ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
Revision: 1.61
Committed: Sat Nov 10 19:43:37 2007 UTC (16 years, 6 months ago) by pcg
Content type: text/plain
Branch: MAIN
Changes since 1.60: +8 -0 lines
Log Message: 
*** empty log message ***

File Contents

# Content
1 /*
2 connection.C -- manage a single connection
3 Copyright (C) 2003-2005 Marc Lehmann <gvpe@schmorp.de>
4
5 This file is part of GVPE.
6
7 GVPE is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with gvpe; if not, write to the Free Software
19 Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 */
21
22 #include "config.h"
23
24 #include <list>
25
26 #include <openssl/rand.h>
27 #include <openssl/evp.h>
28 #include <openssl/rsa.h>
29 #include <openssl/err.h>
30
31 #include "conf.h"
32 #include "slog.h"
33 #include "device.h"
34 #include "vpn.h"
35 #include "connection.h"
36
37 #include "netcompat.h"
38
39 #if !HAVE_RAND_PSEUDO_BYTES
40 # define RAND_pseudo_bytes RAND_bytes
41 #endif
42
43 #define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
44
45 #define ULTRA_FAST 1
46 #define HLOG 15
47 #include "lzf/lzf.h"
48 #include "lzf/lzf_c.c"
49 #include "lzf/lzf_d.c"
50
51 struct crypto_ctx
52 {
53 EVP_CIPHER_CTX cctx;
54 HMAC_CTX hctx;
55
56 crypto_ctx (const rsachallenge &challenge, int enc);
57 ~crypto_ctx ();
58 };
59
60 crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
61 {
62 EVP_CIPHER_CTX_init (&cctx);
63 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
64 HMAC_CTX_init (&hctx);
65 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
66 }
67
68 crypto_ctx::~crypto_ctx ()
69 {
70 require (EVP_CIPHER_CTX_cleanup (&cctx));
71 HMAC_CTX_cleanup (&hctx);
72 }
73
74 static void
75 rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
76 {
77 EVP_MD_CTX ctx;
78
79 EVP_MD_CTX_init (&ctx);
80 require (EVP_DigestInit (&ctx, RSA_HASH));
81 require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
82 require (EVP_DigestUpdate(&ctx, &id, sizeof id));
83 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
84 EVP_MD_CTX_cleanup (&ctx);
85 }
86
87 struct rsa_entry {
88 tstamp expire;
89 rsaid id;
90 rsachallenge chg;
91 };
92
93 struct rsa_cache : list<rsa_entry>
94 {
95 void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
96
97 bool find (const rsaid &id, rsachallenge &chg)
98 {
99 for (iterator i = begin (); i != end (); ++i)
100 {
101 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev::ev_now ())
102 {
103 memcpy (&chg, &i->chg, sizeof chg);
104
105 erase (i);
106 return true;
107 }
108 }
109
110 if (!cleaner.is_active ())
111 cleaner.again ();
112
113 return false;
114 }
115
116 void gen (rsaid &id, rsachallenge &chg)
117 {
118 rsa_entry e;
119
120 RAND_bytes ((unsigned char *)&id, sizeof id);
121 RAND_bytes ((unsigned char *)&chg, sizeof chg);
122
123 e.expire = ev::ev_now () + RSA_TTL;
124 e.id = id;
125 memcpy (&e.chg, &chg, sizeof chg);
126
127 push_back (e);
128
129 if (!cleaner.is_active ())
130 cleaner.again ();
131 }
132
133 rsa_cache ()
134 : cleaner (this, &rsa_cache::cleaner_cb)
135 {
136 cleaner.set (RSA_TTL, RSA_TTL);
137 }
138
139 } rsa_cache;
140
141 void rsa_cache::cleaner_cb (ev::timer &w, int revents)
142 {
143 if (empty ())
144 w.stop ();
145 else
146 {
147 for (iterator i = begin (); i != end (); )
148 if (i->expire <= ev::ev_now ())
149 i = erase (i);
150 else
151 ++i;
152 }
153 }
154
155 //////////////////////////////////////////////////////////////////////////////
156
157 void pkt_queue::put (net_packet *p)
158 {
159 if (queue[i])
160 {
161 delete queue[i];
162 j = (j + 1) % QUEUEDEPTH;
163 }
164
165 queue[i] = p;
166
167 i = (i + 1) % QUEUEDEPTH;
168 }
169
170 net_packet *pkt_queue::get ()
171 {
172 net_packet *p = queue[j];
173
174 if (p)
175 {
176 queue[j] = 0;
177 j = (j + 1) % QUEUEDEPTH;
178 }
179
180 return p;
181 }
182
183 pkt_queue::pkt_queue ()
184 {
185 memset (queue, 0, sizeof (queue));
186 i = 0;
187 j = 0;
188 }
189
190 pkt_queue::~pkt_queue ()
191 {
192 for (i = QUEUEDEPTH; --i > 0; )
193 delete queue[i];
194 }
195
196 struct net_rateinfo {
197 u32 host;
198 double pcnt, diff;
199 tstamp last;
200 };
201
202 // only do action once every x seconds per host whole allowing bursts.
203 // this implementation ("splay list" ;) is inefficient,
204 // but low on resources.
205 struct net_rate_limiter : list<net_rateinfo>
206 {
207 # define NRL_ALPHA (1. - 1. / 600.) // allow bursts
208 # define NRL_CUTOFF 10. // one event every CUTOFF seconds
209 # define NRL_EXPIRE (NRL_CUTOFF * 30.) // expire entries after this time
210 # define NRL_MAXDIF (NRL_CUTOFF * (1. / (1. - NRL_ALPHA))) // maximum diff /count value
211
212 bool can (const sockinfo &si) { return can((u32)si.host); }
213 bool can (u32 host);
214 };
215
216 net_rate_limiter auth_rate_limiter, reset_rate_limiter;
217
218 bool net_rate_limiter::can (u32 host)
219 {
220 iterator i;
221
222 for (i = begin (); i != end (); )
223 if (i->host == host)
224 break;
225 else if (i->last < ev::ev_now () - NRL_EXPIRE)
226 i = erase (i);
227 else
228 i++;
229
230 if (i == end ())
231 {
232 net_rateinfo ri;
233
234 ri.host = host;
235 ri.pcnt = 1.;
236 ri.diff = NRL_MAXDIF;
237 ri.last = ev::ev_now ();
238
239 push_front (ri);
240
241 return true;
242 }
243 else
244 {
245 net_rateinfo ri (*i);
246 erase (i);
247
248 ri.pcnt = ri.pcnt * NRL_ALPHA;
249 ri.diff = ri.diff * NRL_ALPHA + (ev::ev_now () - ri.last);
250
251 ri.last = ev::ev_now ();
252
253 double dif = ri.diff / ri.pcnt;
254
255 bool send = dif > NRL_CUTOFF;
256
257 if (dif > NRL_MAXDIF)
258 {
259 ri.pcnt = 1.;
260 ri.diff = NRL_MAXDIF;
261 }
262 else if (send)
263 ri.pcnt++;
264
265 push_front (ri);
266
267 return send;
268 }
269 }
270
271 /////////////////////////////////////////////////////////////////////////////
272
273 unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE];
274
275 void hmac_packet::hmac_gen (crypto_ctx *ctx)
276 {
277 unsigned int xlen;
278
279 HMAC_CTX *hctx = &ctx->hctx;
280
281 HMAC_Init_ex (hctx, 0, 0, 0, 0);
282 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
283 len - sizeof (hmac_packet));
284 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
285 }
286
287 void
288 hmac_packet::hmac_set (crypto_ctx *ctx)
289 {
290 hmac_gen (ctx);
291
292 memcpy (hmac, hmac_digest, HMACLENGTH);
293 }
294
295 bool
296 hmac_packet::hmac_chk (crypto_ctx *ctx)
297 {
298 hmac_gen (ctx);
299
300 return !memcmp (hmac, hmac_digest, HMACLENGTH);
301 }
302
303 void vpn_packet::set_hdr (ptype type_, unsigned int dst)
304 {
305 type = type_;
306
307 int src = THISNODE->id;
308
309 src1 = src;
310 srcdst = ((src >> 8) << 4) | (dst >> 8);
311 dst1 = dst;
312 }
313
314 #define MAXVPNDATA (MAX_MTU - 6 - 6)
315 #define DATAHDR (sizeof (u32) + RAND_SIZE)
316
317 struct vpndata_packet : vpn_packet
318 {
319 u8 data[MAXVPNDATA + DATAHDR]; // seqno
320
321 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
322 tap_packet *unpack (connection *conn, u32 &seqno);
323 private:
324
325 const u32 data_hdr_size () const
326 {
327 return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
328 }
329 };
330
331 void
332 vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
333 {
334 EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
335 int outl = 0, outl2;
336 ptype type = PT_DATA_UNCOMPRESSED;
337
338 #if ENABLE_COMPRESSION
339 u8 cdata[MAX_MTU];
340
341 if (conn->features & ENABLE_COMPRESSION)
342 {
343 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
344
345 if (cl)
346 {
347 type = PT_DATA_COMPRESSED;
348 d = cdata;
349 l = cl + 2;
350
351 d[0] = cl >> 8;
352 d[1] = cl;
353 }
354 }
355 #endif
356
357 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
358
359 struct {
360 #if RAND_SIZE
361 u8 rnd[RAND_SIZE];
362 #endif
363 u32 seqno;
364 } datahdr;
365
366 datahdr.seqno = ntohl (seqno);
367 #if RAND_SIZE
368 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
369 #endif
370
371 require (EVP_EncryptUpdate (cctx,
372 (unsigned char *) data + outl, &outl2,
373 (unsigned char *) &datahdr, DATAHDR));
374 outl += outl2;
375
376 require (EVP_EncryptUpdate (cctx,
377 (unsigned char *) data + outl, &outl2,
378 (unsigned char *) d, l));
379 outl += outl2;
380
381 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
382 outl += outl2;
383
384 len = outl + data_hdr_size ();
385
386 set_hdr (type, dst);
387
388 hmac_set (conn->octx);
389 }
390
391 tap_packet *
392 vpndata_packet::unpack (connection *conn, u32 &seqno)
393 {
394 EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
395 int outl = 0, outl2;
396 tap_packet *p = new tap_packet;
397 u8 *d;
398 u32 l = len - data_hdr_size ();
399
400 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
401
402 #if ENABLE_COMPRESSION
403 u8 cdata[MAX_MTU];
404
405 if (type == PT_DATA_COMPRESSED)
406 d = cdata;
407 else
408 #endif
409 d = &(*p)[6 + 6 - DATAHDR];
410
411 /* this overwrites part of the src mac, but we fix that later */
412 require (EVP_DecryptUpdate (cctx,
413 d, &outl2,
414 (unsigned char *)&data, len - data_hdr_size ()));
415 outl += outl2;
416
417 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
418 outl += outl2;
419
420 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
421
422 id2mac (dst () ? dst() : THISNODE->id, p->dst);
423 id2mac (src (), p->src);
424
425 #if ENABLE_COMPRESSION
426 if (type == PT_DATA_COMPRESSED)
427 {
428 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
429
430 p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
431 &(*p)[6 + 6], MAX_MTU)
432 + 6 + 6;
433 }
434 else
435 p->len = outl + (6 + 6 - DATAHDR);
436 #endif
437
438 return p;
439 }
440
441 struct ping_packet : vpn_packet
442 {
443 void setup (int dst, ptype type)
444 {
445 set_hdr (type, dst);
446 len = sizeof (*this) - sizeof (net_packet);
447 }
448 };
449
450 struct config_packet : vpn_packet
451 {
452 // actually, hmaclen cannot be checked because the hmac
453 // field comes before this data, so peers with other
454 // hmacs simply will not work.
455 u8 prot_major, prot_minor, randsize, hmaclen;
456 u8 flags, challengelen, features, pad3;
457 u32 cipher_nid, digest_nid, hmac_nid;
458
459 void setup (ptype type, int dst);
460 bool chk_config () const;
461
462 static u8 get_features ()
463 {
464 u8 f = 0;
465 #if ENABLE_COMPRESSION
466 f |= FEATURE_COMPRESSION;
467 #endif
468 #if ENABLE_ROHC
469 f |= FEATURE_ROHC;
470 #endif
471 #if ENABLE_BRIDGING
472 f |= FEATURE_BRIDGING;
473 #endif
474 return f;
475 }
476 };
477
478 void config_packet::setup (ptype type, int dst)
479 {
480 prot_major = PROTOCOL_MAJOR;
481 prot_minor = PROTOCOL_MINOR;
482 randsize = RAND_SIZE;
483 hmaclen = HMACLENGTH;
484 flags = 0;
485 challengelen = sizeof (rsachallenge);
486 features = get_features ();
487
488 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
489 digest_nid = htonl (EVP_MD_type (RSA_HASH));
490 hmac_nid = htonl (EVP_MD_type (DIGEST));
491
492 len = sizeof (*this) - sizeof (net_packet);
493 set_hdr (type, dst);
494 }
495
496 bool config_packet::chk_config () const
497 {
498 if (prot_major != PROTOCOL_MAJOR)
499 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
500 else if (randsize != RAND_SIZE)
501 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
502 else if (hmaclen != HMACLENGTH)
503 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
504 else if (challengelen != sizeof (rsachallenge))
505 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
506 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
507 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
508 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
509 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
510 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
511 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
512 else
513 return true;
514
515 return false;
516 }
517
518 struct auth_req_packet : config_packet
519 {
520 char magic[8];
521 u8 initiate; // false if this is just an automatic reply
522 u8 protocols; // supported protocols (will be patched on forward)
523 u8 pad2, pad3;
524 rsaid id;
525 rsaencrdata encr;
526
527 auth_req_packet (int dst, bool initiate_, u8 protocols_)
528 {
529 config_packet::setup (PT_AUTH_REQ, dst);
530 strncpy (magic, MAGIC, 8);
531 initiate = !!initiate_;
532 protocols = protocols_;
533
534 len = sizeof (*this) - sizeof (net_packet);
535 }
536 };
537
538 struct auth_res_packet : config_packet
539 {
540 rsaid id;
541 u8 pad1, pad2, pad3;
542 u8 response_len; // encrypted length
543 rsaresponse response;
544
545 auth_res_packet (int dst)
546 {
547 config_packet::setup (PT_AUTH_RES, dst);
548
549 len = sizeof (*this) - sizeof (net_packet);
550 }
551 };
552
553 struct connect_req_packet : vpn_packet
554 {
555 u8 id, protocols;
556 u8 pad1, pad2;
557
558 connect_req_packet (int dst, int id_, u8 protocols_)
559 : id(id_)
560 , protocols(protocols_)
561 {
562 set_hdr (PT_CONNECT_REQ, dst);
563 len = sizeof (*this) - sizeof (net_packet);
564 }
565 };
566
567 struct connect_info_packet : vpn_packet
568 {
569 u8 id, protocols;
570 u8 pad1, pad2;
571 sockinfo si;
572
573 connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
574 : id(id_)
575 , protocols(protocols_)
576 , si(si_)
577 {
578 set_hdr (PT_CONNECT_INFO, dst);
579
580 len = sizeof (*this) - sizeof (net_packet);
581 }
582 };
583
584 /////////////////////////////////////////////////////////////////////////////
585
586 void
587 connection::connection_established ()
588 {
589 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
590
591 if (ictx && octx)
592 {
593 connectmode = conf->connectmode;
594
595 // make sure rekeying timeouts are slightly asymmetric
596 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
597 rekey.start (rekey_interval, rekey_interval);
598 keepalive.start (::conf.keepalive);
599
600 // send queued packets
601 if (ictx && octx)
602 {
603 while (tap_packet *p = (tap_packet *)data_queue.get ())
604 {
605 send_data_packet (p);
606 delete p;
607 }
608
609 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
610 {
611 send_vpn_packet (p, si, IPTOS_RELIABILITY);
612 delete p;
613 }
614 }
615 }
616 else
617 {
618 retry_cnt = 0;
619 establish_connection.start (5);
620 keepalive.stop ();
621 rekey.stop ();
622 }
623 }
624
625 void
626 connection::reset_si ()
627 {
628 protocol = best_protocol (THISNODE->protocols & conf->protocols);
629
630 // mask out protocols we cannot establish
631 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
632 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
633 if (!conf->dns_port) protocol &= ~PROT_DNSv4;
634
635 if (protocol
636 && (!conf->can_direct (THISNODE)
637 || !THISNODE->can_direct (conf)))
638 {
639 slog (L_DEBUG, _("%s: direct connection denied"), conf->nodename);
640 protocol = 0;
641 }
642
643 si.set (conf, protocol);
644 }
645
646 // ensure sockinfo is valid, forward if necessary
647 const sockinfo &
648 connection::forward_si (const sockinfo &si) const
649 {
650 if (!si.valid ())
651 {
652 connection *r = vpn->find_router ();
653
654 if (r)
655 {
656 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s (%s)"),
657 conf->nodename, r->conf->nodename, (const char *)r->si);
658 return r->si;
659 }
660 else
661 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
662 conf->nodename);
663 }
664
665 return si;
666 }
667
668 void
669 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
670 {
671 if (!vpn->send_vpn_packet (pkt, si, tos))
672 reset_connection ();
673 }
674
675 void
676 connection::send_ping (const sockinfo &si, u8 pong)
677 {
678 ping_packet *pkt = new ping_packet;
679
680 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
681 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
682
683 delete pkt;
684 }
685
686 void
687 connection::send_reset (const sockinfo &si)
688 {
689 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
690 {
691 config_packet *pkt = new config_packet;
692
693 pkt->setup (vpn_packet::PT_RESET, conf->id);
694 send_vpn_packet (pkt, si, IPTOS_MINCOST);
695
696 delete pkt;
697 }
698 }
699
700 void
701 connection::send_auth_request (const sockinfo &si, bool initiate)
702 {
703 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
704
705 rsachallenge chg;
706 rsa_cache.gen (pkt->id, chg);
707 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
708
709 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
710
711 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
712
713 delete pkt;
714 }
715
716 void
717 connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
718 {
719 auth_res_packet *pkt = new auth_res_packet (conf->id);
720
721 pkt->id = id;
722
723 rsa_hash (id, chg, pkt->response);
724
725 pkt->hmac_set (octx);
726
727 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
728
729 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
730
731 delete pkt;
732 }
733
734 void
735 connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
736 {
737 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)",
738 conf->id, rid, (const char *)rsi);
739
740 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
741
742 r->hmac_set (octx);
743 send_vpn_packet (r, si);
744
745 delete r;
746 }
747
748 void
749 connection::establish_connection_cb (ev::timer &w, int revents)
750 {
751 if (!ictx
752 && conf != THISNODE
753 && connectmode != conf_node::C_NEVER
754 && connectmode != conf_node::C_DISABLED
755 && !w.is_active ())
756 {
757 ev::tstamp retry_int = ev::tstamp (retry_cnt & 3
758 ? (retry_cnt & 3) + 1
759 : 1 << (retry_cnt >> 2));
760
761 reset_si ();
762
763 bool slow = si.prot & PROT_SLOW;
764
765 if (si.prot && !si.host)
766 {
767 slog (L_TRACE, _("%s: connection request (indirect)"), conf->nodename);
768 /*TODO*/ /* start the timer so we don't recurse endlessly */
769 w.start (1);
770 vpn->send_connect_request (conf->id);
771 }
772 else
773 {
774 slog (L_TRACE, _("%s: connection request (direct)"), conf->nodename, !!ictx, !!octx);
775
776 const sockinfo &dsi = forward_si (si);
777
778 slow = slow || (dsi.prot & PROT_SLOW);
779
780 if (dsi.valid () && auth_rate_limiter.can (dsi))
781 {
782 if (retry_cnt < 4)
783 send_auth_request (dsi, true);
784 else
785 send_ping (dsi, 0);
786 }
787 }
788
789 retry_int *= slow ? 8. : 0.7;
790
791 if (retry_int < conf->max_retry)
792 retry_cnt++;
793 else
794 retry_int = conf->max_retry;
795
796 w.start (retry_int);
797 }
798 }
799
800 void
801 connection::reset_connection ()
802 {
803 if (ictx && octx)
804 {
805 slog (L_INFO, _("%s(%s): connection lost"),
806 conf->nodename, (const char *)si);
807
808 if (::conf.script_node_down)
809 if (!run_script (run_script_cb (this, &connection::script_node_down), false))
810 slog (L_WARN, _("node-down command execution failed, continuing."));
811 }
812
813 delete ictx; ictx = 0;
814 delete octx; octx = 0;
815 #if ENABLE_DNS
816 dnsv4_reset_connection ();
817 #endif
818
819 si.host = 0;
820
821 last_activity = 0;
822 retry_cnt = 0;
823
824 rekey.stop ();
825 keepalive.stop ();
826 establish_connection.stop ();
827 }
828
829 void
830 connection::shutdown ()
831 {
832 if (ictx && octx)
833 send_reset (si);
834
835 reset_connection ();
836 }
837
838 void
839 connection::rekey_cb (ev::timer &w, int revents)
840 {
841 reset_connection ();
842 establish_connection ();
843 }
844
845 void
846 connection::send_data_packet (tap_packet *pkt)
847 {
848 vpndata_packet *p = new vpndata_packet;
849 int tos = 0;
850
851 // I am not hilarious about peeking into packets, but so be it.
852 if (conf->inherit_tos && pkt->is_ipv4 ())
853 tos = (*pkt)[15] & IPTOS_TOS_MASK;
854
855 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
856 send_vpn_packet (p, si, tos);
857
858 delete p;
859
860 if (oseqno > MAX_SEQNO)
861 rekey ();
862 }
863
864 void
865 connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/)
866 {
867 if (ictx && octx)
868 send_data_packet (pkt);
869 else
870 {
871 if (!broadcast)
872 data_queue.put (new tap_packet (*pkt));
873
874 establish_connection ();
875 }
876 }
877
878 void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
879 {
880 if (ictx && octx)
881 send_vpn_packet (pkt, si, tos);
882 else
883 {
884 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
885
886 establish_connection ();
887 }
888 }
889
890 void
891 connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
892 {
893 last_activity = ev::ev_now ();
894
895 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
896 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
897
898 if (connectmode == conf_node::C_DISABLED)
899 return;
900
901 switch (pkt->typ ())
902 {
903 case vpn_packet::PT_PING:
904 // we send pings instead of auth packets after some retries,
905 // so reset the retry counter and establish a connection
906 // when we receive a ping.
907 if (!ictx)
908 {
909 if (auth_rate_limiter.can (rsi))
910 send_auth_request (rsi, true);
911 }
912 else
913 send_ping (rsi, 1); // pong
914
915 break;
916
917 case vpn_packet::PT_PONG:
918 break;
919
920 case vpn_packet::PT_RESET:
921 {
922 reset_connection ();
923
924 config_packet *p = (config_packet *) pkt;
925
926 if (!p->chk_config ())
927 {
928 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
929 conf->nodename, (const char *)rsi);
930 connectmode = conf_node::C_DISABLED;
931 }
932 else if (connectmode == conf_node::C_ALWAYS)
933 establish_connection ();
934 }
935 break;
936
937 case vpn_packet::PT_AUTH_REQ:
938 if (auth_rate_limiter.can (rsi))
939 {
940 auth_req_packet *p = (auth_req_packet *) pkt;
941
942 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
943
944 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
945 {
946 if (p->prot_minor != PROTOCOL_MINOR)
947 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
948 conf->nodename, (const char *)rsi,
949 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
950
951 if (p->initiate)
952 send_auth_request (rsi, false);
953
954 rsachallenge k;
955
956 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
957 {
958 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
959 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
960 break;
961 }
962 else
963 {
964 delete octx;
965
966 octx = new crypto_ctx (k, 1);
967 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
968
969 conf->protocols = p->protocols;
970 features = p->features & config_packet::get_features ();
971
972 send_auth_response (rsi, p->id, k);
973
974 connection_established ();
975
976 break;
977 }
978 }
979 else
980 slog (L_WARN, _("%s(%s): protocol mismatch"),
981 conf->nodename, (const char *)rsi);
982
983 send_reset (rsi);
984 }
985
986 break;
987
988 case vpn_packet::PT_AUTH_RES:
989 {
990 auth_res_packet *p = (auth_res_packet *) pkt;
991
992 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
993
994 if (p->chk_config ())
995 {
996 if (p->prot_minor != PROTOCOL_MINOR)
997 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
998 conf->nodename, (const char *)rsi,
999 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1000
1001 rsachallenge chg;
1002
1003 if (!rsa_cache.find (p->id, chg))
1004 {
1005 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
1006 conf->nodename, (const char *)rsi);
1007 break;
1008 }
1009 else
1010 {
1011 crypto_ctx *cctx = new crypto_ctx (chg, 0);
1012
1013 if (!p->hmac_chk (cctx))
1014 {
1015 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1016 "could be an attack, or just corruption or a synchronization error"),
1017 conf->nodename, (const char *)rsi);
1018 break;
1019 }
1020 else
1021 {
1022 rsaresponse h;
1023
1024 rsa_hash (p->id, chg, h);
1025
1026 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
1027 {
1028 prot_minor = p->prot_minor;
1029
1030 delete ictx; ictx = cctx;
1031
1032 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1033
1034 si = rsi;
1035 protocol = rsi.prot;
1036
1037 connection_established ();
1038
1039 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
1040 conf->nodename, (const char *)rsi,
1041 p->prot_major, p->prot_minor);
1042
1043 if (::conf.script_node_up)
1044 if (!run_script (run_script_cb (this, &connection::script_node_up), false))
1045 slog (L_WARN, _("node-up command execution failed, continuing."));
1046
1047 break;
1048 }
1049 else
1050 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
1051 conf->nodename, (const char *)rsi);
1052 }
1053
1054 delete cctx;
1055 }
1056 }
1057 }
1058
1059 send_reset (rsi);
1060 break;
1061
1062 case vpn_packet::PT_DATA_COMPRESSED:
1063 #if !ENABLE_COMPRESSION
1064 send_reset (rsi);
1065 break;
1066 #endif
1067
1068 case vpn_packet::PT_DATA_UNCOMPRESSED:
1069
1070 if (ictx && octx)
1071 {
1072 vpndata_packet *p = (vpndata_packet *)pkt;
1073
1074 if (!p->hmac_chk (ictx))
1075 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1076 "could be an attack, or just corruption or a synchronization error"),
1077 conf->nodename, (const char *)rsi);
1078 else
1079 {
1080 u32 seqno;
1081 tap_packet *d = p->unpack (this, seqno);
1082
1083 if (iseqno.recv_ok (seqno))
1084 {
1085 vpn->tap->send (d);
1086
1087 if (si != rsi)
1088 {
1089 // fast re-sync on source address changes, useful especially for tcp/ip
1090 si = rsi;
1091
1092 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1093 conf->nodename, (const char *)si, (const char *)rsi);
1094 }
1095 }
1096
1097 delete d;
1098 break;
1099 }
1100 }
1101
1102 send_reset (rsi);
1103 break;
1104
1105 case vpn_packet::PT_CONNECT_REQ:
1106 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1107 {
1108 connect_req_packet *p = (connect_req_packet *) pkt;
1109
1110 if (p->id > 0 && p->id <= vpn->conns.size ())
1111 {
1112 connection *c = vpn->conns[p->id - 1];
1113 conf->protocols = p->protocols;
1114
1115 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]",
1116 conf->id, p->id, c->ictx && c->octx);
1117
1118 if (c->ictx && c->octx)
1119 {
1120 // send connect_info packets to both sides, in case one is
1121 // behind a nat firewall (or both ;)
1122 c->send_connect_info (conf->id, si, conf->protocols);
1123 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1124 }
1125 else
1126 c->establish_connection ();
1127 }
1128 else
1129 slog (L_WARN,
1130 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1131 p->id);
1132 }
1133
1134 break;
1135
1136 case vpn_packet::PT_CONNECT_INFO:
1137 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1138 {
1139 connect_info_packet *p = (connect_info_packet *)pkt;
1140
1141 if (p->id > 0 && p->id <= vpn->conns.size ())
1142 {
1143 connection *c = vpn->conns[p->id - 1];
1144
1145 c->conf->protocols = p->protocols;
1146 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1147 p->si.upgrade_protocol (protocol, c->conf);
1148
1149 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1150 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1151
1152 const sockinfo &dsi = forward_si (p->si);
1153
1154 if (dsi.valid ())
1155 c->send_auth_request (dsi, true);
1156 }
1157 else
1158 slog (L_WARN,
1159 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1160 p->id);
1161 }
1162
1163 break;
1164
1165 default:
1166 send_reset (rsi);
1167 break;
1168 }
1169 }
1170
1171 void connection::keepalive_cb (ev::timer &w, int revents)
1172 {
1173 if (ev::ev_now () >= last_activity + ::conf.keepalive + 30)
1174 {
1175 reset_connection ();
1176 establish_connection ();
1177 }
1178 else if (ev::ev_now () < last_activity + ::conf.keepalive)
1179 w.start (last_activity + ::conf.keepalive - ev::now ());
1180 else if (conf->connectmode != conf_node::C_ONDEMAND
1181 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1182 {
1183 send_ping (si);
1184 w.start (5);
1185 }
1186 else if (ev::ev_now () < last_activity + ::conf.keepalive + 10)
1187 // hold ondemand connections implicitly a few seconds longer
1188 // should delete octx, though, or something like that ;)
1189 w.start (last_activity + ::conf.keepalive + 10 - ev::now ());
1190 else
1191 reset_connection ();
1192 }
1193
1194 void connection::send_connect_request (int id)
1195 {
1196 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1197
1198 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1199 p->hmac_set (octx);
1200 send_vpn_packet (p, si);
1201
1202 delete p;
1203 }
1204
1205 void connection::script_init_env (const char *ext)
1206 {
1207 char *env;
1208 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1209 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1210 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1211 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1212 conf->id & 0xff); putenv (env);
1213 }
1214
1215 void connection::script_init_connect_env ()
1216 {
1217 vpn->script_init_env ();
1218
1219 char *env;
1220 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1221 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1222 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1223 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1224 }
1225
1226 const char *connection::script_node_up ()
1227 {
1228 script_init_connect_env ();
1229
1230 putenv ((char *)"STATE=up");
1231
1232 char *filename;
1233 asprintf (&filename,
1234 "%s/%s",
1235 confbase,
1236 ::conf.script_node_up ? ::conf.script_node_up : "node-up");
1237
1238 return filename;
1239 }
1240
1241 const char *connection::script_node_down ()
1242 {
1243 script_init_connect_env ();
1244
1245 putenv ((char *)"STATE=down");
1246
1247 char *filename;
1248 asprintf (&filename,
1249 "%s/%s",
1250 confbase,
1251 ::conf.script_node_down ? ::conf.script_node_down : "node-down");
1252
1253 return filename;
1254 }
1255
1256 connection::connection (struct vpn *vpn, conf_node *conf)
1257 : vpn(vpn), conf(conf)
1258 , rekey (this, &connection::rekey_cb)
1259 , keepalive (this, &connection::keepalive_cb)
1260 , establish_connection (this, &connection::establish_connection_cb)
1261 #if ENABLE_DNS
1262 , dns (0)
1263 #endif
1264 {
1265 octx = ictx = 0;
1266 retry_cnt = 0;
1267
1268 if (!conf->protocols) // make sure some protocol is enabled
1269 conf->protocols = PROT_UDPv4;
1270
1271 connectmode = conf_node::C_ALWAYS; // initial setting
1272 reset_connection ();
1273 }
1274
1275 connection::~connection ()
1276 {
1277 shutdown ();
1278 }
1279
1280 void connection_init ()
1281 {
1282 auth_rate_limiter.clear ();
1283 reset_rate_limiter.clear ();
1284 }
1285