ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.11 by pcg, Sun Apr 13 00:35:46 2003 UTC vs.
Revision 1.99 by root, Wed Jul 17 04:36:03 2013 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2008,2010,2011,2013 Marc Lehmann <gvpe@schmorp.de>
3 4
5 This file is part of GVPE.
6
4 This program is free software; you can redistribute it and/or modify 7 GVPE is free software; you can redistribute it and/or modify it
5 it under the terms of the GNU General Public License as published by 8 under the terms of the GNU General Public License as published by the
6 the Free Software Foundation; either version 2 of the License, or 9 Free Software Foundation; either version 3 of the License, or (at your
7 (at your option) any later version. 10 option) any later version.
8 11
9 This program is distributed in the hope that it will be useful, 12 This program is distributed in the hope that it will be useful, but
10 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
12 GNU General Public License for more details. 15 Public License for more details.
13 16
14 You should have received a copy of the GNU General Public License 17 You should have received a copy of the GNU General Public License along
15 along with this program; if not, write to the Free Software 18 with this program; if not, see <http://www.gnu.org/licenses/>.
16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19
20 Additional permission under GNU GPL version 3 section 7
21
22 If you modify this Program, or any covered work, by linking or
23 combining it with the OpenSSL project's OpenSSL library (or a modified
24 version of that library), containing parts covered by the terms of the
25 OpenSSL or SSLeay licenses, the licensors of this Program grant you
26 additional permission to convey the resulting work. Corresponding
27 Source for a non-source form of such a combination shall include the
28 source code for the parts of OpenSSL used as well as that of the
29 covered work.
17*/ 30*/
18 31
19#include "config.h" 32#include "config.h"
20 33
21extern "C" {
22# include "lzf/lzf.h"
23}
24
25#include <list> 34#include <list>
35#include <queue>
36#include <utility>
26 37
27#include <openssl/rand.h> 38#include <openssl/rand.h>
28#include <openssl/evp.h> 39#include <openssl/evp.h>
29#include <openssl/rsa.h> 40#include <openssl/rsa.h>
30#include <openssl/err.h> 41#include <openssl/err.h>
31
32#include "gettext.h"
33 42
34#include "conf.h" 43#include "conf.h"
35#include "slog.h" 44#include "slog.h"
36#include "device.h" 45#include "device.h"
37#include "vpn.h" 46#include "vpn.h"
38#include "connection.h" 47#include "connection.h"
48#include "hkdf.h"
39 49
40#if !HAVE_RAND_PSEUDO_BYTES 50#include "netcompat.h"
41# define RAND_pseudo_bytes RAND_bytes
42#endif
43 51
44#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 52#define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic
53
54#define ULTRA_FAST 1
55#define HLOG 15
56#include "lzf/lzf.h"
57#include "lzf/lzf_c.c"
58#include "lzf/lzf_d.c"
59
60//////////////////////////////////////////////////////////////////////////////
61
62static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
63static ev::child rs_child_ev;
64
65namespace
66{
67 void // c++ requires external linkage here, apparently :(
68 rs_child_cb (ev::child &w, int revents)
69 {
70 w.stop ();
71
72 if (rs_queue.empty ())
73 return;
74
75 pid_t pid = run_script (*rs_queue.front ().first, false);
76 if (pid)
77 {
78 w.set (pid);
79 w.start ();
80 }
81 else
82 slog (L_WARN, rs_queue.front ().second);
83
84 delete rs_queue.front ().first;
85 rs_queue.pop ();
86 }
87};
88
89// despite the fancy name, this is quite a hack
90static void
91run_script_queued (run_script_cb *cb, const char *warnmsg)
92{
93 rs_queue.push (std::make_pair (cb, warnmsg));
94
95 if (!rs_child_ev.is_active ())
96 {
97 rs_child_ev.set<rs_child_cb> ();
98 rs_child_ev ();
99 }
100}
101
102//////////////////////////////////////////////////////////////////////////////
45 103
46struct crypto_ctx 104struct crypto_ctx
47{ 105{
48 EVP_CIPHER_CTX cctx; 106 EVP_CIPHER_CTX cctx;
49 HMAC_CTX hctx; 107 HMAC_CTX hctx;
50 108
51 crypto_ctx (const rsachallenge &challenge, int enc); 109 crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc);
52 ~crypto_ctx (); 110 ~crypto_ctx ();
53}; 111};
54 112
55crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc) 113crypto_ctx::crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc)
56{ 114{
115 ecdh_key s;
116
117 curve25519_combine (a, b, s);
118
119 {
120 u8 mac_key[MAC_KEYSIZE];
121 static const unsigned char mac_info[] = "gvpe mac key";
122
123 hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ());
124 kdf.extract (auth2.rsa.ikm, sizeof (auth2.rsa.ikm));
125 kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key));
126 kdf.extract (s, sizeof (s));
127 kdf.extract_done (HKDF_PRF_HASH ());
128 kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info));
129
130 HMAC_CTX_init (&hctx);
131 require (HMAC_Init_ex (&hctx, mac_key, MAC_KEYSIZE, MAC_DIGEST (), 0));
132 }
133
134 {
135 u8 cipher_key[CIPHER_KEYSIZE];
136 static const unsigned char cipher_info[] = "gvpe cipher key";
137
138 hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ());
139 kdf.extract (auth2.rsa.ikm, sizeof (auth2.rsa.ikm));
140 kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key));
141 kdf.extract (s, sizeof (s));
142 kdf.extract_done (HKDF_PRF_HASH ());
143 kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info));
144
57 EVP_CIPHER_CTX_init (&cctx); 145 EVP_CIPHER_CTX_init (&cctx);
58 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); 146 require (EVP_CipherInit_ex (&cctx, CIPHER (), 0, cipher_key, 0, enc));
59 HMAC_CTX_init (&hctx); 147 }
60 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
61} 148}
62 149
63crypto_ctx::~crypto_ctx () 150crypto_ctx::~crypto_ctx ()
64{ 151{
65 EVP_CIPHER_CTX_cleanup (&cctx); 152 require (EVP_CIPHER_CTX_cleanup (&cctx));
66 HMAC_CTX_cleanup (&hctx); 153 HMAC_CTX_cleanup (&hctx);
67} 154}
68 155
156static inline void
157auth_encrypt (RSA *key, const auth_data &auth, auth_encr &encr)
158{
159 if (RSA_public_encrypt (sizeof (auth.rsa),
160 (unsigned char *)&auth.rsa, (unsigned char *)&encr.rsa,
161 key, RSA_PKCS1_OAEP_PADDING) < 0)
162 fatal ("RSA_public_encrypt error");
163}
164
165static inline bool
166auth_decrypt (RSA *key, const auth_encr &encr, auth_data &auth)
167{
168 u8 rsa_decrypt[RSA_KEYLEN];
169
170 if (RSA_private_decrypt (sizeof (encr.rsa),
171 (const unsigned char *)&encr.rsa, (unsigned char *)rsa_decrypt,
172 key, RSA_PKCS1_OAEP_PADDING) != sizeof (auth.rsa))
173 return 0;
174
175 memcpy (&auth.rsa, rsa_decrypt, sizeof (auth.rsa));
176
177 return 1;
178}
179
69static void 180static void
70rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h) 181auth_hash (const auth_data &auth, auth_mac &mac)
71{ 182{
72 EVP_MD_CTX ctx; 183 HMAC_CTX ctx;
73 184
74 EVP_MD_CTX_init (&ctx); 185 HMAC_CTX_init (&ctx);
75 EVP_DigestInit (&ctx, RSA_HASH); 186 require (HMAC_Init_ex (&ctx, auth.rsa.auth_key, sizeof (auth.rsa.auth_key), AUTH_DIGEST (), 0));
76 EVP_DigestUpdate(&ctx, &chg, sizeof chg); 187 require (HMAC_Update (&ctx, (const unsigned char *)&auth, sizeof auth));
77 EVP_DigestUpdate(&ctx, &id, sizeof id); 188 require (HMAC_Final (&ctx, (unsigned char *)&mac, 0));
78 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
79 EVP_MD_CTX_cleanup (&ctx); 189 HMAC_CTX_cleanup (&ctx);
80} 190}
81 191
82struct rsa_entry { 192void
83 tstamp expire; 193connection::generate_auth_data ()
84 rsaid id;
85 rsachallenge chg;
86};
87
88struct rsa_cache : list<rsa_entry>
89{ 194{
90 void cleaner_cb (time_watcher &w); time_watcher cleaner; 195 if (auth_expire < ev_now ())
91
92 bool find (const rsaid &id, rsachallenge &chg)
93 {
94 for (iterator i = begin (); i != end (); ++i)
95 {
96 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
97 {
98 memcpy (&chg, &i->chg, sizeof chg);
99
100 erase (i);
101 return true;
102 }
103 }
104
105 if (cleaner.at < NOW)
106 cleaner.start (NOW + RSA_TTL);
107
108 return false;
109 }
110
111 void gen (rsaid &id, rsachallenge &chg)
112 {
113 rsa_entry e;
114
115 RAND_bytes ((unsigned char *)&id, sizeof id);
116 RAND_bytes ((unsigned char *)&chg, sizeof chg);
117
118 e.expire = NOW + RSA_TTL;
119 e.id = id;
120 memcpy (&e.chg, &chg, sizeof chg);
121
122 push_back (e);
123
124 if (cleaner.at < NOW)
125 cleaner.start (NOW + RSA_TTL);
126 }
127
128 rsa_cache ()
129 : cleaner (this, &rsa_cache::cleaner_cb)
130 { } 196 {
197 // request data
198 RAND_bytes ((unsigned char *)&snd_auth.rsa, sizeof snd_auth.rsa);
199 curve25519_generate (snd_ecdh_a, snd_auth.ecdh);
200 auth_hash (snd_auth, snd_auth_mac);
131 201
132} rsa_cache; 202 // eventual response data
133 203 curve25519_generate (rcv_ecdh_a, rcv_ecdh_b);
134void rsa_cache::cleaner_cb (time_watcher &w)
135{
136 if (empty ())
137 w.at = TSTAMP_CANCEL;
138 else
139 { 204 }
140 w.at = NOW + RSA_TTL;
141 205
142 for (iterator i = begin (); i != end (); ) 206 // every use prolongs the expiry
143 if (i->expire <= NOW) 207 auth_expire = ev_now () + AUTH_TTL;
144 i = erase (i);
145 else
146 ++i;
147 }
148} 208}
149 209
150////////////////////////////////////////////////////////////////////////////// 210//////////////////////////////////////////////////////////////////////////////
151 211
152void pkt_queue::put (tap_packet *p) 212pkt_queue::pkt_queue (double max_ttl, int max_queue)
213: max_ttl (max_ttl), max_queue (max_queue)
153{ 214{
154 if (queue[i]) 215 queue = new pkt [max_queue];
155 {
156 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH;
158 }
159 216
160 queue[i] = p;
161
162 i = (i + 1) % QUEUEDEPTH;
163}
164
165tap_packet *pkt_queue::get ()
166{
167 tap_packet *p = queue[j];
168
169 if (p)
170 {
171 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH;
173 }
174
175 return p;
176}
177
178pkt_queue::pkt_queue ()
179{
180 memset (queue, 0, sizeof (queue));
181 i = 0; 217 i = 0;
182 j = 0; 218 j = 0;
219
220 expire.set<pkt_queue, &pkt_queue::expire_cb> (this);
183} 221}
184 222
185pkt_queue::~pkt_queue () 223pkt_queue::~pkt_queue ()
186{ 224{
187 for (i = QUEUEDEPTH; --i > 0; ) 225 while (net_packet *p = get ())
226 delete p;
227
188 delete queue[i]; 228 delete [] queue;
189} 229}
190 230
231void
232pkt_queue::expire_cb (ev::timer &w, int revents)
233{
234 ev_tstamp expire = ev_now () - max_ttl;
235
236 for (;;)
237 {
238 if (empty ())
239 break;
240
241 double diff = queue[j].tstamp - expire;
242
243 if (diff >= 0.)
244 {
245 w.start (diff > 0.5 ? diff : 0.5);
246 break;
247 }
248
249 delete get ();
250 }
251}
252
253void
254pkt_queue::put (net_packet *p)
255{
256 ev_tstamp now = ev_now ();
257
258 // start expiry timer
259 if (empty ())
260 expire.start (max_ttl);
261
262 int ni = i + 1 == max_queue ? 0 : i + 1;
263
264 if (ni == j)
265 delete get ();
266
267 queue[i].pkt = p;
268 queue[i].tstamp = now;
269
270 i = ni;
271}
272
273net_packet *
274pkt_queue::get ()
275{
276 if (empty ())
277 return 0;
278
279 net_packet *p = queue[j].pkt;
280 queue[j].pkt = 0;
281
282 j = j + 1 == max_queue ? 0 : j + 1;
283
284 return p;
285}
286
191struct net_rateinfo { 287struct net_rateinfo
288{
192 u32 host; 289 u32 host;
193 double pcnt, diff; 290 double pcnt, diff;
194 tstamp last; 291 tstamp last;
195}; 292};
196 293
197// only do action once every x seconds per host whole allowing bursts. 294// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 295// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 296// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 297struct net_rate_limiter : list<net_rateinfo>
201{ 298{
202 static const double ALPHA = 1. - 1. / 180.; // allow bursts 299# define NRL_ALPHA (1. - 1. / 600.) // allow bursts
203 static const double CUTOFF = 10.; // one event every CUTOFF seconds 300# define NRL_CUTOFF 10. // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 301# define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
205 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value 302# define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
206 303
207 bool can (const sockinfo &si) { return can((u32)si.host); } 304 bool can (const sockinfo &si) { return can((u32)si.host); }
208 bool can (u32 host); 305 bool can (u32 host);
209}; 306};
210 307
211net_rate_limiter auth_rate_limiter, reset_rate_limiter; 308static net_rate_limiter auth_rate_limiter, reset_rate_limiter;
212 309
310bool
213bool net_rate_limiter::can (u32 host) 311net_rate_limiter::can (u32 host)
214{ 312{
215 iterator i; 313 iterator i;
216 314
217 for (i = begin (); i != end (); ) 315 for (i = begin (); i != end (); )
218 if (i->host == host) 316 if (i->host == host)
219 break; 317 break;
220 else if (i->last < NOW - EXPIRE) 318 else if (i->last < ev_now () - NRL_EXPIRE)
221 i = erase (i); 319 i = erase (i);
222 else 320 else
223 i++; 321 i++;
224 322
225 if (i == end ()) 323 if (i == end ())
226 { 324 {
227 net_rateinfo ri; 325 net_rateinfo ri;
228 326
229 ri.host = host; 327 ri.host = host;
230 ri.pcnt = 1.; 328 ri.pcnt = 1.;
231 ri.diff = MAXDIF; 329 ri.diff = NRL_MAXDIF;
232 ri.last = NOW; 330 ri.last = ev_now ();
233 331
234 push_front (ri); 332 push_front (ri);
235 333
236 return true; 334 return true;
237 } 335 }
238 else 336 else
239 { 337 {
240 net_rateinfo ri (*i); 338 net_rateinfo ri (*i);
241 erase (i); 339 erase (i);
242 340
243 ri.pcnt = ri.pcnt * ALPHA; 341 ri.pcnt = ri.pcnt * NRL_ALPHA;
244 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 342 ri.diff = ri.diff * NRL_ALPHA + (ev_now () - ri.last);
245 343
246 ri.last = NOW; 344 ri.last = ev_now ();
247 345
248 double dif = ri.diff / ri.pcnt; 346 double dif = ri.diff / ri.pcnt;
249 347
250 bool send = dif > CUTOFF; 348 bool send = dif > NRL_CUTOFF;
251 349
252 if (dif > MAXDIF) 350 if (dif > NRL_MAXDIF)
253 { 351 {
254 ri.pcnt = 1.; 352 ri.pcnt = 1.;
255 ri.diff = MAXDIF; 353 ri.diff = NRL_MAXDIF;
256 } 354 }
257 else if (send) 355 else if (send)
258 ri.pcnt++; 356 ri.pcnt++;
259 357
260 push_front (ri); 358 push_front (ri);
265 363
266///////////////////////////////////////////////////////////////////////////// 364/////////////////////////////////////////////////////////////////////////////
267 365
268unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE]; 366unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
269 367
368void
270void hmac_packet::hmac_gen (crypto_ctx *ctx) 369hmac_packet::hmac_gen (crypto_ctx *ctx)
271{ 370{
272 unsigned int xlen; 371 unsigned int xlen;
273 372
274 HMAC_CTX *hctx = &ctx->hctx; 373 HMAC_CTX *hctx = &ctx->hctx;
275 374
276 HMAC_Init_ex (hctx, 0, 0, 0, 0); 375 require (HMAC_Init_ex (hctx, 0, 0, 0, 0));
277 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), 376 require (HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
278 len - sizeof (hmac_packet)); 377 len - sizeof (hmac_packet)));
279 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen); 378 require (HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen));
280} 379}
281 380
282void 381void
283hmac_packet::hmac_set (crypto_ctx *ctx) 382hmac_packet::hmac_set (crypto_ctx *ctx)
284{ 383{
293 hmac_gen (ctx); 392 hmac_gen (ctx);
294 393
295 return !memcmp (hmac, hmac_digest, HMACLENGTH); 394 return !memcmp (hmac, hmac_digest, HMACLENGTH);
296} 395}
297 396
397void
298void vpn_packet::set_hdr (ptype type_, unsigned int dst) 398vpn_packet::set_hdr (ptype type_, unsigned int dst)
299{ 399{
300 type = type_; 400 type = type_;
301 401
302 int src = THISNODE->id; 402 int src = THISNODE->id;
303 403
307} 407}
308 408
309#define MAXVPNDATA (MAX_MTU - 6 - 6) 409#define MAXVPNDATA (MAX_MTU - 6 - 6)
310#define DATAHDR (sizeof (u32) + RAND_SIZE) 410#define DATAHDR (sizeof (u32) + RAND_SIZE)
311 411
312struct vpndata_packet:vpn_packet 412struct vpndata_packet : vpn_packet
413{
414 u8 data[MAXVPNDATA + DATAHDR]; // seqno
415
416 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
417 tap_packet *unpack (connection *conn, u32 &seqno);
418
419private:
420 const u32 data_hdr_size () const
313 { 421 {
314 u8 data[MAXVPNDATA + DATAHDR]; // seqno
315
316 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
317 tap_packet *unpack (connection *conn, u32 &seqno);
318private:
319
320 const u32 data_hdr_size () const
321 {
322 return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR; 422 return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
323 }
324 }; 423 }
424};
325 425
326void 426void
327vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno) 427vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
328{ 428{
329 EVP_CIPHER_CTX *cctx = &conn->octx->cctx; 429 EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
330 int outl = 0, outl2; 430 int outl = 0, outl2;
331 ptype type = PT_DATA_UNCOMPRESSED; 431 ptype type = PT_DATA_UNCOMPRESSED;
332 432
333#if ENABLE_COMPRESSION 433#if ENABLE_COMPRESSION
334 u8 cdata[MAX_MTU]; 434 u8 cdata[MAX_MTU];
335 u32 cl;
336 435
436 if (conn->features & FEATURE_COMPRESSION)
437 {
337 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 438 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
439
338 if (cl) 440 if (cl)
339 { 441 {
340 type = PT_DATA_COMPRESSED; 442 type = PT_DATA_COMPRESSED;
341 d = cdata; 443 d = cdata;
342 l = cl + 2; 444 l = cl + 2;
343 445
344 d[0] = cl >> 8; 446 d[0] = cl >> 8;
345 d[1] = cl; 447 d[1] = cl;
448 }
346 } 449 }
347#endif 450#endif
348 451
349 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 452 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 1));
350 453
351 struct { 454 struct {
352#if RAND_SIZE 455#if RAND_SIZE
353 u8 rnd[RAND_SIZE]; 456 u8 rnd[RAND_SIZE];
354#endif 457#endif
355 u32 seqno; 458 u32 seqno;
356 } datahdr; 459 } datahdr;
357 460
358 datahdr.seqno = ntohl (seqno); 461 datahdr.seqno = ntohl (seqno);
359#if RAND_SIZE 462#if RAND_SIZE
360 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 463 RAND_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
361#endif 464#endif
362 465
363 EVP_EncryptUpdate (cctx, 466 require (EVP_EncryptUpdate (cctx,
364 (unsigned char *) data + outl, &outl2, 467 (unsigned char *) data + outl, &outl2,
365 (unsigned char *) &datahdr, DATAHDR); 468 (unsigned char *) &datahdr, DATAHDR));
366 outl += outl2; 469 outl += outl2;
367 470
368 EVP_EncryptUpdate (cctx, 471 require (EVP_EncryptUpdate (cctx,
369 (unsigned char *) data + outl, &outl2, 472 (unsigned char *) data + outl, &outl2,
370 (unsigned char *) d, l); 473 (unsigned char *) d, l));
371 outl += outl2; 474 outl += outl2;
372 475
373 EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2); 476 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
374 outl += outl2; 477 outl += outl2;
375 478
376 len = outl + data_hdr_size (); 479 len = outl + data_hdr_size ();
377 480
378 set_hdr (type, dst); 481 set_hdr (type, dst);
387 int outl = 0, outl2; 490 int outl = 0, outl2;
388 tap_packet *p = new tap_packet; 491 tap_packet *p = new tap_packet;
389 u8 *d; 492 u8 *d;
390 u32 l = len - data_hdr_size (); 493 u32 l = len - data_hdr_size ();
391 494
392 EVP_DecryptInit_ex (cctx, 0, 0, 0, 0); 495 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 0));
393 496
394#if ENABLE_COMPRESSION 497#if ENABLE_COMPRESSION
395 u8 cdata[MAX_MTU]; 498 u8 cdata[MAX_MTU];
396 499
397 if (type == PT_DATA_COMPRESSED) 500 if (type == PT_DATA_COMPRESSED)
399 else 502 else
400#endif 503#endif
401 d = &(*p)[6 + 6 - DATAHDR]; 504 d = &(*p)[6 + 6 - DATAHDR];
402 505
403 /* this overwrites part of the src mac, but we fix that later */ 506 /* this overwrites part of the src mac, but we fix that later */
404 EVP_DecryptUpdate (cctx, 507 require (EVP_DecryptUpdate (cctx,
405 d, &outl2, 508 d, &outl2,
406 (unsigned char *)&data, len - data_hdr_size ()); 509 (unsigned char *)&data, len - data_hdr_size ()));
407 outl += outl2; 510 outl += outl2;
408 511
409 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 512 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
410 outl += outl2; 513 outl += outl2;
411 514
412 seqno = ntohl (*(u32 *)(d + RAND_SIZE)); 515 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
413 516
414 id2mac (dst () ? dst() : THISNODE->id, p->dst); 517 id2mac (dst () ? dst() : THISNODE->id, p->dst);
439 } 542 }
440}; 543};
441 544
442struct config_packet : vpn_packet 545struct config_packet : vpn_packet
443{ 546{
444 // actually, hmaclen cannot be checked because the hmac
445 // field comes before this data, so peers with other
446 // hmacs simply will not work.
447 u8 prot_major, prot_minor, randsize, hmaclen; 547 u8 prot_major, prot_minor, randsize;
448 u8 flags, challengelen, pad2, pad3; 548 u8 flags, features, pad6, pad7, pad8;
449 u32 cipher_nid, digest_nid, hmac_nid; 549 u32 cipher_nid, mac_nid, auth_nid;
450
451 const u8 curflags () const
452 {
453 return 0x80
454 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
455 }
456 550
457 void setup (ptype type, int dst); 551 void setup (ptype type, int dst);
458 bool chk_config () const; 552 bool chk_config () const;
553
554 static u8 get_features ()
555 {
556 u8 f = 0;
557#if ENABLE_COMPRESSION
558 f |= FEATURE_COMPRESSION;
559#endif
560#if ENABLE_ROHC
561 f |= FEATURE_ROHC;
562#endif
563#if ENABLE_BRIDGING
564 f |= FEATURE_BRIDGING;
565#endif
566 return f;
567 }
459}; 568};
460 569
570void
461void config_packet::setup (ptype type, int dst) 571config_packet::setup (ptype type, int dst)
462{ 572{
463 prot_major = PROTOCOL_MAJOR; 573 prot_major = PROTOCOL_MAJOR;
464 prot_minor = PROTOCOL_MINOR; 574 prot_minor = PROTOCOL_MINOR;
465 randsize = RAND_SIZE; 575 randsize = RAND_SIZE;
466 hmaclen = HMACLENGTH; 576 flags = 0;
467 flags = curflags (); 577 features = get_features ();
468 challengelen = sizeof (rsachallenge);
469 578
470 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 579 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER ()));
471 digest_nid = htonl (EVP_MD_type (RSA_HASH));
472 hmac_nid = htonl (EVP_MD_type (DIGEST)); 580 mac_nid = htonl (EVP_MD_type (MAC_DIGEST ()));
581 auth_nid = htonl (EVP_MD_type (AUTH_DIGEST ()));
473 582
474 len = sizeof (*this) - sizeof (net_packet); 583 len = sizeof (*this) - sizeof (net_packet);
475 set_hdr (type, dst); 584 set_hdr (type, dst);
476} 585}
477 586
587bool
478bool config_packet::chk_config () const 588config_packet::chk_config () const
479{ 589{
480 return prot_major == PROTOCOL_MAJOR 590 if (prot_major != PROTOCOL_MAJOR)
481 && randsize == RAND_SIZE 591 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
482 && hmaclen == HMACLENGTH 592 else if (randsize != RAND_SIZE)
483 && flags == curflags () 593 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
484 && challengelen == sizeof (rsachallenge)
485 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 594 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER ())))
486 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 595 slog (L_WARN, _("cipher algo mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER ()));
487 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 596 else if (mac_nid != htonl (EVP_MD_type (MAC_DIGEST ())))
488} 597 slog (L_WARN, _("mac algo mismatch (remote %x <=> local %x)"), ntohl (mac_nid), EVP_MD_type (MAC_DIGEST ()));
598 else if (auth_nid != htonl (EVP_MD_type (AUTH_DIGEST ())))
599 slog (L_WARN, _("auth algo mismatch (remote %x <=> local %x)"), ntohl (auth_nid), EVP_MD_type (AUTH_DIGEST ()));
600 else
601 return true;
489 602
603 return false;
604}
605
490struct auth_req_packet : config_packet 606struct auth_req_packet : config_packet // UNPROTECTED
491{ 607{
492 char magic[8]; 608 char magic[8];
493 u8 initiate; // false if this is just an automatic reply 609 u8 initiate; // false if this is just an automatic reply
494 u8 protocols; // supported protocols (will get patches on forward) 610 u8 protocols; // supported protocols (will be patched on forward)
495 u8 pad2, pad3; 611 u8 pad2, pad3;
496 rsaid id; 612 auth_encr encr;
497 rsaencrdata encr;
498 613
499 auth_req_packet (int dst, bool initiate_, u8 protocols_) 614 auth_req_packet (int dst, bool initiate_, u8 protocols_)
500 { 615 {
501 config_packet::setup (PT_AUTH_REQ, dst); 616 config_packet::setup (PT_AUTH_REQ, dst);
502 strncpy (magic, MAGIC, 8); 617 memcpy (magic, MAGIC, 8);
503 initiate = !!initiate_; 618 initiate = !!initiate_;
504 protocols = protocols_; 619 protocols = protocols_;
505 620
506 len = sizeof (*this) - sizeof (net_packet); 621 len = sizeof (*this) - sizeof (net_packet);
507 } 622 }
508}; 623};
509 624
510struct auth_res_packet : config_packet 625struct auth_res_packet : config_packet // UNPROTECTED
511{ 626{
512 rsaid id;
513 u8 pad1, pad2, pad3;
514 u8 response_len; // encrypted length
515 rsaresponse response; 627 auth_response response;
516 628
517 auth_res_packet (int dst) 629 auth_res_packet (int dst)
518 { 630 {
519 config_packet::setup (PT_AUTH_RES, dst); 631 config_packet::setup (PT_AUTH_RES, dst);
520 632
554}; 666};
555 667
556///////////////////////////////////////////////////////////////////////////// 668/////////////////////////////////////////////////////////////////////////////
557 669
558void 670void
559connection::connection_established () 671connection::connection_established (const sockinfo &rsi)
560{ 672{
673 if (!have_snd_auth || !have_rcv_auth)
674 return;
675
676 si = rsi;
677 protocol = rsi.prot;
678
679 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
680 conf->nodename, (const char *)rsi,
681 is_direct ? "direct" : "forwarded",
682 PROTOCOL_MAJOR, prot_minor);
683
684 if (::conf.script_node_up)
685 {
686 run_script_cb *cb = new run_script_cb;
687 cb->set<connection, &connection::script_node_up> (this);
688 run_script_queued (cb, _("node-up command execution failed, continuing."));
689 }
690
691 delete ictx; ictx = new crypto_ctx (rcv_auth, snd_auth, rcv_ecdh_a, rcv_auth.ecdh, 0);
692 iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff);
693
694 delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b , 1);
695 oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff;
696
561 if (ictx && octx) 697 if (ictx && octx)
562 { 698 {
563 connectmode = conf->connectmode; 699 // make sure rekeying timeouts are slightly asymmetric
700 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
701 rekey.start (rekey_interval, rekey_interval);
564 702
565 rekey.start (NOW + ::conf.rekey);
566 keepalive.start (NOW + ::conf.keepalive); 703 keepalive.start (::conf.keepalive);
567 704
568 // send queued packets 705 // send queued packets
569 if (ictx && octx) 706 if (ictx && octx)
707 {
570 while (tap_packet *p = queue.get ()) 708 while (tap_packet *p = (tap_packet *)data_queue.get ())
571 { 709 {
572 send_data_packet (p); 710 if (p->len) send_data_packet (p);
573 delete p; 711 delete p;
574 } 712 }
713
714 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
715 {
716 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
717 delete p;
718 }
719 }
720
721 vpn->connection_established (this);
575 } 722 }
723#if 0
576 else 724 else
577 { 725 {
578 retry_cnt = 0; 726 retry_cnt = 0;
579 establish_connection.start (NOW + 5); 727 establish_connection.start (5);
580 keepalive.reset (); 728 keepalive.stop ();
581 rekey.reset (); 729 rekey.stop ();
582 } 730 }
731#endif
583} 732}
584 733
585void 734void
586connection::reset_si () 735connection::reset_si ()
587{ 736{
737 if (vpn->can_direct (THISNODE, conf))
588 protocol = best_protocol (THISNODE->protocols & conf->protocols); 738 protocol = best_protocol (THISNODE->protocols & conf->connectable_protocols ());
589 739 else
590 // mask out protocols we cannot establish 740 {
591 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 741 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
592 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 742 protocol = 0;
743 }
593 744
594 si.set (conf, protocol); 745 si.set (conf, protocol);
746
747 is_direct = si.valid ();
595} 748}
596 749
597// ensure sockinfo is valid, forward if necessary 750// ensure sockinfo is valid, forward if necessary
598const sockinfo & 751const sockinfo &
599connection::forward_si (const sockinfo &si) const 752connection::forward_si (const sockinfo &si) const
600{ 753{
601 if (!si.valid ()) 754 if (!si.valid ())
602 { 755 {
603 connection *r = vpn->find_router (); 756 connection *r = vpn->find_router_for (this);
604 757
605 if (r) 758 if (r)
606 { 759 {
607 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"), 760 slog (L_DEBUG, _("%s: no common protocol, trying to route through %s."),
608 conf->nodename, r->conf->nodename); 761 conf->nodename, r->conf->nodename);
609 return r->si; 762 return r->si;
610 } 763 }
611 else 764 else
612 slog (L_DEBUG, _("%s: node unreachable, no common protocol"), 765 slog (L_DEBUG, _("%s: node unreachable, no common protocol or no router available."),
613 conf->nodename); 766 conf->nodename);
614 } 767 }
615 768
616 return si; 769 return si;
617} 770}
627connection::send_ping (const sockinfo &si, u8 pong) 780connection::send_ping (const sockinfo &si, u8 pong)
628{ 781{
629 ping_packet *pkt = new ping_packet; 782 ping_packet *pkt = new ping_packet;
630 783
631 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 784 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
785
786 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
632 send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 787 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
633 788
634 delete pkt; 789 delete pkt;
635} 790}
636 791
651void 806void
652connection::send_auth_request (const sockinfo &si, bool initiate) 807connection::send_auth_request (const sockinfo &si, bool initiate)
653{ 808{
654 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols); 809 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
655 810
656 rsachallenge chg; 811 generate_auth_data ();
812 auth_encrypt (conf->rsa_key, snd_auth, pkt->encr);
657 813
658 rsa_cache.gen (pkt->id, chg);
659
660 if (0 > RSA_public_encrypt (sizeof chg,
661 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
662 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
663 fatal ("RSA_public_encrypt error");
664
665 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 814 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
666
667 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly 815 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
668 816
669 delete pkt; 817 delete pkt;
670} 818}
671 819
672void 820void
673connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg) 821connection::send_auth_response (const sockinfo &si)
674{ 822{
675 auth_res_packet *pkt = new auth_res_packet (conf->id); 823 auth_res_packet *pkt = new auth_res_packet (conf->id);
676 824
677 pkt->id = id; 825 auth_hash (rcv_auth, pkt->response.mac);
826 memcpy (pkt->response.ecdh, rcv_ecdh_b, sizeof (rcv_ecdh_b));
678 827
679 rsa_hash (id, chg, pkt->response);
680
681 pkt->hmac_set (octx);
682
683 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 828 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
684
685 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 829 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
686 830
687 delete pkt; 831 delete pkt;
688} 832}
689 833
690void 834void
691connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 835connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
692{ 836{
693 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 837 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s,p%02x)", conf->nodename,
694 conf->id, rid, (const char *)rsi); 838 vpn->conns[rid - 1]->conf->nodename, (const char *)rsi,
839 conf->protocols);
695 840
696 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 841 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
697 842
698 r->hmac_set (octx); 843 r->hmac_set (octx);
699 send_vpn_packet (r, si); 844 send_vpn_packet (r, si);
700 845
701 delete r; 846 delete r;
702} 847}
703 848
704void 849inline void
705connection::establish_connection_cb (time_watcher &w) 850connection::establish_connection_cb (ev::timer &w, int revents)
706{ 851{
707 if (ictx || conf == THISNODE 852 if (!(ictx && octx)
853 && conf != THISNODE
708 || connectmode == conf_node::C_NEVER 854 && connectmode != conf_node::C_NEVER
709 || connectmode == conf_node::C_DISABLED) 855 && connectmode != conf_node::C_DISABLED
710 w.at = TSTAMP_CANCEL; 856 && !w.is_active ())
711 else if (w.at <= NOW)
712 { 857 {
713 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 858 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
714 859 // and stop trying. should probably be handled by a per-connection expire handler.
715 if (retry_int < 3600 * 8) 860 if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
861 {
862 reset_connection ();
716 retry_cnt++; 863 return;
864 }
717 865
718 w.at = NOW + retry_int; 866 last_establish_attempt = ev_now ();
867
868 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
869 ? (retry_cnt & 3) + 1
870 : 1 << (retry_cnt >> 2));
719 871
720 reset_si (); 872 reset_si ();
721 873
722 if (si.prot && !si.host) 874 bool slow = si.prot & PROT_SLOW;
875
876 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
877 {
878 /*TODO*/ /* start the timer so we don't recurse endlessly */
879 w.start (1);
723 vpn->send_connect_request (conf->id); 880 vpn->send_connect_request (this);
881 }
724 else 882 else
725 { 883 {
884 if (si.valid ())
885 slog (L_DEBUG, _("%s: sending direct connection request to %s."),
886 conf->nodename, (const char *)si);
887
726 const sockinfo &dsi = forward_si (si); 888 const sockinfo &dsi = forward_si (si);
889
890 slow = slow || (dsi.prot & PROT_SLOW);
727 891
728 if (dsi.valid () && auth_rate_limiter.can (dsi)) 892 if (dsi.valid () && auth_rate_limiter.can (dsi))
729 { 893 {
730 if (retry_cnt < 4) 894 if (retry_cnt < 4)
731 send_auth_request (dsi, true); 895 send_auth_request (dsi, true);
732 else 896 else
733 send_ping (dsi, 0); 897 send_ping (dsi, 0);
734 } 898 }
735 } 899 }
900
901 retry_int *= slow ? 8. : 0.9;
902
903 if (retry_int < conf->max_retry)
904 retry_cnt++;
905 else
906 retry_int = conf->max_retry;
907
908 w.start (retry_int);
736 } 909 }
737} 910}
738 911
739void 912void
740connection::reset_connection () 913connection::reset_connection ()
743 { 916 {
744 slog (L_INFO, _("%s(%s): connection lost"), 917 slog (L_INFO, _("%s(%s): connection lost"),
745 conf->nodename, (const char *)si); 918 conf->nodename, (const char *)si);
746 919
747 if (::conf.script_node_down) 920 if (::conf.script_node_down)
748 run_script (run_script_cb (this, &connection::script_node_down), false); 921 {
922 run_script_cb *cb = new run_script_cb;
923 cb->set<connection, &connection::script_node_down> (this);
924 run_script_queued (cb, _("node-down command execution failed, continuing."));
925 }
749 } 926 }
750 927
751 delete ictx; ictx = 0; 928 delete ictx; ictx = 0;
752 delete octx; octx = 0; 929 delete octx; octx = 0;
753 930
754 si.host= 0; 931 si.host = 0;
755 932
933 have_snd_auth = false;
934 have_rcv_auth = false;
935 auth_expire = 0.;
936
756 last_activity = 0; 937 last_activity = 0.;
938 //last_si_change = 0.;
757 retry_cnt = 0; 939 retry_cnt = 0;
758 940
759 rekey.reset (); 941 rekey.stop ();
760 keepalive.reset (); 942 keepalive.stop ();
761 establish_connection.reset (); 943 establish_connection.stop ();
762} 944}
763 945
764void 946void
765connection::shutdown () 947connection::shutdown ()
766{ 948{
768 send_reset (si); 950 send_reset (si);
769 951
770 reset_connection (); 952 reset_connection ();
771} 953}
772 954
773void 955// poor-man's rekeying
774connection::rekey_cb (time_watcher &w) 956inline void
957connection::rekey_cb (ev::timer &w, int revents)
775{ 958{
776 w.at = TSTAMP_CANCEL;
777
778 reset_connection (); 959 reset_connection ();
779 establish_connection (); 960 establish_connection ();
780} 961}
781 962
782void 963void
783connection::send_data_packet (tap_packet *pkt, bool broadcast) 964connection::send_data_packet (tap_packet *pkt)
784{ 965{
785 vpndata_packet *p = new vpndata_packet; 966 vpndata_packet *p = new vpndata_packet;
786 int tos = 0; 967 int tos = 0;
787 968
788 if (conf->inherit_tos 969 // I am not hilarious about peeking into packets, but so be it.
789 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 970 if (conf->inherit_tos && pkt->is_ipv4 ())
790 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
791 tos = (*pkt)[15] & IPTOS_TOS_MASK; 971 tos = (*pkt)[15] & IPTOS_TOS_MASK;
792 972
793 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 973 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
794 send_vpn_packet (p, si, tos); 974 send_vpn_packet (p, si, tos);
795 975
796 delete p; 976 delete p;
797 977
798 if (oseqno > MAX_SEQNO) 978 if (oseqno > MAX_SEQNO)
799 rekey (); 979 rekey ();
800} 980}
801 981
802void 982void
983connection::post_inject_queue ()
984{
985 // force a connection every now and when when packets are sent (max 1/s)
986 if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
987 establish_connection.stop ();
988
989 establish_connection ();
990}
991
992void
803connection::inject_data_packet (tap_packet *pkt, bool broadcast) 993connection::inject_data_packet (tap_packet *pkt)
804{ 994{
805 if (ictx && octx) 995 if (ictx && octx)
806 send_data_packet (pkt, broadcast); 996 send_data_packet (pkt);
807 else 997 else
808 { 998 {
809 if (!broadcast)//DDDD
810 queue.put (new tap_packet (*pkt)); 999 data_queue.put (new tap_packet (*pkt));
811 1000 post_inject_queue ();
812 establish_connection ();
813 } 1001 }
814} 1002}
815 1003
1004void
816void connection::inject_vpn_packet (vpn_packet *pkt, int tos) 1005connection::inject_vpn_packet (vpn_packet *pkt, int tos)
817{ 1006{
818 if (ictx && octx) 1007 if (ictx && octx)
819 send_vpn_packet (pkt, si, tos); 1008 send_vpn_packet (pkt, si, tos);
820 else 1009 else
821 establish_connection (); 1010 {
1011 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
1012 post_inject_queue ();
1013 }
822} 1014}
823 1015
824void 1016void
825connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 1017connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
826{ 1018{
827 last_activity = NOW; 1019 last_activity = ev_now ();
828 1020
829 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 1021 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
830 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 1022 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1023
1024 if (connectmode == conf_node::C_DISABLED)
1025 return;
831 1026
832 switch (pkt->typ ()) 1027 switch (pkt->typ ())
833 { 1028 {
834 case vpn_packet::PT_PING: 1029 case vpn_packet::PT_PING:
1030 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1031
835 // we send pings instead of auth packets after some retries, 1032 // we send pings instead of auth packets after some retries,
836 // so reset the retry counter and establish a connection 1033 // so reset the retry counter and establish a connection
837 // when we receive a ping. 1034 // when we receive a ping.
838 if (!ictx) 1035 if (!ictx)
839 { 1036 {
840 if (auth_rate_limiter.can (rsi)) 1037 if (auth_rate_limiter.can (rsi))
841 send_auth_request (rsi, true); 1038 send_auth_request (rsi, true);
842 } 1039 }
843 else 1040 else
1041 // we would love to change the socket address here, but ping's aren't
1042 // authenticated, so we best ignore it.
844 send_ping (rsi, 1); // pong 1043 send_ping (rsi, 1); // pong
845 1044
846 break; 1045 break;
847 1046
848 case vpn_packet::PT_PONG: 1047 case vpn_packet::PT_PONG:
1048 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1049
1050 // a PONG might mean that the other side doesn't really know
1051 // about our desire for communication.
1052 establish_connection ();
849 break; 1053 break;
850 1054
851 case vpn_packet::PT_RESET: 1055 case vpn_packet::PT_RESET:
852 { 1056 {
853 reset_connection (); 1057 reset_connection ();
854 1058
855 config_packet *p = (config_packet *) pkt; 1059 config_packet *p = (config_packet *) pkt;
856 1060
857 if (!p->chk_config ()) 1061 if (!p->chk_config ())
858 { 1062 {
859 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"), 1063 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
860 conf->nodename, (const char *)rsi); 1064 conf->nodename, (const char *)rsi);
861 connectmode = conf_node::C_DISABLED; 1065 connectmode = conf_node::C_DISABLED;
862 } 1066 }
863 else if (connectmode == conf_node::C_ALWAYS) 1067 else if (connectmode == conf_node::C_ALWAYS)
864 establish_connection (); 1068 establish_connection ();
866 break; 1070 break;
867 1071
868 case vpn_packet::PT_AUTH_REQ: 1072 case vpn_packet::PT_AUTH_REQ:
869 if (auth_rate_limiter.can (rsi)) 1073 if (auth_rate_limiter.can (rsi))
870 { 1074 {
871 auth_req_packet *p = (auth_req_packet *) pkt; 1075 auth_req_packet *p = (auth_req_packet *)pkt;
872 1076
873 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 1077 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s,p%02x,f%02x)",
1078 conf->nodename, p->initiate ? "initiate" : "reply",
1079 p->protocols, p->features);
874 1080
875 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 1081 if (p->chk_config () && !memcmp (p->magic, MAGIC, 8))
876 { 1082 {
877 if (p->prot_minor != PROTOCOL_MINOR) 1083 if (p->prot_minor != PROTOCOL_MINOR)
878 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 1084 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
879 conf->nodename, (const char *)rsi, 1085 conf->nodename, (const char *)rsi,
880 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 1086 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
881 1087
882 if (p->initiate) 1088 if (p->initiate)
883 send_auth_request (rsi, false); 1089 send_auth_request (rsi, false);
884 1090
885 rsachallenge k; 1091 auth_data auth;
886 1092
887 if (0 > RSA_private_decrypt (sizeof (p->encr), 1093 if (!auth_decrypt (::conf.rsa_key, p->encr, auth))
888 (unsigned char *)&p->encr, (unsigned char *)&k, 1094 {
889 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
890 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 1095 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
891 conf->nodename, (const char *)rsi); 1096 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1097 }
892 else 1098 else
893 { 1099 {
894 delete octx; 1100 bool chg = !have_rcv_auth || memcmp (&rcv_auth, &auth, sizeof auth);
895 1101
896 octx = new crypto_ctx (k, 1); 1102 rcv_auth = auth;
897 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 1103 have_rcv_auth = true;
898 1104
1105 send_auth_response (rsi);
1106
1107 if (chg)
1108 {
899 conf->protocols = p->protocols; 1109 conf->protocols = p->protocols;
1110 features = p->features & config_packet::get_features ();
900 1111
901 send_auth_response (rsi, p->id, k);
902
903 connection_established (); 1112 connection_established (rsi);
904
905 break; 1113 }
906 } 1114 }
1115
1116 break;
907 } 1117 }
1118 else
1119 slog (L_WARN, _("%s(%s): protocol mismatch."),
1120 conf->nodename, (const char *)rsi);
908 1121
909 send_reset (rsi); 1122 send_reset (rsi);
910 } 1123 }
911 1124
912 break; 1125 break;
913 1126
914 case vpn_packet::PT_AUTH_RES: 1127 case vpn_packet::PT_AUTH_RES:
915 { 1128 {
916 auth_res_packet *p = (auth_res_packet *) pkt; 1129 auth_res_packet *p = (auth_res_packet *)pkt;
917 1130
918 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 1131 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
919 1132
920 if (p->chk_config ()) 1133 if (p->chk_config ())
921 { 1134 {
922 if (p->prot_minor != PROTOCOL_MINOR) 1135 if (memcmp (&p->response.mac, snd_auth_mac, sizeof (snd_auth_mac)))
923 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
924 conf->nodename, (const char *)rsi,
925 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
926
927 rsachallenge chg;
928
929 if (!rsa_cache.find (p->id, chg))
930 slog (L_ERR, _("%s(%s): unrequested auth response"),
931 conf->nodename, (const char *)rsi);
932 else
933 { 1136 {
934 crypto_ctx *cctx = new crypto_ctx (chg, 0); 1137 slog (L_ERR, _("%s(%s): unrequested or outdated auth response, ignoring."),
935
936 if (!p->hmac_chk (cctx))
937 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
938 "could be an attack, or just corruption or an synchronization error"),
939 conf->nodename, (const char *)rsi); 1138 conf->nodename, (const char *)rsi);
940 else
941 {
942 rsaresponse h;
943
944 rsa_hash (p->id, chg, h);
945
946 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
947 {
948 prot_minor = p->prot_minor;
949
950 delete ictx; ictx = cctx;
951
952 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
953
954 si = rsi;
955 protocol = rsi.prot;
956
957 connection_established ();
958
959 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
960 conf->nodename, (const char *)rsi,
961 p->prot_major, p->prot_minor);
962
963 if (::conf.script_node_up)
964 run_script (run_script_cb (this, &connection::script_node_up), false);
965
966 break;
967 }
968 else
969 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
970 conf->nodename, (const char *)rsi);
971 }
972
973 delete cctx;
974 } 1139 }
1140 else if (!have_snd_auth)
1141 {
1142 if (p->prot_minor != PROTOCOL_MINOR)
1143 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1144 conf->nodename, (const char *)rsi,
1145 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1146
1147 prot_minor = p->prot_minor;
1148 memcpy (snd_ecdh_b, p->response.ecdh, sizeof (snd_ecdh_b));
1149
1150 have_snd_auth = true;
1151 connection_established (rsi);
1152 }
1153
1154 break;
975 } 1155 }
976 } 1156 }
977 1157
978 send_reset (rsi); 1158 send_reset (rsi);
979 break; 1159 break;
990 { 1170 {
991 vpndata_packet *p = (vpndata_packet *)pkt; 1171 vpndata_packet *p = (vpndata_packet *)pkt;
992 1172
993 if (!p->hmac_chk (ictx)) 1173 if (!p->hmac_chk (ictx))
994 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n" 1174 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
995 "could be an attack, or just corruption or an synchronization error"), 1175 "could be an attack, or just corruption or a synchronization error."),
996 conf->nodename, (const char *)rsi); 1176 conf->nodename, (const char *)rsi);
997 else 1177 else
998 { 1178 {
999 u32 seqno; 1179 u32 seqno;
1000 tap_packet *d = p->unpack (this, seqno); 1180 tap_packet *d = p->unpack (this, seqno);
1181 int seqclass = iseqno.seqno_classify (seqno);
1001 1182
1002 if (iseqno.recv_ok (seqno)) 1183 if (seqclass == 0) // ok
1003 { 1184 {
1004 vpn->tap->send (d); 1185 vpn->tap->send (d);
1005 1186
1006 if (p->dst () == 0) // re-broadcast
1007 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1008 {
1009 connection *c = *i;
1010
1011 if (c->conf != THISNODE && c->conf != conf)
1012 c->inject_data_packet (d);
1013 }
1014
1015 if (si != rsi) 1187 if (si != rsi)
1016 { 1188 {
1017 // fast re-sync on conneciton changes, useful especially for tcp/ip 1189 // fast re-sync on source address changes, useful especially for tcp/ip
1190 //if (last_si_change < ev_now () + 5.)
1018 si = rsi; 1191 // {
1019
1020 slog (L_INFO, _("%s(%s): socket address changed to %s"), 1192 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1021 conf->nodename, (const char *)si, (const char *)rsi); 1193 conf->nodename, (const char *)si, (const char *)rsi);
1194
1195 si = rsi;
1196
1197 if (::conf.script_node_change)
1198 {
1199 run_script_cb *cb = new run_script_cb;
1200 cb->set<connection, &connection::script_node_change> (this);
1201 run_script_queued (cb, _("node-change command execution failed, continuing."));
1202 }
1203
1204 // }
1205 //else
1206 // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1207 // conf->nodename, (const char *)si, (const char *)rsi);
1022 } 1208 }
1023
1024 delete d;
1025
1026 break;
1027 } 1209 }
1210 else if (seqclass == 1) // far history
1211 slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1212 "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1213 else if (seqclass == 2) // in-window duplicate, happens often on wireless
1214 slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1215 "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1216 else if (seqclass == 3) // reset
1217 {
1218 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1219 "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1220 send_reset (rsi);
1221 }
1222
1223 delete d;
1224 break;
1028 } 1225 }
1029 } 1226 }
1030 1227
1031 send_reset (rsi); 1228 send_reset (rsi);
1032 break; 1229 break;
1033 1230
1034 case vpn_packet::PT_CONNECT_REQ: 1231 case vpn_packet::PT_CONNECT_REQ:
1035 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1232 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1036 { 1233 {
1037 connect_req_packet *p = (connect_req_packet *) pkt; 1234 connect_req_packet *p = (connect_req_packet *)pkt;
1038 1235
1039 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1236 if (p->id > 0 && p->id <= vpn->conns.size ())
1040 connection *c = vpn->conns[p->id - 1];
1041 conf->protocols = p->protocols;
1042
1043 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1044 conf->id, p->id, c->ictx && c->octx);
1045
1046 if (c->ictx && c->octx)
1047 { 1237 {
1238 connection *c = vpn->conns[p->id - 1];
1239 conf->protocols = p->protocols;
1240
1241 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s,p%02x) [%d]",
1242 conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1243 p->protocols,
1244 c->ictx && c->octx);
1245
1246 if (c->ictx && c->octx)
1247 {
1048 // send connect_info packets to both sides, in case one is 1248 // send connect_info packets to both sides, in case one is
1049 // behind a nat firewall (or both ;) 1249 // behind a nat firewall (or both ;)
1050 c->send_connect_info (conf->id, si, conf->protocols); 1250 c->send_connect_info (conf->id, si, conf->protocols);
1051 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1251 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1252 }
1253 else
1254 c->establish_connection ();
1052 } 1255 }
1053 else 1256 else
1054 c->establish_connection (); 1257 slog (L_WARN,
1258 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1259 p->id);
1055 } 1260 }
1056 1261
1057 break; 1262 break;
1058 1263
1059 case vpn_packet::PT_CONNECT_INFO: 1264 case vpn_packet::PT_CONNECT_INFO:
1060 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1265 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1061 { 1266 {
1062 connect_info_packet *p = (connect_info_packet *) pkt; 1267 connect_info_packet *p = (connect_info_packet *)pkt;
1063 1268
1064 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1269 if (p->id > 0 && p->id <= vpn->conns.size ())
1065 1270 {
1066 connection *c = vpn->conns[p->id - 1]; 1271 connection *c = vpn->conns[p->id - 1];
1067 1272
1068 c->conf->protocols = p->protocols; 1273 c->conf->protocols = p->protocols;
1069 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1274 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1070 p->si.upgrade_protocol (protocol, c->conf); 1275 p->si.upgrade_protocol (protocol, c->conf);
1071 1276
1072 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1277 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s,protocols=%02x,protocol=%02x,upgradable=%02x) [%d]",
1073 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1278 conf->nodename,
1279 vpn->conns[p->id - 1]->conf->nodename,
1280 (const char *)p->si,
1281 p->protocols,
1282 protocol,
1283 p->si.supported_protocols (c->conf),
1284 !c->ictx && !c->octx);
1074 1285
1075 const sockinfo &dsi = forward_si (p->si); 1286 const sockinfo &dsi = forward_si (p->si);
1076 1287
1077 if (dsi.valid ()) 1288 if (dsi.valid ())
1078 c->send_auth_request (dsi, true); 1289 c->send_auth_request (dsi, true);
1290 else
1291 slog (L_INFO, "connect info for %s received (%s), but still unable to contact.",
1292 vpn->conns[p->id - 1]->conf->nodename,
1293 (const char *)p->si);
1294 }
1295 else
1296 slog (L_WARN,
1297 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1298 p->id);
1079 } 1299 }
1080 1300
1081 break; 1301 break;
1082 1302
1083 default: 1303 default:
1084 send_reset (rsi); 1304 send_reset (rsi);
1085 break; 1305 break;
1086 } 1306 }
1087} 1307}
1088 1308
1089void connection::keepalive_cb (time_watcher &w) 1309inline void
1310connection::keepalive_cb (ev::timer &w, int revents)
1090{ 1311{
1091 if (NOW >= last_activity + ::conf.keepalive + 30) 1312 ev_tstamp when = last_activity + ::conf.keepalive - ev::now ();
1313
1314 if (when >= 0)
1315 w.start (when);
1316 else if (when < -15)
1092 { 1317 {
1093 reset_connection (); 1318 reset_connection ();
1094 establish_connection (); 1319 establish_connection ();
1095 } 1320 }
1096 else if (NOW < last_activity + ::conf.keepalive)
1097 w.at = last_activity + ::conf.keepalive;
1098 else if (conf->connectmode != conf_node::C_ONDEMAND 1321 else if (conf->connectmode != conf_node::C_ONDEMAND
1099 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1322 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1100 { 1323 {
1324 w.start (3);
1101 send_ping (si); 1325 send_ping (si);
1102 w.at = NOW + 5;
1103 } 1326 }
1327 else if (when >= -10)
1328 // hold ondemand connections implicitly a few seconds longer
1329 // should delete octx, though, or something like that ;)
1330 w.start (when + 10);
1104 else 1331 else
1105 reset_connection (); 1332 reset_connection ();
1106} 1333}
1107 1334
1335void
1108void connection::send_connect_request (int id) 1336connection::send_connect_request (int id)
1109{ 1337{
1110 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1338 connect_req_packet *p = new connect_req_packet (conf->id, id, THISNODE->protocols);
1111 1339
1112 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1340 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s,p%02x)",
1341 conf->nodename, vpn->conns[id - 1]->conf->nodename,
1342 THISNODE->protocols);
1113 p->hmac_set (octx); 1343 p->hmac_set (octx);
1114 send_vpn_packet (p, si); 1344 send_vpn_packet (p, si);
1115 1345
1116 delete p; 1346 delete p;
1117} 1347}
1118 1348
1119void connection::script_node () 1349void
1350connection::script_init_env (const char *ext)
1120{ 1351{
1121 vpn->script_if_up ();
1122
1123 char *env; 1352 char *env;
1353 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1354 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1355 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1356 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1357 conf->id & 0xff); putenv (env);
1358}
1359
1360void
1361connection::script_init_connect_env ()
1362{
1363 vpn->script_init_env ();
1364
1365 char *env;
1124 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1366 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1367 asprintf (&env, "DESTSI=%s", (const char *)si); putenv (env);
1125 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1368 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1126 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1369 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1127 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1370 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1128} 1371}
1129 1372
1373inline const char *
1130const char *connection::script_node_up () 1374connection::script_node_up ()
1131{ 1375{
1132 script_node (); 1376 script_init_connect_env ();
1133 1377
1134 putenv ("STATE=up"); 1378 putenv ((char *)"STATE=up");
1135 1379
1380 char *filename;
1381 asprintf (&filename,
1382 "%s/%s",
1383 confbase,
1136 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1384 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1137}
1138 1385
1386 return filename;
1387}
1388
1389inline const char *
1390connection::script_node_change ()
1391{
1392 script_init_connect_env ();
1393
1394 putenv ((char *)"STATE=change");
1395
1396 char *filename;
1397 asprintf (&filename,
1398 "%s/%s",
1399 confbase,
1400 ::conf.script_node_change ? ::conf.script_node_change : "node-change");
1401
1402 return filename;
1403}
1404
1405inline const char *
1139const char *connection::script_node_down () 1406connection::script_node_down ()
1140{ 1407{
1141 script_node (); 1408 script_init_connect_env ();
1142 1409
1143 putenv ("STATE=down"); 1410 putenv ((char *)"STATE=down");
1144 1411
1145 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1412 char *filename;
1146} 1413 asprintf (&filename,
1414 "%s/%s",
1415 confbase,
1416 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1147 1417
1418 return filename;
1419}
1420
1148connection::connection(struct vpn *vpn_) 1421connection::connection (struct vpn *vpn, conf_node *conf)
1149: vpn(vpn_) 1422: vpn(vpn), conf(conf),
1150, rekey (this, &connection::rekey_cb) 1423#if ENABLE_DNS
1151, keepalive (this, &connection::keepalive_cb) 1424 dns (0),
1425#endif
1426 data_queue(conf->max_ttl, conf->max_queue + 1),
1427 vpn_queue(conf->max_ttl, conf->max_queue + 1)
1428{
1429 rekey .set<connection, &connection::rekey_cb > (this);
1430 keepalive .set<connection, &connection::keepalive_cb > (this);
1152, establish_connection (this, &connection::establish_connection_cb) 1431 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1153{ 1432
1433 last_establish_attempt = 0.;
1154 octx = ictx = 0; 1434 octx = ictx = 0;
1155 retry_cnt = 0;
1156 1435
1157 connectmode = conf_node::C_ALWAYS; // initial setting 1436 connectmode = conf->connectmode;
1437
1438 // queue a dummy packet to force an initial connection attempt
1439 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1440 vpn_queue.put (new net_packet);
1441
1158 reset_connection (); 1442 reset_connection ();
1159} 1443}
1160 1444
1161connection::~connection () 1445connection::~connection ()
1162{ 1446{
1163 shutdown (); 1447 shutdown ();
1164} 1448}
1165 1449
1450void
1166void connection_init () 1451connection_init ()
1167{ 1452{
1168 auth_rate_limiter.clear (); 1453 auth_rate_limiter.clear ();
1169 reset_rate_limiter.clear (); 1454 reset_rate_limiter.clear ();
1170} 1455}
1171 1456

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines