ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.30 by pcg, Thu Jan 29 19:22:05 2004 UTC vs.
Revision 1.72 by pcg, Fri Aug 8 16:48:00 2008 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2004 Marc Lehmann <pcg@goof.com> 3 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de>
4 4
5 This file is part of GVPE.
6
5 This program is free software; you can redistribute it and/or modify 7 GVPE is free software; you can redistribute it and/or modify it
6 it under the terms of the GNU General Public License as published by 8 under the terms of the GNU General Public License as published by the
7 the Free Software Foundation; either version 2 of the License, or 9 Free Software Foundation; either version 3 of the License, or (at your
8 (at your option) any later version. 10 option) any later version.
9 11
10 This program is distributed in the hope that it will be useful, 12 This program is distributed in the hope that it will be useful, but
11 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
13 GNU General Public License for more details. 15 Public License for more details.
14 16
15 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License along
16 along with this program; if not, write to the Free Software 18 with this program; if not, see <http://www.gnu.org/licenses/>.
17 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19
20 Additional permission under GNU GPL version 3 section 7
21
22 If you modify this Program, or any covered work, by linking or
23 combining it with the OpenSSL project's OpenSSL library (or a modified
24 version of that library), containing parts covered by the terms of the
25 OpenSSL or SSLeay licenses, the licensors of this Program grant you
26 additional permission to convey the resulting work. Corresponding
27 Source for a non-source form of such a combination shall include the
28 source code for the parts of OpenSSL used as well as that of the
29 covered work.
18*/ 30*/
19 31
20#include "config.h" 32#include "config.h"
21 33
22#include <cassert>
23
24#include <list> 34#include <list>
35#include <queue>
36#include <utility>
25 37
26#include <openssl/rand.h> 38#include <openssl/rand.h>
27#include <openssl/evp.h> 39#include <openssl/evp.h>
28#include <openssl/rsa.h> 40#include <openssl/rsa.h>
29#include <openssl/err.h> 41#include <openssl/err.h>
30
31#include "gettext.h"
32 42
33#include "conf.h" 43#include "conf.h"
34#include "slog.h" 44#include "slog.h"
35#include "device.h" 45#include "device.h"
36#include "vpn.h" 46#include "vpn.h"
47#define ULTRA_FAST 1 57#define ULTRA_FAST 1
48#define HLOG 15 58#define HLOG 15
49#include "lzf/lzf.h" 59#include "lzf/lzf.h"
50#include "lzf/lzf_c.c" 60#include "lzf/lzf_c.c"
51#include "lzf/lzf_d.c" 61#include "lzf/lzf_d.c"
62
63//////////////////////////////////////////////////////////////////////////////
64
65static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
66static ev::child rs_child_ev;
67
68void // c++ requires external linkage here, apparently :(
69rs_child_cb (ev::child &w, int revents)
70{
71 w.stop ();
72
73 if (rs_queue.empty ())
74 return;
75
76 pid_t pid = run_script (*rs_queue.front ().first, false);
77 if (pid)
78 {
79 w.set (pid);
80 w.start ();
81 }
82 else
83 slog (L_WARN, rs_queue.front ().second);
84
85 delete rs_queue.front ().first;
86 rs_queue.pop ();
87}
88
89// despite the fancy name, this is quite a hack
90static void
91run_script_queued (run_script_cb *cb, const char *warnmsg)
92{
93 rs_queue.push (std::make_pair (cb, warnmsg));
94
95 if (!rs_child_ev.is_active ())
96 {
97 rs_child_ev.set<rs_child_cb> ();
98 rs_child_ev ();
99 }
100}
101
102//////////////////////////////////////////////////////////////////////////////
52 103
53struct crypto_ctx 104struct crypto_ctx
54{ 105{
55 EVP_CIPHER_CTX cctx; 106 EVP_CIPHER_CTX cctx;
56 HMAC_CTX hctx; 107 HMAC_CTX hctx;
84 require (EVP_DigestUpdate(&ctx, &id, sizeof id)); 135 require (EVP_DigestUpdate(&ctx, &id, sizeof id));
85 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0)); 136 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
86 EVP_MD_CTX_cleanup (&ctx); 137 EVP_MD_CTX_cleanup (&ctx);
87} 138}
88 139
89struct rsa_entry { 140struct rsa_entry
141{
90 tstamp expire; 142 tstamp expire;
91 rsaid id; 143 rsaid id;
92 rsachallenge chg; 144 rsachallenge chg;
93}; 145};
94 146
95struct rsa_cache : list<rsa_entry> 147struct rsa_cache : list<rsa_entry>
96{ 148{
97 void cleaner_cb (time_watcher &w); time_watcher cleaner; 149 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
98 150
99 bool find (const rsaid &id, rsachallenge &chg) 151 bool find (const rsaid &id, rsachallenge &chg)
100 { 152 {
101 for (iterator i = begin (); i != end (); ++i) 153 for (iterator i = begin (); i != end (); ++i)
102 { 154 {
103 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW) 155 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ())
104 { 156 {
105 memcpy (&chg, &i->chg, sizeof chg); 157 memcpy (&chg, &i->chg, sizeof chg);
106 158
107 erase (i); 159 erase (i);
108 return true; 160 return true;
109 } 161 }
110 } 162 }
111 163
112 if (cleaner.at < NOW) 164 if (!cleaner.is_active ())
113 cleaner.start (NOW + RSA_TTL); 165 cleaner.again ();
114 166
115 return false; 167 return false;
116 } 168 }
117 169
118 void gen (rsaid &id, rsachallenge &chg) 170 void gen (rsaid &id, rsachallenge &chg)
119 { 171 {
120 rsa_entry e; 172 rsa_entry e;
121 173
122 RAND_bytes ((unsigned char *)&id, sizeof id); 174 RAND_bytes ((unsigned char *)&id, sizeof id);
123 RAND_bytes ((unsigned char *)&chg, sizeof chg); 175 RAND_bytes ((unsigned char *)&chg, sizeof chg);
124 176
125 e.expire = NOW + RSA_TTL; 177 e.expire = ev_now () + RSA_TTL;
126 e.id = id; 178 e.id = id;
127 memcpy (&e.chg, &chg, sizeof chg); 179 memcpy (&e.chg, &chg, sizeof chg);
128 180
129 push_back (e); 181 push_back (e);
130 182
131 if (cleaner.at < NOW) 183 if (!cleaner.is_active ())
132 cleaner.start (NOW + RSA_TTL); 184 cleaner.again ();
133 } 185 }
134 186
135 rsa_cache () 187 rsa_cache ()
136 : cleaner (this, &rsa_cache::cleaner_cb) 188 {
137 { } 189 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
190 cleaner.set (RSA_TTL, RSA_TTL);
191 }
138 192
139} rsa_cache; 193} rsa_cache;
140 194
141void rsa_cache::cleaner_cb (time_watcher &w) 195void rsa_cache::cleaner_cb (ev::timer &w, int revents)
142{ 196{
143 if (!empty ()) 197 if (empty ())
198 w.stop ();
199 else
144 { 200 {
145 w.start (NOW + RSA_TTL);
146
147 for (iterator i = begin (); i != end (); ) 201 for (iterator i = begin (); i != end (); )
148 if (i->expire <= NOW) 202 if (i->expire <= ev_now ())
149 i = erase (i); 203 i = erase (i);
150 else 204 else
151 ++i; 205 ++i;
152 } 206 }
153} 207}
154 208
155////////////////////////////////////////////////////////////////////////////// 209//////////////////////////////////////////////////////////////////////////////
156 210
157void pkt_queue::put (net_packet *p) 211pkt_queue::pkt_queue (double max_ttl, int max_queue)
212: max_ttl (max_ttl), max_queue (max_queue)
158{ 213{
159 if (queue[i]) 214 queue = new pkt [max_queue];
160 {
161 delete queue[i];
162 j = (j + 1) % QUEUEDEPTH;
163 }
164 215
165 queue[i] = p;
166
167 i = (i + 1) % QUEUEDEPTH;
168}
169
170net_packet *pkt_queue::get ()
171{
172 net_packet *p = queue[j];
173
174 if (p)
175 {
176 queue[j] = 0;
177 j = (j + 1) % QUEUEDEPTH;
178 }
179
180 return p;
181}
182
183pkt_queue::pkt_queue ()
184{
185 memset (queue, 0, sizeof (queue));
186 i = 0; 216 i = 0;
187 j = 0; 217 j = 0;
218
219 expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
188} 220}
189 221
190pkt_queue::~pkt_queue () 222pkt_queue::~pkt_queue ()
191{ 223{
192 for (i = QUEUEDEPTH; --i > 0; ) 224 while (net_packet *p = get ())
225 delete p;
226
193 delete queue[i]; 227 delete [] queue;
194} 228}
195 229
230void pkt_queue::expire_cb (ev::timer &w, int revents)
231{
232 ev_tstamp expire = ev_now () - max_ttl;
233
234 for (;;)
235 {
236 if (empty ())
237 break;
238
239 double diff = queue[j].tstamp - expire;
240
241 if (diff >= 0.)
242 {
243 w.start (diff > 0.5 ? diff : 0.5);
244 break;
245 }
246
247 delete get ();
248 }
249}
250
251void pkt_queue::put (net_packet *p)
252{
253 ev_tstamp now = ev_now ();
254
255 // start expiry timer
256 if (empty ())
257 expire.start (max_ttl);
258
259 int ni = i + 1 == max_queue ? 0 : i + 1;
260
261 if (ni == j)
262 delete get ();
263
264 queue[i].pkt = p;
265 queue[i].tstamp = now;
266
267 i = ni;
268}
269
270net_packet *pkt_queue::get ()
271{
272 if (empty ())
273 return 0;
274
275 net_packet *p = queue[j].pkt;
276 queue[j].pkt = 0;
277
278 j = j + 1 == max_queue ? 0 : j + 1;
279
280 return p;
281}
282
196struct net_rateinfo { 283struct net_rateinfo
284{
197 u32 host; 285 u32 host;
198 double pcnt, diff; 286 double pcnt, diff;
199 tstamp last; 287 tstamp last;
200}; 288};
201 289
202// only do action once every x seconds per host whole allowing bursts. 290// only do action once every x seconds per host whole allowing bursts.
203// this implementation ("splay list" ;) is inefficient, 291// this implementation ("splay list" ;) is inefficient,
204// but low on resources. 292// but low on resources.
205struct net_rate_limiter : list<net_rateinfo> 293struct net_rate_limiter : list<net_rateinfo>
206{ 294{
207 static const double ALPHA = 1. - 1. / 600.; // allow bursts 295# define NRL_ALPHA (1. - 1. / 600.) // allow bursts
208 static const double CUTOFF = 10.; // one event every CUTOFF seconds 296# define NRL_CUTOFF 10. // one event every CUTOFF seconds
209 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 297# define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
210 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value 298# define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
211 299
212 bool can (const sockinfo &si) { return can((u32)si.host); } 300 bool can (const sockinfo &si) { return can((u32)si.host); }
213 bool can (u32 host); 301 bool can (u32 host);
214}; 302};
215 303
220 iterator i; 308 iterator i;
221 309
222 for (i = begin (); i != end (); ) 310 for (i = begin (); i != end (); )
223 if (i->host == host) 311 if (i->host == host)
224 break; 312 break;
225 else if (i->last < NOW - EXPIRE) 313 else if (i->last < ev_now () - NRL_EXPIRE)
226 i = erase (i); 314 i = erase (i);
227 else 315 else
228 i++; 316 i++;
229 317
230 if (i == end ()) 318 if (i == end ())
231 { 319 {
232 net_rateinfo ri; 320 net_rateinfo ri;
233 321
234 ri.host = host; 322 ri.host = host;
235 ri.pcnt = 1.; 323 ri.pcnt = 1.;
236 ri.diff = MAXDIF; 324 ri.diff = NRL_MAXDIF;
237 ri.last = NOW; 325 ri.last = ev_now ();
238 326
239 push_front (ri); 327 push_front (ri);
240 328
241 return true; 329 return true;
242 } 330 }
243 else 331 else
244 { 332 {
245 net_rateinfo ri (*i); 333 net_rateinfo ri (*i);
246 erase (i); 334 erase (i);
247 335
248 ri.pcnt = ri.pcnt * ALPHA; 336 ri.pcnt = ri.pcnt * NRL_ALPHA;
249 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 337 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
250 338
251 ri.last = NOW; 339 ri.last = ev_now ();
252 340
253 double dif = ri.diff / ri.pcnt; 341 double dif = ri.diff / ri.pcnt;
254 342
255 bool send = dif > CUTOFF; 343 bool send = dif > NRL_CUTOFF;
256 344
257 if (dif > MAXDIF) 345 if (dif > NRL_MAXDIF)
258 { 346 {
259 ri.pcnt = 1.; 347 ri.pcnt = 1.;
260 ri.diff = MAXDIF; 348 ri.diff = NRL_MAXDIF;
261 } 349 }
262 else if (send) 350 else if (send)
263 ri.pcnt++; 351 ri.pcnt++;
264 352
265 push_front (ri); 353 push_front (ri);
335 int outl = 0, outl2; 423 int outl = 0, outl2;
336 ptype type = PT_DATA_UNCOMPRESSED; 424 ptype type = PT_DATA_UNCOMPRESSED;
337 425
338#if ENABLE_COMPRESSION 426#if ENABLE_COMPRESSION
339 u8 cdata[MAX_MTU]; 427 u8 cdata[MAX_MTU];
340 u32 cl;
341 428
429 if (conn->features & ENABLE_COMPRESSION)
430 {
342 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 431 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
432
343 if (cl) 433 if (cl)
344 { 434 {
345 type = PT_DATA_COMPRESSED; 435 type = PT_DATA_COMPRESSED;
346 d = cdata; 436 d = cdata;
347 l = cl + 2; 437 l = cl + 2;
348 438
349 d[0] = cl >> 8; 439 d[0] = cl >> 8;
350 d[1] = cl; 440 d[1] = cl;
441 }
351 } 442 }
352#endif 443#endif
353 444
354 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0)); 445 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
355 446
448{ 539{
449 // actually, hmaclen cannot be checked because the hmac 540 // actually, hmaclen cannot be checked because the hmac
450 // field comes before this data, so peers with other 541 // field comes before this data, so peers with other
451 // hmacs simply will not work. 542 // hmacs simply will not work.
452 u8 prot_major, prot_minor, randsize, hmaclen; 543 u8 prot_major, prot_minor, randsize, hmaclen;
453 u8 flags, challengelen, pad2, pad3; 544 u8 flags, challengelen, features, pad3;
454 u32 cipher_nid, digest_nid, hmac_nid; 545 u32 cipher_nid, digest_nid, hmac_nid;
455
456 const u8 curflags () const
457 {
458 return 0x80
459 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
460 }
461 546
462 void setup (ptype type, int dst); 547 void setup (ptype type, int dst);
463 bool chk_config () const; 548 bool chk_config () const;
549
550 static u8 get_features ()
551 {
552 u8 f = 0;
553#if ENABLE_COMPRESSION
554 f |= FEATURE_COMPRESSION;
555#endif
556#if ENABLE_ROHC
557 f |= FEATURE_ROHC;
558#endif
559#if ENABLE_BRIDGING
560 f |= FEATURE_BRIDGING;
561#endif
562 return f;
563 }
464}; 564};
465 565
466void config_packet::setup (ptype type, int dst) 566void config_packet::setup (ptype type, int dst)
467{ 567{
468 prot_major = PROTOCOL_MAJOR; 568 prot_major = PROTOCOL_MAJOR;
469 prot_minor = PROTOCOL_MINOR; 569 prot_minor = PROTOCOL_MINOR;
470 randsize = RAND_SIZE; 570 randsize = RAND_SIZE;
471 hmaclen = HMACLENGTH; 571 hmaclen = HMACLENGTH;
472 flags = curflags (); 572 flags = 0;
473 challengelen = sizeof (rsachallenge); 573 challengelen = sizeof (rsachallenge);
574 features = get_features ();
474 575
475 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 576 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
476 digest_nid = htonl (EVP_MD_type (RSA_HASH)); 577 digest_nid = htonl (EVP_MD_type (RSA_HASH));
477 hmac_nid = htonl (EVP_MD_type (DIGEST)); 578 hmac_nid = htonl (EVP_MD_type (DIGEST));
478 579
486 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR); 587 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
487 else if (randsize != RAND_SIZE) 588 else if (randsize != RAND_SIZE)
488 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE); 589 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
489 else if (hmaclen != HMACLENGTH) 590 else if (hmaclen != HMACLENGTH)
490 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH); 591 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
491 else if (flags != curflags ())
492 slog (L_WARN, _("flag mismatch (remote %x <=> local %x)"), flags, curflags ());
493 else if (challengelen != sizeof (rsachallenge)) 592 else if (challengelen != sizeof (rsachallenge))
494 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge)); 593 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
495 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER))) 594 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
496 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER)); 595 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
497 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH))) 596 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
573///////////////////////////////////////////////////////////////////////////// 672/////////////////////////////////////////////////////////////////////////////
574 673
575void 674void
576connection::connection_established () 675connection::connection_established ()
577{ 676{
677 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
678
578 if (ictx && octx) 679 if (ictx && octx)
579 { 680 {
580 connectmode = conf->connectmode; 681 // make sure rekeying timeouts are slightly asymmetric
581 682 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
582 rekey.start (NOW + ::conf.rekey); 683 rekey.start (rekey_interval, rekey_interval);
583 keepalive.start (NOW + ::conf.keepalive); 684 keepalive.start (::conf.keepalive);
584 685
585 // send queued packets 686 // send queued packets
586 if (ictx && octx) 687 if (ictx && octx)
587 { 688 {
588 while (tap_packet *p = (tap_packet *)data_queue.get ()) 689 while (tap_packet *p = (tap_packet *)data_queue.get ())
589 { 690 {
590 send_data_packet (p); 691 if (p->len) send_data_packet (p);
591 delete p; 692 delete p;
592 } 693 }
593 694
594 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ()) 695 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
595 { 696 {
596 send_vpn_packet (p, si, IPTOS_RELIABILITY); 697 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
597 delete p; 698 delete p;
598 } 699 }
599 } 700 }
600 } 701 }
601 else 702 else
602 { 703 {
603 retry_cnt = 0; 704 retry_cnt = 0;
604 establish_connection.start (NOW + 5); 705 establish_connection.start (5);
605 keepalive.stop (); 706 keepalive.stop ();
606 rekey.stop (); 707 rekey.stop ();
607 } 708 }
608} 709}
609 710
610void 711void
611connection::reset_si () 712connection::reset_si ()
612{ 713{
613 protocol = best_protocol (THISNODE->protocols & conf->protocols); 714 protocol = best_protocol (THISNODE->protocols & conf->protocols);
614 715
615 // mask out protocols we cannot establish 716 // mask out endpoints we can't connect to
616 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 717 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
617 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 718 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
719 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
720
721 if (protocol
722 && (!conf->can_direct (THISNODE)
723 || !THISNODE->can_direct (conf)))
724 {
725 slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename);
726 protocol = 0;
727 }
618 728
619 si.set (conf, protocol); 729 si.set (conf, protocol);
620} 730}
621 731
622// ensure sockinfo is valid, forward if necessary 732// ensure sockinfo is valid, forward if necessary
627 { 737 {
628 connection *r = vpn->find_router (); 738 connection *r = vpn->find_router ();
629 739
630 if (r) 740 if (r)
631 { 741 {
632 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"), 742 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s (%s)"),
633 conf->nodename, r->conf->nodename); 743 conf->nodename, r->conf->nodename, (const char *)r->si);
634 return r->si; 744 return r->si;
635 } 745 }
636 else 746 else
637 slog (L_DEBUG, _("%s: node unreachable, no common protocol"), 747 slog (L_DEBUG, _("%s: node unreachable, no common protocol, no router"),
638 conf->nodename); 748 conf->nodename);
639 } 749 }
640 750
641 return si; 751 return si;
642} 752}
708} 818}
709 819
710void 820void
711connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 821connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
712{ 822{
713 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 823 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
714 conf->id, rid, (const char *)rsi); 824 conf->id, rid, (const char *)rsi);
715 825
716 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 826 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
717 827
718 r->hmac_set (octx); 828 r->hmac_set (octx);
719 send_vpn_packet (r, si); 829 send_vpn_packet (r, si);
720 830
721 delete r; 831 delete r;
722} 832}
723 833
724void 834inline void
725connection::establish_connection_cb (time_watcher &w) 835connection::establish_connection_cb (ev::timer &w, int revents)
726{ 836{
727 if (!ictx 837 if (!ictx
728 && conf != THISNODE 838 && conf != THISNODE
729 && connectmode != conf_node::C_NEVER 839 && connectmode != conf_node::C_NEVER
730 && connectmode != conf_node::C_DISABLED 840 && connectmode != conf_node::C_DISABLED
731 && NOW > w.at) 841 && !w.is_active ())
732 { 842 {
733 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 843 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
734 844 // and stop trying. should probably be handled by a per-connection expire handler.
735 if (retry_int < 3600 * 8) 845 if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
846 {
847 reset_connection ();
736 retry_cnt++; 848 return;
849 }
737 850
738 w.start (NOW + retry_int); 851 last_establish_attempt = ev_now ();
852
853 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
854 ? (retry_cnt & 3) + 1
855 : 1 << (retry_cnt >> 2));
739 856
740 reset_si (); 857 reset_si ();
741 858
859 bool slow = si.prot & PROT_SLOW;
860
742 if (si.prot && !si.host) 861 if (si.prot && !si.host)
862 {
863 slog (L_TRACE, _("%s: connection request (indirect)"), conf->nodename);
864 /*TODO*/ /* start the timer so we don't recurse endlessly */
865 w.start (1);
743 vpn->send_connect_request (conf->id); 866 vpn->send_connect_request (conf->id);
867 }
744 else 868 else
745 { 869 {
870 slog (L_TRACE, _("%s: connection request (direct)"), conf->nodename, !!ictx, !!octx);
871
746 const sockinfo &dsi = forward_si (si); 872 const sockinfo &dsi = forward_si (si);
873
874 slow = slow || (dsi.prot & PROT_SLOW);
747 875
748 if (dsi.valid () && auth_rate_limiter.can (dsi)) 876 if (dsi.valid () && auth_rate_limiter.can (dsi))
749 { 877 {
750 if (retry_cnt < 4) 878 if (retry_cnt < 4)
751 send_auth_request (dsi, true); 879 send_auth_request (dsi, true);
752 else 880 else
753 send_ping (dsi, 0); 881 send_ping (dsi, 0);
754 } 882 }
755 } 883 }
884
885 retry_int *= slow ? 8. : 0.9;
886
887 if (retry_int < conf->max_retry)
888 retry_cnt++;
889 else
890 retry_int = conf->max_retry;
891
892 w.start (retry_int);
756 } 893 }
757} 894}
758 895
759void 896void
760connection::reset_connection () 897connection::reset_connection ()
763 { 900 {
764 slog (L_INFO, _("%s(%s): connection lost"), 901 slog (L_INFO, _("%s(%s): connection lost"),
765 conf->nodename, (const char *)si); 902 conf->nodename, (const char *)si);
766 903
767 if (::conf.script_node_down) 904 if (::conf.script_node_down)
768 run_script (run_script_cb (this, &connection::script_node_down), false); 905 {
906 run_script_cb *cb = new run_script_cb;
907 cb->set<connection, &connection::script_node_down> (this);
908 run_script_queued (cb, _("node-down command execution failed, continuing."));
909 }
769 } 910 }
770 911
771 delete ictx; ictx = 0; 912 delete ictx; ictx = 0;
772 delete octx; octx = 0; 913 delete octx; octx = 0;
914#if ENABLE_DNS
915 dnsv4_reset_connection ();
916#endif
773 917
774 si.host= 0; 918 si.host = 0;
775 919
776 last_activity = 0; 920 last_activity = 0;
777 retry_cnt = 0; 921 retry_cnt = 0;
778 922
779 rekey.stop (); 923 rekey.stop ();
788 send_reset (si); 932 send_reset (si);
789 933
790 reset_connection (); 934 reset_connection ();
791} 935}
792 936
793void 937inline void
794connection::rekey_cb (time_watcher &w) 938connection::rekey_cb (ev::timer &w, int revents)
795{ 939{
796 reset_connection (); 940 reset_connection ();
797 establish_connection (); 941 establish_connection ();
798} 942}
799 943
815 if (oseqno > MAX_SEQNO) 959 if (oseqno > MAX_SEQNO)
816 rekey (); 960 rekey ();
817} 961}
818 962
819void 963void
964connection::post_inject_queue ()
965{
966 // force a connection every now and when when packets are sent (max 1/s)
967 if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
968 establish_connection.stop ();
969
970 establish_connection ();
971}
972
973void
820connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/) 974connection::inject_data_packet (tap_packet *pkt)
821{ 975{
822 if (ictx && octx) 976 if (ictx && octx)
823 send_data_packet (pkt); 977 send_data_packet (pkt);
824 else 978 else
825 { 979 {
826 if (!broadcast)//DDDD
827 data_queue.put (new tap_packet (*pkt)); 980 data_queue.put (new tap_packet (*pkt));
828 981 post_inject_queue ();
829 establish_connection ();
830 } 982 }
831} 983}
832 984
833void connection::inject_vpn_packet (vpn_packet *pkt, int tos) 985void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
834{ 986{
835 if (ictx && octx) 987 if (ictx && octx)
836 send_vpn_packet (pkt, si, tos); 988 send_vpn_packet (pkt, si, tos);
837 else 989 else
838 { 990 {
839 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt)); 991 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
840 992 post_inject_queue ();
841 establish_connection ();
842 } 993 }
843} 994}
844 995
845void 996void
846connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 997connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
847{ 998{
848 last_activity = NOW; 999 last_activity = ev_now ();
849 1000
850 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 1001 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
851 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 1002 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
1003
1004 if (connectmode == conf_node::C_DISABLED)
1005 return;
852 1006
853 switch (pkt->typ ()) 1007 switch (pkt->typ ())
854 { 1008 {
855 case vpn_packet::PT_PING: 1009 case vpn_packet::PT_PING:
856 // we send pings instead of auth packets after some retries, 1010 // we send pings instead of auth packets after some retries,
917 1071
918 octx = new crypto_ctx (k, 1); 1072 octx = new crypto_ctx (k, 1);
919 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 1073 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
920 1074
921 conf->protocols = p->protocols; 1075 conf->protocols = p->protocols;
1076 features = p->features & config_packet::get_features ();
922 1077
923 send_auth_response (rsi, p->id, k); 1078 send_auth_response (rsi, p->id, k);
924 1079
925 connection_established (); 1080 connection_established ();
926 1081
990 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), 1145 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
991 conf->nodename, (const char *)rsi, 1146 conf->nodename, (const char *)rsi,
992 p->prot_major, p->prot_minor); 1147 p->prot_major, p->prot_minor);
993 1148
994 if (::conf.script_node_up) 1149 if (::conf.script_node_up)
995 run_script (run_script_cb (this, &connection::script_node_up), false); 1150 {
1151 run_script_cb *cb = new run_script_cb;
1152 cb->set<connection, &connection::script_node_up> (this);
1153 run_script_queued (cb, _("node-up command execution failed, continuing."));
1154 }
996 1155
997 break; 1156 break;
998 } 1157 }
999 else 1158 else
1000 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1159 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
1034 { 1193 {
1035 vpn->tap->send (d); 1194 vpn->tap->send (d);
1036 1195
1037 if (si != rsi) 1196 if (si != rsi)
1038 { 1197 {
1039 // fast re-sync on connection changes, useful especially for tcp/ip 1198 // fast re-sync on source address changes, useful especially for tcp/ip
1040 si = rsi; 1199 si = rsi;
1041 1200
1042 slog (L_INFO, _("%s(%s): socket address changed to %s"), 1201 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1043 conf->nodename, (const char *)si, (const char *)rsi); 1202 conf->nodename, (const char *)si, (const char *)rsi);
1044 } 1203 }
1045
1046 delete d;
1047
1048 break;
1049 } 1204 }
1205
1206 delete d;
1207 break;
1050 } 1208 }
1051 } 1209 }
1052 1210
1053 send_reset (rsi); 1211 send_reset (rsi);
1054 break; 1212 break;
1056 case vpn_packet::PT_CONNECT_REQ: 1214 case vpn_packet::PT_CONNECT_REQ:
1057 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1215 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1058 { 1216 {
1059 connect_req_packet *p = (connect_req_packet *) pkt; 1217 connect_req_packet *p = (connect_req_packet *) pkt;
1060 1218
1061 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1219 if (p->id > 0 && p->id <= vpn->conns.size ())
1062 connection *c = vpn->conns[p->id - 1];
1063 conf->protocols = p->protocols;
1064
1065 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1066 conf->id, p->id, c->ictx && c->octx);
1067
1068 if (c->ictx && c->octx)
1069 { 1220 {
1221 connection *c = vpn->conns[p->id - 1];
1222 conf->protocols = p->protocols;
1223
1224 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1225 conf->id, p->id, c->ictx && c->octx);
1226
1227 if (c->ictx && c->octx)
1228 {
1070 // send connect_info packets to both sides, in case one is 1229 // send connect_info packets to both sides, in case one is
1071 // behind a nat firewall (or both ;) 1230 // behind a nat firewall (or both ;)
1072 c->send_connect_info (conf->id, si, conf->protocols); 1231 c->send_connect_info (conf->id, si, conf->protocols);
1073 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1232 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1233 }
1234 else
1235 c->establish_connection ();
1074 } 1236 }
1075 else 1237 else
1076 c->establish_connection (); 1238 slog (L_WARN,
1239 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1240 p->id);
1077 } 1241 }
1078 1242
1079 break; 1243 break;
1080 1244
1081 case vpn_packet::PT_CONNECT_INFO: 1245 case vpn_packet::PT_CONNECT_INFO:
1082 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1246 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1083 { 1247 {
1084 connect_info_packet *p = (connect_info_packet *) pkt; 1248 connect_info_packet *p = (connect_info_packet *)pkt;
1085 1249
1086 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1250 if (p->id > 0 && p->id <= vpn->conns.size ())
1087 1251 {
1088 connection *c = vpn->conns[p->id - 1]; 1252 connection *c = vpn->conns[p->id - 1];
1089 1253
1090 c->conf->protocols = p->protocols; 1254 c->conf->protocols = p->protocols;
1091 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1255 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1092 p->si.upgrade_protocol (protocol, c->conf); 1256 p->si.upgrade_protocol (protocol, c->conf);
1093 1257
1094 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1258 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1095 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1259 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1096 1260
1097 const sockinfo &dsi = forward_si (p->si); 1261 const sockinfo &dsi = forward_si (p->si);
1098 1262
1099 if (dsi.valid ()) 1263 if (dsi.valid ())
1100 c->send_auth_request (dsi, true); 1264 c->send_auth_request (dsi, true);
1265 }
1266 else
1267 slog (L_WARN,
1268 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1269 p->id);
1101 } 1270 }
1102 1271
1103 break; 1272 break;
1104 1273
1105 default: 1274 default:
1106 send_reset (rsi); 1275 send_reset (rsi);
1107 break; 1276 break;
1108 } 1277 }
1109} 1278}
1110 1279
1111void connection::keepalive_cb (time_watcher &w) 1280inline void
1281connection::keepalive_cb (ev::timer &w, int revents)
1112{ 1282{
1113 if (NOW >= last_activity + ::conf.keepalive + 30) 1283 if (ev_now () >= last_activity + ::conf.keepalive + 30)
1114 { 1284 {
1115 reset_connection (); 1285 reset_connection ();
1116 establish_connection (); 1286 establish_connection ();
1117 } 1287 }
1118 else if (NOW < last_activity + ::conf.keepalive) 1288 else if (ev_now () < last_activity + ::conf.keepalive)
1119 w.start (last_activity + ::conf.keepalive); 1289 w.start (last_activity + ::conf.keepalive - ev::now ());
1120 else if (conf->connectmode != conf_node::C_ONDEMAND 1290 else if (conf->connectmode != conf_node::C_ONDEMAND
1121 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1291 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1122 { 1292 {
1123 send_ping (si); 1293 send_ping (si);
1124 w.start (NOW + 5); 1294 w.start (5);
1125 } 1295 }
1126 else if (NOW < last_activity + ::conf.keepalive + 10) 1296 else if (ev_now () < last_activity + ::conf.keepalive + 10)
1127 // hold ondemand connections implicitly a few seconds longer 1297 // hold ondemand connections implicitly a few seconds longer
1128 // should delete octx, though, or something like that ;) 1298 // should delete octx, though, or something like that ;)
1129 w.start (last_activity + ::conf.keepalive + 10); 1299 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1130 else 1300 else
1131 reset_connection (); 1301 reset_connection ();
1132} 1302}
1133 1303
1134void connection::send_connect_request (int id) 1304void connection::send_connect_request (int id)
1140 send_vpn_packet (p, si); 1310 send_vpn_packet (p, si);
1141 1311
1142 delete p; 1312 delete p;
1143} 1313}
1144 1314
1315void connection::script_init_env (const char *ext)
1316{
1317 char *env;
1318 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1319 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1320 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1321 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1322 conf->id & 0xff); putenv (env);
1323}
1324
1145void connection::script_node () 1325void connection::script_init_connect_env ()
1146{ 1326{
1147 vpn->script_if_up (); 1327 vpn->script_init_env ();
1148 1328
1149 char *env; 1329 char *env;
1150 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1330 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1151 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1331 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1152 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1332 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1153 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1333 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1154} 1334}
1155 1335
1336inline const char *
1156const char *connection::script_node_up () 1337connection::script_node_up ()
1157{ 1338{
1158 script_node (); 1339 script_init_connect_env ();
1159 1340
1160 putenv ("STATE=up"); 1341 putenv ((char *)"STATE=up");
1161 1342
1343 char *filename;
1344 asprintf (&filename,
1345 "%s/%s",
1346 confbase,
1162 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1347 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1163}
1164 1348
1349 return filename;
1350}
1351
1352inline const char *
1165const char *connection::script_node_down () 1353connection::script_node_down ()
1166{ 1354{
1167 script_node (); 1355 script_init_connect_env ();
1168 1356
1169 putenv ("STATE=down"); 1357 putenv ((char *)"STATE=down");
1170 1358
1171 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1359 char *filename;
1172} 1360 asprintf (&filename,
1361 "%s/%s",
1362 confbase,
1363 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1173 1364
1365 return filename;
1366}
1367
1174connection::connection(struct vpn *vpn_) 1368connection::connection (struct vpn *vpn, conf_node *conf)
1175: vpn(vpn_) 1369: vpn(vpn), conf(conf),
1176, rekey (this, &connection::rekey_cb) 1370#if ENABLE_DNS
1177, keepalive (this, &connection::keepalive_cb) 1371 dns (0),
1372#endif
1373 data_queue(conf->max_ttl, conf->max_queue + 1),
1374 vpn_queue(conf->max_ttl, conf->max_queue + 1)
1375{
1376 rekey .set<connection, &connection::rekey_cb > (this);
1377 keepalive .set<connection, &connection::keepalive_cb > (this);
1178, establish_connection (this, &connection::establish_connection_cb) 1378 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1179{ 1379
1380 last_establish_attempt = 0.;
1180 octx = ictx = 0; 1381 octx = ictx = 0;
1181 retry_cnt = 0;
1182 1382
1183 connectmode = conf_node::C_ALWAYS; // initial setting 1383 if (!conf->protocols) // make sure some protocol is enabled
1384 conf->protocols = PROT_UDPv4;
1385
1386 connectmode = conf->connectmode;
1387
1388 // queue a dummy packet to force an initial connection attempt
1389 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1390 vpn_queue.put (new net_packet);
1391
1184 reset_connection (); 1392 reset_connection ();
1185} 1393}
1186 1394
1187connection::~connection () 1395connection::~connection ()
1188{ 1396{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines