ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.6 by pcg, Sat Apr 5 02:32:40 2003 UTC vs.
Revision 1.68 by pcg, Thu Aug 7 17:30:27 2008 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2005 Marc Lehmann <gvpe@schmorp.de>
3 4
5 This file is part of GVPE.
6
4 This program is free software; you can redistribute it and/or modify 7 GVPE is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by 8 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or 9 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version. 10 (at your option) any later version.
8 11
9 This program is distributed in the hope that it will be useful, 12 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details. 15 GNU General Public License for more details.
13 16
14 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software 18 along with gvpe; if not, write to the Free Software
16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17*/ 20*/
18 21
19#include "config.h" 22#include "config.h"
20
21extern "C" {
22# include "lzf/lzf.h"
23}
24 23
25#include <list> 24#include <list>
26 25
27#include <openssl/rand.h> 26#include <openssl/rand.h>
28#include <openssl/evp.h> 27#include <openssl/evp.h>
29#include <openssl/rsa.h> 28#include <openssl/rsa.h>
30#include <openssl/err.h> 29#include <openssl/err.h>
31
32#include "gettext.h"
33 30
34#include "conf.h" 31#include "conf.h"
35#include "slog.h" 32#include "slog.h"
36#include "device.h" 33#include "device.h"
37#include "vpn.h" 34#include "vpn.h"
38#include "connection.h" 35#include "connection.h"
39 36
37#include "netcompat.h"
38
40#if !HAVE_RAND_PSEUDO_BYTES 39#if !HAVE_RAND_PSEUDO_BYTES
41# define RAND_pseudo_bytes RAND_bytes 40# define RAND_pseudo_bytes RAND_bytes
42#endif 41#endif
43 42
44#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 43#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
45 44
45#define ULTRA_FAST 1
46#define HLOG 15
47#include "lzf/lzf.h"
48#include "lzf/lzf_c.c"
49#include "lzf/lzf_d.c"
50
46struct crypto_ctx 51struct crypto_ctx
47{ 52{
48 EVP_CIPHER_CTX cctx; 53 EVP_CIPHER_CTX cctx;
49 HMAC_CTX hctx; 54 HMAC_CTX hctx;
50 55
53}; 58};
54 59
55crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc) 60crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
56{ 61{
57 EVP_CIPHER_CTX_init (&cctx); 62 EVP_CIPHER_CTX_init (&cctx);
58 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); 63 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
59 HMAC_CTX_init (&hctx); 64 HMAC_CTX_init (&hctx);
60 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0); 65 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
61} 66}
62 67
63crypto_ctx::~crypto_ctx () 68crypto_ctx::~crypto_ctx ()
64{ 69{
65 EVP_CIPHER_CTX_cleanup (&cctx); 70 require (EVP_CIPHER_CTX_cleanup (&cctx));
66 HMAC_CTX_cleanup (&hctx); 71 HMAC_CTX_cleanup (&hctx);
67} 72}
68 73
69static void 74static void
70rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h) 75rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
71{ 76{
72 EVP_MD_CTX ctx; 77 EVP_MD_CTX ctx;
73 78
74 EVP_MD_CTX_init (&ctx); 79 EVP_MD_CTX_init (&ctx);
75 EVP_DigestInit (&ctx, RSA_HASH); 80 require (EVP_DigestInit (&ctx, RSA_HASH));
76 EVP_DigestUpdate(&ctx, &chg, sizeof chg); 81 require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
77 EVP_DigestUpdate(&ctx, &id, sizeof id); 82 require (EVP_DigestUpdate(&ctx, &id, sizeof id));
78 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0); 83 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
79 EVP_MD_CTX_cleanup (&ctx); 84 EVP_MD_CTX_cleanup (&ctx);
80} 85}
81 86
82struct rsa_entry { 87struct rsa_entry
88{
83 tstamp expire; 89 tstamp expire;
84 rsaid id; 90 rsaid id;
85 rsachallenge chg; 91 rsachallenge chg;
86}; 92};
87 93
88struct rsa_cache : list<rsa_entry> 94struct rsa_cache : list<rsa_entry>
89{ 95{
90 void cleaner_cb (time_watcher &w); time_watcher cleaner; 96 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
91 97
92 bool find (const rsaid &id, rsachallenge &chg) 98 bool find (const rsaid &id, rsachallenge &chg)
93 { 99 {
94 for (iterator i = begin (); i != end (); ++i) 100 for (iterator i = begin (); i != end (); ++i)
95 { 101 {
96 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW) 102 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
97 { 103 {
98 memcpy (&chg, &i->chg, sizeof chg); 104 memcpy (&chg, &i->chg, sizeof chg);
99 105
100 erase (i); 106 erase (i);
101 return true; 107 return true;
102 } 108 }
103 } 109 }
104 110
105 if (cleaner.at < NOW) 111 if (!cleaner.is_active ())
106 cleaner.start (NOW + RSA_TTL); 112 cleaner.again ();
107 113
108 return false; 114 return false;
109 } 115 }
110 116
111 void gen (rsaid &id, rsachallenge &chg) 117 void gen (rsaid &id, rsachallenge &chg)
112 { 118 {
113 rsa_entry e; 119 rsa_entry e;
114 120
115 RAND_bytes ((unsigned char *)&id, sizeof id); 121 RAND_bytes ((unsigned char *)&id, sizeof id);
116 RAND_bytes ((unsigned char *)&chg, sizeof chg); 122 RAND_bytes ((unsigned char *)&chg, sizeof chg);
117 123
118 e.expire = NOW + RSA_TTL; 124 e.expire = ev_now () + RSA_TTL;
119 e.id = id; 125 e.id = id;
120 memcpy (&e.chg, &chg, sizeof chg); 126 memcpy (&e.chg, &chg, sizeof chg);
121 127
122 push_back (e); 128 push_back (e);
123 129
124 if (cleaner.at < NOW) 130 if (!cleaner.is_active ())
125 cleaner.start (NOW + RSA_TTL); 131 cleaner.again ();
126 } 132 }
127 133
128 rsa_cache () 134 rsa_cache ()
129 : cleaner (this, &rsa_cache::cleaner_cb) 135 {
130 { } 136 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
137 cleaner.set (RSA_TTL, RSA_TTL);
138 }
131 139
132} rsa_cache; 140} rsa_cache;
133 141
134void rsa_cache::cleaner_cb (time_watcher &w) 142void rsa_cache::cleaner_cb (ev::timer &w, int revents)
135{ 143{
136 if (empty ()) 144 if (empty ())
137 w.at = TSTAMP_CANCEL; 145 w.stop ();
138 else 146 else
139 { 147 {
140 w.at = NOW + RSA_TTL;
141
142 for (iterator i = begin (); i != end (); ) 148 for (iterator i = begin (); i != end (); )
143 if (i->expire <= NOW) 149 if (i->expire <= ev_now ())
144 i = erase (i); 150 i = erase (i);
145 else 151 else
146 ++i; 152 ++i;
147 } 153 }
148} 154}
149 155
150////////////////////////////////////////////////////////////////////////////// 156//////////////////////////////////////////////////////////////////////////////
151 157
152void pkt_queue::put (tap_packet *p) 158pkt_queue::pkt_queue (double max_ttl, int max_queue)
159: max_ttl (max_ttl), max_queue (max_queue)
153{ 160{
154 if (queue[i]) 161 queue = new pkt [max_queue];
155 {
156 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH;
158 }
159 162
160 queue[i] = p;
161
162 i = (i + 1) % QUEUEDEPTH;
163}
164
165tap_packet *pkt_queue::get ()
166{
167 tap_packet *p = queue[j];
168
169 if (p)
170 {
171 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH;
173 }
174
175 return p;
176}
177
178pkt_queue::pkt_queue ()
179{
180 memset (queue, 0, sizeof (queue));
181 i = 0; 163 i = 0;
182 j = 0; 164 j = 0;
165
166 expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
183} 167}
184 168
185pkt_queue::~pkt_queue () 169pkt_queue::~pkt_queue ()
186{ 170{
187 for (i = QUEUEDEPTH; --i > 0; ) 171 while (net_packet *p = get ())
172 delete p;
173
188 delete queue[i]; 174 delete [] queue;
189} 175}
190 176
177void pkt_queue::expire_cb (ev::timer &w, int revents)
178{
179 ev_tstamp expire = ev_now () - max_ttl;
180
181 for (;;)
182 {
183 if (empty ())
184 break;
185
186 double diff = queue[j].tstamp - expire;
187
188 if (diff >= 0.)
189 {
190 w.start (diff > 0.5 ? diff : 0.5);
191 break;
192 }
193
194 delete get ();
195 }
196}
197
198void pkt_queue::put (net_packet *p)
199{
200 ev_tstamp now = ev_now ();
201
202 // start expiry timer
203 if (empty ())
204 expire.start (max_ttl);
205
206 int ni = i + 1 == max_queue ? 0 : i + 1;
207
208 if (ni == j)
209 delete get ();
210
211 queue[i].pkt = p;
212 queue[i].tstamp = now;
213
214 i = ni;
215}
216
217net_packet *pkt_queue::get ()
218{
219 if (empty ())
220 return 0;
221
222 net_packet *p = queue[j].pkt;
223 queue[j].pkt = 0;
224
225 j = j + 1 == max_queue ? 0 : j + 1;
226
227 return p;
228}
229
191struct net_rateinfo { 230struct net_rateinfo
231{
192 u32 host; 232 u32 host;
193 double pcnt, diff; 233 double pcnt, diff;
194 tstamp last; 234 tstamp last;
195}; 235};
196 236
197// only do action once every x seconds per host whole allowing bursts. 237// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 238// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 239// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 240struct net_rate_limiter : list<net_rateinfo>
201{ 241{
202 static const double ALPHA = 1. - 1. / 90.; // allow bursts 242# define NRL_ALPHA (1. - 1. / 600.) // allow bursts
203 static const double CUTOFF = 20.; // one event every CUTOFF seconds 243# define NRL_CUTOFF 10. // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 244# define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
245# define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
205 246
206 bool can (const sockinfo &si) { return can((u32)si.host); } 247 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 248 bool can (u32 host);
208}; 249};
209 250
210net_rate_limiter auth_rate_limiter, reset_rate_limiter; 251net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211 252
214 iterator i; 255 iterator i;
215 256
216 for (i = begin (); i != end (); ) 257 for (i = begin (); i != end (); )
217 if (i->host == host) 258 if (i->host == host)
218 break; 259 break;
219 else if (i->last < NOW - EXPIRE) 260 else if (i->last < ev_now () - NRL_EXPIRE)
220 i = erase (i); 261 i = erase (i);
221 else 262 else
222 i++; 263 i++;
223 264
224 if (i == end ()) 265 if (i == end ())
225 { 266 {
226 net_rateinfo ri; 267 net_rateinfo ri;
227 268
228 ri.host = host; 269 ri.host = host;
229 ri.pcnt = 1.; 270 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 271 ri.diff = NRL_MAXDIF;
231 ri.last = NOW; 272 ri.last = ev_now ();
232 273
233 push_front (ri); 274 push_front (ri);
234 275
235 return true; 276 return true;
236 } 277 }
237 else 278 else
238 { 279 {
239 net_rateinfo ri (*i); 280 net_rateinfo ri (*i);
240 erase (i); 281 erase (i);
241 282
242 ri.pcnt = ri.pcnt * ALPHA; 283 ri.pcnt = ri.pcnt * NRL_ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 284 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
244 285
245 ri.last = NOW; 286 ri.last = ev_now ();
246 287
288 double dif = ri.diff / ri.pcnt;
289
247 bool send = ri.diff / ri.pcnt > CUTOFF; 290 bool send = dif > NRL_CUTOFF;
248 291
292 if (dif > NRL_MAXDIF)
293 {
294 ri.pcnt = 1.;
295 ri.diff = NRL_MAXDIF;
296 }
249 if (send) 297 else if (send)
250 ri.pcnt++; 298 ri.pcnt++;
251 299
252 push_front (ri); 300 push_front (ri);
253 301
254 return send; 302 return send;
299} 347}
300 348
301#define MAXVPNDATA (MAX_MTU - 6 - 6) 349#define MAXVPNDATA (MAX_MTU - 6 - 6)
302#define DATAHDR (sizeof (u32) + RAND_SIZE) 350#define DATAHDR (sizeof (u32) + RAND_SIZE)
303 351
304struct vpndata_packet:vpn_packet 352struct vpndata_packet : vpn_packet
305 { 353 {
306 u8 data[MAXVPNDATA + DATAHDR]; // seqno 354 u8 data[MAXVPNDATA + DATAHDR]; // seqno
307 355
308 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno); 356 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
309 tap_packet *unpack (connection *conn, u32 &seqno); 357 tap_packet *unpack (connection *conn, u32 &seqno);
322 int outl = 0, outl2; 370 int outl = 0, outl2;
323 ptype type = PT_DATA_UNCOMPRESSED; 371 ptype type = PT_DATA_UNCOMPRESSED;
324 372
325#if ENABLE_COMPRESSION 373#if ENABLE_COMPRESSION
326 u8 cdata[MAX_MTU]; 374 u8 cdata[MAX_MTU];
327 u32 cl;
328 375
376 if (conn->features & ENABLE_COMPRESSION)
377 {
329 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 378 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
379
330 if (cl) 380 if (cl)
331 { 381 {
332 type = PT_DATA_COMPRESSED; 382 type = PT_DATA_COMPRESSED;
333 d = cdata; 383 d = cdata;
334 l = cl + 2; 384 l = cl + 2;
335 385
336 d[0] = cl >> 8; 386 d[0] = cl >> 8;
337 d[1] = cl; 387 d[1] = cl;
388 }
338 } 389 }
339#endif 390#endif
340 391
341 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 392 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
342 393
343 struct { 394 struct {
344#if RAND_SIZE 395#if RAND_SIZE
345 u8 rnd[RAND_SIZE]; 396 u8 rnd[RAND_SIZE];
346#endif 397#endif
350 datahdr.seqno = ntohl (seqno); 401 datahdr.seqno = ntohl (seqno);
351#if RAND_SIZE 402#if RAND_SIZE
352 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 403 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
353#endif 404#endif
354 405
355 EVP_EncryptUpdate (cctx, 406 require (EVP_EncryptUpdate (cctx,
356 (unsigned char *) data + outl, &outl2, 407 (unsigned char *) data + outl, &outl2,
357 (unsigned char *) &datahdr, DATAHDR); 408 (unsigned char *) &datahdr, DATAHDR));
358 outl += outl2; 409 outl += outl2;
359 410
360 EVP_EncryptUpdate (cctx, 411 require (EVP_EncryptUpdate (cctx,
361 (unsigned char *) data + outl, &outl2, 412 (unsigned char *) data + outl, &outl2,
362 (unsigned char *) d, l); 413 (unsigned char *) d, l));
363 outl += outl2; 414 outl += outl2;
364 415
365 EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2); 416 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
366 outl += outl2; 417 outl += outl2;
367 418
368 len = outl + data_hdr_size (); 419 len = outl + data_hdr_size ();
369 420
370 set_hdr (type, dst); 421 set_hdr (type, dst);
379 int outl = 0, outl2; 430 int outl = 0, outl2;
380 tap_packet *p = new tap_packet; 431 tap_packet *p = new tap_packet;
381 u8 *d; 432 u8 *d;
382 u32 l = len - data_hdr_size (); 433 u32 l = len - data_hdr_size ();
383 434
384 EVP_DecryptInit_ex (cctx, 0, 0, 0, 0); 435 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
385 436
386#if ENABLE_COMPRESSION 437#if ENABLE_COMPRESSION
387 u8 cdata[MAX_MTU]; 438 u8 cdata[MAX_MTU];
388 439
389 if (type == PT_DATA_COMPRESSED) 440 if (type == PT_DATA_COMPRESSED)
391 else 442 else
392#endif 443#endif
393 d = &(*p)[6 + 6 - DATAHDR]; 444 d = &(*p)[6 + 6 - DATAHDR];
394 445
395 /* this overwrites part of the src mac, but we fix that later */ 446 /* this overwrites part of the src mac, but we fix that later */
396 EVP_DecryptUpdate (cctx, 447 require (EVP_DecryptUpdate (cctx,
397 d, &outl2, 448 d, &outl2,
398 (unsigned char *)&data, len - data_hdr_size ()); 449 (unsigned char *)&data, len - data_hdr_size ()));
399 outl += outl2; 450 outl += outl2;
400 451
401 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 452 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
402 outl += outl2; 453 outl += outl2;
403 454
404 seqno = ntohl (*(u32 *)(d + RAND_SIZE)); 455 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
405 456
406 id2mac (dst () ? dst() : THISNODE->id, p->dst); 457 id2mac (dst () ? dst() : THISNODE->id, p->dst);
435{ 486{
436 // actually, hmaclen cannot be checked because the hmac 487 // actually, hmaclen cannot be checked because the hmac
437 // field comes before this data, so peers with other 488 // field comes before this data, so peers with other
438 // hmacs simply will not work. 489 // hmacs simply will not work.
439 u8 prot_major, prot_minor, randsize, hmaclen; 490 u8 prot_major, prot_minor, randsize, hmaclen;
440 u8 flags, challengelen, pad2, pad3; 491 u8 flags, challengelen, features, pad3;
441 u32 cipher_nid, digest_nid, hmac_nid; 492 u32 cipher_nid, digest_nid, hmac_nid;
442
443 const u8 curflags () const
444 {
445 return 0x80
446 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
447 }
448 493
449 void setup (ptype type, int dst); 494 void setup (ptype type, int dst);
450 bool chk_config () const; 495 bool chk_config () const;
496
497 static u8 get_features ()
498 {
499 u8 f = 0;
500#if ENABLE_COMPRESSION
501 f |= FEATURE_COMPRESSION;
502#endif
503#if ENABLE_ROHC
504 f |= FEATURE_ROHC;
505#endif
506#if ENABLE_BRIDGING
507 f |= FEATURE_BRIDGING;
508#endif
509 return f;
510 }
451}; 511};
452 512
453void config_packet::setup (ptype type, int dst) 513void config_packet::setup (ptype type, int dst)
454{ 514{
455 prot_major = PROTOCOL_MAJOR; 515 prot_major = PROTOCOL_MAJOR;
456 prot_minor = PROTOCOL_MINOR; 516 prot_minor = PROTOCOL_MINOR;
457 randsize = RAND_SIZE; 517 randsize = RAND_SIZE;
458 hmaclen = HMACLENGTH; 518 hmaclen = HMACLENGTH;
459 flags = curflags (); 519 flags = 0;
460 challengelen = sizeof (rsachallenge); 520 challengelen = sizeof (rsachallenge);
521 features = get_features ();
461 522
462 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 523 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
463 digest_nid = htonl (EVP_MD_type (RSA_HASH)); 524 digest_nid = htonl (EVP_MD_type (RSA_HASH));
464 hmac_nid = htonl (EVP_MD_type (DIGEST)); 525 hmac_nid = htonl (EVP_MD_type (DIGEST));
465 526
467 set_hdr (type, dst); 528 set_hdr (type, dst);
468} 529}
469 530
470bool config_packet::chk_config () const 531bool config_packet::chk_config () const
471{ 532{
472 return prot_major == PROTOCOL_MAJOR 533 if (prot_major != PROTOCOL_MAJOR)
473 && randsize == RAND_SIZE 534 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
474 && hmaclen == HMACLENGTH 535 else if (randsize != RAND_SIZE)
475 && flags == curflags () 536 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
537 else if (hmaclen != HMACLENGTH)
538 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
476 && challengelen == sizeof (rsachallenge) 539 else if (challengelen != sizeof (rsachallenge))
540 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
477 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 541 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
542 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 543 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
544 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 545 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
546 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
547 else
548 return true;
549
550 return false;
480} 551}
481 552
482struct auth_req_packet : config_packet 553struct auth_req_packet : config_packet
483{ 554{
484 char magic[8]; 555 char magic[8];
485 u8 initiate; // false if this is just an automatic reply 556 u8 initiate; // false if this is just an automatic reply
486 u8 protocols; // supported protocols (will get patches on forward) 557 u8 protocols; // supported protocols (will be patched on forward)
487 u8 pad2, pad3; 558 u8 pad2, pad3;
488 rsaid id; 559 rsaid id;
489 rsaencrdata encr; 560 rsaencrdata encr;
490 561
491 auth_req_packet (int dst, bool initiate_, u8 protocols_) 562 auth_req_packet (int dst, bool initiate_, u8 protocols_)
546}; 617};
547 618
548///////////////////////////////////////////////////////////////////////////// 619/////////////////////////////////////////////////////////////////////////////
549 620
550void 621void
622connection::connection_established ()
623{
624 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
625
626 if (ictx && octx)
627 {
628 // make sure rekeying timeouts are slightly asymmetric
629 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
630 rekey.start (rekey_interval, rekey_interval);
631 keepalive.start (::conf.keepalive);
632
633 // send queued packets
634 if (ictx && octx)
635 {
636 while (tap_packet *p = (tap_packet *)data_queue.get ())
637 {
638 if (p->len) send_data_packet (p);
639 delete p;
640 }
641
642 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
643 {
644 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
645 delete p;
646 }
647 }
648 }
649 else
650 {
651 retry_cnt = 0;
652 establish_connection.start (5);
653 keepalive.stop ();
654 rekey.stop ();
655 }
656}
657
658void
551connection::reset_dstaddr () 659connection::reset_si ()
552{ 660{
553 protocol = best_protocol (THISNODE->protocols & conf->protocols); 661 protocol = best_protocol (THISNODE->protocols & conf->protocols);
554 662
555 // mask out protocols we cannot establish 663 // mask out protocols we cannot establish
556 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 664 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
557 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 665 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
666 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
667
668 if (protocol
669 && (!conf->can_direct (THISNODE)
670 || !THISNODE->can_direct (conf)))
671 {
672 slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename);
673 protocol = 0;
674 }
558 675
559 si.set (conf, protocol); 676 si.set (conf, protocol);
560} 677}
561 678
562void 679// ensure sockinfo is valid, forward if necessary
563connection::send_ping (const sockinfo &si, u8 pong) 680const sockinfo &
564{
565 ping_packet *pkt = new ping_packet;
566
567 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
568 vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
569
570 delete pkt;
571}
572
573void
574connection::send_reset (const sockinfo &si) 681connection::forward_si (const sockinfo &si) const
575{ 682{
576 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED) 683 if (!si.valid ())
577 {
578 config_packet *pkt = new config_packet;
579
580 pkt->setup (vpn_packet::PT_RESET, conf->id);
581 vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST);
582
583 delete pkt;
584 } 684 {
585} 685 connection *r = vpn->find_router ();
586 686
587void 687 if (r)
588connection::send_auth_request (const sockinfo &si, bool initiate)
589{
590 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
591
592 rsachallenge chg;
593
594 rsa_cache.gen (pkt->id, chg);
595
596 if (0 > RSA_public_encrypt (sizeof chg,
597 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
598 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
599 fatal ("RSA_public_encrypt error");
600
601 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
602
603 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
604
605 delete pkt;
606}
607
608void
609connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
610{
611 auth_res_packet *pkt = new auth_res_packet (conf->id);
612
613 pkt->id = id;
614
615 rsa_hash (id, chg, pkt->response);
616
617 pkt->hmac_set (octx);
618
619 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
620
621 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
622
623 delete pkt;
624}
625
626void
627connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
628{
629 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
630 conf->id, rid, (const char *)rsi);
631
632 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
633
634 r->hmac_set (octx);
635 vpn->send_vpn_packet (r, si);
636
637 delete r;
638}
639
640void
641connection::establish_connection_cb (time_watcher &w)
642{
643 if (ictx || conf == THISNODE
644 || connectmode == conf_node::C_NEVER
645 || connectmode == conf_node::C_DISABLED)
646 w.at = TSTAMP_CANCEL;
647 else if (w.at <= NOW)
648 {
649 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
650
651 if (retry_int < 3600 * 8)
652 retry_cnt++;
653
654 w.at = NOW + retry_int;
655
656 if (conf->hostname)
657 { 688 {
658 reset_dstaddr (); 689 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s (%s)"),
659 690 conf->nodename, r->conf->nodename, (const char *)r->si);
660 if (si.valid () && auth_rate_limiter.can (si)) 691 return r->si;
661 {
662 if (retry_cnt < 4)
663 send_auth_request (si, true);
664 else
665 send_ping (si, 0);
666 }
667 } 692 }
668 else 693 else
694 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
695 conf->nodename);
696 }
697
698 return si;
699}
700
701void
702connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
703{
704 if (!vpn->send_vpn_packet (pkt, si, tos))
705 reset_connection ();
706}
707
708void
709connection::send_ping (const sockinfo &si, u8 pong)
710{
711 ping_packet *pkt = new ping_packet;
712
713 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
714 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
715
716 delete pkt;
717}
718
719void
720connection::send_reset (const sockinfo &si)
721{
722 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
723 {
724 config_packet *pkt = new config_packet;
725
726 pkt->setup (vpn_packet::PT_RESET, conf->id);
727 send_vpn_packet (pkt, si, IPTOS_MINCOST);
728
729 delete pkt;
730 }
731}
732
733void
734connection::send_auth_request (const sockinfo &si, bool initiate)
735{
736 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
737
738 rsachallenge chg;
739 rsa_cache.gen (pkt->id, chg);
740 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
741
742 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
743
744 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
745
746 delete pkt;
747}
748
749void
750connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
751{
752 auth_res_packet *pkt = new auth_res_packet (conf->id);
753
754 pkt->id = id;
755
756 rsa_hash (id, chg, pkt->response);
757
758 pkt->hmac_set (octx);
759
760 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
761
762 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
763
764 delete pkt;
765}
766
767void
768connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
769{
770 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
771 conf->id, rid, (const char *)rsi);
772
773 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
774
775 r->hmac_set (octx);
776 send_vpn_packet (r, si);
777
778 delete r;
779}
780
781inline void
782connection::establish_connection_cb (ev::timer &w, int revents)
783{
784 if (!ictx
785 && conf != THISNODE
786 && connectmode != conf_node::C_NEVER
787 && connectmode != conf_node::C_DISABLED
788 && !w.is_active ())
789 {
790 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
791 // and stop trying. should probably be handled by a per-connection expire handler.
792 if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
793 {
794 reset_connection ();
795 return;
796 }
797
798 last_establish_attempt = ev_now ();
799
800 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
801 ? (retry_cnt & 3) + 1
802 : 1 << (retry_cnt >> 2));
803
804 reset_si ();
805
806 bool slow = si.prot & PROT_SLOW;
807
808 if (si.prot && !si.host)
809 {
810 slog (L_TRACE, _("%s: connection request (indirect)"), conf->nodename);
811 /*TODO*/ /* start the timer so we don't recurse endlessly */
812 w.start (1);
669 vpn->connect_request (conf->id); 813 vpn->send_connect_request (conf->id);
814 }
815 else
816 {
817 slog (L_TRACE, _("%s: connection request (direct)"), conf->nodename, !!ictx, !!octx);
818
819 const sockinfo &dsi = forward_si (si);
820
821 slow = slow || (dsi.prot & PROT_SLOW);
822
823 if (dsi.valid () && auth_rate_limiter.can (dsi))
824 {
825 if (retry_cnt < 4)
826 send_auth_request (dsi, true);
827 else
828 send_ping (dsi, 0);
829 }
830 }
831
832 retry_int *= slow ? 8. : 0.9;
833
834 if (retry_int < conf->max_retry)
835 retry_cnt++;
836 else
837 retry_int = conf->max_retry;
838
839 w.start (retry_int);
670 } 840 }
671} 841}
672 842
673void 843void
674connection::reset_connection () 844connection::reset_connection ()
677 { 847 {
678 slog (L_INFO, _("%s(%s): connection lost"), 848 slog (L_INFO, _("%s(%s): connection lost"),
679 conf->nodename, (const char *)si); 849 conf->nodename, (const char *)si);
680 850
681 if (::conf.script_node_down) 851 if (::conf.script_node_down)
682 run_script (run_script_cb (this, &connection::script_node_down), false); 852 {
853 run_script_cb cb;
854 cb.set<connection, &connection::script_node_down> (this);
855 if (!run_script (cb, false))
856 slog (L_WARN, _("node-down command execution failed, continuing."));
857 }
683 } 858 }
684 859
685 delete ictx; ictx = 0; 860 delete ictx; ictx = 0;
686 delete octx; octx = 0; 861 delete octx; octx = 0;
862#if ENABLE_DNS
863 dnsv4_reset_connection ();
864#endif
687 865
688 si.host= 0; 866 si.host = 0;
689 867
690 last_activity = 0; 868 last_activity = 0;
691 retry_cnt = 0; 869 retry_cnt = 0;
692 870
693 rekey.reset (); 871 rekey.stop ();
694 keepalive.reset (); 872 keepalive.stop ();
695 establish_connection.reset (); 873 establish_connection.stop ();
696} 874}
697 875
698void 876void
699connection::shutdown () 877connection::shutdown ()
700{ 878{
702 send_reset (si); 880 send_reset (si);
703 881
704 reset_connection (); 882 reset_connection ();
705} 883}
706 884
707void 885inline void
708connection::rekey_cb (time_watcher &w) 886connection::rekey_cb (ev::timer &w, int revents)
709{ 887{
710 w.at = TSTAMP_CANCEL;
711
712 reset_connection (); 888 reset_connection ();
713 establish_connection (); 889 establish_connection ();
714} 890}
715 891
716void 892void
717connection::send_data_packet (tap_packet *pkt, bool broadcast) 893connection::send_data_packet (tap_packet *pkt)
718{ 894{
719 vpndata_packet *p = new vpndata_packet; 895 vpndata_packet *p = new vpndata_packet;
720 int tos = 0; 896 int tos = 0;
721 897
722 if (conf->inherit_tos 898 // I am not hilarious about peeking into packets, but so be it.
723 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 899 if (conf->inherit_tos && pkt->is_ipv4 ())
724 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
725 tos = (*pkt)[15] & IPTOS_TOS_MASK; 900 tos = (*pkt)[15] & IPTOS_TOS_MASK;
726 901
727 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 902 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
728 vpn->send_vpn_packet (p, si, tos); 903 send_vpn_packet (p, si, tos);
729 904
730 delete p; 905 delete p;
731 906
732 if (oseqno > MAX_SEQNO) 907 if (oseqno > MAX_SEQNO)
733 rekey (); 908 rekey ();
734} 909}
735 910
736void 911void
912connection::post_inject_queue ()
913{
914 // force a connection every now and when when packets are sent (max 1/s)
915 if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
916 establish_connection.stop ();
917
918 establish_connection ();
919}
920
921void
737connection::inject_data_packet (tap_packet *pkt, bool broadcast) 922connection::inject_data_packet (tap_packet *pkt)
738{ 923{
739 if (ictx && octx) 924 if (ictx && octx)
740 send_data_packet (pkt, broadcast); 925 send_data_packet (pkt);
741 else 926 else
742 { 927 {
743 if (!broadcast)//DDDD
744 queue.put (new tap_packet (*pkt)); 928 data_queue.put (new tap_packet (*pkt));
929 post_inject_queue ();
930 }
931}
745 932
746 establish_connection (); 933void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
934{
935 if (ictx && octx)
936 send_vpn_packet (pkt, si, tos);
937 else
938 {
939 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
940 post_inject_queue ();
747 } 941 }
748} 942}
749 943
750void 944void
751connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 945connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
752{ 946{
753 last_activity = NOW; 947 last_activity = ev_now ();
754 948
755 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 949 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
756 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 950 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
951
952 if (connectmode == conf_node::C_DISABLED)
953 return;
757 954
758 switch (pkt->typ ()) 955 switch (pkt->typ ())
759 { 956 {
760 case vpn_packet::PT_PING: 957 case vpn_packet::PT_PING:
761 // we send pings instead of auth packets after some retries, 958 // we send pings instead of auth packets after some retries,
808 if (p->initiate) 1005 if (p->initiate)
809 send_auth_request (rsi, false); 1006 send_auth_request (rsi, false);
810 1007
811 rsachallenge k; 1008 rsachallenge k;
812 1009
813 if (0 > RSA_private_decrypt (sizeof (p->encr), 1010 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
814 (unsigned char *)&p->encr, (unsigned char *)&k, 1011 {
815 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
816 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 1012 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
817 conf->nodename, (const char *)rsi); 1013 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1014 break;
1015 }
818 else 1016 else
819 { 1017 {
820 retry_cnt = 0;
821 establish_connection.start (NOW + 8); //? ;)
822 keepalive.reset ();
823 rekey.reset ();
824
825 delete ictx;
826 ictx = 0;
827
828 delete octx; 1018 delete octx;
829 1019
830 octx = new crypto_ctx (k, 1); 1020 octx = new crypto_ctx (k, 1);
831 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 1021 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
832 1022
833 conf->protocols = p->protocols; 1023 conf->protocols = p->protocols;
1024 features = p->features & config_packet::get_features ();
1025
834 send_auth_response (rsi, p->id, k); 1026 send_auth_response (rsi, p->id, k);
1027
1028 connection_established ();
835 1029
836 break; 1030 break;
837 } 1031 }
838 } 1032 }
1033 else
1034 slog (L_WARN, _("%s(%s): protocol mismatch"),
1035 conf->nodename, (const char *)rsi);
839 1036
840 send_reset (rsi); 1037 send_reset (rsi);
841 } 1038 }
842 1039
843 break; 1040 break;
856 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 1053 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
857 1054
858 rsachallenge chg; 1055 rsachallenge chg;
859 1056
860 if (!rsa_cache.find (p->id, chg)) 1057 if (!rsa_cache.find (p->id, chg))
1058 {
861 slog (L_ERR, _("%s(%s): unrequested auth response"), 1059 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
862 conf->nodename, (const char *)rsi); 1060 conf->nodename, (const char *)rsi);
1061 break;
1062 }
863 else 1063 else
864 { 1064 {
865 crypto_ctx *cctx = new crypto_ctx (chg, 0); 1065 crypto_ctx *cctx = new crypto_ctx (chg, 0);
866 1066
867 if (!p->hmac_chk (cctx)) 1067 if (!p->hmac_chk (cctx))
1068 {
868 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 1069 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
869 "could be an attack, or just corruption or an synchronization error"), 1070 "could be an attack, or just corruption or a synchronization error"),
870 conf->nodename, (const char *)rsi); 1071 conf->nodename, (const char *)rsi);
1072 break;
1073 }
871 else 1074 else
872 { 1075 {
873 rsaresponse h; 1076 rsaresponse h;
874 1077
875 rsa_hash (p->id, chg, h); 1078 rsa_hash (p->id, chg, h);
881 delete ictx; ictx = cctx; 1084 delete ictx; ictx = cctx;
882 1085
883 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 1086 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
884 1087
885 si = rsi; 1088 si = rsi;
1089 protocol = rsi.prot;
886 1090
887 rekey.start (NOW + ::conf.rekey); 1091 connection_established ();
888 keepalive.start (NOW + ::conf.keepalive);
889 1092
890 // send queued packets 1093 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
891 while (tap_packet *p = queue.get ()) 1094 conf->nodename, (const char *)rsi,
1095 p->prot_major, p->prot_minor);
1096
1097 if (::conf.script_node_up)
892 { 1098 {
893 send_data_packet (p); 1099 run_script_cb cb;
894 delete p; 1100 cb.set<connection, &connection::script_node_up> (this);
1101 if (!run_script (cb, false))
1102 slog (L_WARN, _("node-up command execution failed, continuing."));
895 } 1103 }
896
897 connectmode = conf->connectmode;
898
899 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
900 conf->nodename, (const char *)rsi,
901 strprotocol (protocol),
902 p->prot_major, p->prot_minor);
903
904 if (::conf.script_node_up)
905 run_script (run_script_cb (this, &connection::script_node_up), false);
906 1104
907 break; 1105 break;
908 } 1106 }
909 else 1107 else
910 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1108 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
929 1127
930 if (ictx && octx) 1128 if (ictx && octx)
931 { 1129 {
932 vpndata_packet *p = (vpndata_packet *)pkt; 1130 vpndata_packet *p = (vpndata_packet *)pkt;
933 1131
934 if (rsi == si) 1132 if (!p->hmac_chk (ictx))
1133 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1134 "could be an attack, or just corruption or a synchronization error"),
1135 conf->nodename, (const char *)rsi);
1136 else
935 { 1137 {
936 if (!p->hmac_chk (ictx))
937 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
938 "could be an attack, or just corruption or an synchronization error"),
939 conf->nodename, (const char *)rsi);
940 else 1138 u32 seqno;
1139 tap_packet *d = p->unpack (this, seqno);
1140
1141 if (iseqno.recv_ok (seqno))
941 { 1142 {
942 u32 seqno; 1143 vpn->tap->send (d);
943 tap_packet *d = p->unpack (this, seqno);
944 1144
945 if (iseqno.recv_ok (seqno)) 1145 if (si != rsi)
946 { 1146 {
947 vpn->tap->send (d); 1147 // fast re-sync on source address changes, useful especially for tcp/ip
948
949 if (p->dst () == 0) // re-broadcast
950 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
951 {
952 connection *c = *i;
953
954 if (c->conf != THISNODE && c->conf != conf)
955 c->inject_data_packet (d);
956 }
957
958 delete d;
959
960 break; 1148 si = rsi;
1149
1150 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1151 conf->nodename, (const char *)si, (const char *)rsi);
961 } 1152 }
962 } 1153 }
1154
1155 delete d;
1156 break;
963 } 1157 }
964 else
965 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
966 } 1158 }
967 1159
968 send_reset (rsi); 1160 send_reset (rsi);
969 break; 1161 break;
970 1162
971 case vpn_packet::PT_CONNECT_REQ: 1163 case vpn_packet::PT_CONNECT_REQ:
972 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1164 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
973 { 1165 {
974 connect_req_packet *p = (connect_req_packet *) pkt; 1166 connect_req_packet *p = (connect_req_packet *) pkt;
975 1167
976 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1168 if (p->id > 0 && p->id <= vpn->conns.size ())
977 conf->protocols = p->protocols;
978 connection *c = vpn->conns[p->id - 1];
979
980 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
981 conf->id, p->id, c->ictx && c->octx);
982
983 if (c->ictx && c->octx)
984 { 1169 {
1170 connection *c = vpn->conns[p->id - 1];
1171 conf->protocols = p->protocols;
1172
1173 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1174 conf->id, p->id, c->ictx && c->octx);
1175
1176 if (c->ictx && c->octx)
1177 {
985 // send connect_info packets to both sides, in case one is 1178 // send connect_info packets to both sides, in case one is
986 // behind a nat firewall (or both ;) 1179 // behind a nat firewall (or both ;)
987 c->send_connect_info (conf->id, si, conf->protocols); 1180 c->send_connect_info (conf->id, si, conf->protocols);
988 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1181 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1182 }
1183 else
1184 c->establish_connection ();
989 } 1185 }
1186 else
1187 slog (L_WARN,
1188 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1189 p->id);
990 } 1190 }
991 1191
992 break; 1192 break;
993 1193
994 case vpn_packet::PT_CONNECT_INFO: 1194 case vpn_packet::PT_CONNECT_INFO:
995 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1195 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
996 { 1196 {
997 connect_info_packet *p = (connect_info_packet *) pkt; 1197 connect_info_packet *p = (connect_info_packet *)pkt;
998 1198
999 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1199 if (p->id > 0 && p->id <= vpn->conns.size ())
1000 conf->protocols = p->protocols; 1200 {
1001 connection *c = vpn->conns[p->id - 1]; 1201 connection *c = vpn->conns[p->id - 1];
1002 1202
1203 c->conf->protocols = p->protocols;
1204 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1205 p->si.upgrade_protocol (protocol, c->conf);
1206
1003 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1207 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1004 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1208 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1005 1209
1210 const sockinfo &dsi = forward_si (p->si);
1211
1212 if (dsi.valid ())
1006 c->send_auth_request (p->si, true); 1213 c->send_auth_request (dsi, true);
1214 }
1215 else
1216 slog (L_WARN,
1217 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1218 p->id);
1007 } 1219 }
1008 1220
1009 break; 1221 break;
1010 1222
1011 default: 1223 default:
1012 send_reset (rsi); 1224 send_reset (rsi);
1013 break; 1225 break;
1014 } 1226 }
1015} 1227}
1016 1228
1017void connection::keepalive_cb (time_watcher &w) 1229inline void
1230connection::keepalive_cb (ev::timer &w, int revents)
1018{ 1231{
1019 if (NOW >= last_activity + ::conf.keepalive + 30) 1232 if (ev_now () >= last_activity + ::conf.keepalive + 30)
1020 { 1233 {
1021 reset_connection (); 1234 reset_connection ();
1022 establish_connection (); 1235 establish_connection ();
1023 } 1236 }
1024 else if (NOW < last_activity + ::conf.keepalive) 1237 else if (ev_now () < last_activity + ::conf.keepalive)
1025 w.at = last_activity + ::conf.keepalive; 1238 w.start (last_activity + ::conf.keepalive - ev::now ());
1026 else if (conf->connectmode != conf_node::C_ONDEMAND 1239 else if (conf->connectmode != conf_node::C_ONDEMAND
1027 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1240 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1028 { 1241 {
1029 send_ping (si); 1242 send_ping (si);
1030 w.at = NOW + 5; 1243 w.start (5);
1031 } 1244 }
1245 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1246 // hold ondemand connections implicitly a few seconds longer
1247 // should delete octx, though, or something like that ;)
1248 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1032 else 1249 else
1033 reset_connection (); 1250 reset_connection ();
1034} 1251}
1035 1252
1036void connection::connect_request (int id) 1253void connection::send_connect_request (int id)
1037{ 1254{
1038 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1255 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1039 1256
1040 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1257 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1041 p->hmac_set (octx); 1258 p->hmac_set (octx);
1042 vpn->send_vpn_packet (p, si); 1259 send_vpn_packet (p, si);
1043 1260
1044 delete p; 1261 delete p;
1045} 1262}
1046 1263
1264void connection::script_init_env (const char *ext)
1265{
1266 char *env;
1267 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1268 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1269 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1270 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1271 conf->id & 0xff); putenv (env);
1272}
1273
1047void connection::script_node () 1274void connection::script_init_connect_env ()
1048{ 1275{
1049 vpn->script_if_up (); 1276 vpn->script_init_env ();
1050 1277
1051 char *env; 1278 char *env;
1052 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1279 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1053 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1280 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1054 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1281 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1055 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1282 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1056} 1283}
1057 1284
1285inline const char *
1058const char *connection::script_node_up () 1286connection::script_node_up ()
1059{ 1287{
1060 script_node (); 1288 script_init_connect_env ();
1061 1289
1062 putenv ("STATE=up"); 1290 putenv ((char *)"STATE=up");
1063 1291
1292 char *filename;
1293 asprintf (&filename,
1294 "%s/%s",
1295 confbase,
1064 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1296 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1065}
1066 1297
1298 return filename;
1299}
1300
1301inline const char *
1067const char *connection::script_node_down () 1302connection::script_node_down ()
1068{ 1303{
1069 script_node (); 1304 script_init_connect_env ();
1070 1305
1071 putenv ("STATE=down"); 1306 putenv ((char *)"STATE=down");
1072 1307
1073 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1308 char *filename;
1074} 1309 asprintf (&filename,
1310 "%s/%s",
1311 confbase,
1312 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1075 1313
1314 return filename;
1315}
1316
1076connection::connection(struct vpn *vpn_) 1317connection::connection (struct vpn *vpn, conf_node *conf)
1077: vpn(vpn_) 1318: vpn(vpn), conf(conf),
1078, rekey (this, &connection::rekey_cb) 1319#if ENABLE_DNS
1079, keepalive (this, &connection::keepalive_cb) 1320 dns (0),
1321#endif
1322 data_queue(conf->max_ttl, conf->max_queue),
1323 vpn_queue(conf->max_ttl, conf->max_queue)
1324{
1325 rekey .set<connection, &connection::rekey_cb > (this);
1326 keepalive .set<connection, &connection::keepalive_cb > (this);
1080, establish_connection (this, &connection::establish_connection_cb) 1327 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1081{ 1328
1329 last_establish_attempt = 0.;
1082 octx = ictx = 0; 1330 octx = ictx = 0;
1083 retry_cnt = 0;
1084 1331
1085 connectmode = conf_node::C_ALWAYS; // initial setting 1332 if (!conf->protocols) // make sure some protocol is enabled
1333 conf->protocols = PROT_UDPv4;
1334
1335 connectmode = conf->connectmode;
1336
1337 // queue a dummy packet to force an initial connection attempt
1338 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1339 vpn_queue.put (new net_packet);
1340
1086 reset_connection (); 1341 reset_connection ();
1087} 1342}
1088 1343
1089connection::~connection () 1344connection::~connection ()
1090{ 1345{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines