ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.20 by pcg, Tue Oct 14 15:48:15 2003 UTC vs.
Revision 1.70 by pcg, Thu Aug 7 19:07:02 2008 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de>
3 4
5 This file is part of GVPE.
6
4 This program is free software; you can redistribute it and/or modify 7 GVPE is free software; you can redistribute it and/or modify it
5 it under the terms of the GNU General Public License as published by 8 under the terms of the GNU General Public License as published by the
6 the Free Software Foundation; either version 2 of the License, or 9 Free Software Foundation; either version 3 of the License, or (at your
7 (at your option) any later version. 10 option) any later version.
8 11
9 This program is distributed in the hope that it will be useful, 12 This program is distributed in the hope that it will be useful, but
10 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
12 GNU General Public License for more details. 15 Public License for more details.
13 16
14 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License along
15 along with this program; if not, write to the Free Software 18 with this program; if not, see <http://www.gnu.org/licenses/>.
16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19
20 Additional permission under GNU GPL version 3 section 7
21
22 If you modify this Program, or any covered work, by linking or
23 combining it with the OpenSSL project's OpenSSL library (or a modified
24 version of that library), containing parts covered by the terms of the
25 OpenSSL or SSLeay licenses, the licensors of this Program grant you
26 additional permission to convey the resulting work. Corresponding
27 Source for a non-source form of such a combination shall include the
28 source code for the parts of OpenSSL used as well as that of the
29 covered work.
17*/ 30*/
18 31
19#include "config.h" 32#include "config.h"
20 33
21extern "C" {
22# include "lzf/lzf.h"
23}
24
25#include <list> 34#include <list>
35#include <queue>
36#include <utility>
26 37
27#include <openssl/rand.h> 38#include <openssl/rand.h>
28#include <openssl/evp.h> 39#include <openssl/evp.h>
29#include <openssl/rsa.h> 40#include <openssl/rsa.h>
30#include <openssl/err.h> 41#include <openssl/err.h>
31
32#include "gettext.h"
33 42
34#include "conf.h" 43#include "conf.h"
35#include "slog.h" 44#include "slog.h"
36#include "device.h" 45#include "device.h"
37#include "vpn.h" 46#include "vpn.h"
43# define RAND_pseudo_bytes RAND_bytes 52# define RAND_pseudo_bytes RAND_bytes
44#endif 53#endif
45 54
46#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 55#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
47 56
57#define ULTRA_FAST 1
58#define HLOG 15
59#include "lzf/lzf.h"
60#include "lzf/lzf_c.c"
61#include "lzf/lzf_d.c"
62
63//////////////////////////////////////////////////////////////////////////////
64
65static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
66static ev::child rs_child_ev;
67
68void // c++ requires external linkage here, apparently :(
69rs_child_cb (ev::child &w, int revents)
70{
71 w.stop ();
72
73 if (rs_queue.empty ())
74 return;
75
76 pid_t pid = run_script (*rs_queue.front ().first, false);
77 if (pid)
78 {
79 w.set (pid);
80 w.start ();
81 }
82 else
83 slog (L_WARN, rs_queue.front ().second);
84
85 delete rs_queue.front ().first;
86 rs_queue.pop ();
87}
88
89// despite the fancy name, this is quite a hack
90static void
91run_script_queued (run_script_cb *cb, const char *warnmsg)
92{
93 rs_queue.push (std::make_pair (cb, warnmsg));
94
95 if (!rs_child_ev.is_active ())
96 {
97 rs_child_ev.set<rs_child_cb> ();
98 rs_child_ev ();
99 }
100}
101
102//////////////////////////////////////////////////////////////////////////////
103
48struct crypto_ctx 104struct crypto_ctx
49{ 105{
50 EVP_CIPHER_CTX cctx; 106 EVP_CIPHER_CTX cctx;
51 HMAC_CTX hctx; 107 HMAC_CTX hctx;
52 108
55}; 111};
56 112
57crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc) 113crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
58{ 114{
59 EVP_CIPHER_CTX_init (&cctx); 115 EVP_CIPHER_CTX_init (&cctx);
60 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); 116 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
61 HMAC_CTX_init (&hctx); 117 HMAC_CTX_init (&hctx);
62 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0); 118 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
63} 119}
64 120
65crypto_ctx::~crypto_ctx () 121crypto_ctx::~crypto_ctx ()
66{ 122{
67 EVP_CIPHER_CTX_cleanup (&cctx); 123 require (EVP_CIPHER_CTX_cleanup (&cctx));
68 HMAC_CTX_cleanup (&hctx); 124 HMAC_CTX_cleanup (&hctx);
69} 125}
70 126
71static void 127static void
72rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h) 128rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
73{ 129{
74 EVP_MD_CTX ctx; 130 EVP_MD_CTX ctx;
75 131
76 EVP_MD_CTX_init (&ctx); 132 EVP_MD_CTX_init (&ctx);
77 EVP_DigestInit (&ctx, RSA_HASH); 133 require (EVP_DigestInit (&ctx, RSA_HASH));
78 EVP_DigestUpdate(&ctx, &chg, sizeof chg); 134 require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
79 EVP_DigestUpdate(&ctx, &id, sizeof id); 135 require (EVP_DigestUpdate(&ctx, &id, sizeof id));
80 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0); 136 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
81 EVP_MD_CTX_cleanup (&ctx); 137 EVP_MD_CTX_cleanup (&ctx);
82} 138}
83 139
84struct rsa_entry { 140struct rsa_entry
141{
85 tstamp expire; 142 tstamp expire;
86 rsaid id; 143 rsaid id;
87 rsachallenge chg; 144 rsachallenge chg;
88}; 145};
89 146
90struct rsa_cache : list<rsa_entry> 147struct rsa_cache : list<rsa_entry>
91{ 148{
92 void cleaner_cb (time_watcher &w); time_watcher cleaner; 149 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
93 150
94 bool find (const rsaid &id, rsachallenge &chg) 151 bool find (const rsaid &id, rsachallenge &chg)
95 { 152 {
96 for (iterator i = begin (); i != end (); ++i) 153 for (iterator i = begin (); i != end (); ++i)
97 { 154 {
98 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW) 155 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
99 { 156 {
100 memcpy (&chg, &i->chg, sizeof chg); 157 memcpy (&chg, &i->chg, sizeof chg);
101 158
102 erase (i); 159 erase (i);
103 return true; 160 return true;
104 } 161 }
105 } 162 }
106 163
107 if (cleaner.at < NOW) 164 if (!cleaner.is_active ())
108 cleaner.start (NOW + RSA_TTL); 165 cleaner.again ();
109 166
110 return false; 167 return false;
111 } 168 }
112 169
113 void gen (rsaid &id, rsachallenge &chg) 170 void gen (rsaid &id, rsachallenge &chg)
114 { 171 {
115 rsa_entry e; 172 rsa_entry e;
116 173
117 RAND_bytes ((unsigned char *)&id, sizeof id); 174 RAND_bytes ((unsigned char *)&id, sizeof id);
118 RAND_bytes ((unsigned char *)&chg, sizeof chg); 175 RAND_bytes ((unsigned char *)&chg, sizeof chg);
119 176
120 e.expire = NOW + RSA_TTL; 177 e.expire = ev_now () + RSA_TTL;
121 e.id = id; 178 e.id = id;
122 memcpy (&e.chg, &chg, sizeof chg); 179 memcpy (&e.chg, &chg, sizeof chg);
123 180
124 push_back (e); 181 push_back (e);
125 182
126 if (cleaner.at < NOW) 183 if (!cleaner.is_active ())
127 cleaner.start (NOW + RSA_TTL); 184 cleaner.again ();
128 } 185 }
129 186
130 rsa_cache () 187 rsa_cache ()
131 : cleaner (this, &rsa_cache::cleaner_cb) 188 {
132 { } 189 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
190 cleaner.set (RSA_TTL, RSA_TTL);
191 }
133 192
134} rsa_cache; 193} rsa_cache;
135 194
136void rsa_cache::cleaner_cb (time_watcher &w) 195void rsa_cache::cleaner_cb (ev::timer &w, int revents)
137{ 196{
138 if (empty ()) 197 if (empty ())
139 w.at = TSTAMP_CANCEL; 198 w.stop ();
140 else 199 else
141 { 200 {
142 w.at = NOW + RSA_TTL;
143
144 for (iterator i = begin (); i != end (); ) 201 for (iterator i = begin (); i != end (); )
145 if (i->expire <= NOW) 202 if (i->expire <= ev_now ())
146 i = erase (i); 203 i = erase (i);
147 else 204 else
148 ++i; 205 ++i;
149 } 206 }
150} 207}
151 208
152////////////////////////////////////////////////////////////////////////////// 209//////////////////////////////////////////////////////////////////////////////
153 210
154void pkt_queue::put (net_packet *p) 211pkt_queue::pkt_queue (double max_ttl, int max_queue)
212: max_ttl (max_ttl), max_queue (max_queue)
155{ 213{
156 if (queue[i]) 214 queue = new pkt [max_queue];
157 {
158 delete queue[i];
159 j = (j + 1) % QUEUEDEPTH;
160 }
161 215
162 queue[i] = p;
163
164 i = (i + 1) % QUEUEDEPTH;
165}
166
167net_packet *pkt_queue::get ()
168{
169 net_packet *p = queue[j];
170
171 if (p)
172 {
173 queue[j] = 0;
174 j = (j + 1) % QUEUEDEPTH;
175 }
176
177 return p;
178}
179
180pkt_queue::pkt_queue ()
181{
182 memset (queue, 0, sizeof (queue));
183 i = 0; 216 i = 0;
184 j = 0; 217 j = 0;
218
219 expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
185} 220}
186 221
187pkt_queue::~pkt_queue () 222pkt_queue::~pkt_queue ()
188{ 223{
189 for (i = QUEUEDEPTH; --i > 0; ) 224 while (net_packet *p = get ())
225 delete p;
226
190 delete queue[i]; 227 delete [] queue;
191} 228}
192 229
230void pkt_queue::expire_cb (ev::timer &w, int revents)
231{
232 ev_tstamp expire = ev_now () - max_ttl;
233
234 for (;;)
235 {
236 if (empty ())
237 break;
238
239 double diff = queue[j].tstamp - expire;
240
241 if (diff >= 0.)
242 {
243 w.start (diff > 0.5 ? diff : 0.5);
244 break;
245 }
246
247 delete get ();
248 }
249}
250
251void pkt_queue::put (net_packet *p)
252{
253 ev_tstamp now = ev_now ();
254
255 // start expiry timer
256 if (empty ())
257 expire.start (max_ttl);
258
259 int ni = i + 1 == max_queue ? 0 : i + 1;
260
261 if (ni == j)
262 delete get ();
263
264 queue[i].pkt = p;
265 queue[i].tstamp = now;
266
267 i = ni;
268}
269
270net_packet *pkt_queue::get ()
271{
272 if (empty ())
273 return 0;
274
275 net_packet *p = queue[j].pkt;
276 queue[j].pkt = 0;
277
278 j = j + 1 == max_queue ? 0 : j + 1;
279
280 return p;
281}
282
193struct net_rateinfo { 283struct net_rateinfo
284{
194 u32 host; 285 u32 host;
195 double pcnt, diff; 286 double pcnt, diff;
196 tstamp last; 287 tstamp last;
197}; 288};
198 289
199// only do action once every x seconds per host whole allowing bursts. 290// only do action once every x seconds per host whole allowing bursts.
200// this implementation ("splay list" ;) is inefficient, 291// this implementation ("splay list" ;) is inefficient,
201// but low on resources. 292// but low on resources.
202struct net_rate_limiter : list<net_rateinfo> 293struct net_rate_limiter : list<net_rateinfo>
203{ 294{
204 static const double ALPHA = 1. - 1. / 600.; // allow bursts 295# define NRL_ALPHA (1. - 1. / 600.) // allow bursts
205 static const double CUTOFF = 10.; // one event every CUTOFF seconds 296# define NRL_CUTOFF 10. // one event every CUTOFF seconds
206 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 297# define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
207 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value 298# define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
208 299
209 bool can (const sockinfo &si) { return can((u32)si.host); } 300 bool can (const sockinfo &si) { return can((u32)si.host); }
210 bool can (u32 host); 301 bool can (u32 host);
211}; 302};
212 303
217 iterator i; 308 iterator i;
218 309
219 for (i = begin (); i != end (); ) 310 for (i = begin (); i != end (); )
220 if (i->host == host) 311 if (i->host == host)
221 break; 312 break;
222 else if (i->last < NOW - EXPIRE) 313 else if (i->last < ev_now () - NRL_EXPIRE)
223 i = erase (i); 314 i = erase (i);
224 else 315 else
225 i++; 316 i++;
226 317
227 if (i == end ()) 318 if (i == end ())
228 { 319 {
229 net_rateinfo ri; 320 net_rateinfo ri;
230 321
231 ri.host = host; 322 ri.host = host;
232 ri.pcnt = 1.; 323 ri.pcnt = 1.;
233 ri.diff = MAXDIF; 324 ri.diff = NRL_MAXDIF;
234 ri.last = NOW; 325 ri.last = ev_now ();
235 326
236 push_front (ri); 327 push_front (ri);
237 328
238 return true; 329 return true;
239 } 330 }
240 else 331 else
241 { 332 {
242 net_rateinfo ri (*i); 333 net_rateinfo ri (*i);
243 erase (i); 334 erase (i);
244 335
245 ri.pcnt = ri.pcnt * ALPHA; 336 ri.pcnt = ri.pcnt * NRL_ALPHA;
246 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 337 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
247 338
248 ri.last = NOW; 339 ri.last = ev_now ();
249 340
250 double dif = ri.diff / ri.pcnt; 341 double dif = ri.diff / ri.pcnt;
251 342
252 bool send = dif > CUTOFF; 343 bool send = dif > NRL_CUTOFF;
253 344
254 if (dif > MAXDIF) 345 if (dif > NRL_MAXDIF)
255 { 346 {
256 ri.pcnt = 1.; 347 ri.pcnt = 1.;
257 ri.diff = MAXDIF; 348 ri.diff = NRL_MAXDIF;
258 } 349 }
259 else if (send) 350 else if (send)
260 ri.pcnt++; 351 ri.pcnt++;
261 352
262 push_front (ri); 353 push_front (ri);
309} 400}
310 401
311#define MAXVPNDATA (MAX_MTU - 6 - 6) 402#define MAXVPNDATA (MAX_MTU - 6 - 6)
312#define DATAHDR (sizeof (u32) + RAND_SIZE) 403#define DATAHDR (sizeof (u32) + RAND_SIZE)
313 404
314struct vpndata_packet:vpn_packet 405struct vpndata_packet : vpn_packet
315 { 406 {
316 u8 data[MAXVPNDATA + DATAHDR]; // seqno 407 u8 data[MAXVPNDATA + DATAHDR]; // seqno
317 408
318 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno); 409 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
319 tap_packet *unpack (connection *conn, u32 &seqno); 410 tap_packet *unpack (connection *conn, u32 &seqno);
332 int outl = 0, outl2; 423 int outl = 0, outl2;
333 ptype type = PT_DATA_UNCOMPRESSED; 424 ptype type = PT_DATA_UNCOMPRESSED;
334 425
335#if ENABLE_COMPRESSION 426#if ENABLE_COMPRESSION
336 u8 cdata[MAX_MTU]; 427 u8 cdata[MAX_MTU];
337 u32 cl;
338 428
429 if (conn->features & ENABLE_COMPRESSION)
430 {
339 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 431 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
432
340 if (cl) 433 if (cl)
341 { 434 {
342 type = PT_DATA_COMPRESSED; 435 type = PT_DATA_COMPRESSED;
343 d = cdata; 436 d = cdata;
344 l = cl + 2; 437 l = cl + 2;
345 438
346 d[0] = cl >> 8; 439 d[0] = cl >> 8;
347 d[1] = cl; 440 d[1] = cl;
441 }
348 } 442 }
349#endif 443#endif
350 444
351 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 445 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
352 446
353 struct { 447 struct {
354#if RAND_SIZE 448#if RAND_SIZE
355 u8 rnd[RAND_SIZE]; 449 u8 rnd[RAND_SIZE];
356#endif 450#endif
360 datahdr.seqno = ntohl (seqno); 454 datahdr.seqno = ntohl (seqno);
361#if RAND_SIZE 455#if RAND_SIZE
362 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 456 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
363#endif 457#endif
364 458
365 EVP_EncryptUpdate (cctx, 459 require (EVP_EncryptUpdate (cctx,
366 (unsigned char *) data + outl, &outl2, 460 (unsigned char *) data + outl, &outl2,
367 (unsigned char *) &datahdr, DATAHDR); 461 (unsigned char *) &datahdr, DATAHDR));
368 outl += outl2; 462 outl += outl2;
369 463
370 EVP_EncryptUpdate (cctx, 464 require (EVP_EncryptUpdate (cctx,
371 (unsigned char *) data + outl, &outl2, 465 (unsigned char *) data + outl, &outl2,
372 (unsigned char *) d, l); 466 (unsigned char *) d, l));
373 outl += outl2; 467 outl += outl2;
374 468
375 EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2); 469 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
376 outl += outl2; 470 outl += outl2;
377 471
378 len = outl + data_hdr_size (); 472 len = outl + data_hdr_size ();
379 473
380 set_hdr (type, dst); 474 set_hdr (type, dst);
389 int outl = 0, outl2; 483 int outl = 0, outl2;
390 tap_packet *p = new tap_packet; 484 tap_packet *p = new tap_packet;
391 u8 *d; 485 u8 *d;
392 u32 l = len - data_hdr_size (); 486 u32 l = len - data_hdr_size ();
393 487
394 EVP_DecryptInit_ex (cctx, 0, 0, 0, 0); 488 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
395 489
396#if ENABLE_COMPRESSION 490#if ENABLE_COMPRESSION
397 u8 cdata[MAX_MTU]; 491 u8 cdata[MAX_MTU];
398 492
399 if (type == PT_DATA_COMPRESSED) 493 if (type == PT_DATA_COMPRESSED)
401 else 495 else
402#endif 496#endif
403 d = &(*p)[6 + 6 - DATAHDR]; 497 d = &(*p)[6 + 6 - DATAHDR];
404 498
405 /* this overwrites part of the src mac, but we fix that later */ 499 /* this overwrites part of the src mac, but we fix that later */
406 EVP_DecryptUpdate (cctx, 500 require (EVP_DecryptUpdate (cctx,
407 d, &outl2, 501 d, &outl2,
408 (unsigned char *)&data, len - data_hdr_size ()); 502 (unsigned char *)&data, len - data_hdr_size ()));
409 outl += outl2; 503 outl += outl2;
410 504
411 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 505 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
412 outl += outl2; 506 outl += outl2;
413 507
414 seqno = ntohl (*(u32 *)(d + RAND_SIZE)); 508 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
415 509
416 id2mac (dst () ? dst() : THISNODE->id, p->dst); 510 id2mac (dst () ? dst() : THISNODE->id, p->dst);
445{ 539{
446 // actually, hmaclen cannot be checked because the hmac 540 // actually, hmaclen cannot be checked because the hmac
447 // field comes before this data, so peers with other 541 // field comes before this data, so peers with other
448 // hmacs simply will not work. 542 // hmacs simply will not work.
449 u8 prot_major, prot_minor, randsize, hmaclen; 543 u8 prot_major, prot_minor, randsize, hmaclen;
450 u8 flags, challengelen, pad2, pad3; 544 u8 flags, challengelen, features, pad3;
451 u32 cipher_nid, digest_nid, hmac_nid; 545 u32 cipher_nid, digest_nid, hmac_nid;
452
453 const u8 curflags () const
454 {
455 return 0x80
456 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
457 }
458 546
459 void setup (ptype type, int dst); 547 void setup (ptype type, int dst);
460 bool chk_config () const; 548 bool chk_config () const;
549
550 static u8 get_features ()
551 {
552 u8 f = 0;
553#if ENABLE_COMPRESSION
554 f |= FEATURE_COMPRESSION;
555#endif
556#if ENABLE_ROHC
557 f |= FEATURE_ROHC;
558#endif
559#if ENABLE_BRIDGING
560 f |= FEATURE_BRIDGING;
561#endif
562 return f;
563 }
461}; 564};
462 565
463void config_packet::setup (ptype type, int dst) 566void config_packet::setup (ptype type, int dst)
464{ 567{
465 prot_major = PROTOCOL_MAJOR; 568 prot_major = PROTOCOL_MAJOR;
466 prot_minor = PROTOCOL_MINOR; 569 prot_minor = PROTOCOL_MINOR;
467 randsize = RAND_SIZE; 570 randsize = RAND_SIZE;
468 hmaclen = HMACLENGTH; 571 hmaclen = HMACLENGTH;
469 flags = curflags (); 572 flags = 0;
470 challengelen = sizeof (rsachallenge); 573 challengelen = sizeof (rsachallenge);
574 features = get_features ();
471 575
472 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 576 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
473 digest_nid = htonl (EVP_MD_type (RSA_HASH)); 577 digest_nid = htonl (EVP_MD_type (RSA_HASH));
474 hmac_nid = htonl (EVP_MD_type (DIGEST)); 578 hmac_nid = htonl (EVP_MD_type (DIGEST));
475 579
478} 582}
479 583
480bool config_packet::chk_config () const 584bool config_packet::chk_config () const
481{ 585{
482 if (prot_major != PROTOCOL_MAJOR) 586 if (prot_major != PROTOCOL_MAJOR)
483 slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR); 587 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
484 else if (randsize != RAND_SIZE) 588 else if (randsize != RAND_SIZE)
485 slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE); 589 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
486 else if (hmaclen != HMACLENGTH) 590 else if (hmaclen != HMACLENGTH)
487 slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH); 591 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
488 else if (flags != curflags ())
489 slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
490 else if (challengelen != sizeof (rsachallenge)) 592 else if (challengelen != sizeof (rsachallenge))
491 slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge)); 593 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
492 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER))) 594 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
493 slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER)); 595 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
494 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH))) 596 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
495 slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH)); 597 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
496 else if (hmac_nid != htonl (EVP_MD_type (DIGEST))) 598 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
497 slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST)); 599 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
498 else 600 else
499 return true; 601 return true;
500 602
501 return false; 603 return false;
502} 604}
503 605
504struct auth_req_packet : config_packet 606struct auth_req_packet : config_packet
505{ 607{
506 char magic[8]; 608 char magic[8];
507 u8 initiate; // false if this is just an automatic reply 609 u8 initiate; // false if this is just an automatic reply
508 u8 protocols; // supported protocols (will get patches on forward) 610 u8 protocols; // supported protocols (will be patched on forward)
509 u8 pad2, pad3; 611 u8 pad2, pad3;
510 rsaid id; 612 rsaid id;
511 rsaencrdata encr; 613 rsaencrdata encr;
512 614
513 auth_req_packet (int dst, bool initiate_, u8 protocols_) 615 auth_req_packet (int dst, bool initiate_, u8 protocols_)
570///////////////////////////////////////////////////////////////////////////// 672/////////////////////////////////////////////////////////////////////////////
571 673
572void 674void
573connection::connection_established () 675connection::connection_established ()
574{ 676{
677 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
678
575 if (ictx && octx) 679 if (ictx && octx)
576 { 680 {
577 connectmode = conf->connectmode; 681 // make sure rekeying timeouts are slightly asymmetric
578 682 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
579 rekey.start (NOW + ::conf.rekey); 683 rekey.start (rekey_interval, rekey_interval);
580 keepalive.start (NOW + ::conf.keepalive); 684 keepalive.start (::conf.keepalive);
581 685
582 // send queued packets 686 // send queued packets
583 if (ictx && octx) 687 if (ictx && octx)
584 { 688 {
585 while (tap_packet *p = (tap_packet *)data_queue.get ()) 689 while (tap_packet *p = (tap_packet *)data_queue.get ())
586 { 690 {
587 send_data_packet (p); 691 if (p->len) send_data_packet (p);
588 delete p; 692 delete p;
589 } 693 }
590 694
591 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ()) 695 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
592 { 696 {
593 send_vpn_packet (p, si, IPTOS_RELIABILITY); 697 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
594 delete p; 698 delete p;
595 } 699 }
596 } 700 }
597 } 701 }
598 else 702 else
599 { 703 {
600 retry_cnt = 0; 704 retry_cnt = 0;
601 establish_connection.start (NOW + 5); 705 establish_connection.start (5);
602 keepalive.reset (); 706 keepalive.stop ();
603 rekey.reset (); 707 rekey.stop ();
604 } 708 }
605} 709}
606 710
607void 711void
608connection::reset_si () 712connection::reset_si ()
610 protocol = best_protocol (THISNODE->protocols & conf->protocols); 714 protocol = best_protocol (THISNODE->protocols & conf->protocols);
611 715
612 // mask out protocols we cannot establish 716 // mask out protocols we cannot establish
613 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 717 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
614 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 718 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
719 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
720
721 if (protocol
722 && (!conf->can_direct (THISNODE)
723 || !THISNODE->can_direct (conf)))
724 {
725 slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename);
726 protocol = 0;
727 }
615 728
616 si.set (conf, protocol); 729 si.set (conf, protocol);
617} 730}
618 731
619// ensure sockinfo is valid, forward if necessary 732// ensure sockinfo is valid, forward if necessary
624 { 737 {
625 connection *r = vpn->find_router (); 738 connection *r = vpn->find_router ();
626 739
627 if (r) 740 if (r)
628 { 741 {
629 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"), 742 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s (%s)"),
630 conf->nodename, r->conf->nodename); 743 conf->nodename, r->conf->nodename, (const char *)r->si);
631 return r->si; 744 return r->si;
632 } 745 }
633 else 746 else
634 slog (L_DEBUG, _("%s: node unreachable, no common protocol"), 747 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
635 conf->nodename); 748 conf->nodename);
674connection::send_auth_request (const sockinfo &si, bool initiate) 787connection::send_auth_request (const sockinfo &si, bool initiate)
675{ 788{
676 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols); 789 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
677 790
678 rsachallenge chg; 791 rsachallenge chg;
679
680 rsa_cache.gen (pkt->id, chg); 792 rsa_cache.gen (pkt->id, chg);
681 793 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
682 if (0 > RSA_public_encrypt (sizeof chg,
683 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
684 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
685 fatal ("RSA_public_encrypt error");
686 794
687 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 795 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
688 796
689 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly 797 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
690 798
710} 818}
711 819
712void 820void
713connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 821connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
714{ 822{
715 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 823 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
716 conf->id, rid, (const char *)rsi); 824 conf->id, rid, (const char *)rsi);
717 825
718 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 826 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
719 827
720 r->hmac_set (octx); 828 r->hmac_set (octx);
721 send_vpn_packet (r, si); 829 send_vpn_packet (r, si);
722 830
723 delete r; 831 delete r;
724} 832}
725 833
726void 834inline void
727connection::establish_connection_cb (time_watcher &w) 835connection::establish_connection_cb (ev::timer &w, int revents)
728{ 836{
729 if (ictx || conf == THISNODE 837 if (!ictx
838 && conf != THISNODE
730 || connectmode == conf_node::C_NEVER 839 && connectmode != conf_node::C_NEVER
731 || connectmode == conf_node::C_DISABLED) 840 && connectmode != conf_node::C_DISABLED
732 w.at = TSTAMP_CANCEL; 841 && !w.is_active ())
733 else if (w.at <= NOW)
734 { 842 {
735 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 843 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
736 844 // and stop trying. should probably be handled by a per-connection expire handler.
737 if (retry_int < 3600 * 8) 845 if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
846 {
847 reset_connection ();
738 retry_cnt++; 848 return;
849 }
739 850
740 w.at = NOW + retry_int; 851 last_establish_attempt = ev_now ();
852
853 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
854 ? (retry_cnt & 3) + 1
855 : 1 << (retry_cnt >> 2));
741 856
742 reset_si (); 857 reset_si ();
743 858
859 bool slow = si.prot & PROT_SLOW;
860
744 if (si.prot && !si.host) 861 if (si.prot && !si.host)
862 {
863 slog (L_TRACE, _("%s: connection request (indirect)"), conf->nodename);
864 /*TODO*/ /* start the timer so we don't recurse endlessly */
865 w.start (1);
745 vpn->send_connect_request (conf->id); 866 vpn->send_connect_request (conf->id);
867 }
746 else 868 else
747 { 869 {
870 slog (L_TRACE, _("%s: connection request (direct)"), conf->nodename, !!ictx, !!octx);
871
748 const sockinfo &dsi = forward_si (si); 872 const sockinfo &dsi = forward_si (si);
873
874 slow = slow || (dsi.prot & PROT_SLOW);
749 875
750 if (dsi.valid () && auth_rate_limiter.can (dsi)) 876 if (dsi.valid () && auth_rate_limiter.can (dsi))
751 { 877 {
752 if (retry_cnt < 4) 878 if (retry_cnt < 4)
753 send_auth_request (dsi, true); 879 send_auth_request (dsi, true);
754 else 880 else
755 send_ping (dsi, 0); 881 send_ping (dsi, 0);
756 } 882 }
757 } 883 }
884
885 retry_int *= slow ? 8. : 0.9;
886
887 if (retry_int < conf->max_retry)
888 retry_cnt++;
889 else
890 retry_int = conf->max_retry;
891
892 w.start (retry_int);
758 } 893 }
759} 894}
760 895
761void 896void
762connection::reset_connection () 897connection::reset_connection ()
765 { 900 {
766 slog (L_INFO, _("%s(%s): connection lost"), 901 slog (L_INFO, _("%s(%s): connection lost"),
767 conf->nodename, (const char *)si); 902 conf->nodename, (const char *)si);
768 903
769 if (::conf.script_node_down) 904 if (::conf.script_node_down)
770 run_script (run_script_cb (this, &connection::script_node_down), false); 905 {
906 run_script_cb *cb = new run_script_cb;
907 cb->set<connection, &connection::script_node_down> (this);
908 run_script_queued (cb, _("node-down command execution failed, continuing."));
909 }
771 } 910 }
772 911
773 delete ictx; ictx = 0; 912 delete ictx; ictx = 0;
774 delete octx; octx = 0; 913 delete octx; octx = 0;
914#if ENABLE_DNS
915 dnsv4_reset_connection ();
916#endif
775 917
776 si.host= 0; 918 si.host = 0;
777 919
778 last_activity = 0; 920 last_activity = 0;
779 retry_cnt = 0; 921 retry_cnt = 0;
780 922
781 rekey.reset (); 923 rekey.stop ();
782 keepalive.reset (); 924 keepalive.stop ();
783 establish_connection.reset (); 925 establish_connection.stop ();
784} 926}
785 927
786void 928void
787connection::shutdown () 929connection::shutdown ()
788{ 930{
790 send_reset (si); 932 send_reset (si);
791 933
792 reset_connection (); 934 reset_connection ();
793} 935}
794 936
795void 937inline void
796connection::rekey_cb (time_watcher &w) 938connection::rekey_cb (ev::timer &w, int revents)
797{ 939{
798 w.at = TSTAMP_CANCEL;
799
800 reset_connection (); 940 reset_connection ();
801 establish_connection (); 941 establish_connection ();
802} 942}
803 943
804void 944void
805connection::send_data_packet (tap_packet *pkt, bool broadcast) 945connection::send_data_packet (tap_packet *pkt)
806{ 946{
807 vpndata_packet *p = new vpndata_packet; 947 vpndata_packet *p = new vpndata_packet;
808 int tos = 0; 948 int tos = 0;
809 949
810 // I am not hilarious about peeking into packets, but so be it. 950 // I am not hilarious about peeking into packets, but so be it.
811 if (conf->inherit_tos 951 if (conf->inherit_tos && pkt->is_ipv4 ())
812 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
813 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
814 tos = (*pkt)[15] & IPTOS_TOS_MASK; 952 tos = (*pkt)[15] & IPTOS_TOS_MASK;
815 953
816 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 954 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
817 send_vpn_packet (p, si, tos); 955 send_vpn_packet (p, si, tos);
818 956
819 delete p; 957 delete p;
820 958
821 if (oseqno > MAX_SEQNO) 959 if (oseqno > MAX_SEQNO)
822 rekey (); 960 rekey ();
823} 961}
824 962
825void 963void
964connection::post_inject_queue ()
965{
966 // force a connection every now and when when packets are sent (max 1/s)
967 if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
968 establish_connection.stop ();
969
970 establish_connection ();
971}
972
973void
826connection::inject_data_packet (tap_packet *pkt, bool broadcast) 974connection::inject_data_packet (tap_packet *pkt)
827{ 975{
828 if (ictx && octx) 976 if (ictx && octx)
829 send_data_packet (pkt, broadcast); 977 send_data_packet (pkt);
830 else 978 else
831 { 979 {
832 if (!broadcast)//DDDD
833 data_queue.put (new tap_packet (*pkt)); 980 data_queue.put (new tap_packet (*pkt));
834 981 post_inject_queue ();
835 establish_connection ();
836 } 982 }
837} 983}
838 984
839void connection::inject_vpn_packet (vpn_packet *pkt, int tos) 985void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
840{ 986{
841 if (ictx && octx) 987 if (ictx && octx)
842 send_vpn_packet (pkt, si, tos); 988 send_vpn_packet (pkt, si, tos);
843 else 989 else
844 { 990 {
845 vpn_queue.put (new vpn_packet (*pkt)); 991 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
846 992 post_inject_queue ();
847 establish_connection ();
848 } 993 }
849} 994}
850 995
851void 996void
852connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 997connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
853{ 998{
854 last_activity = NOW; 999 last_activity = ev_now ();
855 1000
856 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 1001 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
857 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 1002 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
1003
1004 if (connectmode == conf_node::C_DISABLED)
1005 return;
858 1006
859 switch (pkt->typ ()) 1007 switch (pkt->typ ())
860 { 1008 {
861 case vpn_packet::PT_PING: 1009 case vpn_packet::PT_PING:
862 // we send pings instead of auth packets after some retries, 1010 // we send pings instead of auth packets after some retries,
909 if (p->initiate) 1057 if (p->initiate)
910 send_auth_request (rsi, false); 1058 send_auth_request (rsi, false);
911 1059
912 rsachallenge k; 1060 rsachallenge k;
913 1061
914 if (0 > RSA_private_decrypt (sizeof (p->encr), 1062 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
915 (unsigned char *)&p->encr, (unsigned char *)&k, 1063 {
916 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
917 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"), 1064 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
918 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0)); 1065 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1066 break;
1067 }
919 else 1068 else
920 { 1069 {
921 delete octx; 1070 delete octx;
922 1071
923 octx = new crypto_ctx (k, 1); 1072 octx = new crypto_ctx (k, 1);
924 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 1073 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
925 1074
926 conf->protocols = p->protocols; 1075 conf->protocols = p->protocols;
1076 features = p->features & config_packet::get_features ();
927 1077
928 send_auth_response (rsi, p->id, k); 1078 send_auth_response (rsi, p->id, k);
929 1079
930 connection_established (); 1080 connection_established ();
931 1081
967 crypto_ctx *cctx = new crypto_ctx (chg, 0); 1117 crypto_ctx *cctx = new crypto_ctx (chg, 0);
968 1118
969 if (!p->hmac_chk (cctx)) 1119 if (!p->hmac_chk (cctx))
970 { 1120 {
971 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 1121 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
972 "could be an attack, or just corruption or an synchronization error"), 1122 "could be an attack, or just corruption or a synchronization error"),
973 conf->nodename, (const char *)rsi); 1123 conf->nodename, (const char *)rsi);
974 break; 1124 break;
975 } 1125 }
976 else 1126 else
977 { 1127 {
995 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), 1145 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
996 conf->nodename, (const char *)rsi, 1146 conf->nodename, (const char *)rsi,
997 p->prot_major, p->prot_minor); 1147 p->prot_major, p->prot_minor);
998 1148
999 if (::conf.script_node_up) 1149 if (::conf.script_node_up)
1000 run_script (run_script_cb (this, &connection::script_node_up), false); 1150 {
1151 run_script_cb *cb = new run_script_cb;
1152 cb->set<connection, &connection::script_node_up> (this);
1153 run_script_queued (cb, _("node-up command execution failed, continuing."));
1154 }
1001 1155
1002 break; 1156 break;
1003 } 1157 }
1004 else 1158 else
1005 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1159 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
1026 { 1180 {
1027 vpndata_packet *p = (vpndata_packet *)pkt; 1181 vpndata_packet *p = (vpndata_packet *)pkt;
1028 1182
1029 if (!p->hmac_chk (ictx)) 1183 if (!p->hmac_chk (ictx))
1030 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n" 1184 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1031 "could be an attack, or just corruption or an synchronization error"), 1185 "could be an attack, or just corruption or a synchronization error"),
1032 conf->nodename, (const char *)rsi); 1186 conf->nodename, (const char *)rsi);
1033 else 1187 else
1034 { 1188 {
1035 u32 seqno; 1189 u32 seqno;
1036 tap_packet *d = p->unpack (this, seqno); 1190 tap_packet *d = p->unpack (this, seqno);
1037 1191
1038 if (iseqno.recv_ok (seqno)) 1192 if (iseqno.recv_ok (seqno))
1039 { 1193 {
1040 vpn->tap->send (d); 1194 vpn->tap->send (d);
1041 1195
1042 if (p->dst () == 0) // re-broadcast
1043 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1044 {
1045 connection *c = *i;
1046
1047 if (c->conf != THISNODE && c->conf != conf)
1048 c->inject_data_packet (d);
1049 }
1050
1051 if (si != rsi) 1196 if (si != rsi)
1052 { 1197 {
1053 // fast re-sync on connection changes, useful especially for tcp/ip 1198 // fast re-sync on source address changes, useful especially for tcp/ip
1054 si = rsi; 1199 si = rsi;
1055 1200
1056 slog (L_INFO, _("%s(%s): socket address changed to %s"), 1201 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1057 conf->nodename, (const char *)si, (const char *)rsi); 1202 conf->nodename, (const char *)si, (const char *)rsi);
1058 } 1203 }
1059
1060 delete d;
1061
1062 break;
1063 } 1204 }
1205
1206 delete d;
1207 break;
1064 } 1208 }
1065 } 1209 }
1066 1210
1067 send_reset (rsi); 1211 send_reset (rsi);
1068 break; 1212 break;
1070 case vpn_packet::PT_CONNECT_REQ: 1214 case vpn_packet::PT_CONNECT_REQ:
1071 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1215 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1072 { 1216 {
1073 connect_req_packet *p = (connect_req_packet *) pkt; 1217 connect_req_packet *p = (connect_req_packet *) pkt;
1074 1218
1075 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1219 if (p->id > 0 && p->id <= vpn->conns.size ())
1076 connection *c = vpn->conns[p->id - 1];
1077 conf->protocols = p->protocols;
1078
1079 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1080 conf->id, p->id, c->ictx && c->octx);
1081
1082 if (c->ictx && c->octx)
1083 { 1220 {
1221 connection *c = vpn->conns[p->id - 1];
1222 conf->protocols = p->protocols;
1223
1224 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1225 conf->id, p->id, c->ictx && c->octx);
1226
1227 if (c->ictx && c->octx)
1228 {
1084 // send connect_info packets to both sides, in case one is 1229 // send connect_info packets to both sides, in case one is
1085 // behind a nat firewall (or both ;) 1230 // behind a nat firewall (or both ;)
1086 c->send_connect_info (conf->id, si, conf->protocols); 1231 c->send_connect_info (conf->id, si, conf->protocols);
1087 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1232 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1233 }
1234 else
1235 c->establish_connection ();
1088 } 1236 }
1089 else 1237 else
1090 c->establish_connection (); 1238 slog (L_WARN,
1239 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1240 p->id);
1091 } 1241 }
1092 1242
1093 break; 1243 break;
1094 1244
1095 case vpn_packet::PT_CONNECT_INFO: 1245 case vpn_packet::PT_CONNECT_INFO:
1096 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1246 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1097 { 1247 {
1098 connect_info_packet *p = (connect_info_packet *) pkt; 1248 connect_info_packet *p = (connect_info_packet *)pkt;
1099 1249
1100 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1250 if (p->id > 0 && p->id <= vpn->conns.size ())
1101 1251 {
1102 connection *c = vpn->conns[p->id - 1]; 1252 connection *c = vpn->conns[p->id - 1];
1103 1253
1104 c->conf->protocols = p->protocols; 1254 c->conf->protocols = p->protocols;
1105 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1255 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1106 p->si.upgrade_protocol (protocol, c->conf); 1256 p->si.upgrade_protocol (protocol, c->conf);
1107 1257
1108 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1258 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1109 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1259 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1110 1260
1111 const sockinfo &dsi = forward_si (p->si); 1261 const sockinfo &dsi = forward_si (p->si);
1112 1262
1113 if (dsi.valid ()) 1263 if (dsi.valid ())
1114 c->send_auth_request (dsi, true); 1264 c->send_auth_request (dsi, true);
1265 }
1266 else
1267 slog (L_WARN,
1268 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1269 p->id);
1115 } 1270 }
1116 1271
1117 break; 1272 break;
1118 1273
1119 default: 1274 default:
1120 send_reset (rsi); 1275 send_reset (rsi);
1121 break; 1276 break;
1122 } 1277 }
1123} 1278}
1124 1279
1125void connection::keepalive_cb (time_watcher &w) 1280inline void
1281connection::keepalive_cb (ev::timer &w, int revents)
1126{ 1282{
1127 if (NOW >= last_activity + ::conf.keepalive + 30) 1283 if (ev_now () >= last_activity + ::conf.keepalive + 30)
1128 { 1284 {
1129 reset_connection (); 1285 reset_connection ();
1130 establish_connection (); 1286 establish_connection ();
1131 } 1287 }
1132 else if (NOW < last_activity + ::conf.keepalive) 1288 else if (ev_now () < last_activity + ::conf.keepalive)
1133 w.at = last_activity + ::conf.keepalive; 1289 w.start (last_activity + ::conf.keepalive - ev::now ());
1134 else if (conf->connectmode != conf_node::C_ONDEMAND 1290 else if (conf->connectmode != conf_node::C_ONDEMAND
1135 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1291 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1136 { 1292 {
1137 send_ping (si); 1293 send_ping (si);
1138 w.at = NOW + 5; 1294 w.start (5);
1139 } 1295 }
1140 else if (NOW < last_activity + ::conf.keepalive + 10) 1296 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1141 // hold ondemand connections implicitly a few seconds longer 1297 // hold ondemand connections implicitly a few seconds longer
1142 // should delete octx, though, or something like that ;) 1298 // should delete octx, though, or something like that ;)
1143 w.at = last_activity + ::conf.keepalive + 10; 1299 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1144 else 1300 else
1145 reset_connection (); 1301 reset_connection ();
1146} 1302}
1147 1303
1148void connection::send_connect_request (int id) 1304void connection::send_connect_request (int id)
1154 send_vpn_packet (p, si); 1310 send_vpn_packet (p, si);
1155 1311
1156 delete p; 1312 delete p;
1157} 1313}
1158 1314
1315void connection::script_init_env (const char *ext)
1316{
1317 char *env;
1318 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1319 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1320 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1321 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1322 conf->id & 0xff); putenv (env);
1323}
1324
1159void connection::script_node () 1325void connection::script_init_connect_env ()
1160{ 1326{
1161 vpn->script_if_up (); 1327 vpn->script_init_env ();
1162 1328
1163 char *env; 1329 char *env;
1164 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1330 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1165 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1331 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1166 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1332 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1167 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1333 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1168} 1334}
1169 1335
1336inline const char *
1170const char *connection::script_node_up () 1337connection::script_node_up ()
1171{ 1338{
1172 script_node (); 1339 script_init_connect_env ();
1173 1340
1174 putenv ("STATE=up"); 1341 putenv ((char *)"STATE=up");
1175 1342
1343 char *filename;
1344 asprintf (&filename,
1345 "%s/%s",
1346 confbase,
1176 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1347 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1177}
1178 1348
1349 return filename;
1350}
1351
1352inline const char *
1179const char *connection::script_node_down () 1353connection::script_node_down ()
1180{ 1354{
1181 script_node (); 1355 script_init_connect_env ();
1182 1356
1183 putenv ("STATE=down"); 1357 putenv ((char *)"STATE=down");
1184 1358
1185 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1359 char *filename;
1186} 1360 asprintf (&filename,
1361 "%s/%s",
1362 confbase,
1363 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1187 1364
1365 return filename;
1366}
1367
1188connection::connection(struct vpn *vpn_) 1368connection::connection (struct vpn *vpn, conf_node *conf)
1189: vpn(vpn_) 1369: vpn(vpn), conf(conf),
1190, rekey (this, &connection::rekey_cb) 1370#if ENABLE_DNS
1191, keepalive (this, &connection::keepalive_cb) 1371 dns (0),
1372#endif
1373 data_queue(conf->max_ttl, conf->max_queue),
1374 vpn_queue(conf->max_ttl, conf->max_queue)
1375{
1376 rekey .set<connection, &connection::rekey_cb > (this);
1377 keepalive .set<connection, &connection::keepalive_cb > (this);
1192, establish_connection (this, &connection::establish_connection_cb) 1378 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1193{ 1379
1380 last_establish_attempt = 0.;
1194 octx = ictx = 0; 1381 octx = ictx = 0;
1195 retry_cnt = 0;
1196 1382
1197 connectmode = conf_node::C_ALWAYS; // initial setting 1383 if (!conf->protocols) // make sure some protocol is enabled
1384 conf->protocols = PROT_UDPv4;
1385
1386 connectmode = conf->connectmode;
1387
1388 // queue a dummy packet to force an initial connection attempt
1389 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1390 vpn_queue.put (new net_packet);
1391
1198 reset_connection (); 1392 reset_connection ();
1199} 1393}
1200 1394
1201connection::~connection () 1395connection::~connection ()
1202{ 1396{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines