ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.17 by pcg, Mon Sep 1 21:23:35 2003 UTC vs.
Revision 1.98 by root, Tue Jul 16 16:44:36 2013 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2008,2010,2011,2013 Marc Lehmann <gvpe@schmorp.de>
3 4
5 This file is part of GVPE.
6
4 This program is free software; you can redistribute it and/or modify 7 GVPE is free software; you can redistribute it and/or modify it
5 it under the terms of the GNU General Public License as published by 8 under the terms of the GNU General Public License as published by the
6 the Free Software Foundation; either version 2 of the License, or 9 Free Software Foundation; either version 3 of the License, or (at your
7 (at your option) any later version. 10 option) any later version.
8 11
9 This program is distributed in the hope that it will be useful, 12 This program is distributed in the hope that it will be useful, but
10 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
12 GNU General Public License for more details. 15 Public License for more details.
13 16
14 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License along
15 along with this program; if not, write to the Free Software 18 with this program; if not, see <http://www.gnu.org/licenses/>.
16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19
20 Additional permission under GNU GPL version 3 section 7
21
22 If you modify this Program, or any covered work, by linking or
23 combining it with the OpenSSL project's OpenSSL library (or a modified
24 version of that library), containing parts covered by the terms of the
25 OpenSSL or SSLeay licenses, the licensors of this Program grant you
26 additional permission to convey the resulting work. Corresponding
27 Source for a non-source form of such a combination shall include the
28 source code for the parts of OpenSSL used as well as that of the
29 covered work.
17*/ 30*/
18 31
19#include "config.h" 32#include "config.h"
20 33
21extern "C" {
22# include "lzf/lzf.h"
23}
24
25#include <list> 34#include <list>
35#include <queue>
36#include <utility>
26 37
27#include <openssl/rand.h> 38#include <openssl/rand.h>
28#include <openssl/evp.h> 39#include <openssl/evp.h>
29#include <openssl/rsa.h> 40#include <openssl/rsa.h>
30#include <openssl/err.h> 41#include <openssl/err.h>
31
32#include "gettext.h"
33 42
34#include "conf.h" 43#include "conf.h"
35#include "slog.h" 44#include "slog.h"
36#include "device.h" 45#include "device.h"
37#include "vpn.h" 46#include "vpn.h"
38#include "connection.h" 47#include "connection.h"
48#include "hkdf.h"
39 49
40#if !HAVE_RAND_PSEUDO_BYTES 50#include "netcompat.h"
41# define RAND_pseudo_bytes RAND_bytes
42#endif
43 51
44#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 52#define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic
53
54#define ULTRA_FAST 1
55#define HLOG 15
56#include "lzf/lzf.h"
57#include "lzf/lzf_c.c"
58#include "lzf/lzf_d.c"
59
60//////////////////////////////////////////////////////////////////////////////
61
62static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
63static ev::child rs_child_ev;
64
65namespace
66{
67 void // c++ requires external linkage here, apparently :(
68 rs_child_cb (ev::child &w, int revents)
69 {
70 w.stop ();
71
72 if (rs_queue.empty ())
73 return;
74
75 pid_t pid = run_script (*rs_queue.front ().first, false);
76 if (pid)
77 {
78 w.set (pid);
79 w.start ();
80 }
81 else
82 slog (L_WARN, rs_queue.front ().second);
83
84 delete rs_queue.front ().first;
85 rs_queue.pop ();
86 }
87};
88
89// despite the fancy name, this is quite a hack
90static void
91run_script_queued (run_script_cb *cb, const char *warnmsg)
92{
93 rs_queue.push (std::make_pair (cb, warnmsg));
94
95 if (!rs_child_ev.is_active ())
96 {
97 rs_child_ev.set<rs_child_cb> ();
98 rs_child_ev ();
99 }
100}
101
102//////////////////////////////////////////////////////////////////////////////
45 103
46struct crypto_ctx 104struct crypto_ctx
47{ 105{
48 EVP_CIPHER_CTX cctx; 106 EVP_CIPHER_CTX cctx;
49 HMAC_CTX hctx; 107 HMAC_CTX hctx;
50 108
51 crypto_ctx (const rsachallenge &challenge, int enc); 109 crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc);
52 ~crypto_ctx (); 110 ~crypto_ctx ();
53}; 111};
54 112
55crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc) 113crypto_ctx::crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc)
56{ 114{
115 ecdh_key s;
116
117 curve25519_combine (a, b, s);
118
119 {
120 u8 mac_key[MAC_KEYSIZE];
121 static const unsigned char mac_info[] = "gvpe mac key";
122
123 hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt));
124 kdf.extract (auth2.rsa.ikm, sizeof (auth2.rsa.ikm));
125 kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key));
126 kdf.extract (s, sizeof (s));
127 kdf.extract_done ();
128 kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info));
129
130 HMAC_CTX_init (&hctx);
131 require (HMAC_Init_ex (&hctx, mac_key, MAC_KEYSIZE, MAC_DIGEST (), 0));
132 }
133
134 {
135 u8 cipher_key[CIPHER_KEYSIZE];
136 static const unsigned char cipher_info[] = "gvpe cipher key";
137
138 hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt));
139 kdf.extract (auth2.rsa.ikm, sizeof (auth2.rsa.ikm));
140 kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key));
141 kdf.extract (s, sizeof (s));
142 kdf.extract_done ();
143 kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info));
144
57 EVP_CIPHER_CTX_init (&cctx); 145 EVP_CIPHER_CTX_init (&cctx);
58 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); 146 require (EVP_CipherInit_ex (&cctx, CIPHER (), 0, cipher_key, 0, enc));
59 HMAC_CTX_init (&hctx); 147 }
60 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
61} 148}
62 149
63crypto_ctx::~crypto_ctx () 150crypto_ctx::~crypto_ctx ()
64{ 151{
65 EVP_CIPHER_CTX_cleanup (&cctx); 152 require (EVP_CIPHER_CTX_cleanup (&cctx));
66 HMAC_CTX_cleanup (&hctx); 153 HMAC_CTX_cleanup (&hctx);
67} 154}
68 155
156static inline void
157auth_encrypt (RSA *key, const auth_data &auth, auth_encr &encr)
158{
159 if (RSA_public_encrypt (sizeof (auth.rsa),
160 (unsigned char *)&auth.rsa, (unsigned char *)&encr.rsa,
161 key, RSA_PKCS1_OAEP_PADDING) < 0)
162 fatal ("RSA_public_encrypt error");
163}
164
165static inline bool
166auth_decrypt (RSA *key, const auth_encr &encr, auth_data &auth)
167{
168 u8 rsa_decrypt[RSA_KEYLEN];
169
170 if (RSA_private_decrypt (sizeof (encr.rsa),
171 (const unsigned char *)&encr.rsa, (unsigned char *)rsa_decrypt,
172 key, RSA_PKCS1_OAEP_PADDING) != sizeof (auth.rsa))
173 return 0;
174
175 memcpy (&auth.rsa, rsa_decrypt, sizeof (auth.rsa));
176
177 return 1;
178}
179
69static void 180static void
70rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h) 181auth_hash (const auth_data &auth, auth_mac &mac)
71{ 182{
72 EVP_MD_CTX ctx; 183 HMAC_CTX ctx;
73 184
74 EVP_MD_CTX_init (&ctx); 185 HMAC_CTX_init (&ctx);
75 EVP_DigestInit (&ctx, RSA_HASH); 186 require (HMAC_Init_ex (&ctx, auth.rsa.auth_key, sizeof (auth.rsa.auth_key), AUTH_DIGEST (), 0));
76 EVP_DigestUpdate(&ctx, &chg, sizeof chg); 187 require (HMAC_Update (&ctx, (const unsigned char *)&auth, sizeof auth));
77 EVP_DigestUpdate(&ctx, &id, sizeof id); 188 require (HMAC_Final (&ctx, (unsigned char *)&mac, 0));
78 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
79 EVP_MD_CTX_cleanup (&ctx); 189 HMAC_CTX_cleanup (&ctx);
80} 190}
81 191
82struct rsa_entry { 192void
83 tstamp expire; 193connection::generate_auth_data ()
84 rsaid id;
85 rsachallenge chg;
86};
87
88struct rsa_cache : list<rsa_entry>
89{ 194{
90 void cleaner_cb (time_watcher &w); time_watcher cleaner; 195 if (auth_expire < ev_now ())
91
92 bool find (const rsaid &id, rsachallenge &chg)
93 {
94 for (iterator i = begin (); i != end (); ++i)
95 {
96 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
97 {
98 memcpy (&chg, &i->chg, sizeof chg);
99
100 erase (i);
101 return true;
102 }
103 }
104
105 if (cleaner.at < NOW)
106 cleaner.start (NOW + RSA_TTL);
107
108 return false;
109 }
110
111 void gen (rsaid &id, rsachallenge &chg)
112 {
113 rsa_entry e;
114
115 RAND_bytes ((unsigned char *)&id, sizeof id);
116 RAND_bytes ((unsigned char *)&chg, sizeof chg);
117
118 e.expire = NOW + RSA_TTL;
119 e.id = id;
120 memcpy (&e.chg, &chg, sizeof chg);
121
122 push_back (e);
123
124 if (cleaner.at < NOW)
125 cleaner.start (NOW + RSA_TTL);
126 }
127
128 rsa_cache ()
129 : cleaner (this, &rsa_cache::cleaner_cb)
130 { } 196 {
197 // request data
198 RAND_pseudo_bytes ((unsigned char *)&snd_auth.rsa, sizeof snd_auth.rsa);
199 curve25519_generate (snd_ecdh_a, snd_auth.ecdh);
200 auth_hash (snd_auth, snd_auth_mac);
131 201
132} rsa_cache; 202 // eventual response data
133 203 curve25519_generate (rcv_ecdh_a, rcv_ecdh_b);
134void rsa_cache::cleaner_cb (time_watcher &w)
135{
136 if (empty ())
137 w.at = TSTAMP_CANCEL;
138 else
139 { 204 }
140 w.at = NOW + RSA_TTL;
141 205
142 for (iterator i = begin (); i != end (); ) 206 // every use prolongs the expiry
143 if (i->expire <= NOW) 207 auth_expire = ev_now () + AUTH_TTL;
144 i = erase (i);
145 else
146 ++i;
147 }
148} 208}
149 209
150////////////////////////////////////////////////////////////////////////////// 210//////////////////////////////////////////////////////////////////////////////
151 211
152void pkt_queue::put (net_packet *p) 212pkt_queue::pkt_queue (double max_ttl, int max_queue)
213: max_ttl (max_ttl), max_queue (max_queue)
153{ 214{
154 if (queue[i]) 215 queue = new pkt [max_queue];
155 {
156 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH;
158 }
159 216
160 queue[i] = p;
161
162 i = (i + 1) % QUEUEDEPTH;
163}
164
165net_packet *pkt_queue::get ()
166{
167 net_packet *p = queue[j];
168
169 if (p)
170 {
171 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH;
173 }
174
175 return p;
176}
177
178pkt_queue::pkt_queue ()
179{
180 memset (queue, 0, sizeof (queue));
181 i = 0; 217 i = 0;
182 j = 0; 218 j = 0;
219
220 expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
183} 221}
184 222
185pkt_queue::~pkt_queue () 223pkt_queue::~pkt_queue ()
186{ 224{
187 for (i = QUEUEDEPTH; --i > 0; ) 225 while (net_packet *p = get ())
226 delete p;
227
188 delete queue[i]; 228 delete [] queue;
189} 229}
190 230
231void
232pkt_queue::expire_cb (ev::timer &w, int revents)
233{
234 ev_tstamp expire = ev_now () - max_ttl;
235
236 for (;;)
237 {
238 if (empty ())
239 break;
240
241 double diff = queue[j].tstamp - expire;
242
243 if (diff >= 0.)
244 {
245 w.start (diff > 0.5 ? diff : 0.5);
246 break;
247 }
248
249 delete get ();
250 }
251}
252
253void
254pkt_queue::put (net_packet *p)
255{
256 ev_tstamp now = ev_now ();
257
258 // start expiry timer
259 if (empty ())
260 expire.start (max_ttl);
261
262 int ni = i + 1 == max_queue ? 0 : i + 1;
263
264 if (ni == j)
265 delete get ();
266
267 queue[i].pkt = p;
268 queue[i].tstamp = now;
269
270 i = ni;
271}
272
273net_packet *
274pkt_queue::get ()
275{
276 if (empty ())
277 return 0;
278
279 net_packet *p = queue[j].pkt;
280 queue[j].pkt = 0;
281
282 j = j + 1 == max_queue ? 0 : j + 1;
283
284 return p;
285}
286
191struct net_rateinfo { 287struct net_rateinfo
288{
192 u32 host; 289 u32 host;
193 double pcnt, diff; 290 double pcnt, diff;
194 tstamp last; 291 tstamp last;
195}; 292};
196 293
197// only do action once every x seconds per host whole allowing bursts. 294// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 295// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 296// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 297struct net_rate_limiter : list<net_rateinfo>
201{ 298{
202 static const double ALPHA = 1. - 1. / 600.; // allow bursts 299# define NRL_ALPHA (1. - 1. / 600.) // allow bursts
203 static const double CUTOFF = 10.; // one event every CUTOFF seconds 300# define NRL_CUTOFF 10. // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 301# define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
205 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value 302# define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
206 303
207 bool can (const sockinfo &si) { return can((u32)si.host); } 304 bool can (const sockinfo &si) { return can((u32)si.host); }
208 bool can (u32 host); 305 bool can (u32 host);
209}; 306};
210 307
211net_rate_limiter auth_rate_limiter, reset_rate_limiter; 308static net_rate_limiter auth_rate_limiter, reset_rate_limiter;
212 309
310bool
213bool net_rate_limiter::can (u32 host) 311net_rate_limiter::can (u32 host)
214{ 312{
215 iterator i; 313 iterator i;
216 314
217 for (i = begin (); i != end (); ) 315 for (i = begin (); i != end (); )
218 if (i->host == host) 316 if (i->host == host)
219 break; 317 break;
220 else if (i->last < NOW - EXPIRE) 318 else if (i->last < ev_now () - NRL_EXPIRE)
221 i = erase (i); 319 i = erase (i);
222 else 320 else
223 i++; 321 i++;
224 322
225 if (i == end ()) 323 if (i == end ())
226 { 324 {
227 net_rateinfo ri; 325 net_rateinfo ri;
228 326
229 ri.host = host; 327 ri.host = host;
230 ri.pcnt = 1.; 328 ri.pcnt = 1.;
231 ri.diff = MAXDIF; 329 ri.diff = NRL_MAXDIF;
232 ri.last = NOW; 330 ri.last = ev_now ();
233 331
234 push_front (ri); 332 push_front (ri);
235 333
236 return true; 334 return true;
237 } 335 }
238 else 336 else
239 { 337 {
240 net_rateinfo ri (*i); 338 net_rateinfo ri (*i);
241 erase (i); 339 erase (i);
242 340
243 ri.pcnt = ri.pcnt * ALPHA; 341 ri.pcnt = ri.pcnt * NRL_ALPHA;
244 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 342 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
245 343
246 ri.last = NOW; 344 ri.last = ev_now ();
247 345
248 double dif = ri.diff / ri.pcnt; 346 double dif = ri.diff / ri.pcnt;
249 347
250 bool send = dif > CUTOFF; 348 bool send = dif > NRL_CUTOFF;
251 349
252 if (dif > MAXDIF) 350 if (dif > NRL_MAXDIF)
253 { 351 {
254 ri.pcnt = 1.; 352 ri.pcnt = 1.;
255 ri.diff = MAXDIF; 353 ri.diff = NRL_MAXDIF;
256 } 354 }
257 else if (send) 355 else if (send)
258 ri.pcnt++; 356 ri.pcnt++;
259 357
260 push_front (ri); 358 push_front (ri);
265 363
266///////////////////////////////////////////////////////////////////////////// 364/////////////////////////////////////////////////////////////////////////////
267 365
268unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE]; 366unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
269 367
368void
270void hmac_packet::hmac_gen (crypto_ctx *ctx) 369hmac_packet::hmac_gen (crypto_ctx *ctx)
271{ 370{
272 unsigned int xlen; 371 unsigned int xlen;
273 372
274 HMAC_CTX *hctx = &ctx->hctx; 373 HMAC_CTX *hctx = &ctx->hctx;
275 374
276 HMAC_Init_ex (hctx, 0, 0, 0, 0); 375 require (HMAC_Init_ex (hctx, 0, 0, 0, 0));
277 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), 376 require (HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
278 len - sizeof (hmac_packet)); 377 len - sizeof (hmac_packet)));
279 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen); 378 require (HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen));
280} 379}
281 380
282void 381void
283hmac_packet::hmac_set (crypto_ctx *ctx) 382hmac_packet::hmac_set (crypto_ctx *ctx)
284{ 383{
293 hmac_gen (ctx); 392 hmac_gen (ctx);
294 393
295 return !memcmp (hmac, hmac_digest, HMACLENGTH); 394 return !memcmp (hmac, hmac_digest, HMACLENGTH);
296} 395}
297 396
397void
298void vpn_packet::set_hdr (ptype type_, unsigned int dst) 398vpn_packet::set_hdr (ptype type_, unsigned int dst)
299{ 399{
300 type = type_; 400 type = type_;
301 401
302 int src = THISNODE->id; 402 int src = THISNODE->id;
303 403
307} 407}
308 408
309#define MAXVPNDATA (MAX_MTU - 6 - 6) 409#define MAXVPNDATA (MAX_MTU - 6 - 6)
310#define DATAHDR (sizeof (u32) + RAND_SIZE) 410#define DATAHDR (sizeof (u32) + RAND_SIZE)
311 411
312struct vpndata_packet:vpn_packet 412struct vpndata_packet : vpn_packet
413{
414 u8 data[MAXVPNDATA + DATAHDR]; // seqno
415
416 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
417 tap_packet *unpack (connection *conn, u32 &seqno);
418
419private:
420 const u32 data_hdr_size () const
313 { 421 {
314 u8 data[MAXVPNDATA + DATAHDR]; // seqno
315
316 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
317 tap_packet *unpack (connection *conn, u32 &seqno);
318private:
319
320 const u32 data_hdr_size () const
321 {
322 return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR; 422 return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
323 }
324 }; 423 }
424};
325 425
326void 426void
327vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno) 427vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
328{ 428{
329 EVP_CIPHER_CTX *cctx = &conn->octx->cctx; 429 EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
330 int outl = 0, outl2; 430 int outl = 0, outl2;
331 ptype type = PT_DATA_UNCOMPRESSED; 431 ptype type = PT_DATA_UNCOMPRESSED;
332 432
333#if ENABLE_COMPRESSION 433#if ENABLE_COMPRESSION
334 u8 cdata[MAX_MTU]; 434 u8 cdata[MAX_MTU];
335 u32 cl;
336 435
436 if (conn->features & FEATURE_COMPRESSION)
437 {
337 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 438 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
439
338 if (cl) 440 if (cl)
339 { 441 {
340 type = PT_DATA_COMPRESSED; 442 type = PT_DATA_COMPRESSED;
341 d = cdata; 443 d = cdata;
342 l = cl + 2; 444 l = cl + 2;
343 445
344 d[0] = cl >> 8; 446 d[0] = cl >> 8;
345 d[1] = cl; 447 d[1] = cl;
448 }
346 } 449 }
347#endif 450#endif
348 451
349 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 452 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 1));
350 453
351 struct { 454 struct {
352#if RAND_SIZE 455#if RAND_SIZE
353 u8 rnd[RAND_SIZE]; 456 u8 rnd[RAND_SIZE];
354#endif 457#endif
358 datahdr.seqno = ntohl (seqno); 461 datahdr.seqno = ntohl (seqno);
359#if RAND_SIZE 462#if RAND_SIZE
360 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 463 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
361#endif 464#endif
362 465
363 EVP_EncryptUpdate (cctx, 466 require (EVP_EncryptUpdate (cctx,
364 (unsigned char *) data + outl, &outl2, 467 (unsigned char *) data + outl, &outl2,
365 (unsigned char *) &datahdr, DATAHDR); 468 (unsigned char *) &datahdr, DATAHDR));
366 outl += outl2; 469 outl += outl2;
367 470
368 EVP_EncryptUpdate (cctx, 471 require (EVP_EncryptUpdate (cctx,
369 (unsigned char *) data + outl, &outl2, 472 (unsigned char *) data + outl, &outl2,
370 (unsigned char *) d, l); 473 (unsigned char *) d, l));
371 outl += outl2; 474 outl += outl2;
372 475
373 EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2); 476 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
374 outl += outl2; 477 outl += outl2;
375 478
376 len = outl + data_hdr_size (); 479 len = outl + data_hdr_size ();
377 480
378 set_hdr (type, dst); 481 set_hdr (type, dst);
387 int outl = 0, outl2; 490 int outl = 0, outl2;
388 tap_packet *p = new tap_packet; 491 tap_packet *p = new tap_packet;
389 u8 *d; 492 u8 *d;
390 u32 l = len - data_hdr_size (); 493 u32 l = len - data_hdr_size ();
391 494
392 EVP_DecryptInit_ex (cctx, 0, 0, 0, 0); 495 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 0));
393 496
394#if ENABLE_COMPRESSION 497#if ENABLE_COMPRESSION
395 u8 cdata[MAX_MTU]; 498 u8 cdata[MAX_MTU];
396 499
397 if (type == PT_DATA_COMPRESSED) 500 if (type == PT_DATA_COMPRESSED)
399 else 502 else
400#endif 503#endif
401 d = &(*p)[6 + 6 - DATAHDR]; 504 d = &(*p)[6 + 6 - DATAHDR];
402 505
403 /* this overwrites part of the src mac, but we fix that later */ 506 /* this overwrites part of the src mac, but we fix that later */
404 EVP_DecryptUpdate (cctx, 507 require (EVP_DecryptUpdate (cctx,
405 d, &outl2, 508 d, &outl2,
406 (unsigned char *)&data, len - data_hdr_size ()); 509 (unsigned char *)&data, len - data_hdr_size ()));
407 outl += outl2; 510 outl += outl2;
408 511
409 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 512 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
410 outl += outl2; 513 outl += outl2;
411 514
412 seqno = ntohl (*(u32 *)(d + RAND_SIZE)); 515 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
413 516
414 id2mac (dst () ? dst() : THISNODE->id, p->dst); 517 id2mac (dst () ? dst() : THISNODE->id, p->dst);
439 } 542 }
440}; 543};
441 544
442struct config_packet : vpn_packet 545struct config_packet : vpn_packet
443{ 546{
444 // actually, hmaclen cannot be checked because the hmac
445 // field comes before this data, so peers with other
446 // hmacs simply will not work.
447 u8 prot_major, prot_minor, randsize, hmaclen; 547 u8 prot_major, prot_minor, randsize;
448 u8 flags, challengelen, pad2, pad3; 548 u8 flags, features, pad6, pad7, pad8;
449 u32 cipher_nid, digest_nid, hmac_nid; 549 u32 cipher_nid, mac_nid, auth_nid;
450
451 const u8 curflags () const
452 {
453 return 0x80
454 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
455 }
456 550
457 void setup (ptype type, int dst); 551 void setup (ptype type, int dst);
458 bool chk_config () const; 552 bool chk_config () const;
553
554 static u8 get_features ()
555 {
556 u8 f = 0;
557#if ENABLE_COMPRESSION
558 f |= FEATURE_COMPRESSION;
559#endif
560#if ENABLE_ROHC
561 f |= FEATURE_ROHC;
562#endif
563#if ENABLE_BRIDGING
564 f |= FEATURE_BRIDGING;
565#endif
566 return f;
567 }
459}; 568};
460 569
570void
461void config_packet::setup (ptype type, int dst) 571config_packet::setup (ptype type, int dst)
462{ 572{
463 prot_major = PROTOCOL_MAJOR; 573 prot_major = PROTOCOL_MAJOR;
464 prot_minor = PROTOCOL_MINOR; 574 prot_minor = PROTOCOL_MINOR;
465 randsize = RAND_SIZE; 575 randsize = RAND_SIZE;
466 hmaclen = HMACLENGTH; 576 flags = 0;
467 flags = curflags (); 577 features = get_features ();
468 challengelen = sizeof (rsachallenge);
469 578
470 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 579 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER ()));
471 digest_nid = htonl (EVP_MD_type (RSA_HASH));
472 hmac_nid = htonl (EVP_MD_type (DIGEST)); 580 mac_nid = htonl (EVP_MD_type (MAC_DIGEST ()));
581 auth_nid = htonl (EVP_MD_type (AUTH_DIGEST ()));
473 582
474 len = sizeof (*this) - sizeof (net_packet); 583 len = sizeof (*this) - sizeof (net_packet);
475 set_hdr (type, dst); 584 set_hdr (type, dst);
476} 585}
477 586
587bool
478bool config_packet::chk_config () const 588config_packet::chk_config () const
479{ 589{
480 if (prot_major != PROTOCOL_MAJOR) 590 if (prot_major != PROTOCOL_MAJOR)
481 slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR); 591 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
482 else if (randsize != RAND_SIZE) 592 else if (randsize != RAND_SIZE)
483 slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE); 593 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
484 else if (hmaclen != HMACLENGTH)
485 slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH);
486 else if (flags != curflags ())
487 slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
488 else if (challengelen != sizeof (rsachallenge))
489 slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge));
490 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER))) 594 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER ())))
491 slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER)); 595 slog (L_WARN, _("cipher algo mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER ()));
492 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
493 slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
494 else if (hmac_nid != htonl (EVP_MD_type (DIGEST))) 596 else if (mac_nid != htonl (EVP_MD_type (MAC_DIGEST ())))
495 slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST)); 597 slog (L_WARN, _("mac algo mismatch (remote %x <=> local %x)"), ntohl (mac_nid), EVP_MD_type (MAC_DIGEST ()));
598 else if (auth_nid != htonl (EVP_MD_type (AUTH_DIGEST ())))
599 slog (L_WARN, _("auth algo mismatch (remote %x <=> local %x)"), ntohl (auth_nid), EVP_MD_type (AUTH_DIGEST ()));
496 else 600 else
497 return true; 601 return true;
498 602
499 return false; 603 return false;
500} 604}
501 605
502struct auth_req_packet : config_packet 606struct auth_req_packet : config_packet // UNPROTECTED
503{ 607{
504 char magic[8]; 608 char magic[8];
505 u8 initiate; // false if this is just an automatic reply 609 u8 initiate; // false if this is just an automatic reply
506 u8 protocols; // supported protocols (will get patches on forward) 610 u8 protocols; // supported protocols (will be patched on forward)
507 u8 pad2, pad3; 611 u8 pad2, pad3;
508 rsaid id; 612 auth_encr encr;
509 rsaencrdata encr;
510 613
511 auth_req_packet (int dst, bool initiate_, u8 protocols_) 614 auth_req_packet (int dst, bool initiate_, u8 protocols_)
512 { 615 {
513 config_packet::setup (PT_AUTH_REQ, dst); 616 config_packet::setup (PT_AUTH_REQ, dst);
514 strncpy (magic, MAGIC, 8); 617 memcpy (magic, MAGIC, 8);
515 initiate = !!initiate_; 618 initiate = !!initiate_;
516 protocols = protocols_; 619 protocols = protocols_;
517 620
518 len = sizeof (*this) - sizeof (net_packet); 621 len = sizeof (*this) - sizeof (net_packet);
519 } 622 }
520}; 623};
521 624
522struct auth_res_packet : config_packet 625struct auth_res_packet : config_packet // UNPROTECTED
523{ 626{
524 rsaid id;
525 u8 pad1, pad2, pad3;
526 u8 response_len; // encrypted length
527 rsaresponse response; 627 auth_response response;
528 628
529 auth_res_packet (int dst) 629 auth_res_packet (int dst)
530 { 630 {
531 config_packet::setup (PT_AUTH_RES, dst); 631 config_packet::setup (PT_AUTH_RES, dst);
532 632
566}; 666};
567 667
568///////////////////////////////////////////////////////////////////////////// 668/////////////////////////////////////////////////////////////////////////////
569 669
570void 670void
571connection::connection_established () 671connection::connection_established (const sockinfo &rsi)
572{ 672{
673 if (!have_snd_auth || !have_rcv_auth)
674 return;
675
676 si = rsi;
677 protocol = rsi.prot;
678
679 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
680 conf->nodename, (const char *)rsi,
681 is_direct ? "direct" : "forwarded",
682 PROTOCOL_MAJOR, prot_minor);
683
684 if (::conf.script_node_up)
685 {
686 run_script_cb *cb = new run_script_cb;
687 cb->set<connection, &connection::script_node_up> (this);
688 run_script_queued (cb, _("node-up command execution failed, continuing."));
689 }
690
691 delete ictx; ictx = new crypto_ctx (rcv_auth, snd_auth, rcv_ecdh_a, rcv_auth.ecdh, 0);
692 iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff);
693
694 delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b , 1);
695 oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff;
696
573 if (ictx && octx) 697 if (ictx && octx)
574 { 698 {
575 connectmode = conf->connectmode; 699 // make sure rekeying timeouts are slightly asymmetric
700 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
701 rekey.start (rekey_interval, rekey_interval);
576 702
577 rekey.start (NOW + ::conf.rekey);
578 keepalive.start (NOW + ::conf.keepalive); 703 keepalive.start (::conf.keepalive);
579 704
580 // send queued packets 705 // send queued packets
581 if (ictx && octx) 706 if (ictx && octx)
582 { 707 {
583 while (tap_packet *p = (tap_packet *)data_queue.get ()) 708 while (tap_packet *p = (tap_packet *)data_queue.get ())
584 { 709 {
585 send_data_packet (p); 710 if (p->len) send_data_packet (p);
586 delete p; 711 delete p;
587 } 712 }
588 713
589 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ()) 714 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
590 { 715 {
591 send_vpn_packet (p, si, IPTOS_RELIABILITY); 716 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
592 delete p; 717 delete p;
593 } 718 }
594 } 719 }
720
721 vpn->connection_established (this);
595 } 722 }
723#if 0
596 else 724 else
597 { 725 {
598 retry_cnt = 0; 726 retry_cnt = 0;
599 establish_connection.start (NOW + 5); 727 establish_connection.start (5);
600 keepalive.reset (); 728 keepalive.stop ();
601 rekey.reset (); 729 rekey.stop ();
602 } 730 }
731#endif
603} 732}
604 733
605void 734void
606connection::reset_si () 735connection::reset_si ()
607{ 736{
737 if (vpn->can_direct (THISNODE, conf))
608 protocol = best_protocol (THISNODE->protocols & conf->protocols); 738 protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
609 739 else
610 // mask out protocols we cannot establish 740 {
611 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 741 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
612 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 742 protocol = 0;
743 }
613 744
614 si.set (conf, protocol); 745 si.set (conf, protocol);
746
747 is_direct = si.valid ();
615} 748}
616 749
617// ensure sockinfo is valid, forward if necessary 750// ensure sockinfo is valid, forward if necessary
618const sockinfo & 751const sockinfo &
619connection::forward_si (const sockinfo &si) const 752connection::forward_si (const sockinfo &si) const
620{ 753{
621 if (!si.valid ()) 754 if (!si.valid ())
622 { 755 {
623 connection *r = vpn->find_router (); 756 connection *r = vpn->find_router_for (this);
624 757
625 if (r) 758 if (r)
626 { 759 {
627 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"), 760 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
628 conf->nodename, r->conf->nodename); 761 conf->nodename, r->conf->nodename);
629 return r->si; 762 return r->si;
630 } 763 }
631 else 764 else
632 slog (L_DEBUG, _("%s: node unreachable, no common protocol"), 765 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
633 conf->nodename); 766 conf->nodename);
634 } 767 }
635 768
636 return si; 769 return si;
637} 770}
647connection::send_ping (const sockinfo &si, u8 pong) 780connection::send_ping (const sockinfo &si, u8 pong)
648{ 781{
649 ping_packet *pkt = new ping_packet; 782 ping_packet *pkt = new ping_packet;
650 783
651 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 784 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
785
786 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
652 send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 787 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
653 788
654 delete pkt; 789 delete pkt;
655} 790}
656 791
671void 806void
672connection::send_auth_request (const sockinfo &si, bool initiate) 807connection::send_auth_request (const sockinfo &si, bool initiate)
673{ 808{
674 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols); 809 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
675 810
676 rsachallenge chg; 811 generate_auth_data ();
812 auth_encrypt (conf->rsa_key, snd_auth, pkt->encr);
677 813
678 rsa_cache.gen (pkt->id, chg);
679
680 if (0 > RSA_public_encrypt (sizeof chg,
681 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
682 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
683 fatal ("RSA_public_encrypt error");
684
685 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 814 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
686
687 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly 815 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
688 816
689 delete pkt; 817 delete pkt;
690} 818}
691 819
692void 820void
693connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg) 821connection::send_auth_response (const sockinfo &si)
694{ 822{
695 auth_res_packet *pkt = new auth_res_packet (conf->id); 823 auth_res_packet *pkt = new auth_res_packet (conf->id);
696 824
697 pkt->id = id; 825 auth_hash (rcv_auth, pkt->response.mac);
826 memcpy (pkt->response.ecdh, rcv_ecdh_b, sizeof (rcv_ecdh_b));
698 827
699 rsa_hash (id, chg, pkt->response);
700
701 pkt->hmac_set (octx);
702
703 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 828 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
704
705 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 829 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
706 830
707 delete pkt; 831 delete pkt;
708} 832}
709 833
710void 834void
711connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 835connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
712{ 836{
713 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 837 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s,p%02x)", conf->nodename,
714 conf->id, rid, (const char *)rsi); 838 vpn->conns[rid - 1]->conf->nodename, (const char *)rsi,
839 conf->protocols);
715 840
716 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 841 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
717 842
718 r->hmac_set (octx); 843 r->hmac_set (octx);
719 send_vpn_packet (r, si); 844 send_vpn_packet (r, si);
720 845
721 delete r; 846 delete r;
722} 847}
723 848
724void 849inline void
725connection::establish_connection_cb (time_watcher &w) 850connection::establish_connection_cb (ev::timer &w, int revents)
726{ 851{
727 if (ictx || conf == THISNODE 852 if (!(ictx && octx)
853 && conf != THISNODE
728 || connectmode == conf_node::C_NEVER 854 && connectmode != conf_node::C_NEVER
729 || connectmode == conf_node::C_DISABLED) 855 && connectmode != conf_node::C_DISABLED
730 w.at = TSTAMP_CANCEL; 856 && !w.is_active ())
731 else if (w.at <= NOW)
732 { 857 {
733 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 858 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
734 859 // and stop trying. should probably be handled by a per-connection expire handler.
735 if (retry_int < 3600 * 8) 860 if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
861 {
862 reset_connection ();
736 retry_cnt++; 863 return;
864 }
737 865
738 w.at = NOW + retry_int; 866 last_establish_attempt = ev_now ();
867
868 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
869 ? (retry_cnt & 3) + 1
870 : 1 << (retry_cnt >> 2));
739 871
740 reset_si (); 872 reset_si ();
741 873
742 if (si.prot && !si.host) 874 bool slow = si.prot & PROT_SLOW;
875
876 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
877 {
878 /*TODO*/ /* start the timer so we don't recurse endlessly */
879 w.start (1);
743 vpn->send_connect_request (conf->id); 880 vpn->send_connect_request (this);
881 }
744 else 882 else
745 { 883 {
884 if (si.valid ())
885 slog (L_DEBUG, _("%s: sending direct connection request to %s."),
886 conf->nodename, (const char *)si);
887
746 const sockinfo &dsi = forward_si (si); 888 const sockinfo &dsi = forward_si (si);
889
890 slow = slow || (dsi.prot & PROT_SLOW);
747 891
748 if (dsi.valid () && auth_rate_limiter.can (dsi)) 892 if (dsi.valid () && auth_rate_limiter.can (dsi))
749 { 893 {
750 if (retry_cnt < 4) 894 if (retry_cnt < 4)
751 send_auth_request (dsi, true); 895 send_auth_request (dsi, true);
752 else 896 else
753 send_ping (dsi, 0); 897 send_ping (dsi, 0);
754 } 898 }
755 } 899 }
900
901 retry_int *= slow ? 8. : 0.9;
902
903 if (retry_int < conf->max_retry)
904 retry_cnt++;
905 else
906 retry_int = conf->max_retry;
907
908 w.start (retry_int);
756 } 909 }
757} 910}
758 911
759void 912void
760connection::reset_connection () 913connection::reset_connection ()
763 { 916 {
764 slog (L_INFO, _("%s(%s): connection lost"), 917 slog (L_INFO, _("%s(%s): connection lost"),
765 conf->nodename, (const char *)si); 918 conf->nodename, (const char *)si);
766 919
767 if (::conf.script_node_down) 920 if (::conf.script_node_down)
768 run_script (run_script_cb (this, &connection::script_node_down), false); 921 {
922 run_script_cb *cb = new run_script_cb;
923 cb->set<connection, &connection::script_node_down> (this);
924 run_script_queued (cb, _("node-down command execution failed, continuing."));
925 }
769 } 926 }
770 927
771 delete ictx; ictx = 0; 928 delete ictx; ictx = 0;
772 delete octx; octx = 0; 929 delete octx; octx = 0;
773 930
774 si.host= 0; 931 si.host = 0;
775 932
933 have_snd_auth = false;
934 have_rcv_auth = false;
935 auth_expire = 0.;
936
776 last_activity = 0; 937 last_activity = 0.;
938 //last_si_change = 0.;
777 retry_cnt = 0; 939 retry_cnt = 0;
778 940
779 rekey.reset (); 941 rekey.stop ();
780 keepalive.reset (); 942 keepalive.stop ();
781 establish_connection.reset (); 943 establish_connection.stop ();
782} 944}
783 945
784void 946void
785connection::shutdown () 947connection::shutdown ()
786{ 948{
788 send_reset (si); 950 send_reset (si);
789 951
790 reset_connection (); 952 reset_connection ();
791} 953}
792 954
793void 955// poor-man's rekeying
794connection::rekey_cb (time_watcher &w) 956inline void
957connection::rekey_cb (ev::timer &w, int revents)
795{ 958{
796 w.at = TSTAMP_CANCEL;
797
798 reset_connection (); 959 reset_connection ();
799 establish_connection (); 960 establish_connection ();
800} 961}
801 962
802void 963void
803connection::send_data_packet (tap_packet *pkt, bool broadcast) 964connection::send_data_packet (tap_packet *pkt)
804{ 965{
805 vpndata_packet *p = new vpndata_packet; 966 vpndata_packet *p = new vpndata_packet;
806 int tos = 0; 967 int tos = 0;
807 968
808 // I am not hilarious about peeking into packets, but so be it. 969 // I am not hilarious about peeking into packets, but so be it.
809 if (conf->inherit_tos 970 if (conf->inherit_tos && pkt->is_ipv4 ())
810 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
811 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
812 tos = (*pkt)[15] & IPTOS_TOS_MASK; 971 tos = (*pkt)[15] & IPTOS_TOS_MASK;
813 972
814 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 973 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
815 send_vpn_packet (p, si, tos); 974 send_vpn_packet (p, si, tos);
816 975
817 delete p; 976 delete p;
818 977
819 if (oseqno > MAX_SEQNO) 978 if (oseqno > MAX_SEQNO)
820 rekey (); 979 rekey ();
821} 980}
822 981
823void 982void
983connection::post_inject_queue ()
984{
985 // force a connection every now and when when packets are sent (max 1/s)
986 if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
987 establish_connection.stop ();
988
989 establish_connection ();
990}
991
992void
824connection::inject_data_packet (tap_packet *pkt, bool broadcast) 993connection::inject_data_packet (tap_packet *pkt)
825{ 994{
826 if (ictx && octx) 995 if (ictx && octx)
827 send_data_packet (pkt, broadcast); 996 send_data_packet (pkt);
828 else 997 else
829 { 998 {
830 if (!broadcast)//DDDD
831 data_queue.put (new tap_packet (*pkt)); 999 data_queue.put (new tap_packet (*pkt));
832 1000 post_inject_queue ();
833 establish_connection ();
834 } 1001 }
835} 1002}
836 1003
1004void
837void connection::inject_vpn_packet (vpn_packet *pkt, int tos) 1005connection::inject_vpn_packet (vpn_packet *pkt, int tos)
838{ 1006{
839 if (ictx && octx) 1007 if (ictx && octx)
840 send_vpn_packet (pkt, si, tos); 1008 send_vpn_packet (pkt, si, tos);
841 else 1009 else
842 { 1010 {
843 vpn_queue.put (new vpn_packet (*pkt)); 1011 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
844 1012 post_inject_queue ();
845 establish_connection ();
846 } 1013 }
847} 1014}
848 1015
849void 1016void
850connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 1017connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
851{ 1018{
852 last_activity = NOW; 1019 last_activity = ev_now ();
853 1020
854 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 1021 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
855 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 1022 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1023
1024 if (connectmode == conf_node::C_DISABLED)
1025 return;
856 1026
857 switch (pkt->typ ()) 1027 switch (pkt->typ ())
858 { 1028 {
859 case vpn_packet::PT_PING: 1029 case vpn_packet::PT_PING:
1030 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1031
860 // we send pings instead of auth packets after some retries, 1032 // we send pings instead of auth packets after some retries,
861 // so reset the retry counter and establish a connection 1033 // so reset the retry counter and establish a connection
862 // when we receive a ping. 1034 // when we receive a ping.
863 if (!ictx) 1035 if (!ictx)
864 { 1036 {
865 if (auth_rate_limiter.can (rsi)) 1037 if (auth_rate_limiter.can (rsi))
866 send_auth_request (rsi, true); 1038 send_auth_request (rsi, true);
867 } 1039 }
868 else 1040 else
1041 // we would love to change the socket address here, but ping's aren't
1042 // authenticated, so we best ignore it.
869 send_ping (rsi, 1); // pong 1043 send_ping (rsi, 1); // pong
870 1044
871 break; 1045 break;
872 1046
873 case vpn_packet::PT_PONG: 1047 case vpn_packet::PT_PONG:
1048 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1049
1050 // a PONG might mean that the other side doesn't really know
1051 // about our desire for communication.
1052 establish_connection ();
874 break; 1053 break;
875 1054
876 case vpn_packet::PT_RESET: 1055 case vpn_packet::PT_RESET:
877 { 1056 {
878 reset_connection (); 1057 reset_connection ();
879 1058
880 config_packet *p = (config_packet *) pkt; 1059 config_packet *p = (config_packet *) pkt;
881 1060
882 if (!p->chk_config ()) 1061 if (!p->chk_config ())
883 { 1062 {
884 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"), 1063 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
885 conf->nodename, (const char *)rsi); 1064 conf->nodename, (const char *)rsi);
886 connectmode = conf_node::C_DISABLED; 1065 connectmode = conf_node::C_DISABLED;
887 } 1066 }
888 else if (connectmode == conf_node::C_ALWAYS) 1067 else if (connectmode == conf_node::C_ALWAYS)
889 establish_connection (); 1068 establish_connection ();
891 break; 1070 break;
892 1071
893 case vpn_packet::PT_AUTH_REQ: 1072 case vpn_packet::PT_AUTH_REQ:
894 if (auth_rate_limiter.can (rsi)) 1073 if (auth_rate_limiter.can (rsi))
895 { 1074 {
896 auth_req_packet *p = (auth_req_packet *) pkt; 1075 auth_req_packet *p = (auth_req_packet *)pkt;
897 1076
898 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 1077 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s,p%02x,f%02x)",
1078 conf->nodename, p->initiate ? "initiate" : "reply",
1079 p->protocols, p->features);
899 1080
900 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 1081 if (p->chk_config () && !memcmp (p->magic, MAGIC, 8))
901 { 1082 {
902 if (p->prot_minor != PROTOCOL_MINOR) 1083 if (p->prot_minor != PROTOCOL_MINOR)
903 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 1084 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
904 conf->nodename, (const char *)rsi, 1085 conf->nodename, (const char *)rsi,
905 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 1086 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
906 1087
907 if (p->initiate) 1088 if (p->initiate)
908 send_auth_request (rsi, false); 1089 send_auth_request (rsi, false);
909 1090
910 rsachallenge k; 1091 auth_data auth;
911 1092
912 if (0 > RSA_private_decrypt (sizeof (p->encr), 1093 if (!auth_decrypt (::conf.rsa_key, p->encr, auth))
913 (unsigned char *)&p->encr, (unsigned char *)&k, 1094 {
914 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
915 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"), 1095 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
916 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0)); 1096 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1097 }
917 else 1098 else
918 { 1099 {
919 delete octx; 1100 bool chg = !have_rcv_auth || memcmp (&rcv_auth, &auth, sizeof auth);
920 1101
921 octx = new crypto_ctx (k, 1); 1102 rcv_auth = auth;
922 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 1103 have_rcv_auth = true;
923 1104
1105 send_auth_response (rsi);
1106
1107 if (chg)
1108 {
924 conf->protocols = p->protocols; 1109 conf->protocols = p->protocols;
1110 features = p->features & config_packet::get_features ();
925 1111
926 send_auth_response (rsi, p->id, k);
927
928 connection_established (); 1112 connection_established (rsi);
929
930 break; 1113 }
931 } 1114 }
1115
1116 break;
932 } 1117 }
933 else 1118 else
934 slog (L_WARN, _("%s(%s): protocol mismatch"), 1119 slog (L_WARN, _("%s(%s): protocol mismatch."),
935 conf->nodename, (const char *)rsi); 1120 conf->nodename, (const char *)rsi);
936 1121
937 send_reset (rsi); 1122 send_reset (rsi);
938 } 1123 }
939 1124
940 break; 1125 break;
941 1126
942 case vpn_packet::PT_AUTH_RES: 1127 case vpn_packet::PT_AUTH_RES:
943 { 1128 {
944 auth_res_packet *p = (auth_res_packet *) pkt; 1129 auth_res_packet *p = (auth_res_packet *)pkt;
945 1130
946 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 1131 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
947 1132
948 if (p->chk_config ()) 1133 if (p->chk_config ())
949 { 1134 {
950 if (p->prot_minor != PROTOCOL_MINOR) 1135 if (memcmp (&p->response.mac, snd_auth_mac, sizeof (snd_auth_mac)))
951 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
952 conf->nodename, (const char *)rsi,
953 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
954
955 rsachallenge chg;
956
957 if (!rsa_cache.find (p->id, chg))
958 { 1136 {
959 slog (L_ERR, _("%s(%s): unrequested auth response"), 1137 slog (L_ERR, _("%s(%s): unrequested or outdated auth response, ignoring."),
960 conf->nodename, (const char *)rsi); 1138 conf->nodename, (const char *)rsi);
961 break;
962 } 1139 }
963 else 1140 else if (!have_snd_auth)
964 { 1141 {
965 crypto_ctx *cctx = new crypto_ctx (chg, 0); 1142 if (p->prot_minor != PROTOCOL_MINOR)
966 1143 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
967 if (!p->hmac_chk (cctx))
968 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
969 "could be an attack, or just corruption or an synchronization error"),
970 conf->nodename, (const char *)rsi); 1144 conf->nodename, (const char *)rsi,
971 else 1145 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
972 {
973 rsaresponse h;
974 1146
975 rsa_hash (p->id, chg, h);
976
977 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
978 {
979 prot_minor = p->prot_minor; 1147 prot_minor = p->prot_minor;
1148 memcpy (snd_ecdh_b, p->response.ecdh, sizeof (snd_ecdh_b));
980 1149
981 delete ictx; ictx = cctx; 1150 have_snd_auth = true;
982
983 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
984
985 si = rsi;
986 protocol = rsi.prot;
987
988 connection_established (); 1151 connection_established (rsi);
989
990 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
991 conf->nodename, (const char *)rsi,
992 p->prot_major, p->prot_minor);
993
994 if (::conf.script_node_up)
995 run_script (run_script_cb (this, &connection::script_node_up), false);
996
997 break;
998 }
999 else
1000 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
1001 conf->nodename, (const char *)rsi);
1002 }
1003
1004 delete cctx;
1005 } 1152 }
1153
1154 break;
1006 } 1155 }
1007 } 1156 }
1008 1157
1009 send_reset (rsi); 1158 send_reset (rsi);
1010 break; 1159 break;
1021 { 1170 {
1022 vpndata_packet *p = (vpndata_packet *)pkt; 1171 vpndata_packet *p = (vpndata_packet *)pkt;
1023 1172
1024 if (!p->hmac_chk (ictx)) 1173 if (!p->hmac_chk (ictx))
1025 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n" 1174 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1026 "could be an attack, or just corruption or an synchronization error"), 1175 "could be an attack, or just corruption or a synchronization error."),
1027 conf->nodename, (const char *)rsi); 1176 conf->nodename, (const char *)rsi);
1028 else 1177 else
1029 { 1178 {
1030 u32 seqno; 1179 u32 seqno;
1031 tap_packet *d = p->unpack (this, seqno); 1180 tap_packet *d = p->unpack (this, seqno);
1181 int seqclass = iseqno.seqno_classify (seqno);
1032 1182
1033 if (iseqno.recv_ok (seqno)) 1183 if (seqclass == 0) // ok
1034 { 1184 {
1035 vpn->tap->send (d); 1185 vpn->tap->send (d);
1036 1186
1037 if (p->dst () == 0) // re-broadcast
1038 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1039 {
1040 connection *c = *i;
1041
1042 if (c->conf != THISNODE && c->conf != conf)
1043 c->inject_data_packet (d);
1044 }
1045
1046 if (si != rsi) 1187 if (si != rsi)
1047 { 1188 {
1048 // fast re-sync on connection changes, useful especially for tcp/ip 1189 // fast re-sync on source address changes, useful especially for tcp/ip
1190 //if (last_si_change < ev_now () + 5.)
1049 si = rsi; 1191 // {
1050
1051 slog (L_INFO, _("%s(%s): socket address changed to %s"), 1192 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1052 conf->nodename, (const char *)si, (const char *)rsi); 1193 conf->nodename, (const char *)si, (const char *)rsi);
1194
1195 si = rsi;
1196
1197 if (::conf.script_node_change)
1198 {
1199 run_script_cb *cb = new run_script_cb;
1200 cb->set<connection, &connection::script_node_change> (this);
1201 run_script_queued (cb, _("node-change command execution failed, continuing."));
1202 }
1203
1204 // }
1205 //else
1206 // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1207 // conf->nodename, (const char *)si, (const char *)rsi);
1053 } 1208 }
1054
1055 delete d;
1056
1057 break;
1058 } 1209 }
1210 else if (seqclass == 1) // far history
1211 slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1212 "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1213 else if (seqclass == 2) // in-window duplicate, happens often on wireless
1214 slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1215 "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1216 else if (seqclass == 3) // reset
1217 {
1218 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1219 "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1220 send_reset (rsi);
1221 }
1222
1223 delete d;
1224 break;
1059 } 1225 }
1060 } 1226 }
1061 1227
1062 send_reset (rsi); 1228 send_reset (rsi);
1063 break; 1229 break;
1064 1230
1065 case vpn_packet::PT_CONNECT_REQ: 1231 case vpn_packet::PT_CONNECT_REQ:
1066 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1232 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1067 { 1233 {
1068 connect_req_packet *p = (connect_req_packet *) pkt; 1234 connect_req_packet *p = (connect_req_packet *)pkt;
1069 1235
1070 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1236 if (p->id > 0 && p->id <= vpn->conns.size ())
1071 connection *c = vpn->conns[p->id - 1];
1072 conf->protocols = p->protocols;
1073
1074 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1075 conf->id, p->id, c->ictx && c->octx);
1076
1077 if (c->ictx && c->octx)
1078 { 1237 {
1238 connection *c = vpn->conns[p->id - 1];
1239 conf->protocols = p->protocols;
1240
1241 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s,p%02x) [%d]",
1242 conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1243 p->protocols,
1244 c->ictx && c->octx);
1245
1246 if (c->ictx && c->octx)
1247 {
1079 // send connect_info packets to both sides, in case one is 1248 // send connect_info packets to both sides, in case one is
1080 // behind a nat firewall (or both ;) 1249 // behind a nat firewall (or both ;)
1081 c->send_connect_info (conf->id, si, conf->protocols); 1250 c->send_connect_info (conf->id, si, conf->protocols);
1082 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1251 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1252 }
1253 else
1254 c->establish_connection ();
1083 } 1255 }
1084 else 1256 else
1085 c->establish_connection (); 1257 slog (L_WARN,
1258 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1259 p->id);
1086 } 1260 }
1087 1261
1088 break; 1262 break;
1089 1263
1090 case vpn_packet::PT_CONNECT_INFO: 1264 case vpn_packet::PT_CONNECT_INFO:
1091 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1265 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1092 { 1266 {
1093 connect_info_packet *p = (connect_info_packet *) pkt; 1267 connect_info_packet *p = (connect_info_packet *)pkt;
1094 1268
1095 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1269 if (p->id > 0 && p->id <= vpn->conns.size ())
1096 1270 {
1097 connection *c = vpn->conns[p->id - 1]; 1271 connection *c = vpn->conns[p->id - 1];
1098 1272
1099 c->conf->protocols = p->protocols; 1273 c->conf->protocols = p->protocols;
1100 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1274 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1101 p->si.upgrade_protocol (protocol, c->conf); 1275 p->si.upgrade_protocol (protocol, c->conf);
1102 1276
1103 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1277 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s,protocols=%02x,protocol=%02x,upgradable=%02x) [%d]",
1104 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1278 conf->nodename,
1279 vpn->conns[p->id - 1]->conf->nodename,
1280 (const char *)p->si,
1281 p->protocols,
1282 protocol,
1283 p->si.supported_protocols (c->conf),
1284 !c->ictx && !c->octx);
1105 1285
1106 const sockinfo &dsi = forward_si (p->si); 1286 const sockinfo &dsi = forward_si (p->si);
1107 1287
1108 if (dsi.valid ()) 1288 if (dsi.valid ())
1109 c->send_auth_request (dsi, true); 1289 c->send_auth_request (dsi, true);
1290 else
1291 slog (L_INFO, "connect info for %s received (%s), but still unable to contact.",
1292 vpn->conns[p->id - 1]->conf->nodename,
1293 (const char *)p->si);
1294 }
1295 else
1296 slog (L_WARN,
1297 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1298 p->id);
1110 } 1299 }
1111 1300
1112 break; 1301 break;
1113 1302
1114 default: 1303 default:
1115 send_reset (rsi); 1304 send_reset (rsi);
1116 break; 1305 break;
1117 } 1306 }
1118} 1307}
1119 1308
1120void connection::keepalive_cb (time_watcher &w) 1309inline void
1310connection::keepalive_cb (ev::timer &w, int revents)
1121{ 1311{
1122 if (NOW >= last_activity + ::conf.keepalive + 30) 1312 ev_tstamp when = last_activity + ::conf.keepalive - ev::now ();
1313
1314 if (when >= 0)
1315 w.start (when);
1316 else if (when < -15)
1123 { 1317 {
1124 reset_connection (); 1318 reset_connection ();
1125 establish_connection (); 1319 establish_connection ();
1126 } 1320 }
1127 else if (NOW < last_activity + ::conf.keepalive)
1128 w.at = last_activity + ::conf.keepalive;
1129 else if (conf->connectmode != conf_node::C_ONDEMAND 1321 else if (conf->connectmode != conf_node::C_ONDEMAND
1130 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1322 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1131 { 1323 {
1324 w.start (3);
1132 send_ping (si); 1325 send_ping (si);
1133 w.at = NOW + 5;
1134 } 1326 }
1135 else if (NOW < last_activity + ::conf.keepalive + 10) 1327 else if (when >= -10)
1136 // hold ondemand connections implicitly a few seconds longer 1328 // hold ondemand connections implicitly a few seconds longer
1137 // should delete octx, though, or something like that ;) 1329 // should delete octx, though, or something like that ;)
1138 w.at = last_activity + ::conf.keepalive + 10; 1330 w.start (when + 10);
1139 else 1331 else
1140 reset_connection (); 1332 reset_connection ();
1141} 1333}
1142 1334
1335void
1143void connection::send_connect_request (int id) 1336connection::send_connect_request (int id)
1144{ 1337{
1145 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1338 connect_req_packet *p = new connect_req_packet (conf->id, id, THISNODE->protocols);
1146 1339
1147 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1340 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s,p%02x)",
1341 conf->nodename, vpn->conns[id - 1]->conf->nodename,
1342 THISNODE->protocols);
1148 p->hmac_set (octx); 1343 p->hmac_set (octx);
1149 send_vpn_packet (p, si); 1344 send_vpn_packet (p, si);
1150 1345
1151 delete p; 1346 delete p;
1152} 1347}
1153 1348
1154void connection::script_node () 1349void
1350connection::script_init_env (const char *ext)
1155{ 1351{
1156 vpn->script_if_up ();
1157
1158 char *env; 1352 char *env;
1353 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1354 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1355 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1356 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1357 conf->id & 0xff); putenv (env);
1358}
1359
1360void
1361connection::script_init_connect_env ()
1362{
1363 vpn->script_init_env ();
1364
1365 char *env;
1159 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1366 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1367 asprintf (&env, "DESTSI=%s", (const char *)si); putenv (env);
1160 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1368 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1161 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1369 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1162 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1370 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1163} 1371}
1164 1372
1373inline const char *
1165const char *connection::script_node_up () 1374connection::script_node_up ()
1166{ 1375{
1167 script_node (); 1376 script_init_connect_env ();
1168 1377
1169 putenv ("STATE=up"); 1378 putenv ((char *)"STATE=up");
1170 1379
1380 char *filename;
1381 asprintf (&filename,
1382 "%s/%s",
1383 confbase,
1171 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1384 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1172}
1173 1385
1386 return filename;
1387}
1388
1389inline const char *
1390connection::script_node_change ()
1391{
1392 script_init_connect_env ();
1393
1394 putenv ((char *)"STATE=change");
1395
1396 char *filename;
1397 asprintf (&filename,
1398 "%s/%s",
1399 confbase,
1400 ::conf.script_node_change ? ::conf.script_node_change : "node-change");
1401
1402 return filename;
1403}
1404
1405inline const char *
1174const char *connection::script_node_down () 1406connection::script_node_down ()
1175{ 1407{
1176 script_node (); 1408 script_init_connect_env ();
1177 1409
1178 putenv ("STATE=down"); 1410 putenv ((char *)"STATE=down");
1179 1411
1180 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1412 char *filename;
1181} 1413 asprintf (&filename,
1414 "%s/%s",
1415 confbase,
1416 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1182 1417
1418 return filename;
1419}
1420
1183connection::connection(struct vpn *vpn_) 1421connection::connection (struct vpn *vpn, conf_node *conf)
1184: vpn(vpn_) 1422: vpn(vpn), conf(conf),
1185, rekey (this, &connection::rekey_cb) 1423#if ENABLE_DNS
1186, keepalive (this, &connection::keepalive_cb) 1424 dns (0),
1425#endif
1426 data_queue(conf->max_ttl, conf->max_queue + 1),
1427 vpn_queue(conf->max_ttl, conf->max_queue + 1)
1428{
1429 rekey .set<connection, &connection::rekey_cb > (this);
1430 keepalive .set<connection, &connection::keepalive_cb > (this);
1187, establish_connection (this, &connection::establish_connection_cb) 1431 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1188{ 1432
1433 last_establish_attempt = 0.;
1189 octx = ictx = 0; 1434 octx = ictx = 0;
1190 retry_cnt = 0;
1191 1435
1192 connectmode = conf_node::C_ALWAYS; // initial setting 1436 connectmode = conf->connectmode;
1437
1438 // queue a dummy packet to force an initial connection attempt
1439 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1440 vpn_queue.put (new net_packet);
1441
1193 reset_connection (); 1442 reset_connection ();
1194} 1443}
1195 1444
1196connection::~connection () 1445connection::~connection ()
1197{ 1446{
1198 shutdown (); 1447 shutdown ();
1199} 1448}
1200 1449
1450void
1201void connection_init () 1451connection_init ()
1202{ 1452{
1203 auth_rate_limiter.clear (); 1453 auth_rate_limiter.clear ();
1204 reset_rate_limiter.clear (); 1454 reset_rate_limiter.clear ();
1205} 1455}
1206 1456

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines