ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.6 by pcg, Sat Apr 5 02:32:40 2003 UTC vs.
Revision 1.67 by pcg, Thu Aug 7 16:34:21 2008 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2005 Marc Lehmann <gvpe@schmorp.de>
3 4
5 This file is part of GVPE.
6
4 This program is free software; you can redistribute it and/or modify 7 GVPE is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by 8 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or 9 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version. 10 (at your option) any later version.
8 11
9 This program is distributed in the hope that it will be useful, 12 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details. 15 GNU General Public License for more details.
13 16
14 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software 18 along with gvpe; if not, write to the Free Software
16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17*/ 20*/
18 21
19#include "config.h" 22#include "config.h"
20
21extern "C" {
22# include "lzf/lzf.h"
23}
24 23
25#include <list> 24#include <list>
26 25
27#include <openssl/rand.h> 26#include <openssl/rand.h>
28#include <openssl/evp.h> 27#include <openssl/evp.h>
29#include <openssl/rsa.h> 28#include <openssl/rsa.h>
30#include <openssl/err.h> 29#include <openssl/err.h>
31
32#include "gettext.h"
33 30
34#include "conf.h" 31#include "conf.h"
35#include "slog.h" 32#include "slog.h"
36#include "device.h" 33#include "device.h"
37#include "vpn.h" 34#include "vpn.h"
38#include "connection.h" 35#include "connection.h"
39 36
37#include "netcompat.h"
38
40#if !HAVE_RAND_PSEUDO_BYTES 39#if !HAVE_RAND_PSEUDO_BYTES
41# define RAND_pseudo_bytes RAND_bytes 40# define RAND_pseudo_bytes RAND_bytes
42#endif 41#endif
43 42
44#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 43#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
45 44
45#define ULTRA_FAST 1
46#define HLOG 15
47#include "lzf/lzf.h"
48#include "lzf/lzf_c.c"
49#include "lzf/lzf_d.c"
50
46struct crypto_ctx 51struct crypto_ctx
47{ 52{
48 EVP_CIPHER_CTX cctx; 53 EVP_CIPHER_CTX cctx;
49 HMAC_CTX hctx; 54 HMAC_CTX hctx;
50 55
53}; 58};
54 59
55crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc) 60crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
56{ 61{
57 EVP_CIPHER_CTX_init (&cctx); 62 EVP_CIPHER_CTX_init (&cctx);
58 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); 63 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
59 HMAC_CTX_init (&hctx); 64 HMAC_CTX_init (&hctx);
60 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0); 65 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
61} 66}
62 67
63crypto_ctx::~crypto_ctx () 68crypto_ctx::~crypto_ctx ()
64{ 69{
65 EVP_CIPHER_CTX_cleanup (&cctx); 70 require (EVP_CIPHER_CTX_cleanup (&cctx));
66 HMAC_CTX_cleanup (&hctx); 71 HMAC_CTX_cleanup (&hctx);
67} 72}
68 73
69static void 74static void
70rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h) 75rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
71{ 76{
72 EVP_MD_CTX ctx; 77 EVP_MD_CTX ctx;
73 78
74 EVP_MD_CTX_init (&ctx); 79 EVP_MD_CTX_init (&ctx);
75 EVP_DigestInit (&ctx, RSA_HASH); 80 require (EVP_DigestInit (&ctx, RSA_HASH));
76 EVP_DigestUpdate(&ctx, &chg, sizeof chg); 81 require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
77 EVP_DigestUpdate(&ctx, &id, sizeof id); 82 require (EVP_DigestUpdate(&ctx, &id, sizeof id));
78 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0); 83 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
79 EVP_MD_CTX_cleanup (&ctx); 84 EVP_MD_CTX_cleanup (&ctx);
80} 85}
81 86
82struct rsa_entry { 87struct rsa_entry
88{
83 tstamp expire; 89 tstamp expire;
84 rsaid id; 90 rsaid id;
85 rsachallenge chg; 91 rsachallenge chg;
86}; 92};
87 93
88struct rsa_cache : list<rsa_entry> 94struct rsa_cache : list<rsa_entry>
89{ 95{
90 void cleaner_cb (time_watcher &w); time_watcher cleaner; 96 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
91 97
92 bool find (const rsaid &id, rsachallenge &chg) 98 bool find (const rsaid &id, rsachallenge &chg)
93 { 99 {
94 for (iterator i = begin (); i != end (); ++i) 100 for (iterator i = begin (); i != end (); ++i)
95 { 101 {
96 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW) 102 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
97 { 103 {
98 memcpy (&chg, &i->chg, sizeof chg); 104 memcpy (&chg, &i->chg, sizeof chg);
99 105
100 erase (i); 106 erase (i);
101 return true; 107 return true;
102 } 108 }
103 } 109 }
104 110
105 if (cleaner.at < NOW) 111 if (!cleaner.is_active ())
106 cleaner.start (NOW + RSA_TTL); 112 cleaner.again ();
107 113
108 return false; 114 return false;
109 } 115 }
110 116
111 void gen (rsaid &id, rsachallenge &chg) 117 void gen (rsaid &id, rsachallenge &chg)
112 { 118 {
113 rsa_entry e; 119 rsa_entry e;
114 120
115 RAND_bytes ((unsigned char *)&id, sizeof id); 121 RAND_bytes ((unsigned char *)&id, sizeof id);
116 RAND_bytes ((unsigned char *)&chg, sizeof chg); 122 RAND_bytes ((unsigned char *)&chg, sizeof chg);
117 123
118 e.expire = NOW + RSA_TTL; 124 e.expire = ev_now () + RSA_TTL;
119 e.id = id; 125 e.id = id;
120 memcpy (&e.chg, &chg, sizeof chg); 126 memcpy (&e.chg, &chg, sizeof chg);
121 127
122 push_back (e); 128 push_back (e);
123 129
124 if (cleaner.at < NOW) 130 if (!cleaner.is_active ())
125 cleaner.start (NOW + RSA_TTL); 131 cleaner.again ();
126 } 132 }
127 133
128 rsa_cache () 134 rsa_cache ()
129 : cleaner (this, &rsa_cache::cleaner_cb) 135 {
130 { } 136 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
137 cleaner.set (RSA_TTL, RSA_TTL);
138 }
131 139
132} rsa_cache; 140} rsa_cache;
133 141
134void rsa_cache::cleaner_cb (time_watcher &w) 142void rsa_cache::cleaner_cb (ev::timer &w, int revents)
135{ 143{
136 if (empty ()) 144 if (empty ())
137 w.at = TSTAMP_CANCEL; 145 w.stop ();
138 else 146 else
139 { 147 {
140 w.at = NOW + RSA_TTL;
141
142 for (iterator i = begin (); i != end (); ) 148 for (iterator i = begin (); i != end (); )
143 if (i->expire <= NOW) 149 if (i->expire <= ev_now ())
144 i = erase (i); 150 i = erase (i);
145 else 151 else
146 ++i; 152 ++i;
147 } 153 }
148} 154}
149 155
150////////////////////////////////////////////////////////////////////////////// 156//////////////////////////////////////////////////////////////////////////////
151 157
152void pkt_queue::put (tap_packet *p) 158pkt_queue::pkt_queue (double max_ttl, int max_queue)
159: max_ttl (max_ttl), max_queue (max_queue)
153{ 160{
154 if (queue[i]) 161 queue = new pkt [max_queue];
155 {
156 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH;
158 }
159 162
160 queue[i] = p;
161
162 i = (i + 1) % QUEUEDEPTH;
163}
164
165tap_packet *pkt_queue::get ()
166{
167 tap_packet *p = queue[j];
168
169 if (p)
170 {
171 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH;
173 }
174
175 return p;
176}
177
178pkt_queue::pkt_queue ()
179{
180 memset (queue, 0, sizeof (queue));
181 i = 0; 163 i = 0;
182 j = 0; 164 j = 0;
165
166 expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
183} 167}
184 168
185pkt_queue::~pkt_queue () 169pkt_queue::~pkt_queue ()
186{ 170{
187 for (i = QUEUEDEPTH; --i > 0; ) 171 while (net_packet *p = get ())
172 delete p;
173
188 delete queue[i]; 174 delete [] queue;
189} 175}
190 176
177void pkt_queue::expire_cb (ev::timer &w, int revents)
178{
179 ev_tstamp expire = ev_now () - max_ttl;
180
181 for (;;)
182 {
183 if (empty ())
184 break;
185
186 double diff = queue[j].tstamp - expire;
187
188 if (diff >= 0.)
189 {
190 w.start (diff > 0.5 ? diff : 0.5);
191 break;
192 }
193
194 delete get ();
195 }
196}
197
198void pkt_queue::put (net_packet *p)
199{
200 ev_tstamp now = ev_now ();
201
202 // start expiry timer
203 if (empty ())
204 expire.start (max_ttl);
205
206 int ni = i + 1 == max_queue ? 0 : i + 1;
207
208 if (ni == j)
209 delete get ();
210
211 queue[i].pkt = p;
212 queue[i].tstamp = now;
213
214 i = ni;
215}
216
217net_packet *pkt_queue::get ()
218{
219 if (empty ())
220 return 0;
221
222 net_packet *p = queue[j].pkt;
223 queue[j].pkt = 0;
224
225 j = j + 1 == max_queue ? 0 : j + 1;
226
227 return p;
228}
229
191struct net_rateinfo { 230struct net_rateinfo
231{
192 u32 host; 232 u32 host;
193 double pcnt, diff; 233 double pcnt, diff;
194 tstamp last; 234 tstamp last;
195}; 235};
196 236
197// only do action once every x seconds per host whole allowing bursts. 237// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 238// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 239// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 240struct net_rate_limiter : list<net_rateinfo>
201{ 241{
202 static const double ALPHA = 1. - 1. / 90.; // allow bursts 242# define NRL_ALPHA (1. - 1. / 600.) // allow bursts
203 static const double CUTOFF = 20.; // one event every CUTOFF seconds 243# define NRL_CUTOFF 10. // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 244# define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
245# define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
205 246
206 bool can (const sockinfo &si) { return can((u32)si.host); } 247 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 248 bool can (u32 host);
208}; 249};
209 250
210net_rate_limiter auth_rate_limiter, reset_rate_limiter; 251net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211 252
214 iterator i; 255 iterator i;
215 256
216 for (i = begin (); i != end (); ) 257 for (i = begin (); i != end (); )
217 if (i->host == host) 258 if (i->host == host)
218 break; 259 break;
219 else if (i->last < NOW - EXPIRE) 260 else if (i->last < ev_now () - NRL_EXPIRE)
220 i = erase (i); 261 i = erase (i);
221 else 262 else
222 i++; 263 i++;
223 264
224 if (i == end ()) 265 if (i == end ())
225 { 266 {
226 net_rateinfo ri; 267 net_rateinfo ri;
227 268
228 ri.host = host; 269 ri.host = host;
229 ri.pcnt = 1.; 270 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 271 ri.diff = NRL_MAXDIF;
231 ri.last = NOW; 272 ri.last = ev_now ();
232 273
233 push_front (ri); 274 push_front (ri);
234 275
235 return true; 276 return true;
236 } 277 }
237 else 278 else
238 { 279 {
239 net_rateinfo ri (*i); 280 net_rateinfo ri (*i);
240 erase (i); 281 erase (i);
241 282
242 ri.pcnt = ri.pcnt * ALPHA; 283 ri.pcnt = ri.pcnt * NRL_ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 284 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
244 285
245 ri.last = NOW; 286 ri.last = ev_now ();
246 287
288 double dif = ri.diff / ri.pcnt;
289
247 bool send = ri.diff / ri.pcnt > CUTOFF; 290 bool send = dif > NRL_CUTOFF;
248 291
292 if (dif > NRL_MAXDIF)
293 {
294 ri.pcnt = 1.;
295 ri.diff = NRL_MAXDIF;
296 }
249 if (send) 297 else if (send)
250 ri.pcnt++; 298 ri.pcnt++;
251 299
252 push_front (ri); 300 push_front (ri);
253 301
254 return send; 302 return send;
299} 347}
300 348
301#define MAXVPNDATA (MAX_MTU - 6 - 6) 349#define MAXVPNDATA (MAX_MTU - 6 - 6)
302#define DATAHDR (sizeof (u32) + RAND_SIZE) 350#define DATAHDR (sizeof (u32) + RAND_SIZE)
303 351
304struct vpndata_packet:vpn_packet 352struct vpndata_packet : vpn_packet
305 { 353 {
306 u8 data[MAXVPNDATA + DATAHDR]; // seqno 354 u8 data[MAXVPNDATA + DATAHDR]; // seqno
307 355
308 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno); 356 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
309 tap_packet *unpack (connection *conn, u32 &seqno); 357 tap_packet *unpack (connection *conn, u32 &seqno);
322 int outl = 0, outl2; 370 int outl = 0, outl2;
323 ptype type = PT_DATA_UNCOMPRESSED; 371 ptype type = PT_DATA_UNCOMPRESSED;
324 372
325#if ENABLE_COMPRESSION 373#if ENABLE_COMPRESSION
326 u8 cdata[MAX_MTU]; 374 u8 cdata[MAX_MTU];
327 u32 cl;
328 375
376 if (conn->features & ENABLE_COMPRESSION)
377 {
329 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 378 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
379
330 if (cl) 380 if (cl)
331 { 381 {
332 type = PT_DATA_COMPRESSED; 382 type = PT_DATA_COMPRESSED;
333 d = cdata; 383 d = cdata;
334 l = cl + 2; 384 l = cl + 2;
335 385
336 d[0] = cl >> 8; 386 d[0] = cl >> 8;
337 d[1] = cl; 387 d[1] = cl;
388 }
338 } 389 }
339#endif 390#endif
340 391
341 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 392 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
342 393
343 struct { 394 struct {
344#if RAND_SIZE 395#if RAND_SIZE
345 u8 rnd[RAND_SIZE]; 396 u8 rnd[RAND_SIZE];
346#endif 397#endif
350 datahdr.seqno = ntohl (seqno); 401 datahdr.seqno = ntohl (seqno);
351#if RAND_SIZE 402#if RAND_SIZE
352 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 403 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
353#endif 404#endif
354 405
355 EVP_EncryptUpdate (cctx, 406 require (EVP_EncryptUpdate (cctx,
356 (unsigned char *) data + outl, &outl2, 407 (unsigned char *) data + outl, &outl2,
357 (unsigned char *) &datahdr, DATAHDR); 408 (unsigned char *) &datahdr, DATAHDR));
358 outl += outl2; 409 outl += outl2;
359 410
360 EVP_EncryptUpdate (cctx, 411 require (EVP_EncryptUpdate (cctx,
361 (unsigned char *) data + outl, &outl2, 412 (unsigned char *) data + outl, &outl2,
362 (unsigned char *) d, l); 413 (unsigned char *) d, l));
363 outl += outl2; 414 outl += outl2;
364 415
365 EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2); 416 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
366 outl += outl2; 417 outl += outl2;
367 418
368 len = outl + data_hdr_size (); 419 len = outl + data_hdr_size ();
369 420
370 set_hdr (type, dst); 421 set_hdr (type, dst);
379 int outl = 0, outl2; 430 int outl = 0, outl2;
380 tap_packet *p = new tap_packet; 431 tap_packet *p = new tap_packet;
381 u8 *d; 432 u8 *d;
382 u32 l = len - data_hdr_size (); 433 u32 l = len - data_hdr_size ();
383 434
384 EVP_DecryptInit_ex (cctx, 0, 0, 0, 0); 435 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
385 436
386#if ENABLE_COMPRESSION 437#if ENABLE_COMPRESSION
387 u8 cdata[MAX_MTU]; 438 u8 cdata[MAX_MTU];
388 439
389 if (type == PT_DATA_COMPRESSED) 440 if (type == PT_DATA_COMPRESSED)
391 else 442 else
392#endif 443#endif
393 d = &(*p)[6 + 6 - DATAHDR]; 444 d = &(*p)[6 + 6 - DATAHDR];
394 445
395 /* this overwrites part of the src mac, but we fix that later */ 446 /* this overwrites part of the src mac, but we fix that later */
396 EVP_DecryptUpdate (cctx, 447 require (EVP_DecryptUpdate (cctx,
397 d, &outl2, 448 d, &outl2,
398 (unsigned char *)&data, len - data_hdr_size ()); 449 (unsigned char *)&data, len - data_hdr_size ()));
399 outl += outl2; 450 outl += outl2;
400 451
401 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 452 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
402 outl += outl2; 453 outl += outl2;
403 454
404 seqno = ntohl (*(u32 *)(d + RAND_SIZE)); 455 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
405 456
406 id2mac (dst () ? dst() : THISNODE->id, p->dst); 457 id2mac (dst () ? dst() : THISNODE->id, p->dst);
435{ 486{
436 // actually, hmaclen cannot be checked because the hmac 487 // actually, hmaclen cannot be checked because the hmac
437 // field comes before this data, so peers with other 488 // field comes before this data, so peers with other
438 // hmacs simply will not work. 489 // hmacs simply will not work.
439 u8 prot_major, prot_minor, randsize, hmaclen; 490 u8 prot_major, prot_minor, randsize, hmaclen;
440 u8 flags, challengelen, pad2, pad3; 491 u8 flags, challengelen, features, pad3;
441 u32 cipher_nid, digest_nid, hmac_nid; 492 u32 cipher_nid, digest_nid, hmac_nid;
442
443 const u8 curflags () const
444 {
445 return 0x80
446 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
447 }
448 493
449 void setup (ptype type, int dst); 494 void setup (ptype type, int dst);
450 bool chk_config () const; 495 bool chk_config () const;
496
497 static u8 get_features ()
498 {
499 u8 f = 0;
500#if ENABLE_COMPRESSION
501 f |= FEATURE_COMPRESSION;
502#endif
503#if ENABLE_ROHC
504 f |= FEATURE_ROHC;
505#endif
506#if ENABLE_BRIDGING
507 f |= FEATURE_BRIDGING;
508#endif
509 return f;
510 }
451}; 511};
452 512
453void config_packet::setup (ptype type, int dst) 513void config_packet::setup (ptype type, int dst)
454{ 514{
455 prot_major = PROTOCOL_MAJOR; 515 prot_major = PROTOCOL_MAJOR;
456 prot_minor = PROTOCOL_MINOR; 516 prot_minor = PROTOCOL_MINOR;
457 randsize = RAND_SIZE; 517 randsize = RAND_SIZE;
458 hmaclen = HMACLENGTH; 518 hmaclen = HMACLENGTH;
459 flags = curflags (); 519 flags = 0;
460 challengelen = sizeof (rsachallenge); 520 challengelen = sizeof (rsachallenge);
521 features = get_features ();
461 522
462 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 523 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
463 digest_nid = htonl (EVP_MD_type (RSA_HASH)); 524 digest_nid = htonl (EVP_MD_type (RSA_HASH));
464 hmac_nid = htonl (EVP_MD_type (DIGEST)); 525 hmac_nid = htonl (EVP_MD_type (DIGEST));
465 526
467 set_hdr (type, dst); 528 set_hdr (type, dst);
468} 529}
469 530
470bool config_packet::chk_config () const 531bool config_packet::chk_config () const
471{ 532{
472 return prot_major == PROTOCOL_MAJOR 533 if (prot_major != PROTOCOL_MAJOR)
473 && randsize == RAND_SIZE 534 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
474 && hmaclen == HMACLENGTH 535 else if (randsize != RAND_SIZE)
475 && flags == curflags () 536 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
537 else if (hmaclen != HMACLENGTH)
538 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
476 && challengelen == sizeof (rsachallenge) 539 else if (challengelen != sizeof (rsachallenge))
540 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
477 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 541 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
542 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 543 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
544 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 545 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
546 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
547 else
548 return true;
549
550 return false;
480} 551}
481 552
482struct auth_req_packet : config_packet 553struct auth_req_packet : config_packet
483{ 554{
484 char magic[8]; 555 char magic[8];
485 u8 initiate; // false if this is just an automatic reply 556 u8 initiate; // false if this is just an automatic reply
486 u8 protocols; // supported protocols (will get patches on forward) 557 u8 protocols; // supported protocols (will be patched on forward)
487 u8 pad2, pad3; 558 u8 pad2, pad3;
488 rsaid id; 559 rsaid id;
489 rsaencrdata encr; 560 rsaencrdata encr;
490 561
491 auth_req_packet (int dst, bool initiate_, u8 protocols_) 562 auth_req_packet (int dst, bool initiate_, u8 protocols_)
546}; 617};
547 618
548///////////////////////////////////////////////////////////////////////////// 619/////////////////////////////////////////////////////////////////////////////
549 620
550void 621void
622connection::connection_established ()
623{
624 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
625
626 if (ictx && octx)
627 {
628 // make sure rekeying timeouts are slightly asymmetric
629 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
630 rekey.start (rekey_interval, rekey_interval);
631 keepalive.start (::conf.keepalive);
632
633 // send queued packets
634 if (ictx && octx)
635 {
636 while (tap_packet *p = (tap_packet *)data_queue.get ())
637 {
638 if (p->len) send_data_packet (p);
639 delete p;
640 }
641
642 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
643 {
644 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
645 delete p;
646 }
647 }
648 }
649 else
650 {
651 retry_cnt = 0;
652 establish_connection.start (5);
653 keepalive.stop ();
654 rekey.stop ();
655 }
656}
657
658void
551connection::reset_dstaddr () 659connection::reset_si ()
552{ 660{
553 protocol = best_protocol (THISNODE->protocols & conf->protocols); 661 protocol = best_protocol (THISNODE->protocols & conf->protocols);
554 662
555 // mask out protocols we cannot establish 663 // mask out protocols we cannot establish
556 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 664 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
557 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 665 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
666 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
667
668 if (protocol
669 && (!conf->can_direct (THISNODE)
670 || !THISNODE->can_direct (conf)))
671 {
672 slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename);
673 protocol = 0;
674 }
558 675
559 si.set (conf, protocol); 676 si.set (conf, protocol);
560} 677}
561 678
562void 679// ensure sockinfo is valid, forward if necessary
563connection::send_ping (const sockinfo &si, u8 pong) 680const sockinfo &
564{
565 ping_packet *pkt = new ping_packet;
566
567 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
568 vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
569
570 delete pkt;
571}
572
573void
574connection::send_reset (const sockinfo &si) 681connection::forward_si (const sockinfo &si) const
575{ 682{
576 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED) 683 if (!si.valid ())
577 {
578 config_packet *pkt = new config_packet;
579
580 pkt->setup (vpn_packet::PT_RESET, conf->id);
581 vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST);
582
583 delete pkt;
584 } 684 {
585} 685 connection *r = vpn->find_router ();
586 686
587void 687 if (r)
588connection::send_auth_request (const sockinfo &si, bool initiate)
589{
590 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
591
592 rsachallenge chg;
593
594 rsa_cache.gen (pkt->id, chg);
595
596 if (0 > RSA_public_encrypt (sizeof chg,
597 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
598 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
599 fatal ("RSA_public_encrypt error");
600
601 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
602
603 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
604
605 delete pkt;
606}
607
608void
609connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
610{
611 auth_res_packet *pkt = new auth_res_packet (conf->id);
612
613 pkt->id = id;
614
615 rsa_hash (id, chg, pkt->response);
616
617 pkt->hmac_set (octx);
618
619 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
620
621 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
622
623 delete pkt;
624}
625
626void
627connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
628{
629 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
630 conf->id, rid, (const char *)rsi);
631
632 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
633
634 r->hmac_set (octx);
635 vpn->send_vpn_packet (r, si);
636
637 delete r;
638}
639
640void
641connection::establish_connection_cb (time_watcher &w)
642{
643 if (ictx || conf == THISNODE
644 || connectmode == conf_node::C_NEVER
645 || connectmode == conf_node::C_DISABLED)
646 w.at = TSTAMP_CANCEL;
647 else if (w.at <= NOW)
648 {
649 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
650
651 if (retry_int < 3600 * 8)
652 retry_cnt++;
653
654 w.at = NOW + retry_int;
655
656 if (conf->hostname)
657 { 688 {
658 reset_dstaddr (); 689 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s (%s)"),
659 690 conf->nodename, r->conf->nodename, (const char *)r->si);
660 if (si.valid () && auth_rate_limiter.can (si)) 691 return r->si;
661 {
662 if (retry_cnt < 4)
663 send_auth_request (si, true);
664 else
665 send_ping (si, 0);
666 }
667 } 692 }
668 else 693 else
694 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
695 conf->nodename);
696 }
697
698 return si;
699}
700
701void
702connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
703{
704 if (!vpn->send_vpn_packet (pkt, si, tos))
705 reset_connection ();
706}
707
708void
709connection::send_ping (const sockinfo &si, u8 pong)
710{
711 ping_packet *pkt = new ping_packet;
712
713 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
714 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
715
716 delete pkt;
717}
718
719void
720connection::send_reset (const sockinfo &si)
721{
722 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
723 {
724 config_packet *pkt = new config_packet;
725
726 pkt->setup (vpn_packet::PT_RESET, conf->id);
727 send_vpn_packet (pkt, si, IPTOS_MINCOST);
728
729 delete pkt;
730 }
731}
732
733void
734connection::send_auth_request (const sockinfo &si, bool initiate)
735{
736 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
737
738 rsachallenge chg;
739 rsa_cache.gen (pkt->id, chg);
740 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
741
742 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
743
744 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
745
746 delete pkt;
747}
748
749void
750connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
751{
752 auth_res_packet *pkt = new auth_res_packet (conf->id);
753
754 pkt->id = id;
755
756 rsa_hash (id, chg, pkt->response);
757
758 pkt->hmac_set (octx);
759
760 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
761
762 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
763
764 delete pkt;
765}
766
767void
768connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
769{
770 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
771 conf->id, rid, (const char *)rsi);
772
773 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
774
775 r->hmac_set (octx);
776 send_vpn_packet (r, si);
777
778 delete r;
779}
780
781inline void
782connection::establish_connection_cb (ev::timer &w, int revents)
783{
784 if (!ictx
785 && conf != THISNODE
786 && connectmode != conf_node::C_NEVER
787 && connectmode != conf_node::C_DISABLED
788 && !w.is_active ())
789 {
790 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
791 // and stop trying. should probably be handled by a per-connection expire handler.
792 if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
793 {
794 reset_connection ();
795 return;
796 }
797
798 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
799 ? (retry_cnt & 3) + 1
800 : 1 << (retry_cnt >> 2));
801
802 reset_si ();
803
804 bool slow = si.prot & PROT_SLOW;
805
806 if (si.prot && !si.host)
807 {
808 slog (L_TRACE, _("%s: connection request (indirect)"), conf->nodename);
809 /*TODO*/ /* start the timer so we don't recurse endlessly */
810 w.start (1);
669 vpn->connect_request (conf->id); 811 vpn->send_connect_request (conf->id);
812 }
813 else
814 {
815 slog (L_TRACE, _("%s: connection request (direct)"), conf->nodename, !!ictx, !!octx);
816
817 const sockinfo &dsi = forward_si (si);
818
819 slow = slow || (dsi.prot & PROT_SLOW);
820
821 if (dsi.valid () && auth_rate_limiter.can (dsi))
822 {
823 if (retry_cnt < 4)
824 send_auth_request (dsi, true);
825 else
826 send_ping (dsi, 0);
827 }
828 }
829
830 retry_int *= slow ? 8. : 0.7;
831
832 if (retry_int < conf->max_retry)
833 retry_cnt++;
834 else
835 retry_int = conf->max_retry;
836
837 w.start (retry_int);
670 } 838 }
671} 839}
672 840
673void 841void
674connection::reset_connection () 842connection::reset_connection ()
677 { 845 {
678 slog (L_INFO, _("%s(%s): connection lost"), 846 slog (L_INFO, _("%s(%s): connection lost"),
679 conf->nodename, (const char *)si); 847 conf->nodename, (const char *)si);
680 848
681 if (::conf.script_node_down) 849 if (::conf.script_node_down)
682 run_script (run_script_cb (this, &connection::script_node_down), false); 850 {
851 run_script_cb cb;
852 cb.set<connection, &connection::script_node_down> (this);
853 if (!run_script (cb, false))
854 slog (L_WARN, _("node-down command execution failed, continuing."));
855 }
683 } 856 }
684 857
685 delete ictx; ictx = 0; 858 delete ictx; ictx = 0;
686 delete octx; octx = 0; 859 delete octx; octx = 0;
860#if ENABLE_DNS
861 dnsv4_reset_connection ();
862#endif
687 863
688 si.host= 0; 864 si.host = 0;
689 865
690 last_activity = 0; 866 last_activity = 0;
691 retry_cnt = 0; 867 retry_cnt = 0;
692 868
693 rekey.reset (); 869 rekey.stop ();
694 keepalive.reset (); 870 keepalive.stop ();
695 establish_connection.reset (); 871 establish_connection.stop ();
696} 872}
697 873
698void 874void
699connection::shutdown () 875connection::shutdown ()
700{ 876{
702 send_reset (si); 878 send_reset (si);
703 879
704 reset_connection (); 880 reset_connection ();
705} 881}
706 882
707void 883inline void
708connection::rekey_cb (time_watcher &w) 884connection::rekey_cb (ev::timer &w, int revents)
709{ 885{
710 w.at = TSTAMP_CANCEL;
711
712 reset_connection (); 886 reset_connection ();
713 establish_connection (); 887 establish_connection ();
714} 888}
715 889
716void 890void
717connection::send_data_packet (tap_packet *pkt, bool broadcast) 891connection::send_data_packet (tap_packet *pkt)
718{ 892{
719 vpndata_packet *p = new vpndata_packet; 893 vpndata_packet *p = new vpndata_packet;
720 int tos = 0; 894 int tos = 0;
721 895
722 if (conf->inherit_tos 896 // I am not hilarious about peeking into packets, but so be it.
723 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 897 if (conf->inherit_tos && pkt->is_ipv4 ())
724 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
725 tos = (*pkt)[15] & IPTOS_TOS_MASK; 898 tos = (*pkt)[15] & IPTOS_TOS_MASK;
726 899
727 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 900 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
728 vpn->send_vpn_packet (p, si, tos); 901 send_vpn_packet (p, si, tos);
729 902
730 delete p; 903 delete p;
731 904
732 if (oseqno > MAX_SEQNO) 905 if (oseqno > MAX_SEQNO)
733 rekey (); 906 rekey ();
734} 907}
735 908
736void 909void
737connection::inject_data_packet (tap_packet *pkt, bool broadcast) 910connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/)
738{ 911{
739 if (ictx && octx) 912 if (ictx && octx)
740 send_data_packet (pkt, broadcast); 913 send_data_packet (pkt);
741 else 914 else
742 { 915 {
743 if (!broadcast)//DDDD 916 if (!broadcast)
744 queue.put (new tap_packet (*pkt)); 917 data_queue.put (new tap_packet (*pkt));
745 918
746 establish_connection (); 919 establish_connection ();
747 } 920 }
748} 921}
749 922
923void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
924{
925 if (ictx && octx)
926 send_vpn_packet (pkt, si, tos);
927 else
928 {
929 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
930
931 establish_connection ();
932 }
933}
934
750void 935void
751connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 936connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
752{ 937{
753 last_activity = NOW; 938 last_activity = ev_now ();
754 939
755 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 940 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
756 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 941 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
942
943 if (connectmode == conf_node::C_DISABLED)
944 return;
757 945
758 switch (pkt->typ ()) 946 switch (pkt->typ ())
759 { 947 {
760 case vpn_packet::PT_PING: 948 case vpn_packet::PT_PING:
761 // we send pings instead of auth packets after some retries, 949 // we send pings instead of auth packets after some retries,
808 if (p->initiate) 996 if (p->initiate)
809 send_auth_request (rsi, false); 997 send_auth_request (rsi, false);
810 998
811 rsachallenge k; 999 rsachallenge k;
812 1000
813 if (0 > RSA_private_decrypt (sizeof (p->encr), 1001 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
814 (unsigned char *)&p->encr, (unsigned char *)&k, 1002 {
815 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
816 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 1003 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
817 conf->nodename, (const char *)rsi); 1004 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1005 break;
1006 }
818 else 1007 else
819 { 1008 {
820 retry_cnt = 0;
821 establish_connection.start (NOW + 8); //? ;)
822 keepalive.reset ();
823 rekey.reset ();
824
825 delete ictx;
826 ictx = 0;
827
828 delete octx; 1009 delete octx;
829 1010
830 octx = new crypto_ctx (k, 1); 1011 octx = new crypto_ctx (k, 1);
831 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 1012 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
832 1013
833 conf->protocols = p->protocols; 1014 conf->protocols = p->protocols;
1015 features = p->features & config_packet::get_features ();
1016
834 send_auth_response (rsi, p->id, k); 1017 send_auth_response (rsi, p->id, k);
1018
1019 connection_established ();
835 1020
836 break; 1021 break;
837 } 1022 }
838 } 1023 }
1024 else
1025 slog (L_WARN, _("%s(%s): protocol mismatch"),
1026 conf->nodename, (const char *)rsi);
839 1027
840 send_reset (rsi); 1028 send_reset (rsi);
841 } 1029 }
842 1030
843 break; 1031 break;
856 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 1044 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
857 1045
858 rsachallenge chg; 1046 rsachallenge chg;
859 1047
860 if (!rsa_cache.find (p->id, chg)) 1048 if (!rsa_cache.find (p->id, chg))
1049 {
861 slog (L_ERR, _("%s(%s): unrequested auth response"), 1050 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
862 conf->nodename, (const char *)rsi); 1051 conf->nodename, (const char *)rsi);
1052 break;
1053 }
863 else 1054 else
864 { 1055 {
865 crypto_ctx *cctx = new crypto_ctx (chg, 0); 1056 crypto_ctx *cctx = new crypto_ctx (chg, 0);
866 1057
867 if (!p->hmac_chk (cctx)) 1058 if (!p->hmac_chk (cctx))
1059 {
868 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 1060 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
869 "could be an attack, or just corruption or an synchronization error"), 1061 "could be an attack, or just corruption or a synchronization error"),
870 conf->nodename, (const char *)rsi); 1062 conf->nodename, (const char *)rsi);
1063 break;
1064 }
871 else 1065 else
872 { 1066 {
873 rsaresponse h; 1067 rsaresponse h;
874 1068
875 rsa_hash (p->id, chg, h); 1069 rsa_hash (p->id, chg, h);
881 delete ictx; ictx = cctx; 1075 delete ictx; ictx = cctx;
882 1076
883 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 1077 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
884 1078
885 si = rsi; 1079 si = rsi;
1080 protocol = rsi.prot;
886 1081
887 rekey.start (NOW + ::conf.rekey); 1082 connection_established ();
888 keepalive.start (NOW + ::conf.keepalive);
889 1083
890 // send queued packets 1084 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
891 while (tap_packet *p = queue.get ()) 1085 conf->nodename, (const char *)rsi,
1086 p->prot_major, p->prot_minor);
1087
1088 if (::conf.script_node_up)
892 { 1089 {
893 send_data_packet (p); 1090 run_script_cb cb;
894 delete p; 1091 cb.set<connection, &connection::script_node_up> (this);
1092 if (!run_script (cb, false))
1093 slog (L_WARN, _("node-up command execution failed, continuing."));
895 } 1094 }
896
897 connectmode = conf->connectmode;
898
899 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
900 conf->nodename, (const char *)rsi,
901 strprotocol (protocol),
902 p->prot_major, p->prot_minor);
903
904 if (::conf.script_node_up)
905 run_script (run_script_cb (this, &connection::script_node_up), false);
906 1095
907 break; 1096 break;
908 } 1097 }
909 else 1098 else
910 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1099 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
929 1118
930 if (ictx && octx) 1119 if (ictx && octx)
931 { 1120 {
932 vpndata_packet *p = (vpndata_packet *)pkt; 1121 vpndata_packet *p = (vpndata_packet *)pkt;
933 1122
934 if (rsi == si) 1123 if (!p->hmac_chk (ictx))
1124 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1125 "could be an attack, or just corruption or a synchronization error"),
1126 conf->nodename, (const char *)rsi);
1127 else
935 { 1128 {
936 if (!p->hmac_chk (ictx))
937 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
938 "could be an attack, or just corruption or an synchronization error"),
939 conf->nodename, (const char *)rsi);
940 else 1129 u32 seqno;
1130 tap_packet *d = p->unpack (this, seqno);
1131
1132 if (iseqno.recv_ok (seqno))
941 { 1133 {
942 u32 seqno; 1134 vpn->tap->send (d);
943 tap_packet *d = p->unpack (this, seqno);
944 1135
945 if (iseqno.recv_ok (seqno)) 1136 if (si != rsi)
946 { 1137 {
947 vpn->tap->send (d); 1138 // fast re-sync on source address changes, useful especially for tcp/ip
948
949 if (p->dst () == 0) // re-broadcast
950 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
951 {
952 connection *c = *i;
953
954 if (c->conf != THISNODE && c->conf != conf)
955 c->inject_data_packet (d);
956 }
957
958 delete d;
959
960 break; 1139 si = rsi;
1140
1141 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1142 conf->nodename, (const char *)si, (const char *)rsi);
961 } 1143 }
962 } 1144 }
1145
1146 delete d;
1147 break;
963 } 1148 }
964 else
965 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
966 } 1149 }
967 1150
968 send_reset (rsi); 1151 send_reset (rsi);
969 break; 1152 break;
970 1153
971 case vpn_packet::PT_CONNECT_REQ: 1154 case vpn_packet::PT_CONNECT_REQ:
972 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1155 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
973 { 1156 {
974 connect_req_packet *p = (connect_req_packet *) pkt; 1157 connect_req_packet *p = (connect_req_packet *) pkt;
975 1158
976 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1159 if (p->id > 0 && p->id <= vpn->conns.size ())
977 conf->protocols = p->protocols;
978 connection *c = vpn->conns[p->id - 1];
979
980 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
981 conf->id, p->id, c->ictx && c->octx);
982
983 if (c->ictx && c->octx)
984 { 1160 {
1161 connection *c = vpn->conns[p->id - 1];
1162 conf->protocols = p->protocols;
1163
1164 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1165 conf->id, p->id, c->ictx && c->octx);
1166
1167 if (c->ictx && c->octx)
1168 {
985 // send connect_info packets to both sides, in case one is 1169 // send connect_info packets to both sides, in case one is
986 // behind a nat firewall (or both ;) 1170 // behind a nat firewall (or both ;)
987 c->send_connect_info (conf->id, si, conf->protocols); 1171 c->send_connect_info (conf->id, si, conf->protocols);
988 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1172 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1173 }
1174 else
1175 c->establish_connection ();
989 } 1176 }
1177 else
1178 slog (L_WARN,
1179 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1180 p->id);
990 } 1181 }
991 1182
992 break; 1183 break;
993 1184
994 case vpn_packet::PT_CONNECT_INFO: 1185 case vpn_packet::PT_CONNECT_INFO:
995 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1186 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
996 { 1187 {
997 connect_info_packet *p = (connect_info_packet *) pkt; 1188 connect_info_packet *p = (connect_info_packet *)pkt;
998 1189
999 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1190 if (p->id > 0 && p->id <= vpn->conns.size ())
1000 conf->protocols = p->protocols; 1191 {
1001 connection *c = vpn->conns[p->id - 1]; 1192 connection *c = vpn->conns[p->id - 1];
1002 1193
1194 c->conf->protocols = p->protocols;
1195 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1196 p->si.upgrade_protocol (protocol, c->conf);
1197
1003 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1198 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1004 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1199 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1005 1200
1201 const sockinfo &dsi = forward_si (p->si);
1202
1203 if (dsi.valid ())
1006 c->send_auth_request (p->si, true); 1204 c->send_auth_request (dsi, true);
1205 }
1206 else
1207 slog (L_WARN,
1208 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1209 p->id);
1007 } 1210 }
1008 1211
1009 break; 1212 break;
1010 1213
1011 default: 1214 default:
1012 send_reset (rsi); 1215 send_reset (rsi);
1013 break; 1216 break;
1014 } 1217 }
1015} 1218}
1016 1219
1017void connection::keepalive_cb (time_watcher &w) 1220inline void
1221connection::keepalive_cb (ev::timer &w, int revents)
1018{ 1222{
1019 if (NOW >= last_activity + ::conf.keepalive + 30) 1223 if (ev_now () >= last_activity + ::conf.keepalive + 30)
1020 { 1224 {
1021 reset_connection (); 1225 reset_connection ();
1022 establish_connection (); 1226 establish_connection ();
1023 } 1227 }
1024 else if (NOW < last_activity + ::conf.keepalive) 1228 else if (ev_now () < last_activity + ::conf.keepalive)
1025 w.at = last_activity + ::conf.keepalive; 1229 w.start (last_activity + ::conf.keepalive - ev::now ());
1026 else if (conf->connectmode != conf_node::C_ONDEMAND 1230 else if (conf->connectmode != conf_node::C_ONDEMAND
1027 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1231 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1028 { 1232 {
1029 send_ping (si); 1233 send_ping (si);
1030 w.at = NOW + 5; 1234 w.start (5);
1031 } 1235 }
1236 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1237 // hold ondemand connections implicitly a few seconds longer
1238 // should delete octx, though, or something like that ;)
1239 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1032 else 1240 else
1033 reset_connection (); 1241 reset_connection ();
1034} 1242}
1035 1243
1036void connection::connect_request (int id) 1244void connection::send_connect_request (int id)
1037{ 1245{
1038 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1246 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1039 1247
1040 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1248 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1041 p->hmac_set (octx); 1249 p->hmac_set (octx);
1042 vpn->send_vpn_packet (p, si); 1250 send_vpn_packet (p, si);
1043 1251
1044 delete p; 1252 delete p;
1045} 1253}
1046 1254
1255void connection::script_init_env (const char *ext)
1256{
1257 char *env;
1258 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1259 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1260 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1261 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1262 conf->id & 0xff); putenv (env);
1263}
1264
1047void connection::script_node () 1265void connection::script_init_connect_env ()
1048{ 1266{
1049 vpn->script_if_up (); 1267 vpn->script_init_env ();
1050 1268
1051 char *env; 1269 char *env;
1052 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1270 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1053 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1271 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1054 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1272 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1055 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1273 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1056} 1274}
1057 1275
1276inline const char *
1058const char *connection::script_node_up () 1277connection::script_node_up ()
1059{ 1278{
1060 script_node (); 1279 script_init_connect_env ();
1061 1280
1062 putenv ("STATE=up"); 1281 putenv ((char *)"STATE=up");
1063 1282
1283 char *filename;
1284 asprintf (&filename,
1285 "%s/%s",
1286 confbase,
1064 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1287 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1065}
1066 1288
1289 return filename;
1290}
1291
1292inline const char *
1067const char *connection::script_node_down () 1293connection::script_node_down ()
1068{ 1294{
1069 script_node (); 1295 script_init_connect_env ();
1070 1296
1071 putenv ("STATE=down"); 1297 putenv ((char *)"STATE=down");
1072 1298
1073 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1299 char *filename;
1074} 1300 asprintf (&filename,
1301 "%s/%s",
1302 confbase,
1303 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1075 1304
1305 return filename;
1306}
1307
1076connection::connection(struct vpn *vpn_) 1308connection::connection (struct vpn *vpn, conf_node *conf)
1077: vpn(vpn_) 1309: vpn(vpn), conf(conf),
1078, rekey (this, &connection::rekey_cb) 1310#if ENABLE_DNS
1079, keepalive (this, &connection::keepalive_cb) 1311 dns (0),
1312#endif
1313 data_queue(conf->max_ttl, conf->max_queue),
1314 vpn_queue(conf->max_ttl, conf->max_queue)
1315{
1316 rekey .set<connection, &connection::rekey_cb > (this);
1317 keepalive .set<connection, &connection::keepalive_cb > (this);
1080, establish_connection (this, &connection::establish_connection_cb) 1318 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1081{ 1319
1082 octx = ictx = 0; 1320 octx = ictx = 0;
1083 retry_cnt = 0; 1321 retry_cnt = 0;
1084 1322
1085 connectmode = conf_node::C_ALWAYS; // initial setting 1323 if (!conf->protocols) // make sure some protocol is enabled
1324 conf->protocols = PROT_UDPv4;
1325
1326 connectmode = conf->connectmode;
1327
1328 // queue a dummy packet to force an initial connection attempt
1329 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1330 {
1331 net_packet *p = new net_packet;
1332 p->len = 0;
1333 vpn_queue.put (p);
1334 }
1335
1086 reset_connection (); 1336 reset_connection ();
1087} 1337}
1088 1338
1089connection::~connection () 1339connection::~connection ()
1090{ 1340{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines