->protocols;
1102
1103 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1104 conf->id, p->id, c->ictx && c->octx);
1105
1106 if (c->ictx && c->octx)
1107 {
1095 // send connect_info packets to both sides, in case one is 1108 // send connect_info packets to both sides, in case one is
1096 // behind a nat firewall (or both ;) 1109 // behind a nat firewall (or both ;)
1097 c->send_connect_info (conf->id, si, conf->protocols); 1110 c->send_connect_info (conf->id, si, conf->protocols);
1098 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1111 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1112 }
1113 else
1114 c->establish_connection ();
1099 } 1115 }
1100 else 1116 else
1101 c->establish_connection (); 1117 slog (L_WARN,
1118 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1119 p->id);
1102 } 1120 }
1103 1121
1104 break; 1122 break;
1105 1123
1106 case vpn_packet::PT_CONNECT_INFO: 1124 case vpn_packet::PT_CONNECT_INFO:
1107 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1125 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1108 { 1126 {
1109 connect_info_packet *p = (connect_info_packet *)pkt; 1127 connect_info_packet *p = (connect_info_packet *)pkt;
1110 1128
1111 if (p->id > 0 && p->id <= vpn->conns.size ()) // hmac-auth does not mean we accept anything 1129 if (p->id > 0 && p->id <= vpn->conns.size ())
1112 { 1130 {
1113 connection *c = vpn->conns[p->id - 1]; 1131 connection *c = vpn->conns[p->id - 1];
1114 1132
1115 c->conf->protocols = p->protocols; 1133 c->conf->protocols = p->protocols;
1116 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1134 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1122 const sockinfo &dsi = forward_si (p->si); 1140 const sockinfo &dsi = forward_si (p->si);
1123 1141
1124 if (dsi.valid ()) 1142 if (dsi.valid ())
1125 c->send_auth_request (dsi, true); 1143 c->send_auth_request (dsi, true);
1126 } 1144 }
1145 else
1146 slog (L_WARN,
1147 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1148 p->id);
1127 } 1149 }
1128 1150
1129 break; 1151 break;
1130 1152
1131 default: 1153 default:
1166 send_vpn_packet (p, si); 1188 send_vpn_packet (p, si);
1167 1189
1168 delete p; 1190 delete p;
1169} 1191}
1170 1192
1193void connection::script_init_env (const char *ext)
1194{
1195 char *env;
1196 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1197 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1198 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1199 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1200 conf->id & 0xff); putenv (env);
1201}
1202
1171void connection::script_node () 1203void connection::script_init_connect_env ()
1172{ 1204{
1173 vpn->script_if_up (); 1205 vpn->script_init_env ();
1174 1206
1175 char *env; 1207 char *env;
1176 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1208 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1177 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1209 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1178 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1210 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1179 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1211 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1180} 1212}
1181 1213
1182const char *connection::script_node_up () 1214const char *connection::script_node_up ()
1183{ 1215{
1184 script_node (); 1216 script_init_connect_env ();
1185 1217
1186 putenv ("STATE=up"); 1218 putenv ("STATE=up");
1187 1219
1220 char *filename;
1221 asprintf (&filename,
1222 "%s/%s",
1223 confbase,
1188 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1224 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1225
1226 return filename;
1189} 1227}
1190 1228
1191const char *connection::script_node_down () 1229const char *connection::script_node_down ()
1192{ 1230{
1193 script_node (); 1231 script_init_connect_env ();
1194 1232
1195 putenv ("STATE=down"); 1233 putenv ("STATE=down");
1196 1234
1197 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1235 char *filename;
1236 asprintf (&filename,
1237 "%s/%s",
1238 confbase,
1239 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1240
1241 return filename;
1198} 1242}
1199 1243
1200connection::connection (struct vpn *vpn, conf_node *conf) 1244connection::connection (struct vpn *vpn, conf_node *conf)
1201: vpn(vpn), conf(conf) 1245: vpn(vpn), conf(conf)
1202, rekey (this, &connection::rekey_cb) 1246, rekey (this, &connection::rekey_cb)

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines