ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.4 by pcg, Wed Apr 2 21:02:25 2003 UTC vs.
Revision 1.59 by pcg, Mon Dec 5 12:58:09 2005 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2005 Marc Lehmann <gvpe@schmorp.de>
3 4
5 This file is part of GVPE.
6
4 This program is free software; you can redistribute it and/or modify 7 GVPE is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by 8 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or 9 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version. 10 (at your option) any later version.
8 11
9 This program is distributed in the hope that it will be useful, 12 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details. 15 GNU General Public License for more details.
13 16
14 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software 18 along with gvpe; if not, write to the Free Software
16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17*/ 20*/
18 21
19#include "config.h" 22#include "config.h"
20
21extern "C" {
22# include "lzf/lzf.h"
23}
24 23
25#include <list> 24#include <list>
26 25
27#include <openssl/rand.h> 26#include <openssl/rand.h>
28#include <openssl/evp.h> 27#include <openssl/evp.h>
29#include <openssl/rsa.h> 28#include <openssl/rsa.h>
30#include <openssl/err.h> 29#include <openssl/err.h>
31
32#include "gettext.h"
33 30
34#include "conf.h" 31#include "conf.h"
35#include "slog.h" 32#include "slog.h"
36#include "device.h" 33#include "device.h"
37#include "vpn.h" 34#include "vpn.h"
38#include "connection.h" 35#include "connection.h"
39 36
37#include "netcompat.h"
38
40#if !HAVE_RAND_PSEUDO_BYTES 39#if !HAVE_RAND_PSEUDO_BYTES
41# define RAND_pseudo_bytes RAND_bytes 40# define RAND_pseudo_bytes RAND_bytes
42#endif 41#endif
43 42
44#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 43#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
45 44
45#define ULTRA_FAST 1
46#define HLOG 15
47#include "lzf/lzf.h"
48#include "lzf/lzf_c.c"
49#include "lzf/lzf_d.c"
50
46struct crypto_ctx 51struct crypto_ctx
47{ 52{
48 EVP_CIPHER_CTX cctx; 53 EVP_CIPHER_CTX cctx;
49 HMAC_CTX hctx; 54 HMAC_CTX hctx;
50 55
53}; 58};
54 59
55crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc) 60crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
56{ 61{
57 EVP_CIPHER_CTX_init (&cctx); 62 EVP_CIPHER_CTX_init (&cctx);
58 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); 63 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
59 HMAC_CTX_init (&hctx); 64 HMAC_CTX_init (&hctx);
60 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0); 65 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
61} 66}
62 67
63crypto_ctx::~crypto_ctx () 68crypto_ctx::~crypto_ctx ()
64{ 69{
65 EVP_CIPHER_CTX_cleanup (&cctx); 70 require (EVP_CIPHER_CTX_cleanup (&cctx));
66 HMAC_CTX_cleanup (&hctx); 71 HMAC_CTX_cleanup (&hctx);
67} 72}
68 73
69static void 74static void
70rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h) 75rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
71{ 76{
72 EVP_MD_CTX ctx; 77 EVP_MD_CTX ctx;
73 78
74 EVP_MD_CTX_init (&ctx); 79 EVP_MD_CTX_init (&ctx);
75 EVP_DigestInit (&ctx, RSA_HASH); 80 require (EVP_DigestInit (&ctx, RSA_HASH));
76 EVP_DigestUpdate(&ctx, &chg, sizeof chg); 81 require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
77 EVP_DigestUpdate(&ctx, &id, sizeof id); 82 require (EVP_DigestUpdate(&ctx, &id, sizeof id));
78 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0); 83 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
79 EVP_MD_CTX_cleanup (&ctx); 84 EVP_MD_CTX_cleanup (&ctx);
80} 85}
81 86
82struct rsa_entry { 87struct rsa_entry {
83 tstamp expire; 88 tstamp expire;
88struct rsa_cache : list<rsa_entry> 93struct rsa_cache : list<rsa_entry>
89{ 94{
90 void cleaner_cb (time_watcher &w); time_watcher cleaner; 95 void cleaner_cb (time_watcher &w); time_watcher cleaner;
91 96
92 bool find (const rsaid &id, rsachallenge &chg) 97 bool find (const rsaid &id, rsachallenge &chg)
93 { 98 {
94 for (iterator i = begin (); i != end (); ++i) 99 for (iterator i = begin (); i != end (); ++i)
95 { 100 {
96 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW) 101 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
97 { 102 {
98 memcpy (&chg, &i->chg, sizeof chg); 103 memcpy (&chg, &i->chg, sizeof chg);
99 104
100 erase (i); 105 erase (i);
101 return true; 106 return true;
102 } 107 }
103 } 108 }
104 109
105 if (cleaner.at < NOW) 110 if (cleaner.at < NOW)
106 cleaner.start (NOW + RSA_TTL); 111 cleaner.start (NOW + RSA_TTL);
107 112
108 return false; 113 return false;
109 } 114 }
110 115
111 void gen (rsaid &id, rsachallenge &chg) 116 void gen (rsaid &id, rsachallenge &chg)
112 { 117 {
113 rsa_entry e; 118 rsa_entry e;
114 119
115 RAND_bytes ((unsigned char *)&id, sizeof id); 120 RAND_bytes ((unsigned char *)&id, sizeof id);
116 RAND_bytes ((unsigned char *)&chg, sizeof chg); 121 RAND_bytes ((unsigned char *)&chg, sizeof chg);
117 122
118 e.expire = NOW + RSA_TTL; 123 e.expire = NOW + RSA_TTL;
119 e.id = id; 124 e.id = id;
120 memcpy (&e.chg, &chg, sizeof chg); 125 memcpy (&e.chg, &chg, sizeof chg);
121 126
122 push_back (e); 127 push_back (e);
123 128
124 if (cleaner.at < NOW) 129 if (cleaner.at < NOW)
125 cleaner.start (NOW + RSA_TTL); 130 cleaner.start (NOW + RSA_TTL);
126 } 131 }
127 132
128 rsa_cache () 133 rsa_cache ()
129 : cleaner (this, &rsa_cache::cleaner_cb) 134 : cleaner (this, &rsa_cache::cleaner_cb)
130 { } 135 { }
131 136
132} rsa_cache; 137} rsa_cache;
133 138
134void rsa_cache::cleaner_cb (time_watcher &w) 139void rsa_cache::cleaner_cb (time_watcher &w)
135{ 140{
136 if (empty ()) 141 if (!empty ())
137 w.at = TSTAMP_CANCEL;
138 else
139 { 142 {
140 w.at = NOW + RSA_TTL; 143 w.start (NOW + RSA_TTL);
141 144
142 for (iterator i = begin (); i != end (); ) 145 for (iterator i = begin (); i != end (); )
143 if (i->expire <= NOW) 146 if (i->expire <= NOW)
144 i = erase (i); 147 i = erase (i);
145 else 148 else
147 } 150 }
148} 151}
149 152
150////////////////////////////////////////////////////////////////////////////// 153//////////////////////////////////////////////////////////////////////////////
151 154
152void pkt_queue::put (tap_packet *p) 155void pkt_queue::put (net_packet *p)
153{ 156{
154 if (queue[i]) 157 if (queue[i])
155 { 158 {
156 delete queue[i]; 159 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH; 160 j = (j + 1) % QUEUEDEPTH;
160 queue[i] = p; 163 queue[i] = p;
161 164
162 i = (i + 1) % QUEUEDEPTH; 165 i = (i + 1) % QUEUEDEPTH;
163} 166}
164 167
165tap_packet *pkt_queue::get () 168net_packet *pkt_queue::get ()
166{ 169{
167 tap_packet *p = queue[j]; 170 net_packet *p = queue[j];
168 171
169 if (p) 172 if (p)
170 { 173 {
171 queue[j] = 0; 174 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH; 175 j = (j + 1) % QUEUEDEPTH;
197// only do action once every x seconds per host whole allowing bursts. 200// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 201// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 202// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 203struct net_rate_limiter : list<net_rateinfo>
201{ 204{
202 static const double ALPHA = 1. - 1. / 90.; // allow bursts 205# define NRL_ALPHA (1. - 1. / 600.) // allow bursts
203 static const double CUTOFF = 20.; // one event every CUTOFF seconds 206# define NRL_CUTOFF 10. // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 207# define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
208# define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
205 209
206 bool can (const sockinfo &si) { return can((u32)si.host); } 210 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 211 bool can (u32 host);
208}; 212};
209 213
210net_rate_limiter auth_rate_limiter, reset_rate_limiter; 214net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211 215
214 iterator i; 218 iterator i;
215 219
216 for (i = begin (); i != end (); ) 220 for (i = begin (); i != end (); )
217 if (i->host == host) 221 if (i->host == host)
218 break; 222 break;
219 else if (i->last < NOW - EXPIRE) 223 else if (i->last < NOW - NRL_EXPIRE)
220 i = erase (i); 224 i = erase (i);
221 else 225 else
222 i++; 226 i++;
223 227
224 if (i == end ()) 228 if (i == end ())
225 { 229 {
226 net_rateinfo ri; 230 net_rateinfo ri;
227 231
228 ri.host = host; 232 ri.host = host;
229 ri.pcnt = 1.; 233 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 234 ri.diff = NRL_MAXDIF;
231 ri.last = NOW; 235 ri.last = NOW;
232 236
233 push_front (ri); 237 push_front (ri);
234 238
235 return true; 239 return true;
237 else 241 else
238 { 242 {
239 net_rateinfo ri (*i); 243 net_rateinfo ri (*i);
240 erase (i); 244 erase (i);
241 245
242 ri.pcnt = ri.pcnt * ALPHA; 246 ri.pcnt = ri.pcnt * NRL_ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 247 ri.diff = ri.diff * NRL_ALPHA + (NOW - ri.last);
244 248
245 ri.last = NOW; 249 ri.last = NOW;
246 250
251 double dif = ri.diff / ri.pcnt;
252
247 bool send = ri.diff / ri.pcnt > CUTOFF; 253 bool send = dif > NRL_CUTOFF;
248 254
255 if (dif > NRL_MAXDIF)
256 {
257 ri.pcnt = 1.;
258 ri.diff = NRL_MAXDIF;
259 }
249 if (send) 260 else if (send)
250 ri.pcnt++; 261 ri.pcnt++;
251 262
252 push_front (ri); 263 push_front (ri);
253 264
254 return send; 265 return send;
285 hmac_gen (ctx); 296 hmac_gen (ctx);
286 297
287 return !memcmp (hmac, hmac_digest, HMACLENGTH); 298 return !memcmp (hmac, hmac_digest, HMACLENGTH);
288} 299}
289 300
290void vpn_packet::set_hdr (ptype type, unsigned int dst) 301void vpn_packet::set_hdr (ptype type_, unsigned int dst)
291{ 302{
292 this->type = type; 303 type = type_;
293 304
294 int src = THISNODE->id; 305 int src = THISNODE->id;
295 306
296 src1 = src; 307 src1 = src;
297 srcdst = ((src >> 8) << 4) | (dst >> 8); 308 srcdst = ((src >> 8) << 4) | (dst >> 8);
299} 310}
300 311
301#define MAXVPNDATA (MAX_MTU - 6 - 6) 312#define MAXVPNDATA (MAX_MTU - 6 - 6)
302#define DATAHDR (sizeof (u32) + RAND_SIZE) 313#define DATAHDR (sizeof (u32) + RAND_SIZE)
303 314
304struct vpndata_packet:vpn_packet 315struct vpndata_packet : vpn_packet
305 { 316 {
306 u8 data[MAXVPNDATA + DATAHDR]; // seqno 317 u8 data[MAXVPNDATA + DATAHDR]; // seqno
307 318
308 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno); 319 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
309 tap_packet *unpack (connection *conn, u32 &seqno); 320 tap_packet *unpack (connection *conn, u32 &seqno);
322 int outl = 0, outl2; 333 int outl = 0, outl2;
323 ptype type = PT_DATA_UNCOMPRESSED; 334 ptype type = PT_DATA_UNCOMPRESSED;
324 335
325#if ENABLE_COMPRESSION 336#if ENABLE_COMPRESSION
326 u8 cdata[MAX_MTU]; 337 u8 cdata[MAX_MTU];
327 u32 cl;
328 338
339 if (conn->features & ENABLE_COMPRESSION)
340 {
329 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 341 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
342
330 if (cl) 343 if (cl)
331 { 344 {
332 type = PT_DATA_COMPRESSED; 345 type = PT_DATA_COMPRESSED;
333 d = cdata; 346 d = cdata;
334 l = cl + 2; 347 l = cl + 2;
335 348
336 d[0] = cl >> 8; 349 d[0] = cl >> 8;
337 d[1] = cl; 350 d[1] = cl;
351 }
338 } 352 }
339#endif 353#endif
340 354
341 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 355 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
342 356
343 struct { 357 struct {
344#if RAND_SIZE 358#if RAND_SIZE
345 u8 rnd[RAND_SIZE]; 359 u8 rnd[RAND_SIZE];
346#endif 360#endif
350 datahdr.seqno = ntohl (seqno); 364 datahdr.seqno = ntohl (seqno);
351#if RAND_SIZE 365#if RAND_SIZE
352 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 366 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
353#endif 367#endif
354 368
355 EVP_EncryptUpdate (cctx, 369 require (EVP_EncryptUpdate (cctx,
356 (unsigned char *) data + outl, &outl2, 370 (unsigned char *) data + outl, &outl2,
357 (unsigned char *) &datahdr, DATAHDR); 371 (unsigned char *) &datahdr, DATAHDR));
358 outl += outl2; 372 outl += outl2;
359 373
360 EVP_EncryptUpdate (cctx, 374 require (EVP_EncryptUpdate (cctx,
361 (unsigned char *) data + outl, &outl2, 375 (unsigned char *) data + outl, &outl2,
362 (unsigned char *) d, l); 376 (unsigned char *) d, l));
363 outl += outl2; 377 outl += outl2;
364 378
365 EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2); 379 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
366 outl += outl2; 380 outl += outl2;
367 381
368 len = outl + data_hdr_size (); 382 len = outl + data_hdr_size ();
369 383
370 set_hdr (type, dst); 384 set_hdr (type, dst);
379 int outl = 0, outl2; 393 int outl = 0, outl2;
380 tap_packet *p = new tap_packet; 394 tap_packet *p = new tap_packet;
381 u8 *d; 395 u8 *d;
382 u32 l = len - data_hdr_size (); 396 u32 l = len - data_hdr_size ();
383 397
384 EVP_DecryptInit_ex (cctx, 0, 0, 0, 0); 398 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
385 399
386#if ENABLE_COMPRESSION 400#if ENABLE_COMPRESSION
387 u8 cdata[MAX_MTU]; 401 u8 cdata[MAX_MTU];
388 402
389 if (type == PT_DATA_COMPRESSED) 403 if (type == PT_DATA_COMPRESSED)
391 else 405 else
392#endif 406#endif
393 d = &(*p)[6 + 6 - DATAHDR]; 407 d = &(*p)[6 + 6 - DATAHDR];
394 408
395 /* this overwrites part of the src mac, but we fix that later */ 409 /* this overwrites part of the src mac, but we fix that later */
396 EVP_DecryptUpdate (cctx, 410 require (EVP_DecryptUpdate (cctx,
397 d, &outl2, 411 d, &outl2,
398 (unsigned char *)&data, len - data_hdr_size ()); 412 (unsigned char *)&data, len - data_hdr_size ()));
399 outl += outl2; 413 outl += outl2;
400 414
401 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 415 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
402 outl += outl2; 416 outl += outl2;
403 417
404 seqno = ntohl (*(u32 *)(d + RAND_SIZE)); 418 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
405 419
406 id2mac (dst () ? dst() : THISNODE->id, p->dst); 420 id2mac (dst () ? dst() : THISNODE->id, p->dst);
435{ 449{
436 // actually, hmaclen cannot be checked because the hmac 450 // actually, hmaclen cannot be checked because the hmac
437 // field comes before this data, so peers with other 451 // field comes before this data, so peers with other
438 // hmacs simply will not work. 452 // hmacs simply will not work.
439 u8 prot_major, prot_minor, randsize, hmaclen; 453 u8 prot_major, prot_minor, randsize, hmaclen;
440 u8 flags, challengelen, pad2, pad3; 454 u8 flags, challengelen, features, pad3;
441 u32 cipher_nid, digest_nid, hmac_nid; 455 u32 cipher_nid, digest_nid, hmac_nid;
442
443 const u8 curflags () const
444 {
445 return 0x80
446 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
447 }
448 456
449 void setup (ptype type, int dst); 457 void setup (ptype type, int dst);
450 bool chk_config () const; 458 bool chk_config () const;
459
460 static u8 get_features ()
461 {
462 u8 f = 0;
463#if ENABLE_COMPRESSION
464 f |= FEATURE_COMPRESSION;
465#endif
466#if ENABLE_ROHC
467 f |= FEATURE_ROHC;
468#endif
469#if ENABLE_BRIDGING
470 f |= FEATURE_BRIDGING;
471#endif
472 return f;
473 }
451}; 474};
452 475
453void config_packet::setup (ptype type, int dst) 476void config_packet::setup (ptype type, int dst)
454{ 477{
455 prot_major = PROTOCOL_MAJOR; 478 prot_major = PROTOCOL_MAJOR;
456 prot_minor = PROTOCOL_MINOR; 479 prot_minor = PROTOCOL_MINOR;
457 randsize = RAND_SIZE; 480 randsize = RAND_SIZE;
458 hmaclen = HMACLENGTH; 481 hmaclen = HMACLENGTH;
459 flags = curflags (); 482 flags = 0;
460 challengelen = sizeof (rsachallenge); 483 challengelen = sizeof (rsachallenge);
484 features = get_features ();
461 485
462 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 486 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
463 digest_nid = htonl (EVP_MD_type (RSA_HASH)); 487 digest_nid = htonl (EVP_MD_type (RSA_HASH));
464 hmac_nid = htonl (EVP_MD_type (DIGEST)); 488 hmac_nid = htonl (EVP_MD_type (DIGEST));
465 489
467 set_hdr (type, dst); 491 set_hdr (type, dst);
468} 492}
469 493
470bool config_packet::chk_config () const 494bool config_packet::chk_config () const
471{ 495{
472 return prot_major == PROTOCOL_MAJOR 496 if (prot_major != PROTOCOL_MAJOR)
473 && randsize == RAND_SIZE 497 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
474 && hmaclen == HMACLENGTH 498 else if (randsize != RAND_SIZE)
475 && flags == curflags () 499 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
500 else if (hmaclen != HMACLENGTH)
501 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
476 && challengelen == sizeof (rsachallenge) 502 else if (challengelen != sizeof (rsachallenge))
503 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
477 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 504 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
505 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 506 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
507 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 508 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
509 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
510 else
511 return true;
512
513 return false;
480} 514}
481 515
482struct auth_req_packet : config_packet 516struct auth_req_packet : config_packet
483{ 517{
484 char magic[8]; 518 char magic[8];
485 u8 initiate; // false if this is just an automatic reply 519 u8 initiate; // false if this is just an automatic reply
486 u8 protocols; // supported protocols (will get patches on forward) 520 u8 protocols; // supported protocols (will be patched on forward)
487 u8 pad2, pad3; 521 u8 pad2, pad3;
488 rsaid id; 522 rsaid id;
489 rsaencrdata encr; 523 rsaencrdata encr;
490 524
491 auth_req_packet (int dst, bool initiate_, u8 protocols_) 525 auth_req_packet (int dst, bool initiate_, u8 protocols_)
546}; 580};
547 581
548///////////////////////////////////////////////////////////////////////////// 582/////////////////////////////////////////////////////////////////////////////
549 583
550void 584void
585connection::connection_established ()
586{
587 if (ictx && octx)
588 {
589 connectmode = conf->connectmode;
590
591 // make sure rekeying timeouts are slightly asymmetric
592 rekey.start (NOW + ::conf.rekey
593 + (conf->id > THISNODE->id ? 10 : 0));
594 keepalive.start (NOW + ::conf.keepalive);
595
596 // send queued packets
597 if (ictx && octx)
598 {
599 while (tap_packet *p = (tap_packet *)data_queue.get ())
600 {
601 send_data_packet (p);
602 delete p;
603 }
604
605 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
606 {
607 send_vpn_packet (p, si, IPTOS_RELIABILITY);
608 delete p;
609 }
610 }
611 }
612 else
613 {
614 retry_cnt = 0;
615 establish_connection.start (NOW + 5);
616 keepalive.stop ();
617 rekey.stop ();
618 }
619}
620
621void
551connection::reset_dstaddr () 622connection::reset_si ()
552{ 623{
553 si.set (conf);
554}
555
556void
557connection::send_ping (const sockinfo &si, u8 pong)
558{
559 ping_packet *pkt = new ping_packet;
560
561 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
562 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
563
564 delete pkt;
565}
566
567void
568connection::send_reset (const sockinfo &si)
569{
570 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
571 {
572 config_packet *pkt = new config_packet;
573
574 pkt->setup (vpn_packet::PT_RESET, conf->id);
575 send_vpn_packet (pkt, si, IPTOS_MINCOST);
576
577 delete pkt;
578 }
579}
580
581void
582connection::send_auth_request (const sockinfo &si, bool initiate)
583{
584 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
585
586 protocol = best_protocol (THISNODE->protocols & conf->protocols); 624 protocol = best_protocol (THISNODE->protocols & conf->protocols);
587 625
588 // mask out protocols we cannot establish 626 // mask out protocols we cannot establish
589 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 627 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
590 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 628 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
629 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
591 630
592 if (protocol) 631 if (protocol
632 && (!conf->can_direct (THISNODE)
633 || !THISNODE->can_direct (conf)))
634 {
635 slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename);
636 protocol = 0;
593 { 637 }
594 rsachallenge chg;
595 638
596 rsa_cache.gen (pkt->id, chg); 639 si.set (conf, protocol);
640}
597 641
598 if (0 > RSA_public_encrypt (sizeof chg, 642// ensure sockinfo is valid, forward if necessary
599 (unsigned char *)&chg, (unsigned char *)&pkt->encr, 643const sockinfo &
600 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 644connection::forward_si (const sockinfo &si) const
601 fatal ("RSA_public_encrypt error"); 645{
646 if (!si.valid ())
647 {
648 connection *r = vpn->find_router ();
602 649
603 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 650 if (r)
651 {
652 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s (%s)"),
653 conf->nodename, r->conf->nodename, (const char *)r->si);
654 return r->si;
655 }
656 else
657 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
658 conf->nodename);
659 }
604 660
605 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 661 return si;
662}
663
664void
665connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
666{
667 if (!vpn->send_vpn_packet (pkt, si, tos))
668 reset_connection ();
669}
670
671void
672connection::send_ping (const sockinfo &si, u8 pong)
673{
674 ping_packet *pkt = new ping_packet;
675
676 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
677 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
678
679 delete pkt;
680}
681
682void
683connection::send_reset (const sockinfo &si)
684{
685 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
686 {
687 config_packet *pkt = new config_packet;
688
689 pkt->setup (vpn_packet::PT_RESET, conf->id);
690 send_vpn_packet (pkt, si, IPTOS_MINCOST);
606 691
607 delete pkt; 692 delete pkt;
608 } 693 }
609 else 694}
610 ; // silently fail 695
696void
697connection::send_auth_request (const sockinfo &si, bool initiate)
698{
699 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
700
701 rsachallenge chg;
702 rsa_cache.gen (pkt->id, chg);
703 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
704
705 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
706
707 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
708
709 delete pkt;
611} 710}
612 711
613void 712void
614connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg) 713connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
615{ 714{
629} 728}
630 729
631void 730void
632connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 731connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
633{ 732{
634 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 733 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
635 conf->id, rid, (const char *)rsi); 734 conf->id, rid, (const char *)rsi);
636 735
637 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 736 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
638 737
639 r->hmac_set (octx); 738 r->hmac_set (octx);
643} 742}
644 743
645void 744void
646connection::establish_connection_cb (time_watcher &w) 745connection::establish_connection_cb (time_watcher &w)
647{ 746{
648 if (ictx || conf == THISNODE 747 if (!ictx
748 && conf != THISNODE
649 || connectmode == conf_node::C_NEVER 749 && connectmode != conf_node::C_NEVER
650 || connectmode == conf_node::C_DISABLED) 750 && connectmode != conf_node::C_DISABLED
651 w.at = TSTAMP_CANCEL; 751 && NOW > w.at)
652 else if (w.at <= NOW)
653 { 752 {
654 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 753 w.at = TSTAMP_MAX; // first disable this watcher in case of recursion
655 754
656 if (retry_int < 3600 * 8) 755 double retry_int = double (retry_cnt & 3
756 ? (retry_cnt & 3) + 1
757 : 1 << (retry_cnt >> 2));
758
759 reset_si ();
760
761 bool slow = si.prot & PROT_SLOW;
762
763 if (si.prot && !si.host)
764 vpn->send_connect_request (conf->id);
765 else
766 {
767 const sockinfo &dsi = forward_si (si);
768
769 slow = slow || (dsi.prot & PROT_SLOW);
770
771 if (dsi.valid () && auth_rate_limiter.can (dsi))
772 {
773 if (retry_cnt < 4)
774 send_auth_request (dsi, true);
775 else
776 send_ping (dsi, 0);
777 }
778 }
779
780 retry_int *= slow ? 8. : 0.7;
781
782 if (retry_int < conf->max_retry)
657 retry_cnt++; 783 retry_cnt++;
658
659 w.at = NOW + retry_int;
660
661 if (conf->hostname)
662 {
663 reset_dstaddr ();
664 if (si.host && auth_rate_limiter.can (si))
665 {
666 if (retry_cnt < 4)
667 send_auth_request (si, true);
668 else
669 send_ping (si, 0);
670 }
671 }
672 else 784 else
673 vpn->connect_request (conf->id); 785 retry_int = conf->max_retry;
786
787 w.start (NOW + retry_int);
674 } 788 }
675} 789}
676 790
677void 791void
678connection::reset_connection () 792connection::reset_connection ()
681 { 795 {
682 slog (L_INFO, _("%s(%s): connection lost"), 796 slog (L_INFO, _("%s(%s): connection lost"),
683 conf->nodename, (const char *)si); 797 conf->nodename, (const char *)si);
684 798
685 if (::conf.script_node_down) 799 if (::conf.script_node_down)
686 run_script (run_script_cb (this, &connection::script_node_down), false); 800 if (!run_script (run_script_cb (this, &connection::script_node_down), false))
801 slog (L_WARN, _("node-down command execution failed, continuing."));
687 } 802 }
688 803
689 delete ictx; ictx = 0; 804 delete ictx; ictx = 0;
690 delete octx; octx = 0; 805 delete octx; octx = 0;
806#if ENABLE_DNS
807 dnsv4_reset_connection ();
808#endif
691 809
692 si.host= 0; 810 si.host = 0;
693 811
694 last_activity = 0; 812 last_activity = 0;
695 retry_cnt = 0; 813 retry_cnt = 0;
696 814
697 rekey.reset (); 815 rekey.stop ();
698 keepalive.reset (); 816 keepalive.stop ();
699 establish_connection.reset (); 817 establish_connection.stop ();
700} 818}
701 819
702void 820void
703connection::shutdown () 821connection::shutdown ()
704{ 822{
709} 827}
710 828
711void 829void
712connection::rekey_cb (time_watcher &w) 830connection::rekey_cb (time_watcher &w)
713{ 831{
714 w.at = TSTAMP_CANCEL;
715
716 reset_connection (); 832 reset_connection ();
717 establish_connection (); 833 establish_connection ();
718} 834}
719 835
720void 836void
721connection::send_data_packet (tap_packet *pkt, bool broadcast) 837connection::send_data_packet (tap_packet *pkt)
722{ 838{
723 vpndata_packet *p = new vpndata_packet; 839 vpndata_packet *p = new vpndata_packet;
724 int tos = 0; 840 int tos = 0;
725 841
726 if (conf->inherit_tos 842 // I am not hilarious about peeking into packets, but so be it.
727 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 843 if (conf->inherit_tos && pkt->is_ipv4 ())
728 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
729 tos = (*pkt)[15] & IPTOS_TOS_MASK; 844 tos = (*pkt)[15] & IPTOS_TOS_MASK;
730 845
731 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 846 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
732 send_vpn_packet (p, si, tos); 847 send_vpn_packet (p, si, tos);
733 848
734 delete p; 849 delete p;
735 850
736 if (oseqno > MAX_SEQNO) 851 if (oseqno > MAX_SEQNO)
737 rekey (); 852 rekey ();
738} 853}
739 854
740void 855void
741connection::inject_data_packet (tap_packet *pkt, bool broadcast) 856connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/)
742{ 857{
743 if (ictx && octx) 858 if (ictx && octx)
744 send_data_packet (pkt, broadcast); 859 send_data_packet (pkt);
745 else 860 else
746 { 861 {
747 if (!broadcast)//DDDD 862 if (!broadcast)
748 queue.put (new tap_packet (*pkt)); 863 data_queue.put (new tap_packet (*pkt));
864
865 establish_connection ();
866 }
867}
868
869void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
870{
871 if (ictx && octx)
872 send_vpn_packet (pkt, si, tos);
873 else
874 {
875 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
749 876
750 establish_connection (); 877 establish_connection ();
751 } 878 }
752} 879}
753 880
812 if (p->initiate) 939 if (p->initiate)
813 send_auth_request (rsi, false); 940 send_auth_request (rsi, false);
814 941
815 rsachallenge k; 942 rsachallenge k;
816 943
817 if (0 > RSA_private_decrypt (sizeof (p->encr), 944 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
818 (unsigned char *)&p->encr, (unsigned char *)&k, 945 {
819 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
820 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 946 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
821 conf->nodename, (const char *)rsi); 947 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
948 break;
949 }
822 else 950 else
823 { 951 {
824 retry_cnt = 0;
825 establish_connection.set (NOW + 8); //? ;)
826 keepalive.reset ();
827 rekey.reset ();
828
829 delete ictx;
830 ictx = 0;
831
832 delete octx; 952 delete octx;
833 953
834 octx = new crypto_ctx (k, 1); 954 octx = new crypto_ctx (k, 1);
835 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 955 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
836 956
837 conf->protocols = p->protocols; 957 conf->protocols = p->protocols;
958 features = p->features & config_packet::get_features ();
959
838 send_auth_response (rsi, p->id, k); 960 send_auth_response (rsi, p->id, k);
961
962 connection_established ();
839 963
840 break; 964 break;
841 } 965 }
842 } 966 }
967 else
968 slog (L_WARN, _("%s(%s): protocol mismatch"),
969 conf->nodename, (const char *)rsi);
843 970
844 send_reset (rsi); 971 send_reset (rsi);
845 } 972 }
846 973
847 break; 974 break;
860 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 987 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
861 988
862 rsachallenge chg; 989 rsachallenge chg;
863 990
864 if (!rsa_cache.find (p->id, chg)) 991 if (!rsa_cache.find (p->id, chg))
992 {
865 slog (L_ERR, _("%s(%s): unrequested auth response"), 993 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
866 conf->nodename, (const char *)rsi); 994 conf->nodename, (const char *)rsi);
995 break;
996 }
867 else 997 else
868 { 998 {
869 crypto_ctx *cctx = new crypto_ctx (chg, 0); 999 crypto_ctx *cctx = new crypto_ctx (chg, 0);
870 1000
871 if (!p->hmac_chk (cctx)) 1001 if (!p->hmac_chk (cctx))
1002 {
872 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 1003 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
873 "could be an attack, or just corruption or an synchronization error"), 1004 "could be an attack, or just corruption or a synchronization error"),
874 conf->nodename, (const char *)rsi); 1005 conf->nodename, (const char *)rsi);
1006 break;
1007 }
875 else 1008 else
876 { 1009 {
877 rsaresponse h; 1010 rsaresponse h;
878 1011
879 rsa_hash (p->id, chg, h); 1012 rsa_hash (p->id, chg, h);
885 delete ictx; ictx = cctx; 1018 delete ictx; ictx = cctx;
886 1019
887 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 1020 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
888 1021
889 si = rsi; 1022 si = rsi;
1023 protocol = rsi.prot;
890 1024
891 rekey.set (NOW + ::conf.rekey); 1025 connection_established ();
892 keepalive.set (NOW + ::conf.keepalive);
893 1026
894 // send queued packets
895 while (tap_packet *p = queue.get ())
896 {
897 send_data_packet (p);
898 delete p;
899 }
900
901 connectmode = conf->connectmode;
902
903 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"), 1027 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
904 conf->nodename, (const char *)rsi, 1028 conf->nodename, (const char *)rsi,
905 strprotocol (protocol),
906 p->prot_major, p->prot_minor); 1029 p->prot_major, p->prot_minor);
907 1030
908 if (::conf.script_node_up) 1031 if (::conf.script_node_up)
909 run_script (run_script_cb (this, &connection::script_node_up), false); 1032 if (!run_script (run_script_cb (this, &connection::script_node_up), false))
1033 slog (L_WARN, _("node-up command execution failed, continuing."));
910 1034
911 break; 1035 break;
912 } 1036 }
913 else 1037 else
914 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1038 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
933 1057
934 if (ictx && octx) 1058 if (ictx && octx)
935 { 1059 {
936 vpndata_packet *p = (vpndata_packet *)pkt; 1060 vpndata_packet *p = (vpndata_packet *)pkt;
937 1061
938 if (rsi == si) 1062 if (!p->hmac_chk (ictx))
1063 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1064 "could be an attack, or just corruption or a synchronization error"),
1065 conf->nodename, (const char *)rsi);
1066 else
939 { 1067 {
940 if (!p->hmac_chk (ictx))
941 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
942 "could be an attack, or just corruption or an synchronization error"),
943 conf->nodename, (const char *)rsi);
944 else 1068 u32 seqno;
1069 tap_packet *d = p->unpack (this, seqno);
1070
1071 if (iseqno.recv_ok (seqno))
945 { 1072 {
946 u32 seqno; 1073 vpn->tap->send (d);
947 tap_packet *d = p->unpack (this, seqno);
948 1074
949 if (iseqno.recv_ok (seqno)) 1075 if (si != rsi)
950 { 1076 {
951 vpn->tap->send (d); 1077 // fast re-sync on source address changes, useful especially for tcp/ip
952
953 if (p->dst () == 0) // re-broadcast
954 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
955 {
956 connection *c = *i;
957
958 if (c->conf != THISNODE && c->conf != conf)
959 c->inject_data_packet (d);
960 }
961
962 delete d;
963
964 break; 1078 si = rsi;
1079
1080 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1081 conf->nodename, (const char *)si, (const char *)rsi);
965 } 1082 }
966 } 1083 }
1084
1085 delete d;
1086 break;
967 } 1087 }
968 else
969 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
970 } 1088 }
971 1089
972 send_reset (rsi); 1090 send_reset (rsi);
973 break; 1091 break;
974 1092
975 case vpn_packet::PT_CONNECT_REQ: 1093 case vpn_packet::PT_CONNECT_REQ:
976 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1094 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
977 { 1095 {
978 connect_req_packet *p = (connect_req_packet *) pkt; 1096 connect_req_packet *p = (connect_req_packet *) pkt;
979 1097
980 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1098 if (p->id > 0 && p->id <= vpn->conns.size ())
981 conf->protocols = p->protocols;
982 connection *c = vpn->conns[p->id - 1];
983
984 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
985 conf->id, p->id, c->ictx && c->octx);
986
987 if (c->ictx && c->octx)
988 { 1099 {
1100 connection *c = vpn->conns[p->id - 1];
1101 conf->protocols = p->protocols;
1102
1103 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1104 conf->id, p->id, c->ictx && c->octx);
1105
1106 if (c->ictx && c->octx)
1107 {
989 // send connect_info packets to both sides, in case one is 1108 // send connect_info packets to both sides, in case one is
990 // behind a nat firewall (or both ;) 1109 // behind a nat firewall (or both ;)
991 c->send_connect_info (conf->id, si, conf->protocols); 1110 c->send_connect_info (conf->id, si, conf->protocols);
992 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1111 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1112 }
1113 else
1114 c->establish_connection ();
993 } 1115 }
1116 else
1117 slog (L_WARN,
1118 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1119 p->id);
994 } 1120 }
995 1121
996 break; 1122 break;
997 1123
998 case vpn_packet::PT_CONNECT_INFO: 1124 case vpn_packet::PT_CONNECT_INFO:
999 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1125 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1000 { 1126 {
1001 connect_info_packet *p = (connect_info_packet *) pkt; 1127 connect_info_packet *p = (connect_info_packet *)pkt;
1002 1128
1003 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1129 if (p->id > 0 && p->id <= vpn->conns.size ())
1004 conf->protocols = p->protocols; 1130 {
1005 connection *c = vpn->conns[p->id - 1]; 1131 connection *c = vpn->conns[p->id - 1];
1006 1132
1133 c->conf->protocols = p->protocols;
1134 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1135 p->si.upgrade_protocol (protocol, c->conf);
1136
1007 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1137 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1008 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1138 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1009 1139
1140 const sockinfo &dsi = forward_si (p->si);
1141
1142 if (dsi.valid ())
1010 c->send_auth_request (p->si, true); 1143 c->send_auth_request (dsi, true);
1144 }
1145 else
1146 slog (L_WARN,
1147 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1148 p->id);
1011 } 1149 }
1012 1150
1013 break; 1151 break;
1014 1152
1015 default: 1153 default:
1024 { 1162 {
1025 reset_connection (); 1163 reset_connection ();
1026 establish_connection (); 1164 establish_connection ();
1027 } 1165 }
1028 else if (NOW < last_activity + ::conf.keepalive) 1166 else if (NOW < last_activity + ::conf.keepalive)
1029 w.at = last_activity + ::conf.keepalive; 1167 w.start (last_activity + ::conf.keepalive);
1030 else if (conf->connectmode != conf_node::C_ONDEMAND 1168 else if (conf->connectmode != conf_node::C_ONDEMAND
1031 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1169 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1032 { 1170 {
1033 send_ping (si); 1171 send_ping (si);
1034 w.at = NOW + 5; 1172 w.start (NOW + 5);
1035 } 1173 }
1174 else if (NOW < last_activity + ::conf.keepalive + 10)
1175 // hold ondemand connections implicitly a few seconds longer
1176 // should delete octx, though, or something like that ;)
1177 w.start (last_activity + ::conf.keepalive + 10);
1036 else 1178 else
1037 reset_connection (); 1179 reset_connection ();
1038} 1180}
1039 1181
1040void connection::connect_request (int id) 1182void connection::send_connect_request (int id)
1041{ 1183{
1042 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1184 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1043 1185
1044 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1186 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1045 p->hmac_set (octx); 1187 p->hmac_set (octx);
1046 send_vpn_packet (p, si); 1188 send_vpn_packet (p, si);
1047 1189
1048 delete p; 1190 delete p;
1049} 1191}
1050 1192
1193void connection::script_init_env (const char *ext)
1194{
1195 char *env;
1196 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1197 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1198 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1199 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1200 conf->id & 0xff); putenv (env);
1201}
1202
1051void connection::script_node () 1203void connection::script_init_connect_env ()
1052{ 1204{
1053 vpn->script_if_up (); 1205 vpn->script_init_env ();
1054 1206
1055 char *env; 1207 char *env;
1056 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1208 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1057 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1209 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1058 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1210 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1059 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1211 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1060} 1212}
1061 1213
1062const char *connection::script_node_up () 1214const char *connection::script_node_up ()
1063{ 1215{
1064 script_node (); 1216 script_init_connect_env ();
1065 1217
1066 putenv ("STATE=up"); 1218 putenv ("STATE=up");
1067 1219
1220 char *filename;
1221 asprintf (&filename,
1222 "%s/%s",
1223 confbase,
1068 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1224 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1225
1226 return filename;
1069} 1227}
1070 1228
1071const char *connection::script_node_down () 1229const char *connection::script_node_down ()
1072{ 1230{
1073 script_node (); 1231 script_init_connect_env ();
1074 1232
1075 putenv ("STATE=down"); 1233 putenv ("STATE=down");
1076 1234
1077 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1235 char *filename;
1078} 1236 asprintf (&filename,
1237 "%s/%s",
1238 confbase,
1239 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1079 1240
1080// send a vpn packet out to other hosts 1241 return filename;
1081void
1082connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1083{
1084 switch (protocol)
1085 {
1086 case PROT_IPv4:
1087 vpn->send_ipv4_packet (pkt, si, tos);
1088 break;
1089
1090 case PROT_UDPv4:
1091 vpn->send_udpv4_packet (pkt, si, tos);
1092 break;
1093
1094 case PROT_TCPv4:
1095 vpn->send_tcpv4_packet (pkt, si, tos);
1096 break;
1097 }
1098} 1242}
1099 1243
1100connection::connection(struct vpn *vpn_) 1244connection::connection (struct vpn *vpn, conf_node *conf)
1101: vpn(vpn_) 1245: vpn(vpn), conf(conf)
1102, rekey (this, &connection::rekey_cb) 1246, rekey (this, &connection::rekey_cb)
1103, keepalive (this, &connection::keepalive_cb) 1247, keepalive (this, &connection::keepalive_cb)
1104, establish_connection (this, &connection::establish_connection_cb) 1248, establish_connection (this, &connection::establish_connection_cb)
1249#if ENABLE_DNS
1250, dns (0)
1251#endif
1105{ 1252{
1106 octx = ictx = 0; 1253 octx = ictx = 0;
1107 retry_cnt = 0; 1254 retry_cnt = 0;
1108 1255
1256 if (!conf->protocols) // make sure some protocol is enabled
1257 conf->protocols = PROT_UDPv4;
1258
1109 connectmode = conf_node::C_ALWAYS; // initial setting 1259 connectmode = conf_node::C_ALWAYS; // initial setting
1110 reset_connection (); 1260 reset_connection ();
1111} 1261}
1112 1262
1113connection::~connection () 1263connection::~connection ()

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines