ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/protocol.C
(Generate patch)

Comparing gvpe/src/protocol.C (file contents):
Revision 1.20 by pcg, Wed Mar 26 17:59:12 2003 UTC vs.
Revision 1.26 by pcg, Wed Apr 2 03:06:22 2003 UTC

32#include <arpa/inet.h> 32#include <arpa/inet.h>
33#include <errno.h> 33#include <errno.h>
34#include <time.h> 34#include <time.h>
35#include <unistd.h> 35#include <unistd.h>
36 36
37#include <openssl/rand.h>
38#include <openssl/hmac.h>
39#include <openssl/evp.h>
40#include <openssl/rsa.h>
41#include <openssl/err.h>
42
43extern "C" {
44# include "lzf/lzf.h"
45}
46
47#include "gettext.h"
48#include "pidfile.h" 37#include "pidfile.h"
49 38
50#include "conf.h" 39#include "connection.h"
51#include "slog.h" 40#include "util.h"
52#include "device.h"
53#include "protocol.h" 41#include "protocol.h"
54
55#if !HAVE_RAND_PSEUDO_BYTES
56# define RAND_pseudo_bytes RAND_bytes
57#endif
58
59static time_t next_timecheck;
60
61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
62
63struct crypto_ctx
64 {
65 EVP_CIPHER_CTX cctx;
66 HMAC_CTX hctx;
67
68 crypto_ctx (const rsachallenge &challenge, int enc);
69 ~crypto_ctx ();
70 };
71
72crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
73{
74 EVP_CIPHER_CTX_init (&cctx);
75 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
76 HMAC_CTX_init (&hctx);
77 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
78}
79
80crypto_ctx::~crypto_ctx ()
81{
82 EVP_CIPHER_CTX_cleanup (&cctx);
83 HMAC_CTX_cleanup (&hctx);
84}
85
86static void
87rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
88{
89 EVP_MD_CTX ctx;
90
91 EVP_MD_CTX_init (&ctx);
92 EVP_DigestInit (&ctx, RSA_HASH);
93 EVP_DigestUpdate(&ctx, &chg, sizeof chg);
94 EVP_DigestUpdate(&ctx, &id, sizeof id);
95 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
96 EVP_MD_CTX_cleanup (&ctx);
97}
98
99struct rsa_entry {
100 tstamp expire;
101 rsaid id;
102 rsachallenge chg;
103};
104
105struct rsa_cache : list<rsa_entry>
106{
107 void cleaner_cb (tstamp &ts); time_watcher cleaner;
108
109 bool find (const rsaid &id, rsachallenge &chg)
110 {
111 for (iterator i = begin (); i != end (); ++i)
112 {
113 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
114 {
115 memcpy (&chg, &i->chg, sizeof chg);
116
117 erase (i);
118 return true;
119 }
120 }
121
122 if (cleaner.at < NOW)
123 cleaner.start (NOW + RSA_TTL);
124
125 return false;
126 }
127
128 void gen (rsaid &id, rsachallenge &chg)
129 {
130 rsa_entry e;
131
132 RAND_bytes ((unsigned char *)&id, sizeof id);
133 RAND_bytes ((unsigned char *)&chg, sizeof chg);
134
135 e.expire = NOW + RSA_TTL;
136 e.id = id;
137 memcpy (&e.chg, &chg, sizeof chg);
138
139 push_back (e);
140
141 if (cleaner.at < NOW)
142 cleaner.start (NOW + RSA_TTL);
143 }
144
145 rsa_cache ()
146 : cleaner (this, &rsa_cache::cleaner_cb)
147 { }
148
149} rsa_cache;
150
151void rsa_cache::cleaner_cb (tstamp &ts)
152{
153 if (empty ())
154 ts = TSTAMP_CANCEL;
155 else
156 {
157 ts = NOW + RSA_TTL;
158
159 for (iterator i = begin (); i != end (); )
160 if (i->expire <= NOW)
161 i = erase (i);
162 else
163 ++i;
164 }
165}
166
167typedef callback<const char *, int> run_script_cb;
168
169// run a shell script (or actually an external program).
170static void
171run_script (const run_script_cb &cb, bool wait)
172{
173 int pid;
174
175 if ((pid = fork ()) == 0)
176 {
177 char *filename;
178 asprintf (&filename, "%s/%s", confbase, cb(0));
179 execl (filename, filename, (char *) 0);
180 exit (255);
181 }
182 else if (pid > 0)
183 {
184 if (wait)
185 {
186 waitpid (pid, 0, 0);
187 /* TODO: check status */
188 }
189 }
190}
191
192//////////////////////////////////////////////////////////////////////////////
193
194void pkt_queue::put (tap_packet *p)
195{
196 if (queue[i])
197 {
198 delete queue[i];
199 j = (j + 1) % QUEUEDEPTH;
200 }
201
202 queue[i] = p;
203
204 i = (i + 1) % QUEUEDEPTH;
205}
206
207tap_packet *pkt_queue::get ()
208{
209 tap_packet *p = queue[j];
210
211 if (p)
212 {
213 queue[j] = 0;
214 j = (j + 1) % QUEUEDEPTH;
215 }
216
217 return p;
218}
219
220pkt_queue::pkt_queue ()
221{
222 memset (queue, 0, sizeof (queue));
223 i = 0;
224 j = 0;
225}
226
227pkt_queue::~pkt_queue ()
228{
229 for (i = QUEUEDEPTH; --i > 0; )
230 delete queue[i];
231}
232
233struct net_rateinfo {
234 u32 host;
235 double pcnt, diff;
236 tstamp last;
237};
238
239// only do action once every x seconds per host whole allowing bursts.
240// this implementation ("splay list" ;) is inefficient,
241// but low on resources.
242struct net_rate_limiter : private list<net_rateinfo>
243{
244 static const double ALPHA = 1. - 1. / 90.; // allow bursts
245 static const double CUTOFF = 20.; // one event every CUTOFF seconds
246 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
247
248 bool can (u32 host);
249 bool can (SOCKADDR *sa) { return can((u32)sa->sin_addr.s_addr); }
250 bool can (sockinfo &si) { return can((u32)si.host); }
251};
252
253net_rate_limiter auth_rate_limiter, reset_rate_limiter;
254
255bool net_rate_limiter::can (u32 host)
256{
257 iterator i;
258
259 for (i = begin (); i != end (); )
260 if (i->host == host)
261 break;
262 else if (i->last < NOW - EXPIRE)
263 i = erase (i);
264 else
265 i++;
266
267 if (i == end ())
268 {
269 net_rateinfo ri;
270
271 ri.host = host;
272 ri.pcnt = 1.;
273 ri.diff = CUTOFF * (1. / (1. - ALPHA));
274 ri.last = NOW;
275
276 push_front (ri);
277
278 return true;
279 }
280 else
281 {
282 net_rateinfo ri (*i);
283 erase (i);
284
285 ri.pcnt = ri.pcnt * ALPHA;
286 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
287
288 ri.last = NOW;
289
290 bool send = ri.diff / ri.pcnt > CUTOFF;
291
292 if (send)
293 ri.pcnt++;
294
295 push_front (ri);
296
297 return send;
298 }
299}
300
301/////////////////////////////////////////////////////////////////////////////
302
303static void next_wakeup (time_t next)
304{
305 if (next_timecheck > next)
306 next_timecheck = next;
307}
308
309static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
310
311struct hmac_packet:net_packet
312{
313 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
314
315 void hmac_set (crypto_ctx * ctx);
316 bool hmac_chk (crypto_ctx * ctx);
317
318private:
319 void hmac_gen (crypto_ctx * ctx)
320 {
321 unsigned int xlen;
322 HMAC_CTX *hctx = &ctx->hctx;
323
324 HMAC_Init_ex (hctx, 0, 0, 0, 0);
325 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
326 len - sizeof (hmac_packet));
327 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
328 }
329};
330
331void
332hmac_packet::hmac_set (crypto_ctx * ctx)
333{
334 hmac_gen (ctx);
335
336 memcpy (hmac, hmac_digest, HMACLENGTH);
337}
338
339bool
340hmac_packet::hmac_chk (crypto_ctx * ctx)
341{
342 hmac_gen (ctx);
343
344 return !memcmp (hmac, hmac_digest, HMACLENGTH);
345}
346
347struct vpn_packet : hmac_packet
348 {
349 enum ptype
350 {
351 PT_RESET = 0,
352 PT_DATA_UNCOMPRESSED,
353 PT_DATA_COMPRESSED,
354 PT_PING, PT_PONG, // wasting namespace space? ;)
355 PT_AUTH_REQ, // authentification request
356 PT_AUTH_RES, // authentification response
357 PT_CONNECT_REQ, // want other host to contact me
358 PT_CONNECT_INFO, // request connection to some node
359 PT_MAX
360 };
361
362 u8 type;
363 u8 srcdst, src1, dst1;
364
365 void set_hdr (ptype type, unsigned int dst);
366
367 unsigned int src ()
368 {
369 return src1 | ((srcdst >> 4) << 8);
370 }
371
372 unsigned int dst ()
373 {
374 return dst1 | ((srcdst & 0xf) << 8);
375 }
376
377 ptype typ ()
378 {
379 return (ptype) type;
380 }
381 };
382
383void vpn_packet::set_hdr (ptype type, unsigned int dst)
384{
385 this->type = type;
386
387 int src = THISNODE->id;
388
389 src1 = src;
390 srcdst = ((src >> 8) << 4) | (dst >> 8);
391 dst1 = dst;
392}
393
394#define MAXVPNDATA (MAX_MTU - 6 - 6)
395#define DATAHDR (sizeof (u32) + RAND_SIZE)
396
397struct vpndata_packet:vpn_packet
398 {
399 u8 data[MAXVPNDATA + DATAHDR]; // seqno
400
401 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
402 tap_packet *unpack (connection *conn, u32 &seqno);
403private:
404
405 const u32 data_hdr_size () const
406 {
407 return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
408 }
409 };
410
411void
412vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
413{
414 EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
415 int outl = 0, outl2;
416 ptype type = PT_DATA_UNCOMPRESSED;
417
418#if ENABLE_COMPRESSION
419 u8 cdata[MAX_MTU];
420 u32 cl;
421
422 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
423 if (cl)
424 {
425 type = PT_DATA_COMPRESSED;
426 d = cdata;
427 l = cl + 2;
428
429 d[0] = cl >> 8;
430 d[1] = cl;
431 }
432#endif
433
434 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
435
436 struct {
437#if RAND_SIZE
438 u8 rnd[RAND_SIZE];
439#endif
440 u32 seqno;
441 } datahdr;
442
443 datahdr.seqno = ntohl (seqno);
444#if RAND_SIZE
445 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
446#endif
447
448 EVP_EncryptUpdate (cctx,
449 (unsigned char *) data + outl, &outl2,
450 (unsigned char *) &datahdr, DATAHDR);
451 outl += outl2;
452
453 EVP_EncryptUpdate (cctx,
454 (unsigned char *) data + outl, &outl2,
455 (unsigned char *) d, l);
456 outl += outl2;
457
458 EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2);
459 outl += outl2;
460
461 len = outl + data_hdr_size ();
462
463 set_hdr (type, dst);
464
465 hmac_set (conn->octx);
466}
467
468tap_packet *
469vpndata_packet::unpack (connection *conn, u32 &seqno)
470{
471 EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
472 int outl = 0, outl2;
473 tap_packet *p = new tap_packet;
474 u8 *d;
475 u32 l = len - data_hdr_size ();
476
477 EVP_DecryptInit_ex (cctx, 0, 0, 0, 0);
478
479#if ENABLE_COMPRESSION
480 u8 cdata[MAX_MTU];
481
482 if (type == PT_DATA_COMPRESSED)
483 d = cdata;
484 else
485#endif
486 d = &(*p)[6 + 6 - DATAHDR];
487
488 /* this overwrites part of the src mac, but we fix that later */
489 EVP_DecryptUpdate (cctx,
490 d, &outl2,
491 (unsigned char *)&data, len - data_hdr_size ());
492 outl += outl2;
493
494 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
495 outl += outl2;
496
497 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
498
499 id2mac (dst () ? dst() : THISNODE->id, p->dst);
500 id2mac (src (), p->src);
501
502#if ENABLE_COMPRESSION
503 if (type == PT_DATA_COMPRESSED)
504 {
505 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
506
507 p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
508 &(*p)[6 + 6], MAX_MTU)
509 + 6 + 6;
510 }
511 else
512 p->len = outl + (6 + 6 - DATAHDR);
513#endif
514
515 return p;
516}
517
518struct ping_packet : vpn_packet
519{
520 void setup (int dst, ptype type)
521 {
522 set_hdr (type, dst);
523 len = sizeof (*this) - sizeof (net_packet);
524 }
525};
526
527struct config_packet : vpn_packet
528{
529 // actually, hmaclen cannot be checked because the hmac
530 // field comes before this data, so peers with other
531 // hmacs simply will not work.
532 u8 prot_major, prot_minor, randsize, hmaclen;
533 u8 flags, challengelen, pad2, pad3;
534 u32 cipher_nid, digest_nid, hmac_nid;
535
536 const u8 curflags () const
537 {
538 return 0x80
539 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
540 }
541
542 void setup (ptype type, int dst)
543 {
544 prot_major = PROTOCOL_MAJOR;
545 prot_minor = PROTOCOL_MINOR;
546 randsize = RAND_SIZE;
547 hmaclen = HMACLENGTH;
548 flags = curflags ();
549 challengelen = sizeof (rsachallenge);
550
551 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
552 digest_nid = htonl (EVP_MD_type (RSA_HASH));
553 hmac_nid = htonl (EVP_MD_type (DIGEST));
554
555 len = sizeof (*this) - sizeof (net_packet);
556 set_hdr (type, dst);
557 }
558
559 bool chk_config ()
560 {
561 return prot_major == PROTOCOL_MAJOR
562 && randsize == RAND_SIZE
563 && hmaclen == HMACLENGTH
564 && flags == curflags ()
565 && challengelen == sizeof (rsachallenge)
566 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
567 && digest_nid == htonl (EVP_MD_type (RSA_HASH))
568 && hmac_nid == htonl (EVP_MD_type (DIGEST));
569 }
570};
571
572struct auth_req_packet : config_packet
573{
574 char magic[8];
575 u8 initiate; // false if this is just an automatic reply
576 u8 pad1, pad2, pad3;
577 rsaid id;
578 rsaencrdata encr;
579
580 auth_req_packet (int dst, bool initiate_)
581 {
582 config_packet::setup (PT_AUTH_REQ, dst);
583 initiate = !!initiate_;
584 strncpy (magic, MAGIC, 8);
585 len = sizeof (*this) - sizeof (net_packet);
586 }
587};
588
589struct auth_res_packet : config_packet
590{
591 rsaid id;
592 u8 pad1, pad2, pad3;
593 u8 response_len; // encrypted length
594 rsaresponse response;
595
596 auth_res_packet (int dst)
597 {
598 config_packet::setup (PT_AUTH_RES, dst);
599 len = sizeof (*this) - sizeof (net_packet);
600 }
601};
602
603struct connect_req_packet : vpn_packet
604{
605 u8 id;
606 u8 pad1, pad2, pad3;
607
608 connect_req_packet (int dst, int id_)
609 {
610 id = id_;
611 set_hdr (PT_CONNECT_REQ, dst);
612 len = sizeof (*this) - sizeof (net_packet);
613 }
614};
615
616struct connect_info_packet : vpn_packet
617{
618 u8 id;
619 u8 pad1, pad2, pad3;
620 sockinfo si;
621
622 connect_info_packet (int dst, int id_, sockinfo &si_)
623 {
624 id = id_;
625 si = si_;
626 set_hdr (PT_CONNECT_INFO, dst);
627 len = sizeof (*this) - sizeof (net_packet);
628 }
629};
630
631/////////////////////////////////////////////////////////////////////////////
632
633void
634fill_sa (SOCKADDR *sa, conf_node *conf)
635{
636 sa->sin_family = AF_INET;
637 sa->sin_port = htons (conf->port);
638 sa->sin_addr.s_addr = 0;
639
640 if (conf->hostname)
641 {
642 struct hostent *he = gethostbyname (conf->hostname);
643
644 if (he
645 && he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
646 {
647 //sa->sin_family = he->h_addrtype;
648 memcpy (&sa->sin_addr, he->h_addr_list[0], 4);
649 }
650 else
651 slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
652 }
653}
654
655void
656connection::reset_dstaddr ()
657{
658 fill_sa (&sa, conf);
659}
660
661void
662connection::send_ping (SOCKADDR *dsa, u8 pong)
663{
664 ping_packet *pkt = new ping_packet;
665
666 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
667 vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY);
668
669 delete pkt;
670}
671
672void
673connection::send_reset (SOCKADDR *dsa)
674{
675 if (reset_rate_limiter.can (dsa) && connectmode != conf_node::C_DISABLED)
676 {
677 config_packet *pkt = new config_packet;
678
679 pkt->setup (vpn_packet::PT_RESET, conf->id);
680 vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST);
681
682 delete pkt;
683 }
684}
685
686void
687connection::send_auth_request (SOCKADDR *sa, bool initiate)
688{
689 if (!initiate || auth_rate_limiter.can (sa))
690 {
691 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate);
692
693 rsachallenge chg;
694
695 rsa_cache.gen (pkt->id, chg);
696
697 if (0 > RSA_public_encrypt (sizeof chg,
698 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
699 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
700 fatal ("RSA_public_encrypt error");
701
702 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)sockinfo (sa));
703
704 vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); // rsa is very very costly
705
706 delete pkt;
707 }
708}
709
710void
711connection::send_auth_response (SOCKADDR *sa, const rsaid &id, const rsachallenge &chg)
712{
713 auth_res_packet *pkt = new auth_res_packet (conf->id);
714
715 pkt->id = id;
716
717 rsa_hash (id, chg, pkt->response);
718
719 pkt->hmac_set (octx);
720
721 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)sockinfo (sa));
722
723 vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); // rsa is very very costly
724
725 delete pkt;
726}
727
728void
729connection::establish_connection_cb (tstamp &ts)
730{
731 if (ictx || conf == THISNODE
732 || connectmode == conf_node::C_NEVER
733 || connectmode == conf_node::C_DISABLED)
734 ts = TSTAMP_CANCEL;
735 else if (ts <= NOW)
736 {
737 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
738
739 if (retry_int < 3600 * 8)
740 retry_cnt++;
741
742 ts = NOW + retry_int;
743
744 if (conf->hostname)
745 {
746 reset_dstaddr ();
747 if (sa.sin_addr.s_addr)
748 if (retry_cnt < 4)
749 send_auth_request (&sa, true);
750 else if (auth_rate_limiter.can (&sa))
751 send_ping (&sa, 0);
752 }
753 else
754 vpn->connect_request (conf->id);
755 }
756}
757
758void
759connection::reset_connection ()
760{
761 if (ictx && octx)
762 {
763 slog (L_INFO, _("%s(%s): connection lost"),
764 conf->nodename, (const char *)sockinfo (sa));
765
766 if (::conf.script_node_down)
767 run_script (run_script_cb (this, &connection::script_node_down), false);
768 }
769
770 delete ictx; ictx = 0;
771 delete octx; octx = 0;
772
773 sa.sin_port = 0;
774 sa.sin_addr.s_addr = 0;
775
776 last_activity = 0;
777
778 rekey.reset ();
779 keepalive.reset ();
780 establish_connection.reset ();
781}
782
783void
784connection::shutdown ()
785{
786 if (ictx && octx)
787 send_reset (&sa);
788
789 reset_connection ();
790}
791
792void
793connection::rekey_cb (tstamp &ts)
794{
795 ts = TSTAMP_CANCEL;
796
797 reset_connection ();
798 establish_connection ();
799}
800
801void
802connection::send_data_packet (tap_packet * pkt, bool broadcast)
803{
804 vpndata_packet *p = new vpndata_packet;
805 int tos = 0;
806
807 if (conf->inherit_tos
808 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
809 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
810 tos = (*pkt)[15] & IPTOS_TOS_MASK;
811
812 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
813 vpn->send_vpn_packet (p, &sa, tos);
814
815 delete p;
816
817 if (oseqno > MAX_SEQNO)
818 rekey ();
819}
820
821void
822connection::inject_data_packet (tap_packet *pkt, bool broadcast)
823{
824 if (ictx && octx)
825 send_data_packet (pkt, broadcast);
826 else
827 {
828 if (!broadcast)//DDDD
829 queue.put (new tap_packet (*pkt));
830
831 establish_connection ();
832 }
833}
834
835void
836connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa)
837{
838 last_activity = NOW;
839
840 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
841 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
842
843 switch (pkt->typ ())
844 {
845 case vpn_packet::PT_PING:
846 // we send pings instead of auth packets after some retries,
847 // so reset the retry counter and establish a conenction
848 // when we receive a pong.
849 if (!ictx && !octx)
850 {
851 retry_cnt = 0;
852 establish_connection.at = 0;
853 establish_connection ();
854 }
855 else
856 send_ping (ssa, 1); // pong
857
858 break;
859
860 case vpn_packet::PT_PONG:
861 break;
862
863 case vpn_packet::PT_RESET:
864 {
865 reset_connection ();
866
867 config_packet *p = (config_packet *) pkt;
868
869 if (!p->chk_config ())
870 {
871 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
872 conf->nodename, (const char *)sockinfo (ssa));
873 connectmode = conf_node::C_DISABLED;
874 }
875 else if (connectmode == conf_node::C_ALWAYS)
876 establish_connection ();
877 }
878 break;
879
880 case vpn_packet::PT_AUTH_REQ:
881 if (auth_rate_limiter.can (ssa))
882 {
883 auth_req_packet *p = (auth_req_packet *) pkt;
884
885 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
886
887 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
888 {
889 if (p->prot_minor != PROTOCOL_MINOR)
890 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
891 conf->nodename, (const char *)sockinfo (ssa),
892 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
893
894 if (p->initiate)
895 send_auth_request (ssa, false);
896
897 rsachallenge k;
898
899 if (0 > RSA_private_decrypt (sizeof (p->encr),
900 (unsigned char *)&p->encr, (unsigned char *)&k,
901 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
902 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
903 conf->nodename, (const char *)sockinfo (ssa));
904 else
905 {
906 retry_cnt = 0;
907 establish_connection.set (NOW + 8); //? ;)
908 keepalive.reset ();
909 rekey.reset ();
910
911 delete ictx;
912 ictx = 0;
913
914 delete octx;
915
916 octx = new crypto_ctx (k, 1);
917 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
918
919 send_auth_response (ssa, p->id, k);
920
921 break;
922 }
923 }
924
925 send_reset (ssa);
926 }
927
928 break;
929
930 case vpn_packet::PT_AUTH_RES:
931 {
932 auth_res_packet *p = (auth_res_packet *) pkt;
933
934 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
935
936 if (p->chk_config ())
937 {
938 if (p->prot_minor != PROTOCOL_MINOR)
939 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
940 conf->nodename, (const char *)sockinfo (ssa),
941 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
942
943 rsachallenge chg;
944
945 if (!rsa_cache.find (p->id, chg))
946 slog (L_ERR, _("%s(%s): unrequested auth response"),
947 conf->nodename, (const char *)sockinfo (ssa));
948 else
949 {
950 crypto_ctx *cctx = new crypto_ctx (chg, 0);
951
952 if (!p->hmac_chk (cctx))
953 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
954 "could be an attack, or just corruption or an synchronization error"),
955 conf->nodename, (const char *)sockinfo (ssa));
956 else
957 {
958 rsaresponse h;
959
960 rsa_hash (p->id, chg, h);
961
962 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
963 {
964 prot_minor = p->prot_minor;
965
966 delete ictx; ictx = cctx;
967
968 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
969
970 sa = *ssa;
971
972 rekey.set (NOW + ::conf.rekey);
973 keepalive.set (NOW + ::conf.keepalive);
974
975 // send queued packets
976 while (tap_packet *p = queue.get ())
977 {
978 send_data_packet (p);
979 delete p;
980 }
981
982 connectmode = conf->connectmode;
983
984 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
985 conf->nodename, (const char *)sockinfo (ssa),
986 p->prot_major, p->prot_minor);
987
988 if (::conf.script_node_up)
989 run_script (run_script_cb (this, &connection::script_node_up), false);
990
991 break;
992 }
993 else
994 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
995 conf->nodename, (const char *)sockinfo (ssa));
996 }
997
998 delete cctx;
999 }
1000 }
1001 }
1002
1003 send_reset (ssa);
1004 break;
1005
1006 case vpn_packet::PT_DATA_COMPRESSED:
1007#if !ENABLE_COMPRESSION
1008 send_reset (ssa);
1009 break;
1010#endif
1011
1012 case vpn_packet::PT_DATA_UNCOMPRESSED:
1013
1014 if (ictx && octx)
1015 {
1016 vpndata_packet *p = (vpndata_packet *)pkt;
1017
1018 if (*ssa == sa)
1019 {
1020 if (!p->hmac_chk (ictx))
1021 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1022 "could be an attack, or just corruption or an synchronization error"),
1023 conf->nodename, (const char *)sockinfo (ssa));
1024 else
1025 {
1026 u32 seqno;
1027 tap_packet *d = p->unpack (this, seqno);
1028
1029 if (iseqno.recv_ok (seqno))
1030 {
1031 vpn->tap->send (d);
1032
1033 if (p->dst () == 0) // re-broadcast
1034 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1035 {
1036 connection *c = *i;
1037
1038 if (c->conf != THISNODE && c->conf != conf)
1039 c->inject_data_packet (d);
1040 }
1041
1042 delete d;
1043
1044 break;
1045 }
1046 }
1047 }
1048 else
1049 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D
1050 }
1051
1052 send_reset (ssa);
1053 break;
1054
1055 case vpn_packet::PT_CONNECT_REQ:
1056 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))
1057 {
1058 connect_req_packet *p = (connect_req_packet *) pkt;
1059
1060 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1061
1062 connection *c = vpn->conns[p->id - 1];
1063
1064 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1065 conf->id, p->id, c->ictx && c->octx);
1066
1067 if (c->ictx && c->octx)
1068 {
1069 // send connect_info packets to both sides, in case one is
1070 // behind a nat firewall (or both ;)
1071 {
1072 sockinfo si(sa);
1073
1074 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1075 c->conf->id, conf->id, (const char *)si);
1076
1077 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si);
1078
1079 r->hmac_set (c->octx);
1080 vpn->send_vpn_packet (r, &c->sa);
1081
1082 delete r;
1083 }
1084
1085 {
1086 sockinfo si(c->sa);
1087
1088 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1089 conf->id, c->conf->id, (const char *)si);
1090
1091 connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si);
1092
1093 r->hmac_set (octx);
1094 vpn->send_vpn_packet (r, &sa);
1095
1096 delete r;
1097 }
1098 }
1099 }
1100
1101 break;
1102
1103 case vpn_packet::PT_CONNECT_INFO:
1104 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))
1105 {
1106 connect_info_packet *p = (connect_info_packet *) pkt;
1107
1108 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1109
1110 connection *c = vpn->conns[p->id - 1];
1111
1112 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1113 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1114
1115 c->send_auth_request (p->si.sa (), true);
1116 }
1117
1118 break;
1119
1120 default:
1121 send_reset (ssa);
1122 break;
1123
1124 }
1125}
1126
1127void connection::keepalive_cb (tstamp &ts)
1128{
1129 if (NOW >= last_activity + ::conf.keepalive + 30)
1130 {
1131 reset_connection ();
1132 establish_connection ();
1133 }
1134 else if (NOW < last_activity + ::conf.keepalive)
1135 ts = last_activity + ::conf.keepalive;
1136 else if (conf->connectmode != conf_node::C_ONDEMAND
1137 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1138 {
1139 send_ping (&sa);
1140 ts = NOW + 5;
1141 }
1142 else
1143 reset_connection ();
1144
1145}
1146
1147void connection::connect_request (int id)
1148{
1149 connect_req_packet *p = new connect_req_packet (conf->id, id);
1150
1151 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);
1152 p->hmac_set (octx);
1153 vpn->send_vpn_packet (p, &sa);
1154
1155 delete p;
1156}
1157
1158void connection::script_node ()
1159{
1160 vpn->script_if_up (0);
1161
1162 char *env;
1163 asprintf (&env, "DESTID=%d", conf->id);
1164 putenv (env);
1165 asprintf (&env, "DESTNODE=%s", conf->nodename);
1166 putenv (env);
1167 asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
1168 putenv (env);
1169 asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port));
1170 putenv (env);
1171}
1172
1173const char *connection::script_node_up (int)
1174{
1175 script_node ();
1176
1177 putenv ("STATE=up");
1178
1179 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1180}
1181
1182const char *connection::script_node_down (int)
1183{
1184 script_node ();
1185
1186 putenv ("STATE=down");
1187
1188 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1189}
1190
1191connection::connection(struct vpn *vpn_)
1192: vpn(vpn_)
1193, rekey (this, &connection::rekey_cb)
1194, keepalive (this, &connection::keepalive_cb)
1195, establish_connection (this, &connection::establish_connection_cb)
1196{
1197 octx = ictx = 0;
1198 retry_cnt = 0;
1199
1200 connectmode = conf_node::C_ALWAYS; // initial setting
1201 reset_connection ();
1202}
1203
1204connection::~connection ()
1205{
1206 shutdown ();
1207}
1208 42
1209///////////////////////////////////////////////////////////////////////////// 43/////////////////////////////////////////////////////////////////////////////
1210 44
1211const char *vpn::script_if_up (int) 45const char *vpn::script_if_up (int)
1212{ 46{
1235 69
1236 return ::conf.script_if_up ? ::conf.script_if_up : "if-up"; 70 return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1237} 71}
1238 72
1239int 73int
1240vpn::setup (void) 74vpn::setup ()
1241{ 75{
1242 struct sockaddr_in sa; 76 sockinfo si;
1243 77
78 si.set (THISNODE);
79
80 udpv4_fd = -1;
81
82 if (THISNODE->protocols & PROT_UDPv4)
83 {
1244 socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP); 84 udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1245 if (socket_fd < 0) 85
86 if (udpv4_fd < 0)
1246 return -1; 87 return -1;
1247 88
1248 fill_sa (&sa, THISNODE); 89 if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1249 90 {
1250 if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1251 {
1252 slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno)); 91 slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1253 exit (1); 92 exit (1);
1254 } 93 }
1255 94
1256#ifdef IP_MTU_DISCOVER 95#ifdef IP_MTU_DISCOVER
1257 // this I really consider a linux bug. I am neither connected 96 // this I really consider a linux bug. I am neither connected
1258 // nor do I fragment myself. Linux still sets DF and doesn't 97 // nor do I fragment myself. Linux still sets DF and doesn't
1259 // fragment for me sometimes. 98 // fragment for me sometimes.
1260 { 99 {
1261 int oval = IP_PMTUDISC_DONT; 100 int oval = IP_PMTUDISC_DONT;
1262 setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval); 101 setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1263 } 102 }
1264#endif 103#endif
1265 { 104
105 // standard daemon practise...
106 {
1266 int oval = 1; 107 int oval = 1;
1267 setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval); 108 setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1268 } 109 }
1269 110
1270 udp_ev_watcher.start (socket_fd, POLLIN); 111 udpv4_ev_watcher.start (udpv4_fd, POLLIN);
112 }
113
114 ipv4_fd = -1;
115 if (THISNODE->protocols & PROT_IPv4)
116 {
117 ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
118
119 if (ipv4_fd < 0)
120 return -1;
121
122 if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
123 {
124 slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
125 exit (1);
126 }
127
128#ifdef IP_MTU_DISCOVER
129 // this I really consider a linux bug. I am neither connected
130 // nor do I fragment myself. Linux still sets DF and doesn't
131 // fragment for me sometimes.
132 {
133 int oval = IP_PMTUDISC_DONT;
134 setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
135 }
136#endif
137
138 ipv4_ev_watcher.start (ipv4_fd, POLLIN);
139 }
1271 140
1272 tap = new tap_device (); 141 tap = new tap_device ();
1273 if (!tap) //D this, of course, never catches 142 if (!tap) //D this, of course, never catches
1274 { 143 {
1275 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname); 144 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1276 exit (1); 145 exit (1);
1277 } 146 }
1278 147
1279 run_script (run_script_cb (this, &vpn::script_if_up), true); 148 run_script (run_script_cb (this, &vpn::script_if_up), true);
1280 149
1281 vpn_ev_watcher.start (tap->fd, POLLIN); 150 tap_ev_watcher.start (tap->fd, POLLIN);
1282 151
1283 reconnect_all (); 152 reconnect_all ();
1284 153
1285 return 0; 154 return 0;
1286} 155}
1287 156
1288void 157void
1289vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos) 158vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1290{ 159{
1291 setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos); 160 setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1292 sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); 161 sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1293} 162}
1294 163
1295void 164void
1296vpn::shutdown_all () 165vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1297{ 166{
1298 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 167 setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1299 (*c)->shutdown (); 168 sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1300} 169}
1301 170
1302void 171void
1303vpn::reconnect_all () 172vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1304{ 173{
1305 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 174 unsigned int src = pkt->src ();
1306 delete *c; 175 unsigned int dst = pkt->dst ();
1307 176
1308 conns.clear (); 177 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
178 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1309 179
1310 for (configuration::node_vector::iterator i = conf.nodes.begin (); 180 if (src == 0 || src > conns.size ()
1311 i != conf.nodes.end (); ++i) 181 || dst > conns.size ()
1312 { 182 || pkt->typ () >= vpn_packet::PT_MAX)
1313 connection *conn = new connection (this); 183 slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)"),
1314 184 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
1315 conn->conf = *i; 185 else
1316 conns.push_back (conn);
1317
1318 conn->establish_connection ();
1319 } 186 {
1320} 187 connection *c = conns[src - 1];
1321 188
1322connection *vpn::find_router () 189 if (dst == 0 && !THISNODE->routerprio)
1323{ 190 slog (L_WARN, _("%s(%s): received broadcast, but we are no router"),
1324 u32 prio = 0; 191 c->conf->nodename, (const char *)rsi);
1325 connection *router = 0; 192 else if (dst != 0 && dst != THISNODE->id)
1326 193 // FORWARDING NEEDED ;)
1327 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i) 194 slog (L_WARN,
195 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
196 dst, conns[dst - 1]->conf->nodename,
197 (const char *)rsi,
198 THISNODE->id, THISNODE->nodename);
199 else
200 c->recv_vpn_packet (pkt, rsi);
1328 { 201 }
1329 connection *c = *i;
1330
1331 if (c->conf->routerprio > prio
1332 && c->connectmode == conf_node::C_ALWAYS
1333 && c->conf != THISNODE
1334 && c->ictx && c->octx)
1335 {
1336 prio = c->conf->routerprio;
1337 router = c;
1338 }
1339 }
1340
1341 return router;
1342} 202}
1343 203
1344void vpn::connect_request (int id)
1345{
1346 connection *c = find_router ();
1347
1348 if (c)
1349 c->connect_request (id);
1350 //else // does not work, because all others must connect to the same router
1351 // // no router found, aggressively connect to all routers
1352 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1353 // if ((*i)->conf->routerprio)
1354 // (*i)->establish_connection ();
1355}
1356
1357void 204void
1358vpn::udp_ev (short revents) 205vpn::udpv4_ev (short revents)
1359{ 206{
1360 if (revents & (POLLIN | POLLERR)) 207 if (revents & (POLLIN | POLLERR))
1361 { 208 {
1362 vpn_packet *pkt = new vpn_packet; 209 vpn_packet *pkt = new vpn_packet;
1363 struct sockaddr_in sa; 210 struct sockaddr_in sa;
1364 socklen_t sa_len = sizeof (sa); 211 socklen_t sa_len = sizeof (sa);
1365 int len; 212 int len;
1366 213
1367 len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len); 214 len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
215
216 sockinfo si(sa);
1368 217
1369 if (len > 0) 218 if (len > 0)
1370 { 219 {
1371 pkt->len = len; 220 pkt->len = len;
1372 221
1373 unsigned int src = pkt->src ();
1374 unsigned int dst = pkt->dst ();
1375
1376 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1377 (const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1378
1379 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1380 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1381 pkt->typ (), pkt->src (), pkt->dst ());
1382 else if (dst == 0 && !THISNODE->routerprio)
1383 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1384 else if (dst != 0 && dst != THISNODE->id)
1385 slog (L_WARN,
1386 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1387 dst, conns[dst - 1]->conf->nodename,
1388 (const char *)sockinfo (sa),
1389 THISNODE->id, THISNODE->nodename);
1390 else if (src == 0 || src > conns.size ())
1391 slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1392 else
1393 conns[src - 1]->recv_vpn_packet (pkt, &sa); 222 recv_vpn_packet (pkt, si);
1394 } 223 }
1395 else 224 else
1396 { 225 {
1397 // probably ECONNRESET or somesuch 226 // probably ECONNRESET or somesuch
1398 slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno)); 227 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1399 } 228 }
1400 229
1401 delete pkt; 230 delete pkt;
1402 } 231 }
1403 else if (revents & POLLHUP) 232 else if (revents & POLLHUP)
1404 { 233 {
1405 // this cannot ;) happen on udp sockets 234 // this cannot ;) happen on udp sockets
1406 slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating.")); 235 slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
1407 exit (1); 236 exit (1);
1408 } 237 }
1409 else 238 else
1410 { 239 {
1411 slog (L_ERR, 240 slog (L_ERR,
1414 exit (1); 243 exit (1);
1415 } 244 }
1416} 245}
1417 246
1418void 247void
248vpn::ipv4_ev (short revents)
249{
250 if (revents & (POLLIN | POLLERR))
251 {
252 vpn_packet *pkt = new vpn_packet;
253 struct sockaddr_in sa;
254 socklen_t sa_len = sizeof (sa);
255 int len;
256
257 len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
258
259 sockinfo si(sa, PROT_IPv4);
260
261 if (len > 0)
262 {
263 pkt->len = len;
264
265 // raw sockets deliver the ipv4, but don't expect it on sends
266 // this is slow, but...
267 pkt->skip_hdr (IP_OVERHEAD);
268
269 recv_vpn_packet (pkt, si);
270 }
271 else
272 {
273 // probably ECONNRESET or somesuch
274 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
275 }
276
277 delete pkt;
278 }
279 else if (revents & POLLHUP)
280 {
281 // this cannot ;) happen on udp sockets
282 slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
283 exit (1);
284 }
285 else
286 {
287 slog (L_ERR,
288 _("FATAL: unknown revents %08x in socket, terminating\n"),
289 revents);
290 exit (1);
291 }
292}
293
294void
1419vpn::vpn_ev (short revents) 295vpn::tap_ev (short revents)
1420{ 296{
1421 if (revents & POLLIN) 297 if (revents & POLLIN)
1422 { 298 {
1423 /* process data */ 299 /* process data */
1424 tap_packet *pkt; 300 tap_packet *pkt;
1480{ 356{
1481 if (events) 357 if (events)
1482 { 358 {
1483 if (events & EVENT_SHUTDOWN) 359 if (events & EVENT_SHUTDOWN)
1484 { 360 {
361 slog (L_INFO, _("preparing shutdown..."));
362
1485 shutdown_all (); 363 shutdown_all ();
1486 364
1487 remove_pid (pidfilename); 365 remove_pid (pidfilename);
1488 366
1489 slog (L_INFO, _("vped terminating")); 367 slog (L_INFO, _("terminating"));
1490 368
1491 exit (0); 369 exit (0);
1492 } 370 }
1493 371
1494 if (events & EVENT_RECONNECT) 372 if (events & EVENT_RECONNECT)
373 {
374 slog (L_INFO, _("forced reconnect"));
375
1495 reconnect_all (); 376 reconnect_all ();
377 }
1496 378
1497 events = 0; 379 events = 0;
1498 } 380 }
1499 381
1500 ts = TSTAMP_CANCEL; 382 ts = TSTAMP_CANCEL;
1501} 383}
1502 384
385void
386vpn::shutdown_all ()
387{
388 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
389 (*c)->shutdown ();
390}
391
392void
393vpn::reconnect_all ()
394{
395 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
396 delete *c;
397
398 conns.clear ();
399
400 connection_init ();
401
402 for (configuration::node_vector::iterator i = conf.nodes.begin ();
403 i != conf.nodes.end (); ++i)
404 {
405 connection *conn = new connection (this);
406
407 conn->conf = *i;
408 conns.push_back (conn);
409
410 conn->establish_connection ();
411 }
412}
413
414connection *vpn::find_router ()
415{
416 u32 prio = 0;
417 connection *router = 0;
418
419 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
420 {
421 connection *c = *i;
422
423 if (c->conf->routerprio > prio
424 && c->connectmode == conf_node::C_ALWAYS
425 && c->conf != THISNODE
426 && c->ictx && c->octx)
427 {
428 prio = c->conf->routerprio;
429 router = c;
430 }
431 }
432
433 return router;
434}
435
436void vpn::connect_request (int id)
437{
438 connection *c = find_router ();
439
440 if (c)
441 c->connect_request (id);
442 //else // does not work, because all others must connect to the same router
443 // // no router found, aggressively connect to all routers
444 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
445 // if ((*i)->conf->routerprio)
446 // (*i)->establish_connection ();
447}
448
449void
450connection::dump_status ()
451{
452 slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
453 slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
454 connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
455 slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
456 (long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
457 slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
458 (long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
459}
460
461void
462vpn::dump_status ()
463{
464 slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
465
466 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
467 (*c)->dump_status ();
468
469 slog (L_NOTICE, _("END status dump"));
470}
471
1503vpn::vpn (void) 472vpn::vpn (void)
1504: udp_ev_watcher (this, &vpn::udp_ev) 473: udpv4_ev_watcher(this, &vpn::udpv4_ev)
474, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1505, vpn_ev_watcher (this, &vpn::vpn_ev) 475, tap_ev_watcher(this, &vpn::tap_ev)
1506, event (this, &vpn::event_cb) 476, event(this, &vpn::event_cb)
1507{ 477{
1508} 478}
1509 479
1510vpn::~vpn () 480vpn::~vpn ()
1511{ 481{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines