ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.46 by pcg, Sat Mar 5 19:13:15 2005 UTC vs.
Revision 1.65 by pcg, Tue Dec 4 17:17:20 2007 UTC

14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details. 15 GNU General Public License for more details.
16 16
17 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License
18 along with gvpe; if not, write to the Free Software 18 along with gvpe; if not, write to the Free Software
19 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20*/ 20*/
21 21
22#include "config.h" 22#include "config.h"
23
24#include <cassert>
25 23
26#include <list> 24#include <list>
27 25
28#include <openssl/rand.h> 26#include <openssl/rand.h>
29#include <openssl/evp.h> 27#include <openssl/evp.h>
30#include <openssl/rsa.h> 28#include <openssl/rsa.h>
31#include <openssl/err.h> 29#include <openssl/err.h>
32
33#include "gettext.h"
34 30
35#include "conf.h" 31#include "conf.h"
36#include "slog.h" 32#include "slog.h"
37#include "device.h" 33#include "device.h"
38#include "vpn.h" 34#include "vpn.h"
86 require (EVP_DigestUpdate(&ctx, &id, sizeof id)); 82 require (EVP_DigestUpdate(&ctx, &id, sizeof id));
87 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0)); 83 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
88 EVP_MD_CTX_cleanup (&ctx); 84 EVP_MD_CTX_cleanup (&ctx);
89} 85}
90 86
91struct rsa_entry { 87struct rsa_entry
88{
92 tstamp expire; 89 tstamp expire;
93 rsaid id; 90 rsaid id;
94 rsachallenge chg; 91 rsachallenge chg;
95}; 92};
96 93
97struct rsa_cache : list<rsa_entry> 94struct rsa_cache : list<rsa_entry>
98{ 95{
99 void cleaner_cb (time_watcher &w); time_watcher cleaner; 96 void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
100 97
101 bool find (const rsaid &id, rsachallenge &chg) 98 bool find (const rsaid &id, rsachallenge &chg)
102 { 99 {
103 for (iterator i = begin (); i != end (); ++i) 100 for (iterator i = begin (); i != end (); ++i)
104 { 101 {
105 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW) 102 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
106 { 103 {
107 memcpy (&chg, &i->chg, sizeof chg); 104 memcpy (&chg, &i->chg, sizeof chg);
108 105
109 erase (i); 106 erase (i);
110 return true; 107 return true;
111 } 108 }
112 } 109 }
113 110
114 if (cleaner.at < NOW) 111 if (!cleaner.is_active ())
115 cleaner.start (NOW + RSA_TTL); 112 cleaner.again ();
116 113
117 return false; 114 return false;
118 } 115 }
119 116
120 void gen (rsaid &id, rsachallenge &chg) 117 void gen (rsaid &id, rsachallenge &chg)
121 { 118 {
122 rsa_entry e; 119 rsa_entry e;
123 120
124 RAND_bytes ((unsigned char *)&id, sizeof id); 121 RAND_bytes ((unsigned char *)&id, sizeof id);
125 RAND_bytes ((unsigned char *)&chg, sizeof chg); 122 RAND_bytes ((unsigned char *)&chg, sizeof chg);
126 123
127 e.expire = NOW + RSA_TTL; 124 e.expire = ev_now () + RSA_TTL;
128 e.id = id; 125 e.id = id;
129 memcpy (&e.chg, &chg, sizeof chg); 126 memcpy (&e.chg, &chg, sizeof chg);
130 127
131 push_back (e); 128 push_back (e);
132 129
133 if (cleaner.at < NOW) 130 if (!cleaner.is_active ())
134 cleaner.start (NOW + RSA_TTL); 131 cleaner.again ();
135 } 132 }
136 133
137 rsa_cache () 134 rsa_cache ()
138 : cleaner (this, &rsa_cache::cleaner_cb) 135 {
139 { } 136 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
137 cleaner.set (RSA_TTL, RSA_TTL);
138 }
140 139
141} rsa_cache; 140} rsa_cache;
142 141
143void rsa_cache::cleaner_cb (time_watcher &w) 142void rsa_cache::cleaner_cb (ev::timer &w, int revents)
144{ 143{
145 if (!empty ()) 144 if (empty ())
145 w.stop ();
146 else
146 { 147 {
147 w.start (NOW + RSA_TTL);
148
149 for (iterator i = begin (); i != end (); ) 148 for (iterator i = begin (); i != end (); )
150 if (i->expire <= NOW) 149 if (i->expire <= ev_now ())
151 i = erase (i); 150 i = erase (i);
152 else 151 else
153 ++i; 152 ++i;
154 } 153 }
155} 154}
193{ 192{
194 for (i = QUEUEDEPTH; --i > 0; ) 193 for (i = QUEUEDEPTH; --i > 0; )
195 delete queue[i]; 194 delete queue[i];
196} 195}
197 196
198struct net_rateinfo { 197struct net_rateinfo
198{
199 u32 host; 199 u32 host;
200 double pcnt, diff; 200 double pcnt, diff;
201 tstamp last; 201 tstamp last;
202}; 202};
203 203
222 iterator i; 222 iterator i;
223 223
224 for (i = begin (); i != end (); ) 224 for (i = begin (); i != end (); )
225 if (i->host == host) 225 if (i->host == host)
226 break; 226 break;
227 else if (i->last < NOW - NRL_EXPIRE) 227 else if (i->last < ev_now () - NRL_EXPIRE)
228 i = erase (i); 228 i = erase (i);
229 else 229 else
230 i++; 230 i++;
231 231
232 if (i == end ()) 232 if (i == end ())
234 net_rateinfo ri; 234 net_rateinfo ri;
235 235
236 ri.host = host; 236 ri.host = host;
237 ri.pcnt = 1.; 237 ri.pcnt = 1.;
238 ri.diff = NRL_MAXDIF; 238 ri.diff = NRL_MAXDIF;
239 ri.last = NOW; 239 ri.last = ev_now ();
240 240
241 push_front (ri); 241 push_front (ri);
242 242
243 return true; 243 return true;
244 } 244 }
246 { 246 {
247 net_rateinfo ri (*i); 247 net_rateinfo ri (*i);
248 erase (i); 248 erase (i);
249 249
250 ri.pcnt = ri.pcnt * NRL_ALPHA; 250 ri.pcnt = ri.pcnt * NRL_ALPHA;
251 ri.diff = ri.diff * NRL_ALPHA + (NOW - ri.last); 251 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
252 252
253 ri.last = NOW; 253 ri.last = ev_now ();
254 254
255 double dif = ri.diff / ri.pcnt; 255 double dif = ri.diff / ri.pcnt;
256 256
257 bool send = dif > NRL_CUTOFF; 257 bool send = dif > NRL_CUTOFF;
258 258
468 f |= FEATURE_COMPRESSION; 468 f |= FEATURE_COMPRESSION;
469#endif 469#endif
470#if ENABLE_ROHC 470#if ENABLE_ROHC
471 f |= FEATURE_ROHC; 471 f |= FEATURE_ROHC;
472#endif 472#endif
473#if ENABLE_BRIDGING
474 f |= FEATURE_BRIDGING;
475#endif
473 return f; 476 return f;
474 } 477 }
475}; 478};
476 479
477void config_packet::setup (ptype type, int dst) 480void config_packet::setup (ptype type, int dst)
478{ 481{
479 prot_major = PROTOCOL_MAJOR; 482 prot_major = PROTOCOL_MAJOR;
480 prot_minor = PROTOCOL_MINOR; 483 prot_minor = PROTOCOL_MINOR;
481 randsize = RAND_SIZE; 484 randsize = RAND_SIZE;
482 hmaclen = HMACLENGTH; 485 hmaclen = HMACLENGTH;
483 flags = ENABLE_COMPRESSION ? 0x81 : 0x80; 486 flags = 0;
484 challengelen = sizeof (rsachallenge); 487 challengelen = sizeof (rsachallenge);
485 features = get_features (); 488 features = get_features ();
486 489
487 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 490 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
488 digest_nid = htonl (EVP_MD_type (RSA_HASH)); 491 digest_nid = htonl (EVP_MD_type (RSA_HASH));
498 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR); 501 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
499 else if (randsize != RAND_SIZE) 502 else if (randsize != RAND_SIZE)
500 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE); 503 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
501 else if (hmaclen != HMACLENGTH) 504 else if (hmaclen != HMACLENGTH)
502 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH); 505 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
503#if 0 // this implementation should handle all flag settings
504 else if (flags != curflags ())
505 slog (L_WARN, _("flag mismatch (remote %x <=> local %x)"), flags, curflags ());
506#endif
507 else if (challengelen != sizeof (rsachallenge)) 506 else if (challengelen != sizeof (rsachallenge))
508 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge)); 507 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
509 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER))) 508 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
510 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER)); 509 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
511 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH))) 510 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
587///////////////////////////////////////////////////////////////////////////// 586/////////////////////////////////////////////////////////////////////////////
588 587
589void 588void
590connection::connection_established () 589connection::connection_established ()
591{ 590{
591 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
592
592 if (ictx && octx) 593 if (ictx && octx)
593 { 594 {
594 connectmode = conf->connectmode; 595 connectmode = conf->connectmode;
595 596
596 // make sure rekeying timeouts are slightly asymmetric 597 // make sure rekeying timeouts are slightly asymmetric
597 rekey.start (NOW + ::conf.rekey 598 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
598 + (conf->id > THISNODE->id ? 10 : 0)); 599 rekey.start (rekey_interval, rekey_interval);
599 keepalive.start (NOW + ::conf.keepalive); 600 keepalive.start (::conf.keepalive);
600 601
601 // send queued packets 602 // send queued packets
602 if (ictx && octx) 603 if (ictx && octx)
603 { 604 {
604 while (tap_packet *p = (tap_packet *)data_queue.get ()) 605 while (tap_packet *p = (tap_packet *)data_queue.get ())
615 } 616 }
616 } 617 }
617 else 618 else
618 { 619 {
619 retry_cnt = 0; 620 retry_cnt = 0;
620 establish_connection.start (NOW + 5); 621 establish_connection.start (5);
621 keepalive.stop (); 622 keepalive.stop ();
622 rekey.stop (); 623 rekey.stop ();
623 } 624 }
624} 625}
625 626
630 631
631 // mask out protocols we cannot establish 632 // mask out protocols we cannot establish
632 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 633 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
633 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 634 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
634 if (!conf->dns_port) protocol &= ~PROT_DNSv4; 635 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
636
637 if (protocol
638 && (!conf->can_direct (THISNODE)
639 || !THISNODE->can_direct (conf)))
640 {
641 slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename);
642 protocol = 0;
643 }
635 644
636 si.set (conf, protocol); 645 si.set (conf, protocol);
637} 646}
638 647
639// ensure sockinfo is valid, forward if necessary 648// ensure sockinfo is valid, forward if necessary
725} 734}
726 735
727void 736void
728connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 737connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
729{ 738{
730 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 739 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
731 conf->id, rid, (const char *)rsi); 740 conf->id, rid, (const char *)rsi);
732 741
733 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 742 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
734 743
735 r->hmac_set (octx); 744 r->hmac_set (octx);
737 746
738 delete r; 747 delete r;
739} 748}
740 749
741void 750void
742connection::establish_connection_cb (time_watcher &w) 751connection::establish_connection_cb (ev::timer &w, int revents)
743{ 752{
744 if (!ictx 753 if (!ictx
745 && conf != THISNODE 754 && conf != THISNODE
746 && connectmode != conf_node::C_NEVER 755 && connectmode != conf_node::C_NEVER
747 && connectmode != conf_node::C_DISABLED 756 && connectmode != conf_node::C_DISABLED
748 && NOW > w.at) 757 && !w.is_active ())
749 { 758 {
750 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 759 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
751 760 ? (retry_cnt & 3) + 1
752 if (retry_int < conf->max_retry) 761 : 1 << (retry_cnt >> 2));
753 retry_cnt++;
754 else
755 retry_int = conf->max_retry;
756
757 w.start (NOW + retry_int);
758 762
759 reset_si (); 763 reset_si ();
760 764
765 bool slow = si.prot & PROT_SLOW;
766
761 if (si.prot && !si.host) 767 if (si.prot && !si.host)
768 {
769 slog (L_TRACE, _("%s: connection request (indirect)"), conf->nodename);
770 /*TODO*/ /* start the timer so we don't recurse endlessly */
771 w.start (1);
762 vpn->send_connect_request (conf->id); 772 vpn->send_connect_request (conf->id);
773 }
763 else 774 else
764 { 775 {
776 slog (L_TRACE, _("%s: connection request (direct)"), conf->nodename, !!ictx, !!octx);
777
765 const sockinfo &dsi = forward_si (si); 778 const sockinfo &dsi = forward_si (si);
779
780 slow = slow || (dsi.prot & PROT_SLOW);
766 781
767 if (dsi.valid () && auth_rate_limiter.can (dsi)) 782 if (dsi.valid () && auth_rate_limiter.can (dsi))
768 { 783 {
769 if (retry_cnt < 4) 784 if (retry_cnt < 4)
770 send_auth_request (dsi, true); 785 send_auth_request (dsi, true);
771 else 786 else
772 send_ping (dsi, 0); 787 send_ping (dsi, 0);
773 } 788 }
774 } 789 }
790
791 retry_int *= slow ? 8. : 0.7;
792
793 if (retry_int < conf->max_retry)
794 retry_cnt++;
795 else
796 retry_int = conf->max_retry;
797
798 w.start (retry_int);
775 } 799 }
776} 800}
777 801
778void 802void
779connection::reset_connection () 803connection::reset_connection ()
782 { 806 {
783 slog (L_INFO, _("%s(%s): connection lost"), 807 slog (L_INFO, _("%s(%s): connection lost"),
784 conf->nodename, (const char *)si); 808 conf->nodename, (const char *)si);
785 809
786 if (::conf.script_node_down) 810 if (::conf.script_node_down)
787 run_script (run_script_cb (this, &connection::script_node_down), false); 811 {
812 run_script_cb cb;
813 cb.set<connection, &connection::script_node_down> (this);
814 if (!run_script (cb, false))
815 slog (L_WARN, _("node-down command execution failed, continuing."));
816 }
788 } 817 }
789 818
790 delete ictx; ictx = 0; 819 delete ictx; ictx = 0;
791 delete octx; octx = 0; 820 delete octx; octx = 0;
792#if ENABLE_DNS 821#if ENABLE_DNS
811 840
812 reset_connection (); 841 reset_connection ();
813} 842}
814 843
815void 844void
816connection::rekey_cb (time_watcher &w) 845connection::rekey_cb (ev::timer &w, int revents)
817{ 846{
818 reset_connection (); 847 reset_connection ();
819 establish_connection (); 848 establish_connection ();
820} 849}
821 850
843{ 872{
844 if (ictx && octx) 873 if (ictx && octx)
845 send_data_packet (pkt); 874 send_data_packet (pkt);
846 else 875 else
847 { 876 {
848 if (!broadcast)//DDDD 877 if (!broadcast)
849 data_queue.put (new tap_packet (*pkt)); 878 data_queue.put (new tap_packet (*pkt));
850 879
851 establish_connection (); 880 establish_connection ();
852 } 881 }
853} 882}
865} 894}
866 895
867void 896void
868connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 897connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
869{ 898{
870 last_activity = NOW; 899 last_activity = ev_now ();
871 900
872 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 901 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
873 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 902 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
903
904 if (connectmode == conf_node::C_DISABLED)
905 return;
874 906
875 switch (pkt->typ ()) 907 switch (pkt->typ ())
876 { 908 {
877 case vpn_packet::PT_PING: 909 case vpn_packet::PT_PING:
878 // we send pings instead of auth packets after some retries, 910 // we send pings instead of auth packets after some retries,
938 delete octx; 970 delete octx;
939 971
940 octx = new crypto_ctx (k, 1); 972 octx = new crypto_ctx (k, 1);
941 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 973 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
942 974
943 // compatibility code, remove when no longer required
944 if (p->flags & 1) p->features |= FEATURE_COMPRESSION;
945
946 conf->protocols = p->protocols; 975 conf->protocols = p->protocols;
947 features = p->features & config_packet::get_features (); 976 features = p->features & config_packet::get_features ();
948 977
949 send_auth_response (rsi, p->id, k); 978 send_auth_response (rsi, p->id, k);
950 979
1016 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), 1045 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
1017 conf->nodename, (const char *)rsi, 1046 conf->nodename, (const char *)rsi,
1018 p->prot_major, p->prot_minor); 1047 p->prot_major, p->prot_minor);
1019 1048
1020 if (::conf.script_node_up) 1049 if (::conf.script_node_up)
1021 run_script (run_script_cb (this, &connection::script_node_up), false); 1050 {
1051 run_script_cb cb;
1052 cb.set<connection, &connection::script_node_up> (this);
1053 if (!run_script (cb, false))
1054 slog (L_WARN, _("node-up command execution failed, continuing."));
1055 }
1022 1056
1023 break; 1057 break;
1024 } 1058 }
1025 else 1059 else
1026 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1060 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
1060 { 1094 {
1061 vpn->tap->send (d); 1095 vpn->tap->send (d);
1062 1096
1063 if (si != rsi) 1097 if (si != rsi)
1064 { 1098 {
1065 // fast re-sync on connection changes, useful especially for tcp/ip 1099 // fast re-sync on source address changes, useful especially for tcp/ip
1066 si = rsi; 1100 si = rsi;
1067 1101
1068 slog (L_INFO, _("%s(%s): socket address changed to %s"), 1102 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1069 conf->nodename, (const char *)si, (const char *)rsi); 1103 conf->nodename, (const char *)si, (const char *)rsi);
1070 } 1104 }
1081 case vpn_packet::PT_CONNECT_REQ: 1115 case vpn_packet::PT_CONNECT_REQ:
1082 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1116 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1083 { 1117 {
1084 connect_req_packet *p = (connect_req_packet *) pkt; 1118 connect_req_packet *p = (connect_req_packet *) pkt;
1085 1119
1086 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1120 if (p->id > 0 && p->id <= vpn->conns.size ())
1087 connection *c = vpn->conns[p->id - 1];
1088 conf->protocols = p->protocols;
1089
1090 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1091 conf->id, p->id, c->ictx && c->octx);
1092
1093 if (c->ictx && c->octx)
1094 { 1121 {
1122 connection *c = vpn->conns[p->id - 1];
1123 conf->protocols = p->protocols;
1124
1125 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1126 conf->id, p->id, c->ictx && c->octx);
1127
1128 if (c->ictx && c->octx)
1129 {
1095 // send connect_info packets to both sides, in case one is 1130 // send connect_info packets to both sides, in case one is
1096 // behind a nat firewall (or both ;) 1131 // behind a nat firewall (or both ;)
1097 c->send_connect_info (conf->id, si, conf->protocols); 1132 c->send_connect_info (conf->id, si, conf->protocols);
1098 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1133 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1134 }
1135 else
1136 c->establish_connection ();
1099 } 1137 }
1100 else 1138 else
1101 c->establish_connection (); 1139 slog (L_WARN,
1140 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1141 p->id);
1102 } 1142 }
1103 1143
1104 break; 1144 break;
1105 1145
1106 case vpn_packet::PT_CONNECT_INFO: 1146 case vpn_packet::PT_CONNECT_INFO:
1107 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1147 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1108 { 1148 {
1109 connect_info_packet *p = (connect_info_packet *)pkt; 1149 connect_info_packet *p = (connect_info_packet *)pkt;
1110 1150
1111 if (p->id > 0 && p->id <= vpn->conns.size ()) // hmac-auth does not mean we accept anything 1151 if (p->id > 0 && p->id <= vpn->conns.size ())
1112 { 1152 {
1113 connection *c = vpn->conns[p->id - 1]; 1153 connection *c = vpn->conns[p->id - 1];
1114 1154
1115 c->conf->protocols = p->protocols; 1155 c->conf->protocols = p->protocols;
1116 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1156 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1122 const sockinfo &dsi = forward_si (p->si); 1162 const sockinfo &dsi = forward_si (p->si);
1123 1163
1124 if (dsi.valid ()) 1164 if (dsi.valid ())
1125 c->send_auth_request (dsi, true); 1165 c->send_auth_request (dsi, true);
1126 } 1166 }
1167 else
1168 slog (L_WARN,
1169 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1170 p->id);
1127 } 1171 }
1128 1172
1129 break; 1173 break;
1130 1174
1131 default: 1175 default:
1132 send_reset (rsi); 1176 send_reset (rsi);
1133 break; 1177 break;
1134 } 1178 }
1135} 1179}
1136 1180
1137void connection::keepalive_cb (time_watcher &w) 1181void connection::keepalive_cb (ev::timer &w, int revents)
1138{ 1182{
1139 if (NOW >= last_activity + ::conf.keepalive + 30) 1183 if (ev_now () >= last_activity + ::conf.keepalive + 30)
1140 { 1184 {
1141 reset_connection (); 1185 reset_connection ();
1142 establish_connection (); 1186 establish_connection ();
1143 } 1187 }
1144 else if (NOW < last_activity + ::conf.keepalive) 1188 else if (ev_now () < last_activity + ::conf.keepalive)
1145 w.start (last_activity + ::conf.keepalive); 1189 w.start (last_activity + ::conf.keepalive - ev::now ());
1146 else if (conf->connectmode != conf_node::C_ONDEMAND 1190 else if (conf->connectmode != conf_node::C_ONDEMAND
1147 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1191 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1148 { 1192 {
1149 send_ping (si); 1193 send_ping (si);
1150 w.start (NOW + 5); 1194 w.start (5);
1151 } 1195 }
1152 else if (NOW < last_activity + ::conf.keepalive + 10) 1196 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1153 // hold ondemand connections implicitly a few seconds longer 1197 // hold ondemand connections implicitly a few seconds longer
1154 // should delete octx, though, or something like that ;) 1198 // should delete octx, though, or something like that ;)
1155 w.start (last_activity + ::conf.keepalive + 10); 1199 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1156 else 1200 else
1157 reset_connection (); 1201 reset_connection ();
1158} 1202}
1159 1203
1160void connection::send_connect_request (int id) 1204void connection::send_connect_request (int id)
1166 send_vpn_packet (p, si); 1210 send_vpn_packet (p, si);
1167 1211
1168 delete p; 1212 delete p;
1169} 1213}
1170 1214
1215void connection::script_init_env (const char *ext)
1216{
1217 char *env;
1218 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1219 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1220 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1221 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1222 conf->id & 0xff); putenv (env);
1223}
1224
1171void connection::script_node () 1225void connection::script_init_connect_env ()
1172{ 1226{
1173 vpn->script_if_up (); 1227 vpn->script_init_env ();
1174 1228
1175 char *env; 1229 char *env;
1176 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1230 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1177 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1231 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1178 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1232 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1179 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1233 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1180} 1234}
1181 1235
1182const char *connection::script_node_up () 1236const char *connection::script_node_up ()
1183{ 1237{
1184 script_node (); 1238 script_init_connect_env ();
1185 1239
1186 putenv ("STATE=up"); 1240 putenv ((char *)"STATE=up");
1187 1241
1242 char *filename;
1243 asprintf (&filename,
1244 "%s/%s",
1245 confbase,
1188 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1246 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1247
1248 return filename;
1189} 1249}
1190 1250
1191const char *connection::script_node_down () 1251const char *connection::script_node_down ()
1192{ 1252{
1193 script_node (); 1253 script_init_connect_env ();
1194 1254
1195 putenv ("STATE=down"); 1255 putenv ((char *)"STATE=down");
1196 1256
1197 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1257 char *filename;
1258 asprintf (&filename,
1259 "%s/%s",
1260 confbase,
1261 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1262
1263 return filename;
1198} 1264}
1199 1265
1200connection::connection (struct vpn *vpn, conf_node *conf) 1266connection::connection (struct vpn *vpn, conf_node *conf)
1201: vpn(vpn), conf(conf) 1267: vpn(vpn), conf(conf)
1202, rekey (this, &connection::rekey_cb)
1203, keepalive (this, &connection::keepalive_cb)
1204, establish_connection (this, &connection::establish_connection_cb)
1205#if ENABLE_DNS 1268#if ENABLE_DNS
1206, dns (0) 1269, dns (0)
1207#endif 1270#endif
1208{ 1271{
1272 rekey .set<connection, &connection::rekey_cb > (this);
1273 keepalive .set<connection, &connection::keepalive_cb > (this);
1274 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1275
1209 octx = ictx = 0; 1276 octx = ictx = 0;
1210 retry_cnt = 0; 1277 retry_cnt = 0;
1211 1278
1212 if (!conf->protocols) // make sure some protocol is enabled 1279 if (!conf->protocols) // make sure some protocol is enabled
1213 conf->protocols = PROT_UDPv4; 1280 conf->protocols = PROT_UDPv4;

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines