ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.67 by pcg, Thu Aug 7 16:34:21 2008 UTC vs.
Revision 1.89 by root, Thu Dec 2 08:15:09 2010 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2005 Marc Lehmann <gvpe@schmorp.de> 3 Copyright (C) 2003-2008,2010 Marc Lehmann <gvpe@schmorp.de>
4 4
5 This file is part of GVPE. 5 This file is part of GVPE.
6 6
7 GVPE is free software; you can redistribute it and/or modify 7 GVPE is free software; you can redistribute it and/or modify it
8 it under the terms of the GNU General Public License as published by 8 under the terms of the GNU General Public License as published by the
9 the Free Software Foundation; either version 2 of the License, or 9 Free Software Foundation; either version 3 of the License, or (at your
10 (at your option) any later version. 10 option) any later version.
11 11
12 This program is distributed in the hope that it will be useful, 12 This program is distributed in the hope that it will be useful, but
13 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15 GNU General Public License for more details. 15 Public License for more details.
16 16
17 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License along
18 along with gvpe; if not, write to the Free Software 18 with this program; if not, see <http://www.gnu.org/licenses/>.
19 Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 19
20 Additional permission under GNU GPL version 3 section 7
21
22 If you modify this Program, or any covered work, by linking or
23 combining it with the OpenSSL project's OpenSSL library (or a modified
24 version of that library), containing parts covered by the terms of the
25 OpenSSL or SSLeay licenses, the licensors of this Program grant you
26 additional permission to convey the resulting work. Corresponding
27 Source for a non-source form of such a combination shall include the
28 source code for the parts of OpenSSL used as well as that of the
29 covered work.
20*/ 30*/
21 31
22#include "config.h" 32#include "config.h"
23 33
24#include <list> 34#include <list>
35#include <queue>
36#include <utility>
25 37
26#include <openssl/rand.h> 38#include <openssl/rand.h>
27#include <openssl/evp.h> 39#include <openssl/evp.h>
28#include <openssl/rsa.h> 40#include <openssl/rsa.h>
29#include <openssl/err.h> 41#include <openssl/err.h>
38 50
39#if !HAVE_RAND_PSEUDO_BYTES 51#if !HAVE_RAND_PSEUDO_BYTES
40# define RAND_pseudo_bytes RAND_bytes 52# define RAND_pseudo_bytes RAND_bytes
41#endif 53#endif
42 54
43#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 55#define MAGIC_OLD "vped\xbd\xc6\xdb\x82" // 8 bytes of magic (still used in the protocol)
56#define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic (understood but not generated)
44 57
45#define ULTRA_FAST 1 58#define ULTRA_FAST 1
46#define HLOG 15 59#define HLOG 15
47#include "lzf/lzf.h" 60#include "lzf/lzf.h"
48#include "lzf/lzf_c.c" 61#include "lzf/lzf_c.c"
49#include "lzf/lzf_d.c" 62#include "lzf/lzf_d.c"
63
64//////////////////////////////////////////////////////////////////////////////
65
66static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
67static ev::child rs_child_ev;
68
69void // c++ requires external linkage here, apparently :(
70rs_child_cb (ev::child &w, int revents)
71{
72 w.stop ();
73
74 if (rs_queue.empty ())
75 return;
76
77 pid_t pid = run_script (*rs_queue.front ().first, false);
78 if (pid)
79 {
80 w.set (pid);
81 w.start ();
82 }
83 else
84 slog (L_WARN, rs_queue.front ().second);
85
86 delete rs_queue.front ().first;
87 rs_queue.pop ();
88}
89
90// despite the fancy name, this is quite a hack
91static void
92run_script_queued (run_script_cb *cb, const char *warnmsg)
93{
94 rs_queue.push (std::make_pair (cb, warnmsg));
95
96 if (!rs_child_ev.is_active ())
97 {
98 rs_child_ev.set<rs_child_cb> ();
99 rs_child_ev ();
100 }
101}
102
103//////////////////////////////////////////////////////////////////////////////
50 104
51struct crypto_ctx 105struct crypto_ctx
52{ 106{
53 EVP_CIPHER_CTX cctx; 107 EVP_CIPHER_CTX cctx;
54 HMAC_CTX hctx; 108 HMAC_CTX hctx;
371 ptype type = PT_DATA_UNCOMPRESSED; 425 ptype type = PT_DATA_UNCOMPRESSED;
372 426
373#if ENABLE_COMPRESSION 427#if ENABLE_COMPRESSION
374 u8 cdata[MAX_MTU]; 428 u8 cdata[MAX_MTU];
375 429
376 if (conn->features & ENABLE_COMPRESSION) 430 if (conn->features & FEATURE_COMPRESSION)
377 { 431 {
378 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 432 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
379 433
380 if (cl) 434 if (cl)
381 { 435 {
560 rsaencrdata encr; 614 rsaencrdata encr;
561 615
562 auth_req_packet (int dst, bool initiate_, u8 protocols_) 616 auth_req_packet (int dst, bool initiate_, u8 protocols_)
563 { 617 {
564 config_packet::setup (PT_AUTH_REQ, dst); 618 config_packet::setup (PT_AUTH_REQ, dst);
565 strncpy (magic, MAGIC, 8); 619 strncpy (magic, MAGIC_OLD, 8);
566 initiate = !!initiate_; 620 initiate = !!initiate_;
567 protocols = protocols_; 621 protocols = protocols_;
568 622
569 len = sizeof (*this) - sizeof (net_packet); 623 len = sizeof (*this) - sizeof (net_packet);
570 } 624 }
619///////////////////////////////////////////////////////////////////////////// 673/////////////////////////////////////////////////////////////////////////////
620 674
621void 675void
622connection::connection_established () 676connection::connection_established ()
623{ 677{
624 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx); 678 slog (L_NOISE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
625 679
626 if (ictx && octx) 680 if (ictx && octx)
627 { 681 {
628 // make sure rekeying timeouts are slightly asymmetric 682 // make sure rekeying timeouts are slightly asymmetric
629 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0); 683 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
643 { 697 {
644 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY); 698 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
645 delete p; 699 delete p;
646 } 700 }
647 } 701 }
702
703 vpn->connection_established (this);
648 } 704 }
649 else 705 else
650 { 706 {
651 retry_cnt = 0; 707 retry_cnt = 0;
652 establish_connection.start (5); 708 establish_connection.start (5);
656} 712}
657 713
658void 714void
659connection::reset_si () 715connection::reset_si ()
660{ 716{
717 if (vpn->can_direct (THISNODE, conf))
661 protocol = best_protocol (THISNODE->protocols & conf->protocols); 718 protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
662 719 else
663 // mask out protocols we cannot establish
664 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
665 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
666 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
667
668 if (protocol
669 && (!conf->can_direct (THISNODE)
670 || !THISNODE->can_direct (conf)))
671 { 720 {
672 slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename); 721 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
673 protocol = 0; 722 protocol = 0;
674 } 723 }
675 724
676 si.set (conf, protocol); 725 si.set (conf, protocol);
726
727 is_direct = si.valid ();
677} 728}
678 729
679// ensure sockinfo is valid, forward if necessary 730// ensure sockinfo is valid, forward if necessary
680const sockinfo & 731const sockinfo &
681connection::forward_si (const sockinfo &si) const 732connection::forward_si (const sockinfo &si) const
682{ 733{
683 if (!si.valid ()) 734 if (!si.valid ())
684 { 735 {
685 connection *r = vpn->find_router (); 736 connection *r = vpn->find_router_for (this);
686 737
687 if (r) 738 if (r)
688 { 739 {
689 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s (%s)"), 740 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
690 conf->nodename, r->conf->nodename, (const char *)r->si); 741 conf->nodename, r->conf->nodename);
691 return r->si; 742 return r->si;
692 } 743 }
693 else 744 else
694 slog (L_DEBUG, _("%s: node unreachable, no common protocol"), 745 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
695 conf->nodename); 746 conf->nodename);
696 } 747 }
697 748
698 return si; 749 return si;
699} 750}
709connection::send_ping (const sockinfo &si, u8 pong) 760connection::send_ping (const sockinfo &si, u8 pong)
710{ 761{
711 ping_packet *pkt = new ping_packet; 762 ping_packet *pkt = new ping_packet;
712 763
713 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 764 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
765
766 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
767
714 send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 768 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
715 769
716 delete pkt; 770 delete pkt;
717} 771}
718 772
737 791
738 rsachallenge chg; 792 rsachallenge chg;
739 rsa_cache.gen (pkt->id, chg); 793 rsa_cache.gen (pkt->id, chg);
740 rsa_encrypt (conf->rsa_key, chg, pkt->encr); 794 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
741 795
742 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 796 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
743 797
744 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly 798 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
745 799
746 delete pkt; 800 delete pkt;
747} 801}
755 809
756 rsa_hash (id, chg, pkt->response); 810 rsa_hash (id, chg, pkt->response);
757 811
758 pkt->hmac_set (octx); 812 pkt->hmac_set (octx);
759 813
760 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 814 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
761 815
762 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 816 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
763 817
764 delete pkt; 818 delete pkt;
765} 819}
766 820
767void 821void
768connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 822connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
769{ 823{
770 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)", 824 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s)", conf->nodename,
771 conf->id, rid, (const char *)rsi); 825 vpn->conns[rid - 1]->conf->nodename, (const char *)rsi);
772 826
773 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 827 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
774 828
775 r->hmac_set (octx); 829 r->hmac_set (octx);
776 send_vpn_packet (r, si); 830 send_vpn_packet (r, si);
793 { 847 {
794 reset_connection (); 848 reset_connection ();
795 return; 849 return;
796 } 850 }
797 851
852 last_establish_attempt = ev_now ();
853
798 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3 854 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
799 ? (retry_cnt & 3) + 1 855 ? (retry_cnt & 3) + 1
800 : 1 << (retry_cnt >> 2)); 856 : 1 << (retry_cnt >> 2));
801 857
802 reset_si (); 858 reset_si ();
803 859
804 bool slow = si.prot & PROT_SLOW; 860 bool slow = si.prot & PROT_SLOW;
805 861
806 if (si.prot && !si.host) 862 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
807 { 863 {
808 slog (L_TRACE, _("%s: connection request (indirect)"), conf->nodename);
809 /*TODO*/ /* start the timer so we don't recurse endlessly */ 864 /*TODO*/ /* start the timer so we don't recurse endlessly */
810 w.start (1); 865 w.start (1);
811 vpn->send_connect_request (conf->id); 866 vpn->send_connect_request (this);
812 } 867 }
813 else 868 else
814 { 869 {
815 slog (L_TRACE, _("%s: connection request (direct)"), conf->nodename, !!ictx, !!octx); 870 if (si.valid ())
871 slog (L_DEBUG, _("%s: sending direct connection request to %s."),
872 conf->nodename, (const char *)si);
816 873
817 const sockinfo &dsi = forward_si (si); 874 const sockinfo &dsi = forward_si (si);
818 875
819 slow = slow || (dsi.prot & PROT_SLOW); 876 slow = slow || (dsi.prot & PROT_SLOW);
820 877
825 else 882 else
826 send_ping (dsi, 0); 883 send_ping (dsi, 0);
827 } 884 }
828 } 885 }
829 886
830 retry_int *= slow ? 8. : 0.7; 887 retry_int *= slow ? 8. : 0.9;
831 888
832 if (retry_int < conf->max_retry) 889 if (retry_int < conf->max_retry)
833 retry_cnt++; 890 retry_cnt++;
834 else 891 else
835 retry_int = conf->max_retry; 892 retry_int = conf->max_retry;
846 slog (L_INFO, _("%s(%s): connection lost"), 903 slog (L_INFO, _("%s(%s): connection lost"),
847 conf->nodename, (const char *)si); 904 conf->nodename, (const char *)si);
848 905
849 if (::conf.script_node_down) 906 if (::conf.script_node_down)
850 { 907 {
851 run_script_cb cb; 908 run_script_cb *cb = new run_script_cb;
852 cb.set<connection, &connection::script_node_down> (this); 909 cb->set<connection, &connection::script_node_down> (this);
853 if (!run_script (cb, false))
854 slog (L_WARN, _("node-down command execution failed, continuing.")); 910 run_script_queued (cb, _("node-down command execution failed, continuing."));
855 } 911 }
856 } 912 }
857 913
858 delete ictx; ictx = 0; 914 delete ictx; ictx = 0;
859 delete octx; octx = 0; 915 delete octx; octx = 0;
861 dnsv4_reset_connection (); 917 dnsv4_reset_connection ();
862#endif 918#endif
863 919
864 si.host = 0; 920 si.host = 0;
865 921
866 last_activity = 0; 922 last_activity = 0.;
923 //last_si_change = 0.;
867 retry_cnt = 0; 924 retry_cnt = 0;
868 925
869 rekey.stop (); 926 rekey.stop ();
870 keepalive.stop (); 927 keepalive.stop ();
871 establish_connection.stop (); 928 establish_connection.stop ();
878 send_reset (si); 935 send_reset (si);
879 936
880 reset_connection (); 937 reset_connection ();
881} 938}
882 939
940// poor-man's rekeying
883inline void 941inline void
884connection::rekey_cb (ev::timer &w, int revents) 942connection::rekey_cb (ev::timer &w, int revents)
885{ 943{
886 reset_connection (); 944 reset_connection ();
887 establish_connection (); 945 establish_connection ();
905 if (oseqno > MAX_SEQNO) 963 if (oseqno > MAX_SEQNO)
906 rekey (); 964 rekey ();
907} 965}
908 966
909void 967void
968connection::post_inject_queue ()
969{
970 // force a connection every now and when when packets are sent (max 1/s)
971 if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
972 establish_connection.stop ();
973
974 establish_connection ();
975}
976
977void
910connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/) 978connection::inject_data_packet (tap_packet *pkt)
911{ 979{
912 if (ictx && octx) 980 if (ictx && octx)
913 send_data_packet (pkt); 981 send_data_packet (pkt);
914 else 982 else
915 { 983 {
916 if (!broadcast)
917 data_queue.put (new tap_packet (*pkt)); 984 data_queue.put (new tap_packet (*pkt));
918 985 post_inject_queue ();
919 establish_connection ();
920 } 986 }
921} 987}
922 988
923void connection::inject_vpn_packet (vpn_packet *pkt, int tos) 989void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
924{ 990{
925 if (ictx && octx) 991 if (ictx && octx)
926 send_vpn_packet (pkt, si, tos); 992 send_vpn_packet (pkt, si, tos);
927 else 993 else
928 { 994 {
929 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt)); 995 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
930 996 post_inject_queue ();
931 establish_connection ();
932 } 997 }
933} 998}
934 999
935void 1000void
936connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 1001connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
937{ 1002{
938 last_activity = ev_now (); 1003 last_activity = ev_now ();
939 1004
940 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 1005 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
941 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 1006 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
942 1007
943 if (connectmode == conf_node::C_DISABLED) 1008 if (connectmode == conf_node::C_DISABLED)
944 return; 1009 return;
945 1010
946 switch (pkt->typ ()) 1011 switch (pkt->typ ())
947 { 1012 {
948 case vpn_packet::PT_PING: 1013 case vpn_packet::PT_PING:
1014 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1015
949 // we send pings instead of auth packets after some retries, 1016 // we send pings instead of auth packets after some retries,
950 // so reset the retry counter and establish a connection 1017 // so reset the retry counter and establish a connection
951 // when we receive a ping. 1018 // when we receive a ping.
952 if (!ictx) 1019 if (!ictx)
953 { 1020 {
954 if (auth_rate_limiter.can (rsi)) 1021 if (auth_rate_limiter.can (rsi))
955 send_auth_request (rsi, true); 1022 send_auth_request (rsi, true);
956 } 1023 }
957 else 1024 else
1025 // we would love to change the socket address here, but ping's aren't
1026 // authenticated, so we best ignore it.
958 send_ping (rsi, 1); // pong 1027 send_ping (rsi, 1); // pong
959 1028
960 break; 1029 break;
961 1030
962 case vpn_packet::PT_PONG: 1031 case vpn_packet::PT_PONG:
1032 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1033
1034 // a PONG might mean that the other side doesn't really know
1035 // about our desire for communication.
1036 establish_connection ();
963 break; 1037 break;
964 1038
965 case vpn_packet::PT_RESET: 1039 case vpn_packet::PT_RESET:
966 { 1040 {
967 reset_connection (); 1041 reset_connection ();
968 1042
969 config_packet *p = (config_packet *) pkt; 1043 config_packet *p = (config_packet *) pkt;
970 1044
971 if (!p->chk_config ()) 1045 if (!p->chk_config ())
972 { 1046 {
973 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"), 1047 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
974 conf->nodename, (const char *)rsi); 1048 conf->nodename, (const char *)rsi);
975 connectmode = conf_node::C_DISABLED; 1049 connectmode = conf_node::C_DISABLED;
976 } 1050 }
977 else if (connectmode == conf_node::C_ALWAYS) 1051 else if (connectmode == conf_node::C_ALWAYS)
978 establish_connection (); 1052 establish_connection ();
982 case vpn_packet::PT_AUTH_REQ: 1056 case vpn_packet::PT_AUTH_REQ:
983 if (auth_rate_limiter.can (rsi)) 1057 if (auth_rate_limiter.can (rsi))
984 { 1058 {
985 auth_req_packet *p = (auth_req_packet *) pkt; 1059 auth_req_packet *p = (auth_req_packet *) pkt;
986 1060
987 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 1061 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s)", conf->nodename, p->initiate ? "initiate" : "reply");
988 1062
989 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 1063 if (p->chk_config ()
1064 && (!strncmp (p->magic, MAGIC_OLD, 8) || !strncmp (p->magic, MAGIC, 8)))
990 { 1065 {
991 if (p->prot_minor != PROTOCOL_MINOR) 1066 if (p->prot_minor != PROTOCOL_MINOR)
992 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 1067 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
993 conf->nodename, (const char *)rsi, 1068 conf->nodename, (const char *)rsi,
994 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 1069 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1020 1095
1021 break; 1096 break;
1022 } 1097 }
1023 } 1098 }
1024 else 1099 else
1025 slog (L_WARN, _("%s(%s): protocol mismatch"), 1100 slog (L_WARN, _("%s(%s): protocol mismatch."),
1026 conf->nodename, (const char *)rsi); 1101 conf->nodename, (const char *)rsi);
1027 1102
1028 send_reset (rsi); 1103 send_reset (rsi);
1029 } 1104 }
1030 1105
1031 break; 1106 break;
1032 1107
1033 case vpn_packet::PT_AUTH_RES: 1108 case vpn_packet::PT_AUTH_RES:
1034 { 1109 {
1035 auth_res_packet *p = (auth_res_packet *) pkt; 1110 auth_res_packet *p = (auth_res_packet *)pkt;
1036 1111
1037 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 1112 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
1038 1113
1039 if (p->chk_config ()) 1114 if (p->chk_config ())
1040 { 1115 {
1041 if (p->prot_minor != PROTOCOL_MINOR) 1116 if (p->prot_minor != PROTOCOL_MINOR)
1042 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 1117 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1045 1120
1046 rsachallenge chg; 1121 rsachallenge chg;
1047 1122
1048 if (!rsa_cache.find (p->id, chg)) 1123 if (!rsa_cache.find (p->id, chg))
1049 { 1124 {
1050 slog (L_ERR, _("%s(%s): unrequested auth response ignored"), 1125 slog (L_ERR, _("%s(%s): unrequested auth response, ignoring."),
1051 conf->nodename, (const char *)rsi); 1126 conf->nodename, (const char *)rsi);
1052 break; 1127 break;
1053 } 1128 }
1054 else 1129 else
1055 { 1130 {
1056 crypto_ctx *cctx = new crypto_ctx (chg, 0); 1131 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1057 1132
1058 if (!p->hmac_chk (cctx)) 1133 if (!p->hmac_chk (cctx))
1059 { 1134 {
1060 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 1135 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1061 "could be an attack, or just corruption or a synchronization error"), 1136 "could be an attack, or just corruption or a synchronization error."),
1062 conf->nodename, (const char *)rsi); 1137 conf->nodename, (const char *)rsi);
1063 break; 1138 break;
1064 } 1139 }
1065 else 1140 else
1066 { 1141 {
1077 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 1152 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1078 1153
1079 si = rsi; 1154 si = rsi;
1080 protocol = rsi.prot; 1155 protocol = rsi.prot;
1081 1156
1157 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
1158 conf->nodename, (const char *)rsi,
1159 is_direct ? "direct" : "forwarded",
1160 p->prot_major, p->prot_minor);
1161
1082 connection_established (); 1162 connection_established ();
1083
1084 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
1085 conf->nodename, (const char *)rsi,
1086 p->prot_major, p->prot_minor);
1087 1163
1088 if (::conf.script_node_up) 1164 if (::conf.script_node_up)
1089 { 1165 {
1090 run_script_cb cb; 1166 run_script_cb *cb = new run_script_cb;
1091 cb.set<connection, &connection::script_node_up> (this); 1167 cb->set<connection, &connection::script_node_up> (this);
1092 if (!run_script (cb, false))
1093 slog (L_WARN, _("node-up command execution failed, continuing.")); 1168 run_script_queued (cb, _("node-up command execution failed, continuing."));
1094 } 1169 }
1095 1170
1096 break; 1171 break;
1097 } 1172 }
1098 else 1173 else
1099 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1174 slog (L_ERR, _("%s(%s): sent and received challenge do not match."),
1100 conf->nodename, (const char *)rsi); 1175 conf->nodename, (const char *)rsi);
1101 } 1176 }
1102 1177
1103 delete cctx; 1178 delete cctx;
1104 } 1179 }
1120 { 1195 {
1121 vpndata_packet *p = (vpndata_packet *)pkt; 1196 vpndata_packet *p = (vpndata_packet *)pkt;
1122 1197
1123 if (!p->hmac_chk (ictx)) 1198 if (!p->hmac_chk (ictx))
1124 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n" 1199 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1125 "could be an attack, or just corruption or a synchronization error"), 1200 "could be an attack, or just corruption or a synchronization error."),
1126 conf->nodename, (const char *)rsi); 1201 conf->nodename, (const char *)rsi);
1127 else 1202 else
1128 { 1203 {
1129 u32 seqno; 1204 u32 seqno;
1130 tap_packet *d = p->unpack (this, seqno); 1205 tap_packet *d = p->unpack (this, seqno);
1206 int seqclass = iseqno.seqno_classify (seqno);
1131 1207
1132 if (iseqno.recv_ok (seqno)) 1208 if (seqclass == 0) // ok
1133 { 1209 {
1134 vpn->tap->send (d); 1210 vpn->tap->send (d);
1135 1211
1136 if (si != rsi) 1212 if (si != rsi)
1137 { 1213 {
1138 // fast re-sync on source address changes, useful especially for tcp/ip 1214 // fast re-sync on source address changes, useful especially for tcp/ip
1215 //if (last_si_change < ev_now () + 5.)
1139 si = rsi; 1216 // {
1140
1141 slog (L_INFO, _("%s(%s): socket address changed to %s"), 1217 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1142 conf->nodename, (const char *)si, (const char *)rsi); 1218 conf->nodename, (const char *)si, (const char *)rsi);
1219
1220 si = rsi;
1221
1222 if (::conf.script_node_change)
1223 {
1224 run_script_cb *cb = new run_script_cb;
1225 cb->set<connection, &connection::script_node_change> (this);
1226 run_script_queued (cb, _("node-change command execution failed, continuing."));
1227 }
1228
1229 // }
1230 //else
1231 // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1232 // conf->nodename, (const char *)si, (const char *)rsi);
1143 } 1233 }
1234 }
1235 else if (seqclass == 1) // far history
1236 slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1237 "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1238 else if (seqclass == 2) // in-window duplicate, happens often on wireless
1239 slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1240 "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1241 else if (seqclass == 3) // reset
1242 {
1243 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1244 "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1245 send_reset (rsi);
1144 } 1246 }
1145 1247
1146 delete d; 1248 delete d;
1147 break; 1249 break;
1148 } 1250 }
1152 break; 1254 break;
1153 1255
1154 case vpn_packet::PT_CONNECT_REQ: 1256 case vpn_packet::PT_CONNECT_REQ:
1155 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1257 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1156 { 1258 {
1157 connect_req_packet *p = (connect_req_packet *) pkt; 1259 connect_req_packet *p = (connect_req_packet *)pkt;
1158 1260
1159 if (p->id > 0 && p->id <= vpn->conns.size ()) 1261 if (p->id > 0 && p->id <= vpn->conns.size ())
1160 { 1262 {
1161 connection *c = vpn->conns[p->id - 1]; 1263 connection *c = vpn->conns[p->id - 1];
1162 conf->protocols = p->protocols; 1264 conf->protocols = p->protocols;
1163 1265
1164 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]", 1266 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s) [%d]",
1165 conf->id, p->id, c->ictx && c->octx); 1267 conf->nodename, vpn->conns[p->id - 1]->conf->nodename, c->ictx && c->octx);
1166 1268
1167 if (c->ictx && c->octx) 1269 if (c->ictx && c->octx)
1168 { 1270 {
1169 // send connect_info packets to both sides, in case one is 1271 // send connect_info packets to both sides, in case one is
1170 // behind a nat firewall (or both ;) 1272 // behind a nat firewall (or both ;)
1193 1295
1194 c->conf->protocols = p->protocols; 1296 c->conf->protocols = p->protocols;
1195 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1297 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1196 p->si.upgrade_protocol (protocol, c->conf); 1298 p->si.upgrade_protocol (protocol, c->conf);
1197 1299
1198 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1300 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s) [%d]",
1301 conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1199 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1302 (const char *)p->si, !c->ictx && !c->octx);
1200 1303
1201 const sockinfo &dsi = forward_si (p->si); 1304 const sockinfo &dsi = forward_si (p->si);
1202 1305
1203 if (dsi.valid ()) 1306 if (dsi.valid ())
1204 c->send_auth_request (dsi, true); 1307 c->send_auth_request (dsi, true);
1218} 1321}
1219 1322
1220inline void 1323inline void
1221connection::keepalive_cb (ev::timer &w, int revents) 1324connection::keepalive_cb (ev::timer &w, int revents)
1222{ 1325{
1223 if (ev_now () >= last_activity + ::conf.keepalive + 30) 1326 if (ev_now () >= last_activity + ::conf.keepalive + 15)
1224 { 1327 {
1225 reset_connection (); 1328 reset_connection ();
1226 establish_connection (); 1329 establish_connection ();
1227 } 1330 }
1228 else if (ev_now () < last_activity + ::conf.keepalive) 1331 else if (ev_now () < last_activity + ::conf.keepalive)
1229 w.start (last_activity + ::conf.keepalive - ev::now ()); 1332 w.start (last_activity + ::conf.keepalive - ev::now ());
1230 else if (conf->connectmode != conf_node::C_ONDEMAND 1333 else if (conf->connectmode != conf_node::C_ONDEMAND
1231 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1334 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1232 { 1335 {
1233 send_ping (si); 1336 send_ping (si);
1234 w.start (5); 1337 w.start (3);
1235 } 1338 }
1236 else if (ev_now () < last_activity + ::conf.keepalive + 10) 1339 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1237 // hold ondemand connections implicitly a few seconds longer 1340 // hold ondemand connections implicitly a few seconds longer
1238 // should delete octx, though, or something like that ;) 1341 // should delete octx, though, or something like that ;)
1239 w.start (last_activity + ::conf.keepalive + 10 - ev::now ()); 1342 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1243 1346
1244void connection::send_connect_request (int id) 1347void connection::send_connect_request (int id)
1245{ 1348{
1246 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1349 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1247 1350
1248 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1351 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s)",
1352 conf->nodename, vpn->conns[id - 1]->conf->nodename);
1249 p->hmac_set (octx); 1353 p->hmac_set (octx);
1250 send_vpn_packet (p, si); 1354 send_vpn_packet (p, si);
1251 1355
1252 delete p; 1356 delete p;
1253} 1357}
1254 1358
1255void connection::script_init_env (const char *ext) 1359void connection::script_init_env (const char *ext)
1256{ 1360{
1257 char *env; 1361 char *env;
1258 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env); 1362 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1259 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env); 1363 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1260 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext, 1364 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1261 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8, 1365 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1262 conf->id & 0xff); putenv (env); 1366 conf->id & 0xff); putenv (env);
1263} 1367}
1264 1368
1265void connection::script_init_connect_env () 1369void connection::script_init_connect_env ()
1266{ 1370{
1267 vpn->script_init_env (); 1371 vpn->script_init_env ();
1268 1372
1269 char *env; 1373 char *env;
1270 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1374 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1375 asprintf (&env, "DESTSI=%s", (const char *)si); putenv (env);
1271 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1376 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1272 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1377 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1273 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1378 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1274} 1379}
1275 1380
1276inline const char * 1381inline const char *
1277connection::script_node_up () 1382connection::script_node_up ()
1278{ 1383{
1288 1393
1289 return filename; 1394 return filename;
1290} 1395}
1291 1396
1292inline const char * 1397inline const char *
1398connection::script_node_change ()
1399{
1400 script_init_connect_env ();
1401
1402 putenv ((char *)"STATE=change");
1403
1404 char *filename;
1405 asprintf (&filename,
1406 "%s/%s",
1407 confbase,
1408 ::conf.script_node_change ? ::conf.script_node_change : "node-change");
1409
1410 return filename;
1411}
1412
1413inline const char *
1293connection::script_node_down () 1414connection::script_node_down ()
1294{ 1415{
1295 script_init_connect_env (); 1416 script_init_connect_env ();
1296 1417
1297 putenv ((char *)"STATE=down"); 1418 putenv ((char *)"STATE=down");
1308connection::connection (struct vpn *vpn, conf_node *conf) 1429connection::connection (struct vpn *vpn, conf_node *conf)
1309: vpn(vpn), conf(conf), 1430: vpn(vpn), conf(conf),
1310#if ENABLE_DNS 1431#if ENABLE_DNS
1311 dns (0), 1432 dns (0),
1312#endif 1433#endif
1313 data_queue(conf->max_ttl, conf->max_queue), 1434 data_queue(conf->max_ttl, conf->max_queue + 1),
1314 vpn_queue(conf->max_ttl, conf->max_queue) 1435 vpn_queue(conf->max_ttl, conf->max_queue + 1)
1315{ 1436{
1316 rekey .set<connection, &connection::rekey_cb > (this); 1437 rekey .set<connection, &connection::rekey_cb > (this);
1317 keepalive .set<connection, &connection::keepalive_cb > (this); 1438 keepalive .set<connection, &connection::keepalive_cb > (this);
1318 establish_connection.set<connection, &connection::establish_connection_cb> (this); 1439 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1319 1440
1441 last_establish_attempt = 0.;
1320 octx = ictx = 0; 1442 octx = ictx = 0;
1321 retry_cnt = 0;
1322 1443
1323 if (!conf->protocols) // make sure some protocol is enabled 1444 if (!conf->protocols) // make sure some protocol is enabled
1324 conf->protocols = PROT_UDPv4; 1445 conf->protocols = PROT_UDPv4;
1325 1446
1326 connectmode = conf->connectmode; 1447 connectmode = conf->connectmode;
1327 1448
1328 // queue a dummy packet to force an initial connection attempt 1449 // queue a dummy packet to force an initial connection attempt
1329 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED) 1450 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1330 { 1451 vpn_queue.put (new net_packet);
1331 net_packet *p = new net_packet;
1332 p->len = 0;
1333 vpn_queue.put (p);
1334 }
1335 1452
1336 reset_connection (); 1453 reset_connection ();
1337} 1454}
1338 1455
1339connection::~connection () 1456connection::~connection ()

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines