ViewVC Help

View File | Revision Log | Show Annotations | Download File

/cvs/gvpe/src/protocol.C

Comparing gvpe/src/protocol.C (file contents):
Revision 1.5 by pcg, Sat Mar 8 10:48:41 2003 UTC vs.
Revision 1.26 by pcg, Wed Apr 2 03:06:22 2003 UTC

…		…
16	Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA	16	Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17	*/	17	*/
18		18
19	#include "config.h"	19	#include "config.h"
20		20
		21	#include <list>
		22
21	#include <cstdlib>	23	#include <cstdlib>
22	#include <cstring>	24	#include <cstring>
23	#include <cstdio>	25	#include <cstdio>
24		26
25	#include <sys/types.h>	27	#include <sys/types.h>
…		…
30	#include <arpa/inet.h>	32	#include <arpa/inet.h>
31	#include <errno.h>	33	#include <errno.h>
32	#include <time.h>	34	#include <time.h>
33	#include <unistd.h>	35	#include <unistd.h>
34		36
35	#include <openssl/rand.h>
36	#include <openssl/hmac.h>
37	#include <openssl/evp.h>
38	#include <openssl/rsa.h>
39	#include <openssl/err.h>
40
41	extern "C" {
42	# include "lzf/lzf.h"
43	}
44
45	#include "gettext.h"
46	#include "pidfile.h"	37	#include "pidfile.h"
47		38
48	#include "conf.h"	39	#include "connection.h"
49	#include "slog.h"	40	#include "util.h"
50	#include "device.h"
51	#include "protocol.h"	41	#include "protocol.h"
52		42
53	#if !HAVE_RAND_PSEUDO_BYTES
54	# define RAND_pseudo_bytes RAND_bytes
55	#endif
56
57	static time_t next_timecheck;
58
59	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
60
61	static const rsachallenge &
62	challenge_bytes ()
63	{
64	static rsachallenge challenge;
65	static time_t challenge_ttl; // time this challenge needs to be recreated
66
67	if (now > challenge_ttl)
68	{
69	RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));
70	challenge_ttl = now + CHALLENGE_TTL;
71	}
72
73	return challenge;
74	}
75
76	// run a script. yes, it's a template function. yes, c++
77	// is not a functional language. yes, this suxx.
78	template<class owner>
79	static void
80	run_script (owner *obj, const char *(owner::*setup)(), bool wait)
81	{
82	int pid;
83
84	if ((pid = fork ()) == 0)
85	{
86	char *filename;
87	asprintf (&filename, "%s/%s", confbase, (obj->*setup) ());
88	execl (filename, filename, (char *) 0);
89	exit (255);
90	}
91	else if (pid > 0)
92	{
93	if (wait)
94	{
95	waitpid (pid, 0, 0);
96	/* TODO: check status */
97	}
98	}
99	}
100
101	// xor the socket address into the challenge to ensure different challenges
102	// per host. we could rely on the OAEP padding, but this doesn't hurt.
103	void
104	xor_sa (rsachallenge &k, SOCKADDR *sa)
105	{
106	((u32 *) k)[(CHG_CIPHER_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
107	((u16 *) k)[(CHG_CIPHER_KEY + 4) / 2] ^= sa->sin_port;
108	((u32 *) k)[(CHG_HMAC_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
109	((u16 *) k)[(CHG_HMAC_KEY + 4) / 2] ^= sa->sin_port;
110	}
111
112	struct crypto_ctx
113	{
114	EVP_CIPHER_CTX cctx;
115	HMAC_CTX hctx;
116
117	crypto_ctx (rsachallenge &challenge, int enc);
118	~crypto_ctx ();
119	};
120
121	crypto_ctx::crypto_ctx (rsachallenge &challenge, int enc)
122	{
123	EVP_CIPHER_CTX_init (&cctx);
124	EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
125	HMAC_CTX_init (&hctx);
126	HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
127	}
128
129	crypto_ctx::~crypto_ctx ()
130	{
131	EVP_CIPHER_CTX_cleanup (&cctx);
132	HMAC_CTX_cleanup (&hctx);
133	}
134
135	/////////////////////////////////////////////////////////////////////////////	43	/////////////////////////////////////////////////////////////////////////////
136		44
137	static void next_wakeup (time_t next)
138	{
139	if (next_timecheck > next)
140	next_timecheck = next;
141	}
142
143	static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
144
145	struct hmac_packet:net_packet
146	{
147	u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
148
149	void hmac_set (crypto_ctx * ctx);
150	bool hmac_chk (crypto_ctx * ctx);
151
152	private:
153	void hmac_gen (crypto_ctx * ctx)
154	{
155	unsigned int xlen;
156	HMAC_CTX *hctx = &ctx->hctx;
157
158	HMAC_Init_ex (hctx, 0, 0, 0, 0);
159	HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
160	len - sizeof (hmac_packet));
161	HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
162	}
163	};
164
165	void
166	hmac_packet::hmac_set (crypto_ctx * ctx)
167	{
168	hmac_gen (ctx);
169
170	memcpy (hmac, hmac_digest, HMACLENGTH);
171	}
172
173	bool
174	hmac_packet::hmac_chk (crypto_ctx * ctx)
175	{
176	hmac_gen (ctx);
177
178	return !memcmp (hmac, hmac_digest, HMACLENGTH);
179	}
180
181	struct vpn_packet : hmac_packet
182	{
183	enum ptype
184	{
185	PT_RESET = 0,
186	PT_DATA_UNCOMPRESSED,
187	PT_DATA_COMPRESSED,
188	PT_PING, PT_PONG, // wasting namespace space? ;)
189	PT_AUTH, // authentification
190	PT_CONNECT_REQ, // want other host to contact me
191	PT_CONNECT_INFO, // request connection to some node
192	PT_REKEY, // rekeying (not yet implemented)
193	PT_MAX
194	};
195
196	u8 type;
197	u8 srcdst, src1, dst1;
198
199	void set_hdr (ptype type, unsigned int dst);
200
201	unsigned int src ()
202	{
203	return src1 | ((srcdst >> 4) << 8);
204	}
205	unsigned int dst ()
206	{
207	return dst1 | ((srcdst & 0xf) << 8);
208	}
209	ptype typ ()
210	{
211	return (ptype) type;
212	}
213	};
214
215	void vpn_packet::set_hdr (ptype type, unsigned int dst)
216	{
217	this->type = type;
218
219	int src = THISNODE->id;
220
221	src1 = src;
222	srcdst = ((src >> 8) << 4) | (dst >> 8);
223	dst1 = dst;
224	}
225
226	#define MAXVPNDATA (MAX_MTU - 6 - 6)
227	#define DATAHDR (sizeof (u32) + RAND_SIZE)
228
229	struct vpndata_packet:vpn_packet
230	{
231	u8 data[MAXVPNDATA + DATAHDR]; // seqno
232
233	void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
234	tap_packet *unpack (connection *conn, u32 &seqno);
235	private:
236
237	const u32 data_hdr_size () const
238	{
239	return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
240	}
241	};
242
243	void
244	vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
245	{
246	EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
247	int outl = 0, outl2;
248	ptype type = PT_DATA_UNCOMPRESSED;
249
250	#if ENABLE_COMPRESSION
251	u8 cdata[MAX_MTU];
252	u32 cl;
253
254	cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
255	if (cl)
256	{
257	//printf ("compressed packet, %d => %d\n", l, cl);//D
258	type = PT_DATA_COMPRESSED;
259	d = cdata;
260	l = cl + 2;
261
262	d[0] = cl >> 8;
263	d[1] = cl;
264	}
265	#endif
266
267	EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
268
269	#if RAND_SIZE
270	struct {
271	u8 rnd[RAND_SIZE];
272	u32 seqno;
273	} datahdr;
274
275	datahdr.seqno = seqno;
276	RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
277
278	EVP_EncryptUpdate (cctx,
279	(unsigned char *) data + outl, &outl2,
280	(unsigned char *) &datahdr, DATAHDR);
281	outl += outl2;
282	#else
283	EVP_EncryptUpdate (cctx,
284	(unsigned char *) data + outl, &outl2,
285	(unsigned char *) &seqno, DATAHDR);
286	outl += outl2;
287	#endif
288
289	EVP_EncryptUpdate (cctx,
290	(unsigned char *) data + outl, &outl2,
291	(unsigned char *) d, l);
292	outl += outl2;
293
294	EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2);
295	outl += outl2;
296
297	len = outl + data_hdr_size ();
298
299	set_hdr (type, dst);
300
301	hmac_set (conn->octx);
302	}
303
304	tap_packet *
305	vpndata_packet::unpack (connection *conn, u32 &seqno)
306	{
307	EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
308	int outl = 0, outl2;
309	tap_packet *p = new tap_packet;
310	u8 *d;
311	u32 l = len - data_hdr_size ();
312
313	EVP_DecryptInit_ex (cctx, 0, 0, 0, 0);
314
315	#if ENABLE_COMPRESSION
316	u8 cdata[MAX_MTU];
317
318	if (type == PT_DATA_COMPRESSED)
319	d = cdata;
320	else
321	#endif
322	d = &(*p)[6 + 6 - DATAHDR];
323
324	/* this overwrites part of the src mac, but we fix that later */
325	EVP_DecryptUpdate (cctx,
326	d, &outl2,
327	(unsigned char *)&data, len - data_hdr_size ());
328	outl += outl2;
329
330	EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
331	outl += outl2;
332
333	seqno = *(u32 *)(d + RAND_SIZE);
334
335	id2mac (dst () ? dst() : THISNODE->id, p->dst);
336	id2mac (src (), p->src);
337
338	#if ENABLE_COMPRESSION
339	if (type == PT_DATA_COMPRESSED)
340	{
341	u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
342	p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6;
343	//printf ("decompressxed %d(%d) => %d\n", cl, len - data_hdr_size (), p->len);//D
344	}
345	else
346	p->len = outl + (6 + 6 - DATAHDR);
347	#endif
348
349	return p;
350	}
351
352	struct ping_packet : vpn_packet
353	{
354	void setup (int dst, ptype type)
355	{
356	set_hdr (type, dst);
357	len = sizeof (*this) - sizeof (net_packet);
358	}
359	};
360
361	struct config_packet : vpn_packet
362	{
363	// actually, hmaclen cannot be checked because the hmac
364	// field comes before this data, so peers with other
365	// hmacs simply will not work.
366	u8 prot_major, prot_minor, randsize, hmaclen;
367	u8 flags, challengelen, pad2, pad3;
368	u32 cipher_nid;
369	u32 digest_nid;
370
371	const u8 curflags () const
372	{
373	return 0x80
374	| (ENABLE_COMPRESSION ? 0x01 : 0x00)
375	| (ENABLE_TRUST ? 0x02 : 0x00);
376	}
377
378	void setup (ptype type, int dst)
379	{
380	prot_major = PROTOCOL_MAJOR;
381	prot_minor = PROTOCOL_MINOR;
382	randsize = RAND_SIZE;
383	hmaclen = HMACLENGTH;
384	flags = curflags ();
385	challengelen = sizeof (rsachallenge);
386
387	cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
388	digest_nid = htonl (EVP_MD_type (DIGEST));
389
390	len = sizeof (*this) - sizeof (net_packet);
391	set_hdr (type, dst);
392	}
393
394	bool chk_config ()
395	{
396	return prot_major == PROTOCOL_MAJOR
397	&& randsize == RAND_SIZE
398	&& hmaclen == HMACLENGTH
399	&& flags == curflags ()
400	&& challengelen == sizeof (rsachallenge)
401	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
402	&& digest_nid == htonl (EVP_MD_type (DIGEST));
403	}
404	};
405
406	struct auth_packet : config_packet
407	{
408	char magic[8];
409	u8 subtype;
410	u8 pad1, pad2;
411	rsaencrdata challenge;
412
413	auth_packet (int dst, auth_subtype stype)
414	{
415	config_packet::setup (PT_AUTH, dst);
416	subtype = stype;
417	len = sizeof (*this) - sizeof (net_packet);
418	strncpy (magic, MAGIC, 8);
419	}
420	};
421
422	struct connect_req_packet : vpn_packet
423	{
424	u8 id;
425	u8 pad1, pad2, pad3;
426
427	connect_req_packet (int dst, int id)
428	{
429	this->id = id;
430	set_hdr (PT_CONNECT_REQ, dst);
431	len = sizeof (*this) - sizeof (net_packet);
432	}
433	};
434
435	struct connect_info_packet : vpn_packet
436	{
437	u8 id;
438	u8 pad1, pad2, pad3;
439	sockinfo si;
440
441	connect_info_packet (int dst, int id, sockinfo &si)
442	{
443	this->id = id;
444	this->si = si;
445	set_hdr (PT_CONNECT_INFO, dst);
446	len = sizeof (*this) - sizeof (net_packet);
447	}
448	};
449
450	/////////////////////////////////////////////////////////////////////////////
451
452	void
453	fill_sa (SOCKADDR *sa, conf_node *conf)
454	{
455	sa->sin_family = AF_INET;
456	sa->sin_port = htons (conf->port);
457	sa->sin_addr.s_addr = 0;
458
459	if (conf->hostname)
460	{
461	struct hostent *he = gethostbyname (conf->hostname);
462
463	if (he
464	&& he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
465	{
466	//sa->sin_family = he->h_addrtype;
467	memcpy (&sa->sin_addr, he->h_addr_list[0], 4);
468	}
469	else
470	slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
471	}
472	}
473
474	void
475	connection::reset_dstaddr ()
476	{
477	fill_sa (&sa, conf);
478	}
479
480	void
481	connection::send_ping (SOCKADDR *dsa, u8 pong)
482	{
483	ping_packet *pkt = new ping_packet;
484
485	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
486	vpn->send_vpn_packet (pkt, dsa);
487
488	delete pkt;
489	}
490
491	void
492	connection::send_reset (SOCKADDR *dsa)
493	{
494	static net_rate_limiter limiter(1);
495
496	if (limiter.can (dsa))
497	{
498	config_packet *pkt = new config_packet;
499
500	pkt->setup (vpn_packet::PT_RESET, conf->id);
501	vpn->send_vpn_packet (pkt, dsa);
502
503	delete pkt;
504	}
505	}
506
507	static rsachallenge *
508	gen_challenge (SOCKADDR *sa)
509	{
510	static rsachallenge k;
511
512	memcpy (&k, &challenge_bytes (), sizeof (k));
513	RAND_bytes ((unsigned char *)&k[CHG_SEQNO], sizeof (u32));
514	xor_sa (k, sa);
515
516	return &k;
517	}
518
519	void
520	connection::send_auth (auth_subtype subtype, SOCKADDR *sa, rsachallenge *k)
521	{
522	static net_rate_limiter limiter(2);
523
524	if (subtype != AUTH_INIT || limiter.can (sa))
525	{
526	auth_packet *pkt = new auth_packet (conf->id, subtype);
527
528	//printf ("send auth_packet subtype %d\n", subtype);//D
529
530	if (!k)
531	k = gen_challenge (sa);
532
533	#if ENABLE_TRUST
534	if (0 > RSA_public_encrypt (sizeof (*k),
535	(unsigned char *)k, (unsigned char *)&pkt->challenge,
536	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
537	fatal ("RSA_public_encrypt error");
538	#else
539	# error untrusted mode not yet implemented: programemr does not know how to
540	rsaencrdata enc;
541
542	if (0 > RSA_private_encrypt (sizeof (*k),
543	(unsigned char *)k, (unsigned char *)&enc,
544	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
545	fatal ("RSA_private_encrypt error");
546
547	if (0 > RSA_public_encrypt (sizeof (enc),
548	(unsigned char *)enc, (unsigned char *)&pkt->challenge,
549	conf->rsa_key, RSA_NO_PADDING))
550	fatal ("RSA_public_encrypt error");
551	#endif
552
553	slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa));
554
555	vpn->send_vpn_packet (pkt, sa);
556
557	delete pkt;
558	}
559	}
560
561	void
562	connection::establish_connection ()
563	{
564	if (!ictx && conf != THISNODE && connectmode != conf_node::C_NEVER)
565	{
566	if (now >= next_retry)
567	{
568	int retry_int = retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2);
569
570	if (retry_cnt < (17 << 2) | 3)
571	retry_cnt++;
572
573	if (connectmode == conf_node::C_ONDEMAND
574	&& retry_int > ::conf.keepalive)
575	retry_int = ::conf.keepalive;
576
577	next_retry = now + retry_int;
578	next_wakeup (next_retry);
579
580	if (conf->hostname)
581	{
582	reset_dstaddr ();
583	if (sa.sin_addr.s_addr)
584	if (retry_cnt < 4)
585	send_auth (AUTH_INIT, &sa);
586	else
587	send_ping (&sa, 0);
588	}
589	else
590	vpn->connect_request (conf->id);
591	}
592	}
593	}
594
595	void
596	connection::reset_connection ()
597	{
598	if (ictx && octx)
599	{
600	slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename);
601
602	if (::conf.script_node_down)
603	run_script (this, &connection::script_node_down, false);
604	}
605
606	delete ictx;
607	ictx = 0;
608
609	delete octx;
610	octx = 0;
611
612	sa.sin_port = 0;
613	sa.sin_addr.s_addr = 0;
614
615	next_retry = 0;
616	next_rekey = 0;
617	last_activity = 0;
618	}
619
620	void
621	connection::shutdown ()
622	{
623	if (ictx && octx)
624	send_reset (&sa);
625
626	reset_connection ();
627	}
628
629	void
630	connection::rekey ()
631	{
632	reset_connection ();
633	establish_connection ();
634	}
635
636	void
637	connection::send_data_packet (tap_packet * pkt, bool broadcast)
638	{
639	vpndata_packet *p = new vpndata_packet;
640
641	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
642	vpn->send_vpn_packet (p, &sa);
643
644	delete p;
645
646	if (oseqno > MAX_SEQNO)
647	rekey ();
648	}
649
650	void
651	connection::inject_data_packet (tap_packet *pkt, bool broadcast)
652	{
653	if (ictx && octx)
654	send_data_packet (pkt, broadcast);
655	else
656	{
657	if (!broadcast)//DDDD
658	queue.put (new tap_packet (*pkt));
659
660	establish_connection ();
661	}
662	}
663
664	void
665	connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa)
666	{
667	last_activity = now;
668
669	slog (L_NOISE, "<<%d received packet type %d from %d to %d",
670	conf->id, pkt->typ (), pkt->src (), pkt->dst ());
671
672	switch (pkt->typ ())
673	{
674	case vpn_packet::PT_PING:
675	send_ping (ssa, 1); // pong
676	break;
677
678	case vpn_packet::PT_PONG:
679	// we send pings instead of auth packets after some retries,
680	// so reset the retry counter and establish a conenction
681	// when we receive a pong.
682	if (!ictx && !octx)
683	{
684	retry_cnt = 0;
685	next_retry = 0;
686	establish_connection ();
687	}
688
689	break;
690
691	case vpn_packet::PT_RESET:
692	{
693	reset_connection ();
694
695	config_packet *p = (config_packet *) pkt;
696	if (p->chk_config ())
697	if (connectmode == conf_node::C_ALWAYS)
698	establish_connection ();
699
700	//D slog the protocol mismatch?
701	}
702	break;
703
704	case vpn_packet::PT_AUTH:
705	{
706	auth_packet *p = (auth_packet *) pkt;
707
708	slog (L_TRACE, "<<%d PT_AUTH(%d)", conf->id, p->subtype);
709
710	if (p->chk_config ()
711	&& !strncmp (p->magic, MAGIC, 8))
712	{
713	if (p->prot_minor != PROTOCOL_MINOR)
714	slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."),
715	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
716
717	if (p->subtype == AUTH_INIT)
718	send_auth (AUTH_INITREPLY, ssa);
719
720	rsachallenge k;
721
722	#if ENABLE_TRUST
723	if (0 > RSA_private_decrypt (sizeof (rsaencrdata),
724	(unsigned char *)&p->challenge, (unsigned char *)&k,
725	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
726	// continued below
727	#else
728	rsaencrdata j;
729
730	if (0 > RSA_private_decrypt (sizeof (rsaencrdata),
731	(unsigned char *)&p->challenge, (unsigned char *)&j,
732	::conf.rsa_key, RSA_NO_PADDING))
733	fatal ("RSA_private_decrypt error");
734
735	if (0 > RSA_public_decrypt (sizeof (k),
736	(unsigned char *)&j, (unsigned char *)&k,
737	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
738	// continued below
739	#endif
740	{
741	slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"),
742	conf->nodename, (const char *)sockinfo (ssa));
743	break;
744	}
745
746	retry_cnt = 0;
747	next_retry = now + 8;
748
749	switch (p->subtype)
750	{
751	case AUTH_INIT:
752	case AUTH_INITREPLY:
753	delete ictx;
754	ictx = 0;
755
756	delete octx;
757
758	octx = new crypto_ctx (k, 1);
759	oseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff;
760
761	send_auth (AUTH_REPLY, ssa, &k);
762	break;
763
764	case AUTH_REPLY:
765
766	if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32),
767	sizeof (rsachallenge) - sizeof (u32)))
768	{
769	delete ictx;
770
771	ictx = new crypto_ctx (k, 0);
772	iseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; // at least 2**31 sequence numbers are valid
773	ismask = 0xffffffff; // initially, all lower sequence numbers are invalid
774
775	sa = *ssa;
776
777	next_rekey = now + ::conf.rekey;
778	next_wakeup (next_rekey);
779
780	// send queued packets
781	while (tap_packet *p = queue.get ())
782	{
783	send_data_packet (p);
784	delete p;
785	}
786
787	connectmode = conf->connectmode;
788
789	slog (L_INFO, _("connection to %d (%s %s) established"),
790	conf->id, conf->nodename, (const char *)sockinfo (ssa));
791
792	if (::conf.script_node_up)
793	run_script (this, &connection::script_node_up, false);
794	}
795	else
796	slog (L_ERR, _("sent and received challenge do not match with (%s %s))"),
797	conf->nodename, (const char *)sockinfo (ssa));
798
799	break;
800	default:
801	slog (L_ERR, _("authentification illegal subtype error (%s %s)"),
802	conf->nodename, (const char *)sockinfo (ssa));
803	break;
804	}
805	}
806	else
807	send_reset (ssa);
808
809	break;
810	}
811
812	case vpn_packet::PT_DATA_COMPRESSED:
813	#if !ENABLE_COMPRESSION
814	send_reset (ssa);
815	break;
816	#endif
817	case vpn_packet::PT_DATA_UNCOMPRESSED:
818
819	if (ictx && octx)
820	{
821	vpndata_packet *p = (vpndata_packet *)pkt;
822
823	if (*ssa == sa)
824	{
825	if (!p->hmac_chk (ictx))
826	slog (L_ERR, _("hmac authentication error, received invalid packet\n"
827	"could be an attack, or just corruption or an synchronization error"));
828	else
829	{
830	u32 seqno;
831	tap_packet *d = p->unpack (this, seqno);
832
833	if (seqno <= iseqno - 32)
834	slog (L_ERR, _("received duplicate or outdated packet (received %08lx, expected %08lx)\n"
835	"possible replay attack, or just massive packet reordering"), seqno, iseqno + 1);//D
836	else if (seqno > iseqno + 32)
837	slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n"
838	"possible replay attack, or just massive packet loss"), seqno, iseqno + 1);//D
839	else
840	{
841	if (seqno > iseqno)
842	{
843	ismask <<= seqno - iseqno;
844	iseqno = seqno;
845	}
846
847	u32 mask = 1 << (iseqno - seqno);
848
849	//printf ("received seqno %08lx, iseqno %08lx, mask %08lx is %08lx\n", seqno, iseqno, mask, ismask);
850	if (ismask & mask)
851	slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n"
852	"possible replay attack, or just packet duplication"), seqno, iseqno + 1);//D
853	else
854	{
855	ismask |= mask;
856
857	vpn->tap->send (d);
858
859	if (p->dst () == 0) // re-broadcast
860	for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
861	{
862	connection *c = *i;
863
864	if (c->conf != THISNODE && c->conf != conf)
865	c->inject_data_packet (d);
866	}
867
868	delete d;
869
870	break;
871	}
872	}
873	}
874	}
875	else
876	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D
877	}
878
879	send_reset (ssa);
880	break;
881
882	case vpn_packet::PT_CONNECT_REQ:
883	if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))
884	{
885	connect_req_packet *p = (connect_req_packet *) pkt;
886
887	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
888
889	connection *c = vpn->conns[p->id - 1];
890
891	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
892	conf->id, p->id, c->ictx && c->octx);
893
894	if (c->ictx && c->octx)
895	{
896	// send connect_info packets to both sides, in case one is
897	// behind a nat firewall (or both ;)
898	{
899	sockinfo si(sa);
900
901	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
902	c->conf->id, conf->id, (const char *)si);
903
904	connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si);
905
906	r->hmac_set (c->octx);
907	vpn->send_vpn_packet (r, &c->sa);
908
909	delete r;
910	}
911
912	{
913	sockinfo si(c->sa);
914
915	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
916	conf->id, c->conf->id, (const char *)si);
917
918	connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si);
919
920	r->hmac_set (octx);
921	vpn->send_vpn_packet (r, &sa);
922
923	delete r;
924	}
925	}
926	}
927
928	break;
929
930	case vpn_packet::PT_CONNECT_INFO:
931	if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))
932	{
933	connect_info_packet *p = (connect_info_packet *) pkt;
934
935	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
936
937	connection *c = vpn->conns[p->id - 1];
938
939	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
940	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
941
942	c->send_auth (AUTH_INIT, p->si.sa ());
943	}
944	break;
945
946	default:
947	send_reset (ssa);
948	break;
949	}
950	}
951
952	void connection::timer ()
953	{
954	if (conf != THISNODE)
955	{
956	if (now >= next_retry && connectmode == conf_node::C_ALWAYS)
957	establish_connection ();
958
959	if (ictx && octx)
960	{
961	if (now >= next_rekey)
962	rekey ();
963	else if (now >= last_activity + ::conf.keepalive + 30)
964	{
965	reset_connection ();
966	establish_connection ();
967	}
968	else if (now >= last_activity + ::conf.keepalive)
969	if (conf->connectmode != conf_node::C_ONDEMAND
970	|| THISNODE->connectmode != conf_node::C_ONDEMAND)
971	send_ping (&sa);
972	else
973	reset_connection ();
974
975	}
976	}
977	}
978
979	void connection::connect_request (int id)
980	{
981	connect_req_packet *p = new connect_req_packet (conf->id, id);
982
983	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);
984	p->hmac_set (octx);
985	vpn->send_vpn_packet (p, &sa);
986
987	delete p;
988	}
989
990	void connection::script_node ()
991	{
992	vpn->script_if_up ();
993
994	char *env;
995	asprintf (&env, "DESTID=%d", conf->id);
996	putenv (env);
997	asprintf (&env, "DESTNODE=%s", conf->nodename);
998	putenv (env);
999	asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
1000	putenv (env);
1001	asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port));
1002	putenv (env);
1003	}
1004
1005	const char *connection::script_node_up ()
1006	{
1007	script_node ();
1008
1009	putenv ("STATE=up");
1010
1011	return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1012	}
1013
1014	const char *connection::script_node_down ()
1015	{
1016	script_node ();
1017
1018	putenv ("STATE=down");
1019
1020	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1021	}
1022
1023	/////////////////////////////////////////////////////////////////////////////
1024
1025	vpn::vpn (void)
1026	{}
1027
1028	const char *vpn::script_if_up ()	45	const char *vpn::script_if_up (int)
1029	{	46	{
1030	// the tunnel device mtu should be the physical mtu - overhead	47	// the tunnel device mtu should be the physical mtu - overhead
1031	// the tricky part is rounding to the cipher key blocksize	48	// the tricky part is rounding to the cipher key blocksize
1032	int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - UDP_OVERHEAD;	49	int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
1033	mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion	50	mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
1034	mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round	51	mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
1035	mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again	52	mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
1036		53
1037	char *env;	54	char *env;
…		…
1052		69
1053	return ::conf.script_if_up ? ::conf.script_if_up : "if-up";	70	return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1054	}	71	}
1055		72
1056	int	73	int
1057	vpn::setup (void)	74	vpn::setup ()
1058	{	75	{
1059	struct sockaddr_in sa;	76	sockinfo si;
1060		77
		78	si.set (THISNODE);
		79
		80	udpv4_fd = -1;
		81
		82	if (THISNODE->protocols & PROT_UDPv4)
		83	{
1061	socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);	84	udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1062	if (socket_fd < 0)	85
		86	if (udpv4_fd < 0)
1063	return -1;	87	return -1;
1064		88
1065	fill_sa (&sa, THISNODE);	89	if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1066		90	{
1067	if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1068	{
1069	slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno));	91	slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1070	exit (1);	92	exit (1);
1071	}	93	}
1072		94
1073	#ifdef IP_MTU_DISCOVER	95	#ifdef IP_MTU_DISCOVER
1074	// this I really consider a linux bug. I am neither connected	96	// this I really consider a linux bug. I am neither connected
1075	// nor do I fragment myself. Linux still sets DF and doesn't	97	// nor do I fragment myself. Linux still sets DF and doesn't
1076	// fragment for me sometimes.	98	// fragment for me sometimes.
1077	{	99	{
1078	int oval = IP_PMTUDISC_DONT;	100	int oval = IP_PMTUDISC_DONT;
1079	setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);	101	setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1080	}	102	}
1081	#endif	103	#endif
1082	{	104
		105	// standard daemon practise...
		106	{
1083	int oval = 1;	107	int oval = 1;
1084	setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);	108	setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
		109	}
		110
		111	udpv4_ev_watcher.start (udpv4_fd, POLLIN);
1085	}	112	}
		113
		114	ipv4_fd = -1;
		115	if (THISNODE->protocols & PROT_IPv4)
		116	{
		117	ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
		118
		119	if (ipv4_fd < 0)
		120	return -1;
		121
		122	if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
		123	{
		124	slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
		125	exit (1);
		126	}
		127
		128	#ifdef IP_MTU_DISCOVER
		129	// this I really consider a linux bug. I am neither connected
		130	// nor do I fragment myself. Linux still sets DF and doesn't
		131	// fragment for me sometimes.
		132	{
		133	int oval = IP_PMTUDISC_DONT;
		134	setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
		135	}
		136	#endif
		137
		138	ipv4_ev_watcher.start (ipv4_fd, POLLIN);
		139	}
1086		140
1087	tap = new tap_device ();	141	tap = new tap_device ();
1088	if (!tap) //D this, of course, never catches	142	if (!tap) //D this, of course, never catches
1089	{	143	{
1090	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);	144	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1091	exit (1);	145	exit (1);
1092	}	146	}
1093		147
1094	run_script (this, &vpn::script_if_up, true);	148	run_script (run_script_cb (this, &vpn::script_if_up), true);
		149
		150	tap_ev_watcher.start (tap->fd, POLLIN);
		151
		152	reconnect_all ();
1095		153
1096	return 0;	154	return 0;
1097	}	155	}
1098		156
1099	void	157	void
1100	vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa)	158	vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1101	{	159	{
1102	sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa));	160	setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
		161	sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
		162	}
		163
		164	void
		165	vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
		166	{
		167	setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
		168	sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
		169	}
		170
		171	void
		172	vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
		173	{
		174	unsigned int src = pkt->src ();
		175	unsigned int dst = pkt->dst ();
		176
		177	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
		178	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
		179
		180	if (src == 0 || src > conns.size ()
		181	|| dst > conns.size ()
		182	|| pkt->typ () >= vpn_packet::PT_MAX)
		183	slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)"),
		184	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
		185	else
		186	{
		187	connection *c = conns[src - 1];
		188
		189	if (dst == 0 && !THISNODE->routerprio)
		190	slog (L_WARN, _("%s(%s): received broadcast, but we are no router"),
		191	c->conf->nodename, (const char *)rsi);
		192	else if (dst != 0 && dst != THISNODE->id)
		193	// FORWARDING NEEDED ;)
		194	slog (L_WARN,
		195	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
		196	dst, conns[dst - 1]->conf->nodename,
		197	(const char *)rsi,
		198	THISNODE->id, THISNODE->nodename);
		199	else
		200	c->recv_vpn_packet (pkt, rsi);
		201	}
		202	}
		203
		204	void
		205	vpn::udpv4_ev (short revents)
		206	{
		207	if (revents & (POLLIN | POLLERR))
		208	{
		209	vpn_packet *pkt = new vpn_packet;
		210	struct sockaddr_in sa;
		211	socklen_t sa_len = sizeof (sa);
		212	int len;
		213
		214	len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
		215
		216	sockinfo si(sa);
		217
		218	if (len > 0)
		219	{
		220	pkt->len = len;
		221
		222	recv_vpn_packet (pkt, si);
		223	}
		224	else
		225	{
		226	// probably ECONNRESET or somesuch
		227	slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
		228	}
		229
		230	delete pkt;
		231	}
		232	else if (revents & POLLHUP)
		233	{
		234	// this cannot ;) happen on udp sockets
		235	slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
		236	exit (1);
		237	}
		238	else
		239	{
		240	slog (L_ERR,
		241	_("FATAL: unknown revents %08x in socket, terminating\n"),
		242	revents);
		243	exit (1);
		244	}
		245	}
		246
		247	void
		248	vpn::ipv4_ev (short revents)
		249	{
		250	if (revents & (POLLIN | POLLERR))
		251	{
		252	vpn_packet *pkt = new vpn_packet;
		253	struct sockaddr_in sa;
		254	socklen_t sa_len = sizeof (sa);
		255	int len;
		256
		257	len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
		258
		259	sockinfo si(sa, PROT_IPv4);
		260
		261	if (len > 0)
		262	{
		263	pkt->len = len;
		264
		265	// raw sockets deliver the ipv4, but don't expect it on sends
		266	// this is slow, but...
		267	pkt->skip_hdr (IP_OVERHEAD);
		268
		269	recv_vpn_packet (pkt, si);
		270	}
		271	else
		272	{
		273	// probably ECONNRESET or somesuch
		274	slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
		275	}
		276
		277	delete pkt;
		278	}
		279	else if (revents & POLLHUP)
		280	{
		281	// this cannot ;) happen on udp sockets
		282	slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
		283	exit (1);
		284	}
		285	else
		286	{
		287	slog (L_ERR,
		288	_("FATAL: unknown revents %08x in socket, terminating\n"),
		289	revents);
		290	exit (1);
		291	}
		292	}
		293
		294	void
		295	vpn::tap_ev (short revents)
		296	{
		297	if (revents & POLLIN)
		298	{
		299	/* process data */
		300	tap_packet *pkt;
		301
		302	pkt = tap->recv ();
		303
		304	int dst = mac2id (pkt->dst);
		305	int src = mac2id (pkt->src);
		306
		307	if (src != THISNODE->id)
		308	{
		309	slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
		310	exit (1);
		311	}
		312
		313	if (dst == THISNODE->id)
		314	{
		315	slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
		316	exit (1);
		317	}
		318
		319	if (dst > conns.size ())
		320	slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
		321	else
		322	{
		323	if (dst)
		324	{
		325	// unicast
		326	if (dst != THISNODE->id)
		327	conns[dst - 1]->inject_data_packet (pkt);
		328	}
		329	else
		330	{
		331	// broadcast, first check router, then self, then english
		332	connection *router = find_router ();
		333
		334	if (router)
		335	router->inject_data_packet (pkt, true);
		336	else
		337	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
		338	if ((*c)->conf != THISNODE)
		339	(*c)->inject_data_packet (pkt);
		340	}
		341	}
		342
		343	delete pkt;
		344	}
		345	else if (revents & (POLLHUP | POLLERR))
		346	{
		347	slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
		348	exit (1);
		349	}
		350	else
		351	abort ();
		352	}
		353
		354	void
		355	vpn::event_cb (tstamp &ts)
		356	{
		357	if (events)
		358	{
		359	if (events & EVENT_SHUTDOWN)
		360	{
		361	slog (L_INFO, _("preparing shutdown..."));
		362
		363	shutdown_all ();
		364
		365	remove_pid (pidfilename);
		366
		367	slog (L_INFO, _("terminating"));
		368
		369	exit (0);
		370	}
		371
		372	if (events & EVENT_RECONNECT)
		373	{
		374	slog (L_INFO, _("forced reconnect"));
		375
		376	reconnect_all ();
		377	}
		378
		379	events = 0;
		380	}
		381
		382	ts = TSTAMP_CANCEL;
1103	}	383	}
1104		384
1105	void	385	void
1106	vpn::shutdown_all ()	386	vpn::shutdown_all ()
1107	{	387	{
…		…
1114	{	394	{
1115	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	395	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1116	delete *c;	396	delete *c;
1117		397
1118	conns.clear ();	398	conns.clear ();
		399
		400	connection_init ();
1119		401
1120	for (configuration::node_vector::iterator i = conf.nodes.begin ();	402	for (configuration::node_vector::iterator i = conf.nodes.begin ();
1121	i != conf.nodes.end (); ++i)	403	i != conf.nodes.end (); ++i)
1122	{	404	{
1123	connection *conn = new connection (this);	405	connection *conn = new connection (this);
…		…
1163	// if ((*i)->conf->routerprio)	445	// if ((*i)->conf->routerprio)
1164	// (*i)->establish_connection ();	446	// (*i)->establish_connection ();
1165	}	447	}
1166		448
1167	void	449	void
1168	vpn::main_loop ()	450	connection::dump_status ()
1169	{	451	{
1170	struct pollfd pollfd[2];	452	slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
		453	slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
		454	connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
		455	slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
		456	(long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
		457	slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
		458	(long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
		459	}
1171		460
1172	pollfd[0].fd = tap->fd;	461	void
1173	pollfd[0].events = POLLIN;	462	vpn::dump_status ()
1174	pollfd[1].fd = socket_fd;	463	{
1175	pollfd[1].events = POLLIN;	464	slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
1176		465
1177	events = 0;
1178	now = time (0);
1179	next_timecheck = now + 1;
1180
1181	reconnect_all ();
1182
1183	for (;;)
1184	{
1185	int npoll = poll (pollfd, 2, (next_timecheck - now) * 1000);
1186
1187	now = time (0);
1188
1189	if (npoll > 0)
1190	{
1191	if (pollfd[1].revents)
1192	{
1193	if (pollfd[1].revents & (POLLIN | POLLERR))
1194	{
1195	vpn_packet *pkt = new vpn_packet;
1196	struct sockaddr_in sa;
1197	socklen_t sa_len = sizeof (sa);
1198	int len;
1199
1200	len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1201
1202	if (len > 0)
1203	{
1204	pkt->len = len;
1205
1206	unsigned int src = pkt->src ();
1207	unsigned int dst = pkt->dst ();
1208
1209	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1210	(const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1211
1212	if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1213	slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1214	pkt->typ (), pkt->src (), pkt->dst ());
1215	else if (dst == 0 && !THISNODE->routerprio)
1216	slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1217	else if (dst != 0 && dst != THISNODE->id)
1218	slog (L_WARN,
1219	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1220	dst, conns[dst - 1]->conf->nodename,
1221	(const char *)sockinfo (sa),
1222	THISNODE->id, THISNODE->nodename);
1223	else if (src == 0 || src > conns.size ())
1224	slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1225	else
1226	conns[src - 1]->recv_vpn_packet (pkt, &sa);
1227	}
1228	else
1229	{
1230	// probably ECONNRESET or somesuch
1231	slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno));
1232	}
1233
1234	delete pkt;
1235	}
1236	else if (pollfd[1].revents & POLLHUP)
1237	{
1238	// this cannot ;) happen on udp sockets
1239	slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating."));
1240	exit (1);
1241	}
1242	else
1243	{
1244	slog (L_ERR,
1245	_("FATAL: unknown revents %08x in socket, terminating\n"),
1246	pollfd[1].revents);
1247	exit (1);
1248	}
1249	}
1250
1251	// I use else here to give vpn_packets absolute priority
1252	else if (pollfd[0].revents)
1253	{
1254	if (pollfd[0].revents & POLLIN)
1255	{
1256	/* process data */
1257	tap_packet *pkt;
1258
1259	pkt = tap->recv ();
1260
1261	int dst = mac2id (pkt->dst);
1262	int src = mac2id (pkt->src);
1263
1264	if (src != THISNODE->id)
1265	{
1266	slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1267	exit (1);
1268	}
1269
1270	if (dst == THISNODE->id)
1271	{
1272	slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1273	exit (1);
1274	}
1275
1276	if (dst > conns.size ())
1277	slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1278	else
1279	{
1280	if (dst)
1281	{
1282	// unicast
1283	if (dst != THISNODE->id)
1284	conns[dst - 1]->inject_data_packet (pkt);
1285	}
1286	else
1287	{
1288	// broadcast, first check router, then self, then english
1289	connection *router = find_router ();
1290
1291	if (router)
1292	router->inject_data_packet (pkt, true);
1293	else
1294	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	466	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1295	if ((*c)->conf != THISNODE)	467	(*c)->dump_status ();
1296	(*c)->inject_data_packet (pkt);
1297	}
1298	}
1299		468
1300	delete pkt;	469	slog (L_NOTICE, _("END status dump"));
1301	}	470	}
1302	else if (pollfd[0].revents & (POLLHUP | POLLERR))
1303	{
1304	slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
1305	exit (1);
1306	}
1307	else
1308	abort ();
1309	}
1310	}
1311		471
1312	if (events)	472	vpn::vpn (void)
1313	{	473	: udpv4_ev_watcher(this, &vpn::udpv4_ev)
1314	if (events & EVENT_SHUTDOWN)	474	, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1315	{	475	, tap_ev_watcher(this, &vpn::tap_ev)
1316	shutdown_all ();	476	, event(this, &vpn::event_cb)
1317		477	{
1318	remove_pid (pidfilename);
1319
1320	slog (L_INFO, _("vped terminating"));
1321
1322	exit (0);
1323	}
1324
1325	if (events & EVENT_RECONNECT)
1326	reconnect_all ();
1327
1328	events = 0;
1329	}
1330
1331	// very very very dumb and crude and inefficient timer handling, or maybe not?
1332	if (now >= next_timecheck)
1333	{
1334	next_timecheck = now + TIMER_GRANULARITY;
1335
1336	for (conns_vector::iterator c = conns.begin ();
1337	c != conns.end (); ++c)
1338	(*c)->timer ();
1339	}
1340	}
1341	}	478	}
1342		479
1343	vpn::~vpn ()	480	vpn::~vpn ()
1344	{}	481	{
		482	}
1345		483

Diff Legend

–	Removed lines
+	Added lines
<	Changed lines
>	Changed lines