ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.47 by pcg, Mon Mar 7 01:31:26 2005 UTC vs.
Revision 1.67 by pcg, Thu Aug 7 16:34:21 2008 UTC

14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details. 15 GNU General Public License for more details.
16 16
17 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License
18 along with gvpe; if not, write to the Free Software 18 along with gvpe; if not, write to the Free Software
19 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20*/ 20*/
21 21
22#include "config.h" 22#include "config.h"
23
24#include <cassert>
25 23
26#include <list> 24#include <list>
27 25
28#include <openssl/rand.h> 26#include <openssl/rand.h>
29#include <openssl/evp.h> 27#include <openssl/evp.h>
30#include <openssl/rsa.h> 28#include <openssl/rsa.h>
31#include <openssl/err.h> 29#include <openssl/err.h>
32
33#include "gettext.h"
34 30
35#include "conf.h" 31#include "conf.h"
36#include "slog.h" 32#include "slog.h"
37#include "device.h" 33#include "device.h"
38#include "vpn.h" 34#include "vpn.h"
86 require (EVP_DigestUpdate(&ctx, &id, sizeof id)); 82 require (EVP_DigestUpdate(&ctx, &id, sizeof id));
87 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0)); 83 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
88 EVP_MD_CTX_cleanup (&ctx); 84 EVP_MD_CTX_cleanup (&ctx);
89} 85}
90 86
91struct rsa_entry { 87struct rsa_entry
88{
92 tstamp expire; 89 tstamp expire;
93 rsaid id; 90 rsaid id;
94 rsachallenge chg; 91 rsachallenge chg;
95}; 92};
96 93
97struct rsa_cache : list<rsa_entry> 94struct rsa_cache : list<rsa_entry>
98{ 95{
99 void cleaner_cb (time_watcher &w); time_watcher cleaner; 96 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
100 97
101 bool find (const rsaid &id, rsachallenge &chg) 98 bool find (const rsaid &id, rsachallenge &chg)
102 { 99 {
103 for (iterator i = begin (); i != end (); ++i) 100 for (iterator i = begin (); i != end (); ++i)
104 { 101 {
105 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW) 102 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
106 { 103 {
107 memcpy (&chg, &i->chg, sizeof chg); 104 memcpy (&chg, &i->chg, sizeof chg);
108 105
109 erase (i); 106 erase (i);
110 return true; 107 return true;
111 } 108 }
112 } 109 }
113 110
114 if (cleaner.at < NOW) 111 if (!cleaner.is_active ())
115 cleaner.start (NOW + RSA_TTL); 112 cleaner.again ();
116 113
117 return false; 114 return false;
118 } 115 }
119 116
120 void gen (rsaid &id, rsachallenge &chg) 117 void gen (rsaid &id, rsachallenge &chg)
121 { 118 {
122 rsa_entry e; 119 rsa_entry e;
123 120
124 RAND_bytes ((unsigned char *)&id, sizeof id); 121 RAND_bytes ((unsigned char *)&id, sizeof id);
125 RAND_bytes ((unsigned char *)&chg, sizeof chg); 122 RAND_bytes ((unsigned char *)&chg, sizeof chg);
126 123
127 e.expire = NOW + RSA_TTL; 124 e.expire = ev_now () + RSA_TTL;
128 e.id = id; 125 e.id = id;
129 memcpy (&e.chg, &chg, sizeof chg); 126 memcpy (&e.chg, &chg, sizeof chg);
130 127
131 push_back (e); 128 push_back (e);
132 129
133 if (cleaner.at < NOW) 130 if (!cleaner.is_active ())
134 cleaner.start (NOW + RSA_TTL); 131 cleaner.again ();
135 } 132 }
136 133
137 rsa_cache () 134 rsa_cache ()
138 : cleaner (this, &rsa_cache::cleaner_cb) 135 {
139 { } 136 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
137 cleaner.set (RSA_TTL, RSA_TTL);
138 }
140 139
141} rsa_cache; 140} rsa_cache;
142 141
143void rsa_cache::cleaner_cb (time_watcher &w) 142void rsa_cache::cleaner_cb (ev::timer &w, int revents)
144{ 143{
145 if (!empty ()) 144 if (empty ())
145 w.stop ();
146 else
146 { 147 {
147 w.start (NOW + RSA_TTL);
148
149 for (iterator i = begin (); i != end (); ) 148 for (iterator i = begin (); i != end (); )
150 if (i->expire <= NOW) 149 if (i->expire <= ev_now ())
151 i = erase (i); 150 i = erase (i);
152 else 151 else
153 ++i; 152 ++i;
154 } 153 }
155} 154}
156 155
157////////////////////////////////////////////////////////////////////////////// 156//////////////////////////////////////////////////////////////////////////////
158 157
159void pkt_queue::put (net_packet *p) 158pkt_queue::pkt_queue (double max_ttl, int max_queue)
159: max_ttl (max_ttl), max_queue (max_queue)
160{ 160{
161 if (queue[i]) 161 queue = new pkt [max_queue];
162 {
163 delete queue[i];
164 j = (j + 1) % QUEUEDEPTH;
165 }
166 162
167 queue[i] = p;
168
169 i = (i + 1) % QUEUEDEPTH;
170}
171
172net_packet *pkt_queue::get ()
173{
174 net_packet *p = queue[j];
175
176 if (p)
177 {
178 queue[j] = 0;
179 j = (j + 1) % QUEUEDEPTH;
180 }
181
182 return p;
183}
184
185pkt_queue::pkt_queue ()
186{
187 memset (queue, 0, sizeof (queue));
188 i = 0; 163 i = 0;
189 j = 0; 164 j = 0;
165
166 expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
190} 167}
191 168
192pkt_queue::~pkt_queue () 169pkt_queue::~pkt_queue ()
193{ 170{
194 for (i = QUEUEDEPTH; --i > 0; ) 171 while (net_packet *p = get ())
172 delete p;
173
195 delete queue[i]; 174 delete [] queue;
196} 175}
197 176
177void pkt_queue::expire_cb (ev::timer &w, int revents)
178{
179 ev_tstamp expire = ev_now () - max_ttl;
180
181 for (;;)
182 {
183 if (empty ())
184 break;
185
186 double diff = queue[j].tstamp - expire;
187
188 if (diff >= 0.)
189 {
190 w.start (diff > 0.5 ? diff : 0.5);
191 break;
192 }
193
194 delete get ();
195 }
196}
197
198void pkt_queue::put (net_packet *p)
199{
200 ev_tstamp now = ev_now ();
201
202 // start expiry timer
203 if (empty ())
204 expire.start (max_ttl);
205
206 int ni = i + 1 == max_queue ? 0 : i + 1;
207
208 if (ni == j)
209 delete get ();
210
211 queue[i].pkt = p;
212 queue[i].tstamp = now;
213
214 i = ni;
215}
216
217net_packet *pkt_queue::get ()
218{
219 if (empty ())
220 return 0;
221
222 net_packet *p = queue[j].pkt;
223 queue[j].pkt = 0;
224
225 j = j + 1 == max_queue ? 0 : j + 1;
226
227 return p;
228}
229
198struct net_rateinfo { 230struct net_rateinfo
231{
199 u32 host; 232 u32 host;
200 double pcnt, diff; 233 double pcnt, diff;
201 tstamp last; 234 tstamp last;
202}; 235};
203 236
222 iterator i; 255 iterator i;
223 256
224 for (i = begin (); i != end (); ) 257 for (i = begin (); i != end (); )
225 if (i->host == host) 258 if (i->host == host)
226 break; 259 break;
227 else if (i->last < NOW - NRL_EXPIRE) 260 else if (i->last < ev_now () - NRL_EXPIRE)
228 i = erase (i); 261 i = erase (i);
229 else 262 else
230 i++; 263 i++;
231 264
232 if (i == end ()) 265 if (i == end ())
234 net_rateinfo ri; 267 net_rateinfo ri;
235 268
236 ri.host = host; 269 ri.host = host;
237 ri.pcnt = 1.; 270 ri.pcnt = 1.;
238 ri.diff = NRL_MAXDIF; 271 ri.diff = NRL_MAXDIF;
239 ri.last = NOW; 272 ri.last = ev_now ();
240 273
241 push_front (ri); 274 push_front (ri);
242 275
243 return true; 276 return true;
244 } 277 }
246 { 279 {
247 net_rateinfo ri (*i); 280 net_rateinfo ri (*i);
248 erase (i); 281 erase (i);
249 282
250 ri.pcnt = ri.pcnt * NRL_ALPHA; 283 ri.pcnt = ri.pcnt * NRL_ALPHA;
251 ri.diff = ri.diff * NRL_ALPHA + (NOW - ri.last); 284 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
252 285
253 ri.last = NOW; 286 ri.last = ev_now ();
254 287
255 double dif = ri.diff / ri.pcnt; 288 double dif = ri.diff / ri.pcnt;
256 289
257 bool send = dif > NRL_CUTOFF; 290 bool send = dif > NRL_CUTOFF;
258 291
468 f |= FEATURE_COMPRESSION; 501 f |= FEATURE_COMPRESSION;
469#endif 502#endif
470#if ENABLE_ROHC 503#if ENABLE_ROHC
471 f |= FEATURE_ROHC; 504 f |= FEATURE_ROHC;
472#endif 505#endif
506#if ENABLE_BRIDGING
507 f |= FEATURE_BRIDGING;
508#endif
473 return f; 509 return f;
474 } 510 }
475}; 511};
476 512
477void config_packet::setup (ptype type, int dst) 513void config_packet::setup (ptype type, int dst)
478{ 514{
479 prot_major = PROTOCOL_MAJOR; 515 prot_major = PROTOCOL_MAJOR;
480 prot_minor = PROTOCOL_MINOR; 516 prot_minor = PROTOCOL_MINOR;
481 randsize = RAND_SIZE; 517 randsize = RAND_SIZE;
482 hmaclen = HMACLENGTH; 518 hmaclen = HMACLENGTH;
483 flags = ENABLE_COMPRESSION ? 0x81 : 0x80; 519 flags = 0;
484 challengelen = sizeof (rsachallenge); 520 challengelen = sizeof (rsachallenge);
485 features = get_features (); 521 features = get_features ();
486 522
487 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 523 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
488 digest_nid = htonl (EVP_MD_type (RSA_HASH)); 524 digest_nid = htonl (EVP_MD_type (RSA_HASH));
498 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR); 534 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
499 else if (randsize != RAND_SIZE) 535 else if (randsize != RAND_SIZE)
500 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE); 536 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
501 else if (hmaclen != HMACLENGTH) 537 else if (hmaclen != HMACLENGTH)
502 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH); 538 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
503#if 0 // this implementation should handle all flag settings
504 else if (flags != curflags ())
505 slog (L_WARN, _("flag mismatch (remote %x <=> local %x)"), flags, curflags ());
506#endif
507 else if (challengelen != sizeof (rsachallenge)) 539 else if (challengelen != sizeof (rsachallenge))
508 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge)); 540 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
509 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER))) 541 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
510 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER)); 542 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
511 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH))) 543 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
587///////////////////////////////////////////////////////////////////////////// 619/////////////////////////////////////////////////////////////////////////////
588 620
589void 621void
590connection::connection_established () 622connection::connection_established ()
591{ 623{
624 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
625
592 if (ictx && octx) 626 if (ictx && octx)
593 { 627 {
594 connectmode = conf->connectmode;
595
596 // make sure rekeying timeouts are slightly asymmetric 628 // make sure rekeying timeouts are slightly asymmetric
597 rekey.start (NOW + ::conf.rekey 629 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
598 + (conf->id > THISNODE->id ? 10 : 0)); 630 rekey.start (rekey_interval, rekey_interval);
599 keepalive.start (NOW + ::conf.keepalive); 631 keepalive.start (::conf.keepalive);
600 632
601 // send queued packets 633 // send queued packets
602 if (ictx && octx) 634 if (ictx && octx)
603 { 635 {
604 while (tap_packet *p = (tap_packet *)data_queue.get ()) 636 while (tap_packet *p = (tap_packet *)data_queue.get ())
605 { 637 {
606 send_data_packet (p); 638 if (p->len) send_data_packet (p);
607 delete p; 639 delete p;
608 } 640 }
609 641
610 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ()) 642 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
611 { 643 {
612 send_vpn_packet (p, si, IPTOS_RELIABILITY); 644 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
613 delete p; 645 delete p;
614 } 646 }
615 } 647 }
616 } 648 }
617 else 649 else
618 { 650 {
619 retry_cnt = 0; 651 retry_cnt = 0;
620 establish_connection.start (NOW + 5); 652 establish_connection.start (5);
621 keepalive.stop (); 653 keepalive.stop ();
622 rekey.stop (); 654 rekey.stop ();
623 } 655 }
624} 656}
625 657
630 662
631 // mask out protocols we cannot establish 663 // mask out protocols we cannot establish
632 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 664 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
633 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 665 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
634 if (!conf->dns_port) protocol &= ~PROT_DNSv4; 666 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
667
668 if (protocol
669 && (!conf->can_direct (THISNODE)
670 || !THISNODE->can_direct (conf)))
671 {
672 slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename);
673 protocol = 0;
674 }
635 675
636 si.set (conf, protocol); 676 si.set (conf, protocol);
637} 677}
638 678
639// ensure sockinfo is valid, forward if necessary 679// ensure sockinfo is valid, forward if necessary
725} 765}
726 766
727void 767void
728connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 768connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
729{ 769{
730 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 770 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
731 conf->id, rid, (const char *)rsi); 771 conf->id, rid, (const char *)rsi);
732 772
733 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 773 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
734 774
735 r->hmac_set (octx); 775 r->hmac_set (octx);
736 send_vpn_packet (r, si); 776 send_vpn_packet (r, si);
737 777
738 delete r; 778 delete r;
739} 779}
740 780
741void 781inline void
742connection::establish_connection_cb (time_watcher &w) 782connection::establish_connection_cb (ev::timer &w, int revents)
743{ 783{
744 if (!ictx 784 if (!ictx
745 && conf != THISNODE 785 && conf != THISNODE
746 && connectmode != conf_node::C_NEVER 786 && connectmode != conf_node::C_NEVER
747 && connectmode != conf_node::C_DISABLED 787 && connectmode != conf_node::C_DISABLED
748 && NOW > w.at) 788 && !w.is_active ())
749 { 789 {
750 w.at = TSTAMP_MAX; // first disable this watcher in case of recursion 790 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
791 // and stop trying. should probably be handled by a per-connection expire handler.
792 if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
793 {
794 reset_connection ();
795 return;
796 }
751 797
752 double retry_int = double (retry_cnt & 3 798 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
753 ? (retry_cnt & 3) + 1 799 ? (retry_cnt & 3) + 1
754 : 1 << (retry_cnt >> 2)); 800 : 1 << (retry_cnt >> 2));
755 801
756 reset_si (); 802 reset_si ();
757 803
758 bool slow = si.prot & PROT_SLOW; 804 bool slow = si.prot & PROT_SLOW;
759 805
760 if (si.prot && !si.host) 806 if (si.prot && !si.host)
807 {
808 slog (L_TRACE, _("%s: connection request (indirect)"), conf->nodename);
809 /*TODO*/ /* start the timer so we don't recurse endlessly */
810 w.start (1);
761 vpn->send_connect_request (conf->id); 811 vpn->send_connect_request (conf->id);
812 }
762 else 813 else
763 { 814 {
815 slog (L_TRACE, _("%s: connection request (direct)"), conf->nodename, !!ictx, !!octx);
816
764 const sockinfo &dsi = forward_si (si); 817 const sockinfo &dsi = forward_si (si);
765 818
766 slow = slow || (dsi.prot & PROT_SLOW); 819 slow = slow || (dsi.prot & PROT_SLOW);
767 820
768 if (dsi.valid () && auth_rate_limiter.can (dsi)) 821 if (dsi.valid () && auth_rate_limiter.can (dsi))
772 else 825 else
773 send_ping (dsi, 0); 826 send_ping (dsi, 0);
774 } 827 }
775 } 828 }
776 829
777 retry_int *= slow ? 3. : 0.7; 830 retry_int *= slow ? 8. : 0.7;
778 831
779 if (retry_int < conf->max_retry) 832 if (retry_int < conf->max_retry)
780 retry_cnt++; 833 retry_cnt++;
781 else 834 else
782 retry_int = conf->max_retry; 835 retry_int = conf->max_retry;
783 836
784 w.start (NOW + retry_int); 837 w.start (retry_int);
785 } 838 }
786} 839}
787 840
788void 841void
789connection::reset_connection () 842connection::reset_connection ()
792 { 845 {
793 slog (L_INFO, _("%s(%s): connection lost"), 846 slog (L_INFO, _("%s(%s): connection lost"),
794 conf->nodename, (const char *)si); 847 conf->nodename, (const char *)si);
795 848
796 if (::conf.script_node_down) 849 if (::conf.script_node_down)
797 run_script (run_script_cb (this, &connection::script_node_down), false); 850 {
851 run_script_cb cb;
852 cb.set<connection, &connection::script_node_down> (this);
853 if (!run_script (cb, false))
854 slog (L_WARN, _("node-down command execution failed, continuing."));
855 }
798 } 856 }
799 857
800 delete ictx; ictx = 0; 858 delete ictx; ictx = 0;
801 delete octx; octx = 0; 859 delete octx; octx = 0;
802#if ENABLE_DNS 860#if ENABLE_DNS
820 send_reset (si); 878 send_reset (si);
821 879
822 reset_connection (); 880 reset_connection ();
823} 881}
824 882
825void 883inline void
826connection::rekey_cb (time_watcher &w) 884connection::rekey_cb (ev::timer &w, int revents)
827{ 885{
828 reset_connection (); 886 reset_connection ();
829 establish_connection (); 887 establish_connection ();
830} 888}
831 889
853{ 911{
854 if (ictx && octx) 912 if (ictx && octx)
855 send_data_packet (pkt); 913 send_data_packet (pkt);
856 else 914 else
857 { 915 {
858 if (!broadcast)//DDDD 916 if (!broadcast)
859 data_queue.put (new tap_packet (*pkt)); 917 data_queue.put (new tap_packet (*pkt));
860 918
861 establish_connection (); 919 establish_connection ();
862 } 920 }
863} 921}
875} 933}
876 934
877void 935void
878connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 936connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
879{ 937{
880 last_activity = NOW; 938 last_activity = ev_now ();
881 939
882 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 940 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
883 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 941 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
942
943 if (connectmode == conf_node::C_DISABLED)
944 return;
884 945
885 switch (pkt->typ ()) 946 switch (pkt->typ ())
886 { 947 {
887 case vpn_packet::PT_PING: 948 case vpn_packet::PT_PING:
888 // we send pings instead of auth packets after some retries, 949 // we send pings instead of auth packets after some retries,
948 delete octx; 1009 delete octx;
949 1010
950 octx = new crypto_ctx (k, 1); 1011 octx = new crypto_ctx (k, 1);
951 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 1012 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
952 1013
953 // compatibility code, remove when no longer required
954 if (p->flags & 1) p->features |= FEATURE_COMPRESSION;
955
956 conf->protocols = p->protocols; 1014 conf->protocols = p->protocols;
957 features = p->features & config_packet::get_features (); 1015 features = p->features & config_packet::get_features ();
958 1016
959 send_auth_response (rsi, p->id, k); 1017 send_auth_response (rsi, p->id, k);
960 1018
1026 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), 1084 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
1027 conf->nodename, (const char *)rsi, 1085 conf->nodename, (const char *)rsi,
1028 p->prot_major, p->prot_minor); 1086 p->prot_major, p->prot_minor);
1029 1087
1030 if (::conf.script_node_up) 1088 if (::conf.script_node_up)
1031 run_script (run_script_cb (this, &connection::script_node_up), false); 1089 {
1090 run_script_cb cb;
1091 cb.set<connection, &connection::script_node_up> (this);
1092 if (!run_script (cb, false))
1093 slog (L_WARN, _("node-up command execution failed, continuing."));
1094 }
1032 1095
1033 break; 1096 break;
1034 } 1097 }
1035 else 1098 else
1036 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1099 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
1070 { 1133 {
1071 vpn->tap->send (d); 1134 vpn->tap->send (d);
1072 1135
1073 if (si != rsi) 1136 if (si != rsi)
1074 { 1137 {
1075 // fast re-sync on connection changes, useful especially for tcp/ip 1138 // fast re-sync on source address changes, useful especially for tcp/ip
1076 si = rsi; 1139 si = rsi;
1077 1140
1078 slog (L_INFO, _("%s(%s): socket address changed to %s"), 1141 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1079 conf->nodename, (const char *)si, (const char *)rsi); 1142 conf->nodename, (const char *)si, (const char *)rsi);
1080 } 1143 }
1091 case vpn_packet::PT_CONNECT_REQ: 1154 case vpn_packet::PT_CONNECT_REQ:
1092 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1155 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1093 { 1156 {
1094 connect_req_packet *p = (connect_req_packet *) pkt; 1157 connect_req_packet *p = (connect_req_packet *) pkt;
1095 1158
1096 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1159 if (p->id > 0 && p->id <= vpn->conns.size ())
1097 connection *c = vpn->conns[p->id - 1];
1098 conf->protocols = p->protocols;
1099
1100 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1101 conf->id, p->id, c->ictx && c->octx);
1102
1103 if (c->ictx && c->octx)
1104 { 1160 {
1161 connection *c = vpn->conns[p->id - 1];
1162 conf->protocols = p->protocols;
1163
1164 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1165 conf->id, p->id, c->ictx && c->octx);
1166
1167 if (c->ictx && c->octx)
1168 {
1105 // send connect_info packets to both sides, in case one is 1169 // send connect_info packets to both sides, in case one is
1106 // behind a nat firewall (or both ;) 1170 // behind a nat firewall (or both ;)
1107 c->send_connect_info (conf->id, si, conf->protocols); 1171 c->send_connect_info (conf->id, si, conf->protocols);
1108 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1172 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1173 }
1174 else
1175 c->establish_connection ();
1109 } 1176 }
1110 else 1177 else
1111 c->establish_connection (); 1178 slog (L_WARN,
1179 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1180 p->id);
1112 } 1181 }
1113 1182
1114 break; 1183 break;
1115 1184
1116 case vpn_packet::PT_CONNECT_INFO: 1185 case vpn_packet::PT_CONNECT_INFO:
1117 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1186 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1118 { 1187 {
1119 connect_info_packet *p = (connect_info_packet *)pkt; 1188 connect_info_packet *p = (connect_info_packet *)pkt;
1120 1189
1121 if (p->id > 0 && p->id <= vpn->conns.size ()) // hmac-auth does not mean we accept anything 1190 if (p->id > 0 && p->id <= vpn->conns.size ())
1122 { 1191 {
1123 connection *c = vpn->conns[p->id - 1]; 1192 connection *c = vpn->conns[p->id - 1];
1124 1193
1125 c->conf->protocols = p->protocols; 1194 c->conf->protocols = p->protocols;
1126 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1195 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1132 const sockinfo &dsi = forward_si (p->si); 1201 const sockinfo &dsi = forward_si (p->si);
1133 1202
1134 if (dsi.valid ()) 1203 if (dsi.valid ())
1135 c->send_auth_request (dsi, true); 1204 c->send_auth_request (dsi, true);
1136 } 1205 }
1206 else
1207 slog (L_WARN,
1208 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1209 p->id);
1137 } 1210 }
1138 1211
1139 break; 1212 break;
1140 1213
1141 default: 1214 default:
1142 send_reset (rsi); 1215 send_reset (rsi);
1143 break; 1216 break;
1144 } 1217 }
1145} 1218}
1146 1219
1147void connection::keepalive_cb (time_watcher &w) 1220inline void
1221connection::keepalive_cb (ev::timer &w, int revents)
1148{ 1222{
1149 if (NOW >= last_activity + ::conf.keepalive + 30) 1223 if (ev_now () >= last_activity + ::conf.keepalive + 30)
1150 { 1224 {
1151 reset_connection (); 1225 reset_connection ();
1152 establish_connection (); 1226 establish_connection ();
1153 } 1227 }
1154 else if (NOW < last_activity + ::conf.keepalive) 1228 else if (ev_now () < last_activity + ::conf.keepalive)
1155 w.start (last_activity + ::conf.keepalive); 1229 w.start (last_activity + ::conf.keepalive - ev::now ());
1156 else if (conf->connectmode != conf_node::C_ONDEMAND 1230 else if (conf->connectmode != conf_node::C_ONDEMAND
1157 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1231 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1158 { 1232 {
1159 send_ping (si); 1233 send_ping (si);
1160 w.start (NOW + 5); 1234 w.start (5);
1161 } 1235 }
1162 else if (NOW < last_activity + ::conf.keepalive + 10) 1236 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1163 // hold ondemand connections implicitly a few seconds longer 1237 // hold ondemand connections implicitly a few seconds longer
1164 // should delete octx, though, or something like that ;) 1238 // should delete octx, though, or something like that ;)
1165 w.start (last_activity + ::conf.keepalive + 10); 1239 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1166 else 1240 else
1167 reset_connection (); 1241 reset_connection ();
1168} 1242}
1169 1243
1170void connection::send_connect_request (int id) 1244void connection::send_connect_request (int id)
1176 send_vpn_packet (p, si); 1250 send_vpn_packet (p, si);
1177 1251
1178 delete p; 1252 delete p;
1179} 1253}
1180 1254
1255void connection::script_init_env (const char *ext)
1256{
1257 char *env;
1258 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1259 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1260 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1261 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1262 conf->id & 0xff); putenv (env);
1263}
1264
1181void connection::script_node () 1265void connection::script_init_connect_env ()
1182{ 1266{
1183 vpn->script_if_up (); 1267 vpn->script_init_env ();
1184 1268
1185 char *env; 1269 char *env;
1186 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1270 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1187 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1271 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1188 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1272 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1189 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1273 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1190} 1274}
1191 1275
1276inline const char *
1192const char *connection::script_node_up () 1277connection::script_node_up ()
1193{ 1278{
1194 script_node (); 1279 script_init_connect_env ();
1195 1280
1196 putenv ("STATE=up"); 1281 putenv ((char *)"STATE=up");
1197 1282
1283 char *filename;
1284 asprintf (&filename,
1285 "%s/%s",
1286 confbase,
1198 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1287 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1199}
1200 1288
1289 return filename;
1290}
1291
1292inline const char *
1201const char *connection::script_node_down () 1293connection::script_node_down ()
1202{ 1294{
1203 script_node (); 1295 script_init_connect_env ();
1204 1296
1205 putenv ("STATE=down"); 1297 putenv ((char *)"STATE=down");
1206 1298
1207 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1299 char *filename;
1300 asprintf (&filename,
1301 "%s/%s",
1302 confbase,
1303 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1304
1305 return filename;
1208} 1306}
1209 1307
1210connection::connection (struct vpn *vpn, conf_node *conf) 1308connection::connection (struct vpn *vpn, conf_node *conf)
1211: vpn(vpn), conf(conf) 1309: vpn(vpn), conf(conf),
1212, rekey (this, &connection::rekey_cb)
1213, keepalive (this, &connection::keepalive_cb)
1214, establish_connection (this, &connection::establish_connection_cb)
1215#if ENABLE_DNS 1310#if ENABLE_DNS
1216, dns (0) 1311 dns (0),
1217#endif 1312#endif
1313 data_queue(conf->max_ttl, conf->max_queue),
1314 vpn_queue(conf->max_ttl, conf->max_queue)
1218{ 1315{
1316 rekey .set<connection, &connection::rekey_cb > (this);
1317 keepalive .set<connection, &connection::keepalive_cb > (this);
1318 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1319
1219 octx = ictx = 0; 1320 octx = ictx = 0;
1220 retry_cnt = 0; 1321 retry_cnt = 0;
1221 1322
1222 if (!conf->protocols) // make sure some protocol is enabled 1323 if (!conf->protocols) // make sure some protocol is enabled
1223 conf->protocols = PROT_UDPv4; 1324 conf->protocols = PROT_UDPv4;
1224 1325
1225 connectmode = conf_node::C_ALWAYS; // initial setting 1326 connectmode = conf->connectmode;
1327
1328 // queue a dummy packet to force an initial connection attempt
1329 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1330 {
1331 net_packet *p = new net_packet;
1332 p->len = 0;
1333 vpn_queue.put (p);
1334 }
1335
1226 reset_connection (); 1336 reset_connection ();
1227} 1337}
1228 1338
1229connection::~connection () 1339connection::~connection ()
1230{ 1340{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines