ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.23 by pcg, Wed Oct 22 00:42:53 2003 UTC vs.
Revision 1.70 by pcg, Thu Aug 7 19:07:02 2008 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003 Marc Lehmann <pcg@goof.com> 3 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de>
4 4
5 This file is part of GVPE.
6
5 This program is free software; you can redistribute it and/or modify 7 GVPE is free software; you can redistribute it and/or modify it
6 it under the terms of the GNU General Public License as published by 8 under the terms of the GNU General Public License as published by the
7 the Free Software Foundation; either version 2 of the License, or 9 Free Software Foundation; either version 3 of the License, or (at your
8 (at your option) any later version. 10 option) any later version.
9 11
10 This program is distributed in the hope that it will be useful, 12 This program is distributed in the hope that it will be useful, but
11 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
13 GNU General Public License for more details. 15 Public License for more details.
14 16
15 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License along
16 along with this program; if not, write to the Free Software 18 with this program; if not, see <http://www.gnu.org/licenses/>.
17 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19
20 Additional permission under GNU GPL version 3 section 7
21
22 If you modify this Program, or any covered work, by linking or
23 combining it with the OpenSSL project's OpenSSL library (or a modified
24 version of that library), containing parts covered by the terms of the
25 OpenSSL or SSLeay licenses, the licensors of this Program grant you
26 additional permission to convey the resulting work. Corresponding
27 Source for a non-source form of such a combination shall include the
28 source code for the parts of OpenSSL used as well as that of the
29 covered work.
18*/ 30*/
19 31
20#include "config.h" 32#include "config.h"
21 33
22extern "C" {
23# include "lzf/lzf.h"
24}
25
26#include <list> 34#include <list>
35#include <queue>
36#include <utility>
27 37
28#include <openssl/rand.h> 38#include <openssl/rand.h>
29#include <openssl/evp.h> 39#include <openssl/evp.h>
30#include <openssl/rsa.h> 40#include <openssl/rsa.h>
31#include <openssl/err.h> 41#include <openssl/err.h>
32
33#include "gettext.h"
34 42
35#include "conf.h" 43#include "conf.h"
36#include "slog.h" 44#include "slog.h"
37#include "device.h" 45#include "device.h"
38#include "vpn.h" 46#include "vpn.h"
44# define RAND_pseudo_bytes RAND_bytes 52# define RAND_pseudo_bytes RAND_bytes
45#endif 53#endif
46 54
47#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 55#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
48 56
57#define ULTRA_FAST 1
58#define HLOG 15
59#include "lzf/lzf.h"
60#include "lzf/lzf_c.c"
61#include "lzf/lzf_d.c"
62
63//////////////////////////////////////////////////////////////////////////////
64
65static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
66static ev::child rs_child_ev;
67
68void // c++ requires external linkage here, apparently :(
69rs_child_cb (ev::child &w, int revents)
70{
71 w.stop ();
72
73 if (rs_queue.empty ())
74 return;
75
76 pid_t pid = run_script (*rs_queue.front ().first, false);
77 if (pid)
78 {
79 w.set (pid);
80 w.start ();
81 }
82 else
83 slog (L_WARN, rs_queue.front ().second);
84
85 delete rs_queue.front ().first;
86 rs_queue.pop ();
87}
88
89// despite the fancy name, this is quite a hack
90static void
91run_script_queued (run_script_cb *cb, const char *warnmsg)
92{
93 rs_queue.push (std::make_pair (cb, warnmsg));
94
95 if (!rs_child_ev.is_active ())
96 {
97 rs_child_ev.set<rs_child_cb> ();
98 rs_child_ev ();
99 }
100}
101
102//////////////////////////////////////////////////////////////////////////////
103
49struct crypto_ctx 104struct crypto_ctx
50{ 105{
51 EVP_CIPHER_CTX cctx; 106 EVP_CIPHER_CTX cctx;
52 HMAC_CTX hctx; 107 HMAC_CTX hctx;
53 108
56}; 111};
57 112
58crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc) 113crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
59{ 114{
60 EVP_CIPHER_CTX_init (&cctx); 115 EVP_CIPHER_CTX_init (&cctx);
61 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); 116 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
62 HMAC_CTX_init (&hctx); 117 HMAC_CTX_init (&hctx);
63 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0); 118 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
64} 119}
65 120
66crypto_ctx::~crypto_ctx () 121crypto_ctx::~crypto_ctx ()
67{ 122{
68 EVP_CIPHER_CTX_cleanup (&cctx); 123 require (EVP_CIPHER_CTX_cleanup (&cctx));
69 HMAC_CTX_cleanup (&hctx); 124 HMAC_CTX_cleanup (&hctx);
70} 125}
71 126
72static void 127static void
73rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h) 128rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
74{ 129{
75 EVP_MD_CTX ctx; 130 EVP_MD_CTX ctx;
76 131
77 EVP_MD_CTX_init (&ctx); 132 EVP_MD_CTX_init (&ctx);
78 EVP_DigestInit (&ctx, RSA_HASH); 133 require (EVP_DigestInit (&ctx, RSA_HASH));
79 EVP_DigestUpdate(&ctx, &chg, sizeof chg); 134 require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
80 EVP_DigestUpdate(&ctx, &id, sizeof id); 135 require (EVP_DigestUpdate(&ctx, &id, sizeof id));
81 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0); 136 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
82 EVP_MD_CTX_cleanup (&ctx); 137 EVP_MD_CTX_cleanup (&ctx);
83} 138}
84 139
85struct rsa_entry { 140struct rsa_entry
141{
86 tstamp expire; 142 tstamp expire;
87 rsaid id; 143 rsaid id;
88 rsachallenge chg; 144 rsachallenge chg;
89}; 145};
90 146
91struct rsa_cache : list<rsa_entry> 147struct rsa_cache : list<rsa_entry>
92{ 148{
93 void cleaner_cb (time_watcher &w); time_watcher cleaner; 149 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
94 150
95 bool find (const rsaid &id, rsachallenge &chg) 151 bool find (const rsaid &id, rsachallenge &chg)
96 { 152 {
97 for (iterator i = begin (); i != end (); ++i) 153 for (iterator i = begin (); i != end (); ++i)
98 { 154 {
99 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW) 155 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
100 { 156 {
101 memcpy (&chg, &i->chg, sizeof chg); 157 memcpy (&chg, &i->chg, sizeof chg);
102 158
103 erase (i); 159 erase (i);
104 return true; 160 return true;
105 } 161 }
106 } 162 }
107 163
108 if (cleaner.at < NOW) 164 if (!cleaner.is_active ())
109 cleaner.start (NOW + RSA_TTL); 165 cleaner.again ();
110 166
111 return false; 167 return false;
112 } 168 }
113 169
114 void gen (rsaid &id, rsachallenge &chg) 170 void gen (rsaid &id, rsachallenge &chg)
115 { 171 {
116 rsa_entry e; 172 rsa_entry e;
117 173
118 RAND_bytes ((unsigned char *)&id, sizeof id); 174 RAND_bytes ((unsigned char *)&id, sizeof id);
119 RAND_bytes ((unsigned char *)&chg, sizeof chg); 175 RAND_bytes ((unsigned char *)&chg, sizeof chg);
120 176
121 e.expire = NOW + RSA_TTL; 177 e.expire = ev_now () + RSA_TTL;
122 e.id = id; 178 e.id = id;
123 memcpy (&e.chg, &chg, sizeof chg); 179 memcpy (&e.chg, &chg, sizeof chg);
124 180
125 push_back (e); 181 push_back (e);
126 182
127 if (cleaner.at < NOW) 183 if (!cleaner.is_active ())
128 cleaner.start (NOW + RSA_TTL); 184 cleaner.again ();
129 } 185 }
130 186
131 rsa_cache () 187 rsa_cache ()
132 : cleaner (this, &rsa_cache::cleaner_cb) 188 {
133 { } 189 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
190 cleaner.set (RSA_TTL, RSA_TTL);
191 }
134 192
135} rsa_cache; 193} rsa_cache;
136 194
137void rsa_cache::cleaner_cb (time_watcher &w) 195void rsa_cache::cleaner_cb (ev::timer &w, int revents)
138{ 196{
139 if (empty ()) 197 if (empty ())
140 w.at = TSTAMP_CANCEL; 198 w.stop ();
141 else 199 else
142 { 200 {
143 w.at = NOW + RSA_TTL;
144
145 for (iterator i = begin (); i != end (); ) 201 for (iterator i = begin (); i != end (); )
146 if (i->expire <= NOW) 202 if (i->expire <= ev_now ())
147 i = erase (i); 203 i = erase (i);
148 else 204 else
149 ++i; 205 ++i;
150 } 206 }
151} 207}
152 208
153////////////////////////////////////////////////////////////////////////////// 209//////////////////////////////////////////////////////////////////////////////
154 210
155void pkt_queue::put (net_packet *p) 211pkt_queue::pkt_queue (double max_ttl, int max_queue)
212: max_ttl (max_ttl), max_queue (max_queue)
156{ 213{
157 if (queue[i]) 214 queue = new pkt [max_queue];
158 {
159 delete queue[i];
160 j = (j + 1) % QUEUEDEPTH;
161 }
162 215
163 queue[i] = p;
164
165 i = (i + 1) % QUEUEDEPTH;
166}
167
168net_packet *pkt_queue::get ()
169{
170 net_packet *p = queue[j];
171
172 if (p)
173 {
174 queue[j] = 0;
175 j = (j + 1) % QUEUEDEPTH;
176 }
177
178 return p;
179}
180
181pkt_queue::pkt_queue ()
182{
183 memset (queue, 0, sizeof (queue));
184 i = 0; 216 i = 0;
185 j = 0; 217 j = 0;
218
219 expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
186} 220}
187 221
188pkt_queue::~pkt_queue () 222pkt_queue::~pkt_queue ()
189{ 223{
190 for (i = QUEUEDEPTH; --i > 0; ) 224 while (net_packet *p = get ())
225 delete p;
226
191 delete queue[i]; 227 delete [] queue;
192} 228}
193 229
230void pkt_queue::expire_cb (ev::timer &w, int revents)
231{
232 ev_tstamp expire = ev_now () - max_ttl;
233
234 for (;;)
235 {
236 if (empty ())
237 break;
238
239 double diff = queue[j].tstamp - expire;
240
241 if (diff >= 0.)
242 {
243 w.start (diff > 0.5 ? diff : 0.5);
244 break;
245 }
246
247 delete get ();
248 }
249}
250
251void pkt_queue::put (net_packet *p)
252{
253 ev_tstamp now = ev_now ();
254
255 // start expiry timer
256 if (empty ())
257 expire.start (max_ttl);
258
259 int ni = i + 1 == max_queue ? 0 : i + 1;
260
261 if (ni == j)
262 delete get ();
263
264 queue[i].pkt = p;
265 queue[i].tstamp = now;
266
267 i = ni;
268}
269
270net_packet *pkt_queue::get ()
271{
272 if (empty ())
273 return 0;
274
275 net_packet *p = queue[j].pkt;
276 queue[j].pkt = 0;
277
278 j = j + 1 == max_queue ? 0 : j + 1;
279
280 return p;
281}
282
194struct net_rateinfo { 283struct net_rateinfo
284{
195 u32 host; 285 u32 host;
196 double pcnt, diff; 286 double pcnt, diff;
197 tstamp last; 287 tstamp last;
198}; 288};
199 289
200// only do action once every x seconds per host whole allowing bursts. 290// only do action once every x seconds per host whole allowing bursts.
201// this implementation ("splay list" ;) is inefficient, 291// this implementation ("splay list" ;) is inefficient,
202// but low on resources. 292// but low on resources.
203struct net_rate_limiter : list<net_rateinfo> 293struct net_rate_limiter : list<net_rateinfo>
204{ 294{
205 static const double ALPHA = 1. - 1. / 600.; // allow bursts 295# define NRL_ALPHA (1. - 1. / 600.) // allow bursts
206 static const double CUTOFF = 10.; // one event every CUTOFF seconds 296# define NRL_CUTOFF 10. // one event every CUTOFF seconds
207 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 297# define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
208 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value 298# define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
209 299
210 bool can (const sockinfo &si) { return can((u32)si.host); } 300 bool can (const sockinfo &si) { return can((u32)si.host); }
211 bool can (u32 host); 301 bool can (u32 host);
212}; 302};
213 303
218 iterator i; 308 iterator i;
219 309
220 for (i = begin (); i != end (); ) 310 for (i = begin (); i != end (); )
221 if (i->host == host) 311 if (i->host == host)
222 break; 312 break;
223 else if (i->last < NOW - EXPIRE) 313 else if (i->last < ev_now () - NRL_EXPIRE)
224 i = erase (i); 314 i = erase (i);
225 else 315 else
226 i++; 316 i++;
227 317
228 if (i == end ()) 318 if (i == end ())
229 { 319 {
230 net_rateinfo ri; 320 net_rateinfo ri;
231 321
232 ri.host = host; 322 ri.host = host;
233 ri.pcnt = 1.; 323 ri.pcnt = 1.;
234 ri.diff = MAXDIF; 324 ri.diff = NRL_MAXDIF;
235 ri.last = NOW; 325 ri.last = ev_now ();
236 326
237 push_front (ri); 327 push_front (ri);
238 328
239 return true; 329 return true;
240 } 330 }
241 else 331 else
242 { 332 {
243 net_rateinfo ri (*i); 333 net_rateinfo ri (*i);
244 erase (i); 334 erase (i);
245 335
246 ri.pcnt = ri.pcnt * ALPHA; 336 ri.pcnt = ri.pcnt * NRL_ALPHA;
247 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 337 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
248 338
249 ri.last = NOW; 339 ri.last = ev_now ();
250 340
251 double dif = ri.diff / ri.pcnt; 341 double dif = ri.diff / ri.pcnt;
252 342
253 bool send = dif > CUTOFF; 343 bool send = dif > NRL_CUTOFF;
254 344
255 if (dif > MAXDIF) 345 if (dif > NRL_MAXDIF)
256 { 346 {
257 ri.pcnt = 1.; 347 ri.pcnt = 1.;
258 ri.diff = MAXDIF; 348 ri.diff = NRL_MAXDIF;
259 } 349 }
260 else if (send) 350 else if (send)
261 ri.pcnt++; 351 ri.pcnt++;
262 352
263 push_front (ri); 353 push_front (ri);
310} 400}
311 401
312#define MAXVPNDATA (MAX_MTU - 6 - 6) 402#define MAXVPNDATA (MAX_MTU - 6 - 6)
313#define DATAHDR (sizeof (u32) + RAND_SIZE) 403#define DATAHDR (sizeof (u32) + RAND_SIZE)
314 404
315struct vpndata_packet:vpn_packet 405struct vpndata_packet : vpn_packet
316 { 406 {
317 u8 data[MAXVPNDATA + DATAHDR]; // seqno 407 u8 data[MAXVPNDATA + DATAHDR]; // seqno
318 408
319 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno); 409 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
320 tap_packet *unpack (connection *conn, u32 &seqno); 410 tap_packet *unpack (connection *conn, u32 &seqno);
333 int outl = 0, outl2; 423 int outl = 0, outl2;
334 ptype type = PT_DATA_UNCOMPRESSED; 424 ptype type = PT_DATA_UNCOMPRESSED;
335 425
336#if ENABLE_COMPRESSION 426#if ENABLE_COMPRESSION
337 u8 cdata[MAX_MTU]; 427 u8 cdata[MAX_MTU];
338 u32 cl;
339 428
429 if (conn->features & ENABLE_COMPRESSION)
430 {
340 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 431 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
432
341 if (cl) 433 if (cl)
342 { 434 {
343 type = PT_DATA_COMPRESSED; 435 type = PT_DATA_COMPRESSED;
344 d = cdata; 436 d = cdata;
345 l = cl + 2; 437 l = cl + 2;
346 438
347 d[0] = cl >> 8; 439 d[0] = cl >> 8;
348 d[1] = cl; 440 d[1] = cl;
441 }
349 } 442 }
350#endif 443#endif
351 444
352 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 445 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
353 446
354 struct { 447 struct {
355#if RAND_SIZE 448#if RAND_SIZE
356 u8 rnd[RAND_SIZE]; 449 u8 rnd[RAND_SIZE];
357#endif 450#endif
361 datahdr.seqno = ntohl (seqno); 454 datahdr.seqno = ntohl (seqno);
362#if RAND_SIZE 455#if RAND_SIZE
363 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 456 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
364#endif 457#endif
365 458
366 EVP_EncryptUpdate (cctx, 459 require (EVP_EncryptUpdate (cctx,
367 (unsigned char *) data + outl, &outl2, 460 (unsigned char *) data + outl, &outl2,
368 (unsigned char *) &datahdr, DATAHDR); 461 (unsigned char *) &datahdr, DATAHDR));
369 outl += outl2; 462 outl += outl2;
370 463
371 EVP_EncryptUpdate (cctx, 464 require (EVP_EncryptUpdate (cctx,
372 (unsigned char *) data + outl, &outl2, 465 (unsigned char *) data + outl, &outl2,
373 (unsigned char *) d, l); 466 (unsigned char *) d, l));
374 outl += outl2; 467 outl += outl2;
375 468
376 EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2); 469 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
377 outl += outl2; 470 outl += outl2;
378 471
379 len = outl + data_hdr_size (); 472 len = outl + data_hdr_size ();
380 473
381 set_hdr (type, dst); 474 set_hdr (type, dst);
390 int outl = 0, outl2; 483 int outl = 0, outl2;
391 tap_packet *p = new tap_packet; 484 tap_packet *p = new tap_packet;
392 u8 *d; 485 u8 *d;
393 u32 l = len - data_hdr_size (); 486 u32 l = len - data_hdr_size ();
394 487
395 EVP_DecryptInit_ex (cctx, 0, 0, 0, 0); 488 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
396 489
397#if ENABLE_COMPRESSION 490#if ENABLE_COMPRESSION
398 u8 cdata[MAX_MTU]; 491 u8 cdata[MAX_MTU];
399 492
400 if (type == PT_DATA_COMPRESSED) 493 if (type == PT_DATA_COMPRESSED)
402 else 495 else
403#endif 496#endif
404 d = &(*p)[6 + 6 - DATAHDR]; 497 d = &(*p)[6 + 6 - DATAHDR];
405 498
406 /* this overwrites part of the src mac, but we fix that later */ 499 /* this overwrites part of the src mac, but we fix that later */
407 EVP_DecryptUpdate (cctx, 500 require (EVP_DecryptUpdate (cctx,
408 d, &outl2, 501 d, &outl2,
409 (unsigned char *)&data, len - data_hdr_size ()); 502 (unsigned char *)&data, len - data_hdr_size ()));
410 outl += outl2; 503 outl += outl2;
411 504
412 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 505 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
413 outl += outl2; 506 outl += outl2;
414 507
415 seqno = ntohl (*(u32 *)(d + RAND_SIZE)); 508 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
416 509
417 id2mac (dst () ? dst() : THISNODE->id, p->dst); 510 id2mac (dst () ? dst() : THISNODE->id, p->dst);
446{ 539{
447 // actually, hmaclen cannot be checked because the hmac 540 // actually, hmaclen cannot be checked because the hmac
448 // field comes before this data, so peers with other 541 // field comes before this data, so peers with other
449 // hmacs simply will not work. 542 // hmacs simply will not work.
450 u8 prot_major, prot_minor, randsize, hmaclen; 543 u8 prot_major, prot_minor, randsize, hmaclen;
451 u8 flags, challengelen, pad2, pad3; 544 u8 flags, challengelen, features, pad3;
452 u32 cipher_nid, digest_nid, hmac_nid; 545 u32 cipher_nid, digest_nid, hmac_nid;
453
454 const u8 curflags () const
455 {
456 return 0x80
457 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
458 }
459 546
460 void setup (ptype type, int dst); 547 void setup (ptype type, int dst);
461 bool chk_config () const; 548 bool chk_config () const;
549
550 static u8 get_features ()
551 {
552 u8 f = 0;
553#if ENABLE_COMPRESSION
554 f |= FEATURE_COMPRESSION;
555#endif
556#if ENABLE_ROHC
557 f |= FEATURE_ROHC;
558#endif
559#if ENABLE_BRIDGING
560 f |= FEATURE_BRIDGING;
561#endif
562 return f;
563 }
462}; 564};
463 565
464void config_packet::setup (ptype type, int dst) 566void config_packet::setup (ptype type, int dst)
465{ 567{
466 prot_major = PROTOCOL_MAJOR; 568 prot_major = PROTOCOL_MAJOR;
467 prot_minor = PROTOCOL_MINOR; 569 prot_minor = PROTOCOL_MINOR;
468 randsize = RAND_SIZE; 570 randsize = RAND_SIZE;
469 hmaclen = HMACLENGTH; 571 hmaclen = HMACLENGTH;
470 flags = curflags (); 572 flags = 0;
471 challengelen = sizeof (rsachallenge); 573 challengelen = sizeof (rsachallenge);
574 features = get_features ();
472 575
473 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 576 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
474 digest_nid = htonl (EVP_MD_type (RSA_HASH)); 577 digest_nid = htonl (EVP_MD_type (RSA_HASH));
475 hmac_nid = htonl (EVP_MD_type (DIGEST)); 578 hmac_nid = htonl (EVP_MD_type (DIGEST));
476 579
484 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR); 587 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
485 else if (randsize != RAND_SIZE) 588 else if (randsize != RAND_SIZE)
486 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE); 589 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
487 else if (hmaclen != HMACLENGTH) 590 else if (hmaclen != HMACLENGTH)
488 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH); 591 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
489 else if (flags != curflags ())
490 slog (L_WARN, _("flag mismatch (remote %x <=> local %x)"), flags, curflags ());
491 else if (challengelen != sizeof (rsachallenge)) 592 else if (challengelen != sizeof (rsachallenge))
492 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge)); 593 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
493 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER))) 594 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
494 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER)); 595 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
495 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH))) 596 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
504 605
505struct auth_req_packet : config_packet 606struct auth_req_packet : config_packet
506{ 607{
507 char magic[8]; 608 char magic[8];
508 u8 initiate; // false if this is just an automatic reply 609 u8 initiate; // false if this is just an automatic reply
509 u8 protocols; // supported protocols (will get patches on forward) 610 u8 protocols; // supported protocols (will be patched on forward)
510 u8 pad2, pad3; 611 u8 pad2, pad3;
511 rsaid id; 612 rsaid id;
512 rsaencrdata encr; 613 rsaencrdata encr;
513 614
514 auth_req_packet (int dst, bool initiate_, u8 protocols_) 615 auth_req_packet (int dst, bool initiate_, u8 protocols_)
571///////////////////////////////////////////////////////////////////////////// 672/////////////////////////////////////////////////////////////////////////////
572 673
573void 674void
574connection::connection_established () 675connection::connection_established ()
575{ 676{
677 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
678
576 if (ictx && octx) 679 if (ictx && octx)
577 { 680 {
578 connectmode = conf->connectmode; 681 // make sure rekeying timeouts are slightly asymmetric
579 682 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
580 rekey.start (NOW + ::conf.rekey); 683 rekey.start (rekey_interval, rekey_interval);
581 keepalive.start (NOW + ::conf.keepalive); 684 keepalive.start (::conf.keepalive);
582 685
583 // send queued packets 686 // send queued packets
584 if (ictx && octx) 687 if (ictx && octx)
585 { 688 {
586 while (tap_packet *p = (tap_packet *)data_queue.get ()) 689 while (tap_packet *p = (tap_packet *)data_queue.get ())
587 { 690 {
588 send_data_packet (p); 691 if (p->len) send_data_packet (p);
589 delete p; 692 delete p;
590 } 693 }
591 694
592 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ()) 695 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
593 { 696 {
594 send_vpn_packet (p, si, IPTOS_RELIABILITY); 697 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
595 delete p; 698 delete p;
596 } 699 }
597 } 700 }
598 } 701 }
599 else 702 else
600 { 703 {
601 retry_cnt = 0; 704 retry_cnt = 0;
602 establish_connection.start (NOW + 5); 705 establish_connection.start (5);
603 keepalive.reset (); 706 keepalive.stop ();
604 rekey.reset (); 707 rekey.stop ();
605 } 708 }
606} 709}
607 710
608void 711void
609connection::reset_si () 712connection::reset_si ()
611 protocol = best_protocol (THISNODE->protocols & conf->protocols); 714 protocol = best_protocol (THISNODE->protocols & conf->protocols);
612 715
613 // mask out protocols we cannot establish 716 // mask out protocols we cannot establish
614 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 717 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
615 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 718 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
719 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
720
721 if (protocol
722 && (!conf->can_direct (THISNODE)
723 || !THISNODE->can_direct (conf)))
724 {
725 slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename);
726 protocol = 0;
727 }
616 728
617 si.set (conf, protocol); 729 si.set (conf, protocol);
618} 730}
619 731
620// ensure sockinfo is valid, forward if necessary 732// ensure sockinfo is valid, forward if necessary
625 { 737 {
626 connection *r = vpn->find_router (); 738 connection *r = vpn->find_router ();
627 739
628 if (r) 740 if (r)
629 { 741 {
630 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"), 742 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s (%s)"),
631 conf->nodename, r->conf->nodename); 743 conf->nodename, r->conf->nodename, (const char *)r->si);
632 return r->si; 744 return r->si;
633 } 745 }
634 else 746 else
635 slog (L_DEBUG, _("%s: node unreachable, no common protocol"), 747 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
636 conf->nodename); 748 conf->nodename);
675connection::send_auth_request (const sockinfo &si, bool initiate) 787connection::send_auth_request (const sockinfo &si, bool initiate)
676{ 788{
677 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols); 789 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
678 790
679 rsachallenge chg; 791 rsachallenge chg;
680
681 rsa_cache.gen (pkt->id, chg); 792 rsa_cache.gen (pkt->id, chg);
682 793 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
683 if (0 > RSA_public_encrypt (sizeof chg,
684 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
685 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
686 fatal ("RSA_public_encrypt error");
687 794
688 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 795 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
689 796
690 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly 797 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
691 798
711} 818}
712 819
713void 820void
714connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 821connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
715{ 822{
716 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 823 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
717 conf->id, rid, (const char *)rsi); 824 conf->id, rid, (const char *)rsi);
718 825
719 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 826 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
720 827
721 r->hmac_set (octx); 828 r->hmac_set (octx);
722 send_vpn_packet (r, si); 829 send_vpn_packet (r, si);
723 830
724 delete r; 831 delete r;
725} 832}
726 833
727void 834inline void
728connection::establish_connection_cb (time_watcher &w) 835connection::establish_connection_cb (ev::timer &w, int revents)
729{ 836{
730 if (ictx || conf == THISNODE 837 if (!ictx
838 && conf != THISNODE
731 || connectmode == conf_node::C_NEVER 839 && connectmode != conf_node::C_NEVER
732 || connectmode == conf_node::C_DISABLED) 840 && connectmode != conf_node::C_DISABLED
733 w.at = TSTAMP_CANCEL; 841 && !w.is_active ())
734 else if (w.at <= NOW)
735 { 842 {
736 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 843 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
737 844 // and stop trying. should probably be handled by a per-connection expire handler.
738 if (retry_int < 3600 * 8) 845 if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
846 {
847 reset_connection ();
739 retry_cnt++; 848 return;
849 }
740 850
741 w.at = NOW + retry_int; 851 last_establish_attempt = ev_now ();
852
853 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
854 ? (retry_cnt & 3) + 1
855 : 1 << (retry_cnt >> 2));
742 856
743 reset_si (); 857 reset_si ();
744 858
859 bool slow = si.prot & PROT_SLOW;
860
745 if (si.prot && !si.host) 861 if (si.prot && !si.host)
862 {
863 slog (L_TRACE, _("%s: connection request (indirect)"), conf->nodename);
864 /*TODO*/ /* start the timer so we don't recurse endlessly */
865 w.start (1);
746 vpn->send_connect_request (conf->id); 866 vpn->send_connect_request (conf->id);
867 }
747 else 868 else
748 { 869 {
870 slog (L_TRACE, _("%s: connection request (direct)"), conf->nodename, !!ictx, !!octx);
871
749 const sockinfo &dsi = forward_si (si); 872 const sockinfo &dsi = forward_si (si);
873
874 slow = slow || (dsi.prot & PROT_SLOW);
750 875
751 if (dsi.valid () && auth_rate_limiter.can (dsi)) 876 if (dsi.valid () && auth_rate_limiter.can (dsi))
752 { 877 {
753 if (retry_cnt < 4) 878 if (retry_cnt < 4)
754 send_auth_request (dsi, true); 879 send_auth_request (dsi, true);
755 else 880 else
756 send_ping (dsi, 0); 881 send_ping (dsi, 0);
757 } 882 }
758 } 883 }
884
885 retry_int *= slow ? 8. : 0.9;
886
887 if (retry_int < conf->max_retry)
888 retry_cnt++;
889 else
890 retry_int = conf->max_retry;
891
892 w.start (retry_int);
759 } 893 }
760} 894}
761 895
762void 896void
763connection::reset_connection () 897connection::reset_connection ()
766 { 900 {
767 slog (L_INFO, _("%s(%s): connection lost"), 901 slog (L_INFO, _("%s(%s): connection lost"),
768 conf->nodename, (const char *)si); 902 conf->nodename, (const char *)si);
769 903
770 if (::conf.script_node_down) 904 if (::conf.script_node_down)
771 run_script (run_script_cb (this, &connection::script_node_down), false); 905 {
906 run_script_cb *cb = new run_script_cb;
907 cb->set<connection, &connection::script_node_down> (this);
908 run_script_queued (cb, _("node-down command execution failed, continuing."));
909 }
772 } 910 }
773 911
774 delete ictx; ictx = 0; 912 delete ictx; ictx = 0;
775 delete octx; octx = 0; 913 delete octx; octx = 0;
914#if ENABLE_DNS
915 dnsv4_reset_connection ();
916#endif
776 917
777 si.host= 0; 918 si.host = 0;
778 919
779 last_activity = 0; 920 last_activity = 0;
780 retry_cnt = 0; 921 retry_cnt = 0;
781 922
782 rekey.reset (); 923 rekey.stop ();
783 keepalive.reset (); 924 keepalive.stop ();
784 establish_connection.reset (); 925 establish_connection.stop ();
785} 926}
786 927
787void 928void
788connection::shutdown () 929connection::shutdown ()
789{ 930{
791 send_reset (si); 932 send_reset (si);
792 933
793 reset_connection (); 934 reset_connection ();
794} 935}
795 936
796void 937inline void
797connection::rekey_cb (time_watcher &w) 938connection::rekey_cb (ev::timer &w, int revents)
798{ 939{
799 w.at = TSTAMP_CANCEL;
800
801 reset_connection (); 940 reset_connection ();
802 establish_connection (); 941 establish_connection ();
803} 942}
804 943
805void 944void
820 if (oseqno > MAX_SEQNO) 959 if (oseqno > MAX_SEQNO)
821 rekey (); 960 rekey ();
822} 961}
823 962
824void 963void
964connection::post_inject_queue ()
965{
966 // force a connection every now and when when packets are sent (max 1/s)
967 if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
968 establish_connection.stop ();
969
970 establish_connection ();
971}
972
973void
825connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/) 974connection::inject_data_packet (tap_packet *pkt)
826{ 975{
827 if (ictx && octx) 976 if (ictx && octx)
828 send_data_packet (pkt); 977 send_data_packet (pkt);
829 else 978 else
830 { 979 {
831 if (!broadcast)//DDDD
832 data_queue.put (new tap_packet (*pkt)); 980 data_queue.put (new tap_packet (*pkt));
833 981 post_inject_queue ();
834 establish_connection ();
835 } 982 }
836} 983}
837 984
838void connection::inject_vpn_packet (vpn_packet *pkt, int tos) 985void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
839{ 986{
840 if (ictx && octx) 987 if (ictx && octx)
841 send_vpn_packet (pkt, si, tos); 988 send_vpn_packet (pkt, si, tos);
842 else 989 else
843 { 990 {
844 vpn_queue.put (new vpn_packet (*pkt)); 991 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
845 992 post_inject_queue ();
846 establish_connection ();
847 } 993 }
848} 994}
849 995
850void 996void
851connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 997connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
852{ 998{
853 last_activity = NOW; 999 last_activity = ev_now ();
854 1000
855 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 1001 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
856 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 1002 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
1003
1004 if (connectmode == conf_node::C_DISABLED)
1005 return;
857 1006
858 switch (pkt->typ ()) 1007 switch (pkt->typ ())
859 { 1008 {
860 case vpn_packet::PT_PING: 1009 case vpn_packet::PT_PING:
861 // we send pings instead of auth packets after some retries, 1010 // we send pings instead of auth packets after some retries,
908 if (p->initiate) 1057 if (p->initiate)
909 send_auth_request (rsi, false); 1058 send_auth_request (rsi, false);
910 1059
911 rsachallenge k; 1060 rsachallenge k;
912 1061
913 if (0 > RSA_private_decrypt (sizeof (p->encr), 1062 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
914 (unsigned char *)&p->encr, (unsigned char *)&k,
915 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
916 { 1063 {
917 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"), 1064 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
918 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0)); 1065 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
919 break; 1066 break;
920 } 1067 }
924 1071
925 octx = new crypto_ctx (k, 1); 1072 octx = new crypto_ctx (k, 1);
926 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 1073 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
927 1074
928 conf->protocols = p->protocols; 1075 conf->protocols = p->protocols;
1076 features = p->features & config_packet::get_features ();
929 1077
930 send_auth_response (rsi, p->id, k); 1078 send_auth_response (rsi, p->id, k);
931 1079
932 connection_established (); 1080 connection_established ();
933 1081
969 crypto_ctx *cctx = new crypto_ctx (chg, 0); 1117 crypto_ctx *cctx = new crypto_ctx (chg, 0);
970 1118
971 if (!p->hmac_chk (cctx)) 1119 if (!p->hmac_chk (cctx))
972 { 1120 {
973 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 1121 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
974 "could be an attack, or just corruption or an synchronization error"), 1122 "could be an attack, or just corruption or a synchronization error"),
975 conf->nodename, (const char *)rsi); 1123 conf->nodename, (const char *)rsi);
976 break; 1124 break;
977 } 1125 }
978 else 1126 else
979 { 1127 {
997 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), 1145 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
998 conf->nodename, (const char *)rsi, 1146 conf->nodename, (const char *)rsi,
999 p->prot_major, p->prot_minor); 1147 p->prot_major, p->prot_minor);
1000 1148
1001 if (::conf.script_node_up) 1149 if (::conf.script_node_up)
1002 run_script (run_script_cb (this, &connection::script_node_up), false); 1150 {
1151 run_script_cb *cb = new run_script_cb;
1152 cb->set<connection, &connection::script_node_up> (this);
1153 run_script_queued (cb, _("node-up command execution failed, continuing."));
1154 }
1003 1155
1004 break; 1156 break;
1005 } 1157 }
1006 else 1158 else
1007 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1159 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
1028 { 1180 {
1029 vpndata_packet *p = (vpndata_packet *)pkt; 1181 vpndata_packet *p = (vpndata_packet *)pkt;
1030 1182
1031 if (!p->hmac_chk (ictx)) 1183 if (!p->hmac_chk (ictx))
1032 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n" 1184 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1033 "could be an attack, or just corruption or an synchronization error"), 1185 "could be an attack, or just corruption or a synchronization error"),
1034 conf->nodename, (const char *)rsi); 1186 conf->nodename, (const char *)rsi);
1035 else 1187 else
1036 { 1188 {
1037 u32 seqno; 1189 u32 seqno;
1038 tap_packet *d = p->unpack (this, seqno); 1190 tap_packet *d = p->unpack (this, seqno);
1041 { 1193 {
1042 vpn->tap->send (d); 1194 vpn->tap->send (d);
1043 1195
1044 if (si != rsi) 1196 if (si != rsi)
1045 { 1197 {
1046 // fast re-sync on connection changes, useful especially for tcp/ip 1198 // fast re-sync on source address changes, useful especially for tcp/ip
1047 si = rsi; 1199 si = rsi;
1048 1200
1049 slog (L_INFO, _("%s(%s): socket address changed to %s"), 1201 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1050 conf->nodename, (const char *)si, (const char *)rsi); 1202 conf->nodename, (const char *)si, (const char *)rsi);
1051 } 1203 }
1052
1053 delete d;
1054
1055 break;
1056 } 1204 }
1205
1206 delete d;
1207 break;
1057 } 1208 }
1058 } 1209 }
1059 1210
1060 send_reset (rsi); 1211 send_reset (rsi);
1061 break; 1212 break;
1063 case vpn_packet::PT_CONNECT_REQ: 1214 case vpn_packet::PT_CONNECT_REQ:
1064 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1215 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1065 { 1216 {
1066 connect_req_packet *p = (connect_req_packet *) pkt; 1217 connect_req_packet *p = (connect_req_packet *) pkt;
1067 1218
1068 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1219 if (p->id > 0 && p->id <= vpn->conns.size ())
1069 connection *c = vpn->conns[p->id - 1];
1070 conf->protocols = p->protocols;
1071
1072 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1073 conf->id, p->id, c->ictx && c->octx);
1074
1075 if (c->ictx && c->octx)
1076 { 1220 {
1221 connection *c = vpn->conns[p->id - 1];
1222 conf->protocols = p->protocols;
1223
1224 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1225 conf->id, p->id, c->ictx && c->octx);
1226
1227 if (c->ictx && c->octx)
1228 {
1077 // send connect_info packets to both sides, in case one is 1229 // send connect_info packets to both sides, in case one is
1078 // behind a nat firewall (or both ;) 1230 // behind a nat firewall (or both ;)
1079 c->send_connect_info (conf->id, si, conf->protocols); 1231 c->send_connect_info (conf->id, si, conf->protocols);
1080 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1232 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1233 }
1234 else
1235 c->establish_connection ();
1081 } 1236 }
1082 else 1237 else
1083 c->establish_connection (); 1238 slog (L_WARN,
1239 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1240 p->id);
1084 } 1241 }
1085 1242
1086 break; 1243 break;
1087 1244
1088 case vpn_packet::PT_CONNECT_INFO: 1245 case vpn_packet::PT_CONNECT_INFO:
1089 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1246 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1090 { 1247 {
1091 connect_info_packet *p = (connect_info_packet *) pkt; 1248 connect_info_packet *p = (connect_info_packet *)pkt;
1092 1249
1093 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1250 if (p->id > 0 && p->id <= vpn->conns.size ())
1094 1251 {
1095 connection *c = vpn->conns[p->id - 1]; 1252 connection *c = vpn->conns[p->id - 1];
1096 1253
1097 c->conf->protocols = p->protocols; 1254 c->conf->protocols = p->protocols;
1098 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1255 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1099 p->si.upgrade_protocol (protocol, c->conf); 1256 p->si.upgrade_protocol (protocol, c->conf);
1100 1257
1101 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1258 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1102 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1259 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1103 1260
1104 const sockinfo &dsi = forward_si (p->si); 1261 const sockinfo &dsi = forward_si (p->si);
1105 1262
1106 if (dsi.valid ()) 1263 if (dsi.valid ())
1107 c->send_auth_request (dsi, true); 1264 c->send_auth_request (dsi, true);
1265 }
1266 else
1267 slog (L_WARN,
1268 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1269 p->id);
1108 } 1270 }
1109 1271
1110 break; 1272 break;
1111 1273
1112 default: 1274 default:
1113 send_reset (rsi); 1275 send_reset (rsi);
1114 break; 1276 break;
1115 } 1277 }
1116} 1278}
1117 1279
1118void connection::keepalive_cb (time_watcher &w) 1280inline void
1281connection::keepalive_cb (ev::timer &w, int revents)
1119{ 1282{
1120 if (NOW >= last_activity + ::conf.keepalive + 30) 1283 if (ev_now () >= last_activity + ::conf.keepalive + 30)
1121 { 1284 {
1122 reset_connection (); 1285 reset_connection ();
1123 establish_connection (); 1286 establish_connection ();
1124 } 1287 }
1125 else if (NOW < last_activity + ::conf.keepalive) 1288 else if (ev_now () < last_activity + ::conf.keepalive)
1126 w.at = last_activity + ::conf.keepalive; 1289 w.start (last_activity + ::conf.keepalive - ev::now ());
1127 else if (conf->connectmode != conf_node::C_ONDEMAND 1290 else if (conf->connectmode != conf_node::C_ONDEMAND
1128 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1291 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1129 { 1292 {
1130 send_ping (si); 1293 send_ping (si);
1131 w.at = NOW + 5; 1294 w.start (5);
1132 } 1295 }
1133 else if (NOW < last_activity + ::conf.keepalive + 10) 1296 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1134 // hold ondemand connections implicitly a few seconds longer 1297 // hold ondemand connections implicitly a few seconds longer
1135 // should delete octx, though, or something like that ;) 1298 // should delete octx, though, or something like that ;)
1136 w.at = last_activity + ::conf.keepalive + 10; 1299 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1137 else 1300 else
1138 reset_connection (); 1301 reset_connection ();
1139} 1302}
1140 1303
1141void connection::send_connect_request (int id) 1304void connection::send_connect_request (int id)
1147 send_vpn_packet (p, si); 1310 send_vpn_packet (p, si);
1148 1311
1149 delete p; 1312 delete p;
1150} 1313}
1151 1314
1315void connection::script_init_env (const char *ext)
1316{
1317 char *env;
1318 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1319 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1320 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1321 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1322 conf->id & 0xff); putenv (env);
1323}
1324
1152void connection::script_node () 1325void connection::script_init_connect_env ()
1153{ 1326{
1154 vpn->script_if_up (); 1327 vpn->script_init_env ();
1155 1328
1156 char *env; 1329 char *env;
1157 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1330 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1158 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1331 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1159 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1332 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1160 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1333 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1161} 1334}
1162 1335
1336inline const char *
1163const char *connection::script_node_up () 1337connection::script_node_up ()
1164{ 1338{
1165 script_node (); 1339 script_init_connect_env ();
1166 1340
1167 putenv ("STATE=up"); 1341 putenv ((char *)"STATE=up");
1168 1342
1343 char *filename;
1344 asprintf (&filename,
1345 "%s/%s",
1346 confbase,
1169 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1347 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1170}
1171 1348
1349 return filename;
1350}
1351
1352inline const char *
1172const char *connection::script_node_down () 1353connection::script_node_down ()
1173{ 1354{
1174 script_node (); 1355 script_init_connect_env ();
1175 1356
1176 putenv ("STATE=down"); 1357 putenv ((char *)"STATE=down");
1177 1358
1178 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1359 char *filename;
1179} 1360 asprintf (&filename,
1361 "%s/%s",
1362 confbase,
1363 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1180 1364
1365 return filename;
1366}
1367
1181connection::connection(struct vpn *vpn_) 1368connection::connection (struct vpn *vpn, conf_node *conf)
1182: vpn(vpn_) 1369: vpn(vpn), conf(conf),
1183, rekey (this, &connection::rekey_cb) 1370#if ENABLE_DNS
1184, keepalive (this, &connection::keepalive_cb) 1371 dns (0),
1372#endif
1373 data_queue(conf->max_ttl, conf->max_queue),
1374 vpn_queue(conf->max_ttl, conf->max_queue)
1375{
1376 rekey .set<connection, &connection::rekey_cb > (this);
1377 keepalive .set<connection, &connection::keepalive_cb > (this);
1185, establish_connection (this, &connection::establish_connection_cb) 1378 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1186{ 1379
1380 last_establish_attempt = 0.;
1187 octx = ictx = 0; 1381 octx = ictx = 0;
1188 retry_cnt = 0;
1189 1382
1190 connectmode = conf_node::C_ALWAYS; // initial setting 1383 if (!conf->protocols) // make sure some protocol is enabled
1384 conf->protocols = PROT_UDPv4;
1385
1386 connectmode = conf->connectmode;
1387
1388 // queue a dummy packet to force an initial connection attempt
1389 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1390 vpn_queue.put (new net_packet);
1391
1191 reset_connection (); 1392 reset_connection ();
1192} 1393}
1193 1394
1194connection::~connection () 1395connection::~connection ()
1195{ 1396{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines