ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/protocol.C
(Generate patch)

Comparing gvpe/src/protocol.C (file contents):
Revision 1.17 by pcg, Wed Mar 26 01:58:46 2003 UTC vs.
Revision 1.23 by pcg, Fri Mar 28 05:40:54 2003 UTC

58 58
59static time_t next_timecheck; 59static time_t next_timecheck;
60 60
61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
62 62
63static u8
64best_protocol (u8 protset)
65{
66 if (protset & PROT_IPv4)
67 return PROT_IPv4;
68
69 return PROT_UDPv4;
70}
71
63struct crypto_ctx 72struct crypto_ctx
64 { 73 {
65 EVP_CIPHER_CTX cctx; 74 EVP_CIPHER_CTX cctx;
66 HMAC_CTX hctx; 75 HMAC_CTX hctx;
67 76
82 EVP_CIPHER_CTX_cleanup (&cctx); 91 EVP_CIPHER_CTX_cleanup (&cctx);
83 HMAC_CTX_cleanup (&hctx); 92 HMAC_CTX_cleanup (&hctx);
84} 93}
85 94
86static void 95static void
87rsa_hash (const rsachallenge &chg, rsaresponse &h) 96rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
88{ 97{
89 EVP_MD_CTX ctx; 98 EVP_MD_CTX ctx;
90 99
91 EVP_MD_CTX_init (&ctx); 100 EVP_MD_CTX_init (&ctx);
92 EVP_DigestInit (&ctx, RSA_HASH); 101 EVP_DigestInit (&ctx, RSA_HASH);
93 EVP_DigestUpdate(&ctx, &chg, sizeof chg); 102 EVP_DigestUpdate(&ctx, &chg, sizeof chg);
103 EVP_DigestUpdate(&ctx, &id, sizeof id);
94 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0); 104 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
95 EVP_MD_CTX_cleanup (&ctx); 105 EVP_MD_CTX_cleanup (&ctx);
96} 106}
97 107
98struct rsa_entry { 108struct rsa_entry {
236}; 246};
237 247
238// only do action once every x seconds per host whole allowing bursts. 248// only do action once every x seconds per host whole allowing bursts.
239// this implementation ("splay list" ;) is inefficient, 249// this implementation ("splay list" ;) is inefficient,
240// but low on resources. 250// but low on resources.
241struct net_rate_limiter : private list<net_rateinfo> 251struct net_rate_limiter : list<net_rateinfo>
242{ 252{
243 static const double ALPHA = 1. - 1. / 90.; // allow bursts 253 static const double ALPHA = 1. - 1. / 90.; // allow bursts
244 static const double CUTOFF = 20.; // one event every CUTOFF seconds 254 static const double CUTOFF = 20.; // one event every CUTOFF seconds
245 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 255 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
246 256
257 bool can (const sockinfo &si) { return can((u32)si.host); }
247 bool can (u32 host); 258 bool can (u32 host);
248 bool can (SOCKADDR *sa) { return can((u32)sa->sin_addr.s_addr); }
249 bool can (sockinfo &si) { return can((u32)si.host); }
250}; 259};
251 260
252net_rate_limiter auth_rate_limiter, reset_rate_limiter; 261net_rate_limiter auth_rate_limiter, reset_rate_limiter;
253 262
254bool net_rate_limiter::can (u32 host) 263bool net_rate_limiter::can (u32 host)
289 bool send = ri.diff / ri.pcnt > CUTOFF; 298 bool send = ri.diff / ri.pcnt > CUTOFF;
290 299
291 if (send) 300 if (send)
292 ri.pcnt++; 301 ri.pcnt++;
293 302
294 //printf ("RATE %d %f,%f = %f > %f\n", !!send, ri.pcnt, ri.diff, ri.diff / ri.pcnt, CUTOFF);
295
296 push_front (ri); 303 push_front (ri);
297 304
298 return send; 305 return send;
299 } 306 }
300} 307}
308} 315}
309 316
310static unsigned char hmac_digest[EVP_MAX_MD_SIZE]; 317static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
311 318
312struct hmac_packet:net_packet 319struct hmac_packet:net_packet
320{
321 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
322
323 void hmac_set (crypto_ctx * ctx);
324 bool hmac_chk (crypto_ctx * ctx);
325
326private:
327 void hmac_gen (crypto_ctx * ctx)
313 { 328 {
314 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
315
316 void hmac_set (crypto_ctx * ctx);
317 bool hmac_chk (crypto_ctx * ctx);
318
319private:
320 void hmac_gen (crypto_ctx * ctx)
321 {
322 unsigned int xlen; 329 unsigned int xlen;
323 HMAC_CTX *hctx = &ctx->hctx; 330 HMAC_CTX *hctx = &ctx->hctx;
324 331
325 HMAC_Init_ex (hctx, 0, 0, 0, 0); 332 HMAC_Init_ex (hctx, 0, 0, 0, 0);
326 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), 333 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
327 len - sizeof (hmac_packet)); 334 len - sizeof (hmac_packet));
328 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen); 335 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
329 }
330 }; 336 }
337};
331 338
332void 339void
333hmac_packet::hmac_set (crypto_ctx * ctx) 340hmac_packet::hmac_set (crypto_ctx * ctx)
334{ 341{
335 hmac_gen (ctx); 342 hmac_gen (ctx);
363 u8 type; 370 u8 type;
364 u8 srcdst, src1, dst1; 371 u8 srcdst, src1, dst1;
365 372
366 void set_hdr (ptype type, unsigned int dst); 373 void set_hdr (ptype type, unsigned int dst);
367 374
368 unsigned int src () 375 unsigned int src () const
369 { 376 {
370 return src1 | ((srcdst >> 4) << 8); 377 return src1 | ((srcdst >> 4) << 8);
371 } 378 }
372 379
373 unsigned int dst () 380 unsigned int dst () const
374 { 381 {
375 return dst1 | ((srcdst & 0xf) << 8); 382 return dst1 | ((srcdst & 0xf) << 8);
376 } 383 }
377 384
378 ptype typ () 385 ptype typ () const
379 { 386 {
380 return (ptype) type; 387 return (ptype) type;
381 } 388 }
382 }; 389 };
383 390
502 509
503#if ENABLE_COMPRESSION 510#if ENABLE_COMPRESSION
504 if (type == PT_DATA_COMPRESSED) 511 if (type == PT_DATA_COMPRESSED)
505 { 512 {
506 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1]; 513 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
514
507 p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6; 515 p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
516 &(*p)[6 + 6], MAX_MTU)
517 + 6 + 6;
508 } 518 }
509 else 519 else
510 p->len = outl + (6 + 6 - DATAHDR); 520 p->len = outl + (6 + 6 - DATAHDR);
511#endif 521#endif
512 522
535 { 545 {
536 return 0x80 546 return 0x80
537 | (ENABLE_COMPRESSION ? 0x01 : 0x00); 547 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
538 } 548 }
539 549
540 void setup (ptype type, int dst) 550 void setup (ptype type, int dst);
541 {
542 prot_major = PROTOCOL_MAJOR;
543 prot_minor = PROTOCOL_MINOR;
544 randsize = RAND_SIZE;
545 hmaclen = HMACLENGTH;
546 flags = curflags ();
547 challengelen = sizeof (rsachallenge);
548
549 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
550 digest_nid = htonl (EVP_MD_type (RSA_HASH));
551 hmac_nid = htonl (EVP_MD_type (DIGEST));
552
553 len = sizeof (*this) - sizeof (net_packet);
554 set_hdr (type, dst);
555 }
556
557 bool chk_config () 551 bool chk_config () const;
558 {
559 return prot_major == PROTOCOL_MAJOR
560 && randsize == RAND_SIZE
561 && hmaclen == HMACLENGTH
562 && flags == curflags ()
563 && challengelen == sizeof (rsachallenge)
564 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
565 && digest_nid == htonl (EVP_MD_type (RSA_HASH))
566 && hmac_nid == htonl (EVP_MD_type (DIGEST));
567 }
568}; 552};
569 553
554void config_packet::setup (ptype type, int dst)
555{
556 prot_major = PROTOCOL_MAJOR;
557 prot_minor = PROTOCOL_MINOR;
558 randsize = RAND_SIZE;
559 hmaclen = HMACLENGTH;
560 flags = curflags ();
561 challengelen = sizeof (rsachallenge);
562
563 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
564 digest_nid = htonl (EVP_MD_type (RSA_HASH));
565 hmac_nid = htonl (EVP_MD_type (DIGEST));
566
567 len = sizeof (*this) - sizeof (net_packet);
568 set_hdr (type, dst);
569}
570
571bool config_packet::chk_config () const
572{
573 return prot_major == PROTOCOL_MAJOR
574 && randsize == RAND_SIZE
575 && hmaclen == HMACLENGTH
576 && flags == curflags ()
577 && challengelen == sizeof (rsachallenge)
578 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
579 && digest_nid == htonl (EVP_MD_type (RSA_HASH))
580 && hmac_nid == htonl (EVP_MD_type (DIGEST));
581}
582
570struct auth_req_packet : config_packet 583struct auth_req_packet : config_packet
571{ 584{
572 char magic[8]; 585 char magic[8];
573 u8 initiate; // false if this is just an automatic reply 586 u8 initiate, can_recv; // false if this is just an automatic reply
574 u8 pad1, pad2, pad3; 587 u8 pad2, pad3;
575 rsaid id; 588 rsaid id;
576 rsaencrdata encr; 589 rsaencrdata encr;
577 590
578 auth_req_packet (int dst, bool initiate_) 591 auth_req_packet (int dst, bool initiate_, u8 can_recv_)
579 { 592 {
580 config_packet::setup (PT_AUTH_REQ, dst); 593 config_packet::setup (PT_AUTH_REQ, dst);
594 strncpy (magic, MAGIC, 8);
581 initiate = !!initiate_; 595 initiate = !!initiate_;
582 strncpy (magic, MAGIC, 8); 596 can_recv = can_recv_;
597
583 len = sizeof (*this) - sizeof (net_packet); 598 len = sizeof (*this) - sizeof (net_packet);
584 } 599 }
585}; 600};
586 601
587struct auth_res_packet : config_packet 602struct auth_res_packet : config_packet
588{ 603{
589 rsaid id; 604 rsaid id;
605 u8 pad1, pad2, pad3;
606 u8 response_len; // encrypted length
590 rsaresponse response; 607 rsaresponse response;
591 608
592 auth_res_packet (int dst) 609 auth_res_packet (int dst)
593 { 610 {
594 config_packet::setup (PT_AUTH_RES, dst); 611 config_packet::setup (PT_AUTH_RES, dst);
612
595 len = sizeof (*this) - sizeof (net_packet); 613 len = sizeof (*this) - sizeof (net_packet);
596 } 614 }
597}; 615};
598 616
599struct connect_req_packet : vpn_packet 617struct connect_req_packet : vpn_packet
609 } 627 }
610}; 628};
611 629
612struct connect_info_packet : vpn_packet 630struct connect_info_packet : vpn_packet
613{ 631{
614 u8 id; 632 u8 id, can_recv;
615 u8 pad1, pad2, pad3; 633 u8 pad1, pad2;
616 sockinfo si; 634 sockinfo si;
617 635
618 connect_info_packet (int dst, int id_, sockinfo &si_) 636 connect_info_packet (int dst, int id_, sockinfo &si_, u8 can_recv_)
619 { 637 {
620 id = id_; 638 id = id_;
639 can_recv = can_recv_;
621 si = si_; 640 si = si_;
622 set_hdr (PT_CONNECT_INFO, dst); 641 set_hdr (PT_CONNECT_INFO, dst);
642
623 len = sizeof (*this) - sizeof (net_packet); 643 len = sizeof (*this) - sizeof (net_packet);
624 } 644 }
625}; 645};
626 646
627///////////////////////////////////////////////////////////////////////////// 647/////////////////////////////////////////////////////////////////////////////
628 648
629void 649void
630fill_sa (SOCKADDR *sa, conf_node *conf)
631{
632 sa->sin_family = AF_INET;
633 sa->sin_port = htons (conf->port);
634 sa->sin_addr.s_addr = 0;
635
636 if (conf->hostname)
637 {
638 struct hostent *he = gethostbyname (conf->hostname);
639
640 if (he
641 && he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
642 {
643 //sa->sin_family = he->h_addrtype;
644 memcpy (&sa->sin_addr, he->h_addr_list[0], 4);
645 }
646 else
647 slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
648 }
649}
650
651void
652connection::reset_dstaddr () 650connection::reset_dstaddr ()
653{ 651{
654 fill_sa (&sa, conf); 652 si.set (conf);
655} 653}
656 654
657void 655void
658connection::send_ping (SOCKADDR *dsa, u8 pong) 656connection::send_ping (const sockinfo &si, u8 pong)
659{ 657{
660 ping_packet *pkt = new ping_packet; 658 ping_packet *pkt = new ping_packet;
661 659
662 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 660 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
663 vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY); 661 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
664 662
665 delete pkt; 663 delete pkt;
666} 664}
667 665
668void 666void
669connection::send_reset (SOCKADDR *dsa) 667connection::send_reset (const sockinfo &si)
670{ 668{
671 if (reset_rate_limiter.can (dsa) && connectmode != conf_node::C_DISABLED) 669 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
672 { 670 {
673 config_packet *pkt = new config_packet; 671 config_packet *pkt = new config_packet;
674 672
675 pkt->setup (vpn_packet::PT_RESET, conf->id); 673 pkt->setup (vpn_packet::PT_RESET, conf->id);
676 vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST); 674 send_vpn_packet (pkt, si, IPTOS_MINCOST);
677 675
678 delete pkt; 676 delete pkt;
679 } 677 }
680} 678}
681 679
682void 680void
683connection::send_auth_request (SOCKADDR *sa, bool initiate) 681connection::send_auth_request (const sockinfo &si, bool initiate)
684{ 682{
685 if (auth_rate_limiter.can (sa))
686 {
687 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate); 683 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->can_recv);
688 684
685 // the next line is very conservative
686 prot_send = best_protocol (THISNODE->can_send & THISNODE->can_recv & conf->can_recv);
687
689 rsachallenge chg; 688 rsachallenge chg;
690 689
691 rsa_cache.gen (pkt->id, chg); 690 rsa_cache.gen (pkt->id, chg);
692 691
693 if (0 > RSA_public_encrypt (sizeof chg, 692 if (0 > RSA_public_encrypt (sizeof chg,
694 (unsigned char *)&chg, (unsigned char *)&pkt->encr, 693 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
695 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 694 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
696 fatal ("RSA_public_encrypt error"); 695 fatal ("RSA_public_encrypt error");
697 696
698 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)sockinfo (sa)); 697 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
699 698
700 vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); // rsa is very very costly 699 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
701 700
702 delete pkt; 701 delete pkt;
703 }
704} 702}
705 703
706void 704void
707connection::send_auth_response (SOCKADDR *sa, const rsaid &id, const rsachallenge &chg) 705connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
708{ 706{
709 if (auth_rate_limiter.can (sa))
710 {
711 auth_res_packet *pkt = new auth_res_packet (conf->id); 707 auth_res_packet *pkt = new auth_res_packet (conf->id);
712 708
713 pkt->id = id; 709 pkt->id = id;
710
714 rsa_hash (chg, pkt->response); 711 rsa_hash (id, chg, pkt->response);
715 712
713 pkt->hmac_set (octx);
714
716 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)sockinfo (sa)); 715 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
717 716
718 vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); // rsa is very very costly 717 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
719 718
720 delete pkt; 719 delete pkt;
721 }
722} 720}
723 721
724void 722void
725connection::establish_connection_cb (tstamp &ts) 723connection::establish_connection_cb (tstamp &ts)
726{ 724{
727 if (ictx || conf == THISNODE || connectmode == conf_node::C_NEVER) 725 if (ictx || conf == THISNODE
726 || connectmode == conf_node::C_NEVER
727 || connectmode == conf_node::C_DISABLED)
728 ts = TSTAMP_CANCEL; 728 ts = TSTAMP_CANCEL;
729 else if (ts <= NOW) 729 else if (ts <= NOW)
730 { 730 {
731 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 731 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
732 732
736 ts = NOW + retry_int; 736 ts = NOW + retry_int;
737 737
738 if (conf->hostname) 738 if (conf->hostname)
739 { 739 {
740 reset_dstaddr (); 740 reset_dstaddr ();
741 if (sa.sin_addr.s_addr) 741 if (si.host && auth_rate_limiter.can (si))
742 {
742 if (retry_cnt < 4) 743 if (retry_cnt < 4)
743 send_auth_request (&sa, true); 744 send_auth_request (si, true);
744 else if (auth_rate_limiter.can (&sa)) 745 else
745 send_ping (&sa, 0); 746 send_ping (si, 0);
747 }
746 } 748 }
747 else 749 else
748 vpn->connect_request (conf->id); 750 vpn->connect_request (conf->id);
749 } 751 }
750} 752}
752void 754void
753connection::reset_connection () 755connection::reset_connection ()
754{ 756{
755 if (ictx && octx) 757 if (ictx && octx)
756 { 758 {
757 slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename); 759 slog (L_INFO, _("%s(%s): connection lost"),
760 conf->nodename, (const char *)si);
758 761
759 if (::conf.script_node_down) 762 if (::conf.script_node_down)
760 run_script (run_script_cb (this, &connection::script_node_down), false); 763 run_script (run_script_cb (this, &connection::script_node_down), false);
761 } 764 }
762 765
763 delete ictx; ictx = 0; 766 delete ictx; ictx = 0;
764 delete octx; octx = 0; 767 delete octx; octx = 0;
765 768
766 sa.sin_port = 0; 769 si.host= 0;
767 sa.sin_addr.s_addr = 0;
768 770
769 last_activity = 0; 771 last_activity = 0;
772 retry_cnt = 0;
770 773
771 rekey.reset (); 774 rekey.reset ();
772 keepalive.reset (); 775 keepalive.reset ();
773 establish_connection.reset (); 776 establish_connection.reset ();
774} 777}
775 778
776void 779void
777connection::shutdown () 780connection::shutdown ()
778{ 781{
779 if (ictx && octx) 782 if (ictx && octx)
780 send_reset (&sa); 783 send_reset (si);
781 784
782 reset_connection (); 785 reset_connection ();
783} 786}
784 787
785void 788void
790 reset_connection (); 793 reset_connection ();
791 establish_connection (); 794 establish_connection ();
792} 795}
793 796
794void 797void
795connection::send_data_packet (tap_packet * pkt, bool broadcast) 798connection::send_data_packet (tap_packet *pkt, bool broadcast)
796{ 799{
797 vpndata_packet *p = new vpndata_packet; 800 vpndata_packet *p = new vpndata_packet;
798 int tos = 0; 801 int tos = 0;
799 802
800 if (conf->inherit_tos 803 if (conf->inherit_tos
801 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 804 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
802 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 805 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
803 tos = (*pkt)[15] & IPTOS_TOS_MASK; 806 tos = (*pkt)[15] & IPTOS_TOS_MASK;
804 807
805 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 808 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
806 vpn->send_vpn_packet (p, &sa, tos); 809 send_vpn_packet (p, si, tos);
807 810
808 delete p; 811 delete p;
809 812
810 if (oseqno > MAX_SEQNO) 813 if (oseqno > MAX_SEQNO)
811 rekey (); 814 rekey ();
824 establish_connection (); 827 establish_connection ();
825 } 828 }
826} 829}
827 830
828void 831void
829connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa) 832connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
830{ 833{
831 last_activity = NOW; 834 last_activity = NOW;
832 835
833 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 836 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
834 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 837 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
835 838
836 switch (pkt->typ ()) 839 switch (pkt->typ ())
837 { 840 {
838 case vpn_packet::PT_PING: 841 case vpn_packet::PT_PING:
839 // we send pings instead of auth packets after some retries, 842 // we send pings instead of auth packets after some retries,
840 // so reset the retry counter and establish a conenction 843 // so reset the retry counter and establish a connection
841 // when we receive a pong. 844 // when we receive a ping.
842 if (!ictx && !octx) 845 if (!ictx)
843 { 846 {
844 retry_cnt = 0; 847 if (auth_rate_limiter.can (rsi))
845 establish_connection.at = 0; 848 send_auth_request (rsi, true);
846 establish_connection ();
847 } 849 }
848 else 850 else
849 send_ping (ssa, 1); // pong 851 send_ping (rsi, 1); // pong
850 852
851 break; 853 break;
852 854
853 case vpn_packet::PT_PONG: 855 case vpn_packet::PT_PONG:
854 break; 856 break;
859 861
860 config_packet *p = (config_packet *) pkt; 862 config_packet *p = (config_packet *) pkt;
861 863
862 if (!p->chk_config ()) 864 if (!p->chk_config ())
863 { 865 {
864 slog (L_WARN, _("protocol mismatch, disabling node '%s'"), conf->nodename); 866 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
867 conf->nodename, (const char *)rsi);
865 connectmode = conf_node::C_DISABLED; 868 connectmode = conf_node::C_DISABLED;
866 } 869 }
867 else if (connectmode == conf_node::C_ALWAYS) 870 else if (connectmode == conf_node::C_ALWAYS)
868 establish_connection (); 871 establish_connection ();
869 } 872 }
870 break; 873 break;
871 874
872 case vpn_packet::PT_AUTH_REQ: 875 case vpn_packet::PT_AUTH_REQ:
876 if (auth_rate_limiter.can (rsi))
873 { 877 {
874 auth_req_packet *p = (auth_req_packet *) pkt; 878 auth_req_packet *p = (auth_req_packet *) pkt;
875 879
876 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 880 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
877 881
878 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 882 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
879 { 883 {
880 if (p->prot_minor != PROTOCOL_MINOR) 884 if (p->prot_minor != PROTOCOL_MINOR)
881 slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."), 885 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
886 conf->nodename, (const char *)rsi,
882 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 887 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
883 888
884 if (p->initiate) 889 if (p->initiate)
885 send_auth_request (ssa, false); 890 send_auth_request (rsi, false);
886 891
887 rsachallenge k; 892 rsachallenge k;
888 893
889 if (0 > RSA_private_decrypt (sizeof (p->encr), 894 if (0 > RSA_private_decrypt (sizeof (p->encr),
890 (unsigned char *)&p->encr, (unsigned char *)&k, 895 (unsigned char *)&p->encr, (unsigned char *)&k,
891 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 896 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
892 slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"), 897 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
893 conf->nodename, (const char *)sockinfo (ssa)); 898 conf->nodename, (const char *)rsi);
894 else 899 else
895 { 900 {
896 retry_cnt = 0; 901 retry_cnt = 0;
897 establish_connection.set (NOW + 8); //? ;) 902 establish_connection.set (NOW + 8); //? ;)
898 keepalive.reset (); 903 keepalive.reset ();
899 rekey.reset (); 904 rekey.reset ();
900 905
901 delete ictx; 906 delete ictx;
902 ictx = 0; 907 ictx = 0;
903 908
904 delete octx; 909 delete octx;
905 910
906 octx = new crypto_ctx (k, 1); 911 octx = new crypto_ctx (k, 1);
907 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 912 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
908 913
914 conf->can_recv = p->can_recv;
909 send_auth_response (ssa, p->id, k); 915 send_auth_response (rsi, p->id, k);
910 916
911 break; 917 break;
912 } 918 }
913 } 919 }
914 920
915 921 send_reset (rsi);
916 } 922 }
917 923
918 send_reset (ssa);
919 break; 924 break;
920 925
921 case vpn_packet::PT_AUTH_RES: 926 case vpn_packet::PT_AUTH_RES:
922 { 927 {
923 auth_res_packet *p = (auth_res_packet *) pkt; 928 auth_res_packet *p = (auth_res_packet *) pkt;
925 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 930 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
926 931
927 if (p->chk_config ()) 932 if (p->chk_config ())
928 { 933 {
929 if (p->prot_minor != PROTOCOL_MINOR) 934 if (p->prot_minor != PROTOCOL_MINOR)
930 slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."), 935 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
936 conf->nodename, (const char *)rsi,
931 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 937 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
932 938
933 rsachallenge chg; 939 rsachallenge chg;
934 940
935 if (!rsa_cache.find (p->id, chg)) 941 if (!rsa_cache.find (p->id, chg))
936 slog (L_ERR, _("unrequested auth response from %s (%s)"), 942 slog (L_ERR, _("%s(%s): unrequested auth response"),
937 conf->nodename, (const char *)sockinfo (ssa)); 943 conf->nodename, (const char *)rsi);
938 else 944 else
939 { 945 {
946 crypto_ctx *cctx = new crypto_ctx (chg, 0);
947
948 if (!p->hmac_chk (cctx))
949 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
950 "could be an attack, or just corruption or an synchronization error"),
951 conf->nodename, (const char *)rsi);
940 rsaresponse h; 952 else
941
942 rsa_hash (chg, h);
943
944 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
945 { 953 {
946 delete ictx;
947
948 ictx = new crypto_ctx (chg, 0);
949 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
950
951 sa = *ssa; 954 rsaresponse h;
952 955
953 rekey.set (NOW + ::conf.rekey); 956 rsa_hash (p->id, chg, h);
954 keepalive.set (NOW + ::conf.keepalive);
955 957
956 // send queued packets 958 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
957 while (tap_packet *p = queue.get ())
958 { 959 {
960 prot_minor = p->prot_minor;
961
962 delete ictx; ictx = cctx;
963
964 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
965
966 si = rsi;
967
968 rekey.set (NOW + ::conf.rekey);
969 keepalive.set (NOW + ::conf.keepalive);
970
971 // send queued packets
972 while (tap_packet *p = queue.get ())
973 {
959 send_data_packet (p); 974 send_data_packet (p);
960 delete p; 975 delete p;
976 }
977
978 connectmode = conf->connectmode;
979
980 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
981 conf->nodename, (const char *)rsi,
982 p->prot_major, p->prot_minor);
983
984 if (::conf.script_node_up)
985 run_script (run_script_cb (this, &connection::script_node_up), false);
986
987 break;
961 } 988 }
962 989 else
963 connectmode = conf->connectmode; 990 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
964
965 slog (L_INFO, _("connection to %d (%s %s) established"),
966 conf->id, conf->nodename, (const char *)sockinfo (ssa)); 991 conf->nodename, (const char *)rsi);
967
968 if (::conf.script_node_up)
969 run_script (run_script_cb (this, &connection::script_node_up), false);
970
971 break;
972 } 992 }
993
973 else 994 delete cctx;
974 slog (L_ERR, _("sent and received challenge do not match with (%s %s))"),
975 conf->nodename, (const char *)sockinfo (ssa));
976 } 995 }
977 } 996 }
978 } 997 }
979 998
980 send_reset (ssa); 999 send_reset (rsi);
981 break; 1000 break;
982 1001
983 case vpn_packet::PT_DATA_COMPRESSED: 1002 case vpn_packet::PT_DATA_COMPRESSED:
984#if !ENABLE_COMPRESSION 1003#if !ENABLE_COMPRESSION
985 send_reset (ssa); 1004 send_reset (rsi);
986 break; 1005 break;
987#endif 1006#endif
988 1007
989 case vpn_packet::PT_DATA_UNCOMPRESSED: 1008 case vpn_packet::PT_DATA_UNCOMPRESSED:
990 1009
991 if (ictx && octx) 1010 if (ictx && octx)
992 { 1011 {
993 vpndata_packet *p = (vpndata_packet *)pkt; 1012 vpndata_packet *p = (vpndata_packet *)pkt;
994 1013
995 if (*ssa == sa) 1014 if (rsi == si)
996 { 1015 {
997 if (!p->hmac_chk (ictx)) 1016 if (!p->hmac_chk (ictx))
998 slog (L_ERR, _("hmac authentication error, received invalid packet\n" 1017 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
999 "could be an attack, or just corruption or an synchronization error")); 1018 "could be an attack, or just corruption or an synchronization error"),
1019 conf->nodename, (const char *)rsi);
1000 else 1020 else
1001 { 1021 {
1002 u32 seqno; 1022 u32 seqno;
1003 tap_packet *d = p->unpack (this, seqno); 1023 tap_packet *d = p->unpack (this, seqno);
1004 1024
1020 break; 1040 break;
1021 } 1041 }
1022 } 1042 }
1023 } 1043 }
1024 else 1044 else
1025 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D 1045 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
1026 } 1046 }
1027 1047
1028 send_reset (ssa); 1048 send_reset (rsi);
1029 break; 1049 break;
1030 1050
1031 case vpn_packet::PT_CONNECT_REQ: 1051 case vpn_packet::PT_CONNECT_REQ:
1032 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) 1052 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1033 { 1053 {
1034 connect_req_packet *p = (connect_req_packet *) pkt; 1054 connect_req_packet *p = (connect_req_packet *) pkt;
1035 1055
1036 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1056 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1037 1057
1043 if (c->ictx && c->octx) 1063 if (c->ictx && c->octx)
1044 { 1064 {
1045 // send connect_info packets to both sides, in case one is 1065 // send connect_info packets to both sides, in case one is
1046 // behind a nat firewall (or both ;) 1066 // behind a nat firewall (or both ;)
1047 { 1067 {
1048 sockinfo si(sa);
1049
1050 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 1068 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1051 c->conf->id, conf->id, (const char *)si); 1069 c->conf->id, conf->id, (const char *)si);
1052 1070
1053 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si); 1071 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si, conf->can_recv);
1054 1072
1055 r->hmac_set (c->octx); 1073 r->hmac_set (c->octx);
1056 vpn->send_vpn_packet (r, &c->sa); 1074 send_vpn_packet (r, c->si);
1057 1075
1058 delete r; 1076 delete r;
1059 } 1077 }
1060 1078
1061 { 1079 {
1062 sockinfo si(c->sa);
1063
1064 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 1080 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1065 conf->id, c->conf->id, (const char *)si); 1081 conf->id, c->conf->id, (const char *)c->si);
1066 1082
1067 connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si); 1083 connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, c->si, c->conf->can_recv);
1068 1084
1069 r->hmac_set (octx); 1085 r->hmac_set (octx);
1070 vpn->send_vpn_packet (r, &sa); 1086 send_vpn_packet (r, si);
1071 1087
1072 delete r; 1088 delete r;
1073 } 1089 }
1074 } 1090 }
1075 } 1091 }
1076 1092
1077 break; 1093 break;
1078 1094
1079 case vpn_packet::PT_CONNECT_INFO: 1095 case vpn_packet::PT_CONNECT_INFO:
1080 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) 1096 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1081 { 1097 {
1082 connect_info_packet *p = (connect_info_packet *) pkt; 1098 connect_info_packet *p = (connect_info_packet *) pkt;
1083 1099
1084 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1100 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1085 1101
1086 connection *c = vpn->conns[p->id - 1]; 1102 connection *c = vpn->conns[p->id - 1];
1087 1103
1088 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1104 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1089 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1105 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1090 1106
1107 c->conf->can_recv = p->can_recv;
1091 c->send_auth_request (p->si.sa (), true); 1108 c->send_auth_request (p->si, true);
1092 } 1109 }
1093 1110
1094 break; 1111 break;
1095 1112
1096 default: 1113 default:
1097 send_reset (ssa); 1114 send_reset (rsi);
1098 break; 1115 break;
1099 1116
1100 } 1117 }
1101} 1118}
1102 1119
1108 establish_connection (); 1125 establish_connection ();
1109 } 1126 }
1110 else if (NOW < last_activity + ::conf.keepalive) 1127 else if (NOW < last_activity + ::conf.keepalive)
1111 ts = last_activity + ::conf.keepalive; 1128 ts = last_activity + ::conf.keepalive;
1112 else if (conf->connectmode != conf_node::C_ONDEMAND 1129 else if (conf->connectmode != conf_node::C_ONDEMAND
1113 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1130 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1114 { 1131 {
1115 send_ping (&sa); 1132 send_ping (si);
1116 ts = NOW + 5; 1133 ts = NOW + 5;
1117 } 1134 }
1118 else 1135 else
1119 reset_connection (); 1136 reset_connection ();
1120
1121} 1137}
1122 1138
1123void connection::connect_request (int id) 1139void connection::connect_request (int id)
1124{ 1140{
1125 connect_req_packet *p = new connect_req_packet (conf->id, id); 1141 connect_req_packet *p = new connect_req_packet (conf->id, id);
1126 1142
1127 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id); 1143 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);
1128 p->hmac_set (octx); 1144 p->hmac_set (octx);
1129 vpn->send_vpn_packet (p, &sa); 1145 send_vpn_packet (p, si);
1130 1146
1131 delete p; 1147 delete p;
1132} 1148}
1133 1149
1134void connection::script_node () 1150void connection::script_node ()
1135{ 1151{
1136 vpn->script_if_up (0); 1152 vpn->script_if_up (0);
1137 1153
1138 char *env; 1154 char *env;
1139 asprintf (&env, "DESTID=%d", conf->id); 1155 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1140 putenv (env);
1141 asprintf (&env, "DESTNODE=%s", conf->nodename); 1156 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1142 putenv (env); 1157 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1143 asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
1144 putenv (env);
1145 asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port)); 1158 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1146 putenv (env);
1147} 1159}
1148 1160
1149const char *connection::script_node_up (int) 1161const char *connection::script_node_up (int)
1150{ 1162{
1151 script_node (); 1163 script_node ();
1160 script_node (); 1172 script_node ();
1161 1173
1162 putenv ("STATE=down"); 1174 putenv ("STATE=down");
1163 1175
1164 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1176 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1177}
1178
1179// send a vpn packet out to other hosts
1180void
1181connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1182{
1183 if (prot_send & PROT_IPv4)
1184 vpn->send_ipv4_packet (pkt, si, tos);
1185 else
1186 vpn->send_udpv4_packet (pkt, si, tos);
1165} 1187}
1166 1188
1167connection::connection(struct vpn *vpn_) 1189connection::connection(struct vpn *vpn_)
1168: vpn(vpn_) 1190: vpn(vpn_)
1169, rekey (this, &connection::rekey_cb) 1191, rekey (this, &connection::rekey_cb)
1211 1233
1212 return ::conf.script_if_up ? ::conf.script_if_up : "if-up"; 1234 return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1213} 1235}
1214 1236
1215int 1237int
1216vpn::setup (void) 1238vpn::setup ()
1217{ 1239{
1218 struct sockaddr_in sa; 1240 u8 prots = 0;
1219 1241
1242 for (configuration::node_vector::iterator i = conf.nodes.begin ();
1243 i != conf.nodes.end (); ++i)
1244 prots |= (*i)->can_send | (*i)->can_recv;
1245
1246 sockinfo si;
1247
1248 si.set (THISNODE);
1249
1250 udpv4_fd = -1;
1251
1252 if (prots & PROT_UDPv4)
1253 {
1220 socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP); 1254 udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1221 if (socket_fd < 0) 1255
1256 if (udpv4_fd < 0)
1222 return -1; 1257 return -1;
1223 1258
1224 fill_sa (&sa, THISNODE); 1259 if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1225 1260 {
1226 if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1227 {
1228 slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno)); 1261 slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1229 exit (1); 1262 exit (1);
1230 } 1263 }
1231 1264
1232#ifdef IP_MTU_DISCOVER 1265#ifdef IP_MTU_DISCOVER
1233 // this I really consider a linux bug. I am neither connected 1266 // this I really consider a linux bug. I am neither connected
1234 // nor do I fragment myself. Linux still sets DF and doesn't 1267 // nor do I fragment myself. Linux still sets DF and doesn't
1235 // fragment for me sometimes. 1268 // fragment for me sometimes.
1236 { 1269 {
1237 int oval = IP_PMTUDISC_DONT; 1270 int oval = IP_PMTUDISC_DONT;
1238 setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval); 1271 setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1239 } 1272 }
1240#endif 1273#endif
1241 { 1274
1275 // standard daemon practise...
1276 {
1242 int oval = 1; 1277 int oval = 1;
1243 setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval); 1278 setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1244 } 1279 }
1245 1280
1246 udp_ev_watcher.start (socket_fd, POLLIN); 1281 udpv4_ev_watcher.start (udpv4_fd, POLLIN);
1282 }
1283
1284 ipv4_fd = -1;
1285 if (prots & PROT_IPv4)
1286 {
1287 ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
1288
1289 if (ipv4_fd < 0)
1290 return -1;
1291
1292 if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
1293 {
1294 slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
1295 exit (1);
1296 }
1297
1298#ifdef IP_MTU_DISCOVER
1299 // this I really consider a linux bug. I am neither connected
1300 // nor do I fragment myself. Linux still sets DF and doesn't
1301 // fragment for me sometimes.
1302 {
1303 int oval = IP_PMTUDISC_DONT;
1304 setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1305 }
1306#endif
1307
1308 ipv4_ev_watcher.start (ipv4_fd, POLLIN);
1309 }
1247 1310
1248 tap = new tap_device (); 1311 tap = new tap_device ();
1249 if (!tap) //D this, of course, never catches 1312 if (!tap) //D this, of course, never catches
1250 { 1313 {
1251 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname); 1314 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1252 exit (1); 1315 exit (1);
1253 } 1316 }
1254 1317
1255 run_script (run_script_cb (this, &vpn::script_if_up), true); 1318 run_script (run_script_cb (this, &vpn::script_if_up), true);
1256 1319
1257 vpn_ev_watcher.start (tap->fd, POLLIN); 1320 tap_ev_watcher.start (tap->fd, POLLIN);
1258 1321
1259 reconnect_all (); 1322 reconnect_all ();
1260 1323
1261 return 0; 1324 return 0;
1262} 1325}
1263 1326
1264void 1327void
1265vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos) 1328vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1266{ 1329{
1267 setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos); 1330 setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1268 sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); 1331 sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1269} 1332}
1270 1333
1271void 1334void
1272vpn::shutdown_all () 1335vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1273{ 1336{
1274 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 1337 setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1275 (*c)->shutdown (); 1338 sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1276} 1339}
1277 1340
1278void 1341void
1279vpn::reconnect_all () 1342vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1280{ 1343{
1281 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 1344 unsigned int src = pkt->src ();
1282 delete *c; 1345 unsigned int dst = pkt->dst ();
1283 1346
1284 conns.clear (); 1347 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1348 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1285 1349
1286 for (configuration::node_vector::iterator i = conf.nodes.begin (); 1350 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1287 i != conf.nodes.end (); ++i) 1351 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1288 { 1352 pkt->typ (), pkt->src (), pkt->dst ());
1289 connection *conn = new connection (this); 1353 else if (dst == 0 && !THISNODE->routerprio)
1290 1354 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1291 conn->conf = *i; 1355 else if (dst != 0 && dst != THISNODE->id)
1292 conns.push_back (conn); 1356 slog (L_WARN,
1293 1357 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1294 conn->establish_connection (); 1358 dst, conns[dst - 1]->conf->nodename,
1295 } 1359 (const char *)rsi,
1360 THISNODE->id, THISNODE->nodename);
1361 else if (src == 0 || src > conns.size ())
1362 slog (L_WARN, _("received frame from unknown node %d (%s)"),
1363 src, (const char *)rsi);
1364 else
1365 conns[src - 1]->recv_vpn_packet (pkt, rsi);
1296} 1366}
1297 1367
1298connection *vpn::find_router ()
1299{
1300 u32 prio = 0;
1301 connection *router = 0;
1302
1303 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1304 {
1305 connection *c = *i;
1306
1307 if (c->conf->routerprio > prio
1308 && c->connectmode == conf_node::C_ALWAYS
1309 && c->conf != THISNODE
1310 && c->ictx && c->octx)
1311 {
1312 prio = c->conf->routerprio;
1313 router = c;
1314 }
1315 }
1316
1317 return router;
1318}
1319
1320void vpn::connect_request (int id)
1321{
1322 connection *c = find_router ();
1323
1324 if (c)
1325 c->connect_request (id);
1326 //else // does not work, because all others must connect to the same router
1327 // // no router found, aggressively connect to all routers
1328 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1329 // if ((*i)->conf->routerprio)
1330 // (*i)->establish_connection ();
1331}
1332
1333void 1368void
1334vpn::udp_ev (short revents) 1369vpn::udpv4_ev (short revents)
1335{ 1370{
1336 if (revents & (POLLIN | POLLERR)) 1371 if (revents & (POLLIN | POLLERR))
1337 { 1372 {
1338 vpn_packet *pkt = new vpn_packet; 1373 vpn_packet *pkt = new vpn_packet;
1339 struct sockaddr_in sa; 1374 struct sockaddr_in sa;
1340 socklen_t sa_len = sizeof (sa); 1375 socklen_t sa_len = sizeof (sa);
1341 int len; 1376 int len;
1342 1377
1343 len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len); 1378 len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1379
1380 sockinfo si(sa);
1344 1381
1345 if (len > 0) 1382 if (len > 0)
1346 { 1383 {
1347 pkt->len = len; 1384 pkt->len = len;
1348 1385
1349 unsigned int src = pkt->src ();
1350 unsigned int dst = pkt->dst ();
1351
1352 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1353 (const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1354
1355 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1356 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1357 pkt->typ (), pkt->src (), pkt->dst ());
1358 else if (dst == 0 && !THISNODE->routerprio)
1359 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1360 else if (dst != 0 && dst != THISNODE->id)
1361 slog (L_WARN,
1362 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1363 dst, conns[dst - 1]->conf->nodename,
1364 (const char *)sockinfo (sa),
1365 THISNODE->id, THISNODE->nodename);
1366 else if (src == 0 || src > conns.size ())
1367 slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1368 else
1369 conns[src - 1]->recv_vpn_packet (pkt, &sa); 1386 recv_vpn_packet (pkt, si);
1370 } 1387 }
1371 else 1388 else
1372 { 1389 {
1373 // probably ECONNRESET or somesuch 1390 // probably ECONNRESET or somesuch
1374 slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno)); 1391 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1375 } 1392 }
1376 1393
1377 delete pkt; 1394 delete pkt;
1378 } 1395 }
1379 else if (revents & POLLHUP) 1396 else if (revents & POLLHUP)
1380 { 1397 {
1381 // this cannot ;) happen on udp sockets 1398 // this cannot ;) happen on udp sockets
1382 slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating.")); 1399 slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
1383 exit (1); 1400 exit (1);
1384 } 1401 }
1385 else 1402 else
1386 { 1403 {
1387 slog (L_ERR, 1404 slog (L_ERR,
1390 exit (1); 1407 exit (1);
1391 } 1408 }
1392} 1409}
1393 1410
1394void 1411void
1412vpn::ipv4_ev (short revents)
1413{
1414 if (revents & (POLLIN | POLLERR))
1415 {
1416 vpn_packet *pkt = new vpn_packet;
1417 struct sockaddr_in sa;
1418 socklen_t sa_len = sizeof (sa);
1419 int len;
1420
1421 len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1422
1423 sockinfo si(sa, PROT_IPv4);
1424
1425 if (len > 0)
1426 {
1427 pkt->len = len;
1428
1429 // raw sockets deliver the ipv4, but don't expect it on sends
1430 // this is slow, but...
1431 pkt->skip_hdr (IP_OVERHEAD);
1432
1433 recv_vpn_packet (pkt, si);
1434 }
1435 else
1436 {
1437 // probably ECONNRESET or somesuch
1438 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1439 }
1440
1441 delete pkt;
1442 }
1443 else if (revents & POLLHUP)
1444 {
1445 // this cannot ;) happen on udp sockets
1446 slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
1447 exit (1);
1448 }
1449 else
1450 {
1451 slog (L_ERR,
1452 _("FATAL: unknown revents %08x in socket, terminating\n"),
1453 revents);
1454 exit (1);
1455 }
1456}
1457
1458void
1395vpn::vpn_ev (short revents) 1459vpn::tap_ev (short revents)
1396{ 1460{
1397 if (revents & POLLIN) 1461 if (revents & POLLIN)
1398 { 1462 {
1399 /* process data */ 1463 /* process data */
1400 tap_packet *pkt; 1464 tap_packet *pkt;
1456{ 1520{
1457 if (events) 1521 if (events)
1458 { 1522 {
1459 if (events & EVENT_SHUTDOWN) 1523 if (events & EVENT_SHUTDOWN)
1460 { 1524 {
1525 slog (L_INFO, _("preparing shutdown..."));
1526
1461 shutdown_all (); 1527 shutdown_all ();
1462 1528
1463 remove_pid (pidfilename); 1529 remove_pid (pidfilename);
1464 1530
1465 slog (L_INFO, _("vped terminating")); 1531 slog (L_INFO, _("terminating"));
1466 1532
1467 exit (0); 1533 exit (0);
1468 } 1534 }
1469 1535
1470 if (events & EVENT_RECONNECT) 1536 if (events & EVENT_RECONNECT)
1537 {
1538 slog (L_INFO, _("forced reconnect"));
1539
1471 reconnect_all (); 1540 reconnect_all ();
1541 }
1472 1542
1473 events = 0; 1543 events = 0;
1474 } 1544 }
1475 1545
1476 ts = TSTAMP_CANCEL; 1546 ts = TSTAMP_CANCEL;
1477} 1547}
1478 1548
1549void
1550vpn::shutdown_all ()
1551{
1552 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1553 (*c)->shutdown ();
1554}
1555
1556void
1557vpn::reconnect_all ()
1558{
1559 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1560 delete *c;
1561
1562 conns.clear ();
1563
1564 auth_rate_limiter.clear ();
1565 reset_rate_limiter.clear ();
1566
1567 for (configuration::node_vector::iterator i = conf.nodes.begin ();
1568 i != conf.nodes.end (); ++i)
1569 {
1570 connection *conn = new connection (this);
1571
1572 conn->conf = *i;
1573 conns.push_back (conn);
1574
1575 conn->establish_connection ();
1576 }
1577}
1578
1579connection *vpn::find_router ()
1580{
1581 u32 prio = 0;
1582 connection *router = 0;
1583
1584 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1585 {
1586 connection *c = *i;
1587
1588 if (c->conf->routerprio > prio
1589 && c->connectmode == conf_node::C_ALWAYS
1590 && c->conf != THISNODE
1591 && c->ictx && c->octx)
1592 {
1593 prio = c->conf->routerprio;
1594 router = c;
1595 }
1596 }
1597
1598 return router;
1599}
1600
1601void vpn::connect_request (int id)
1602{
1603 connection *c = find_router ();
1604
1605 if (c)
1606 c->connect_request (id);
1607 //else // does not work, because all others must connect to the same router
1608 // // no router found, aggressively connect to all routers
1609 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1610 // if ((*i)->conf->routerprio)
1611 // (*i)->establish_connection ();
1612}
1613
1614void
1615connection::dump_status ()
1616{
1617 slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
1618 slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
1619 connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
1620 slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
1621 (long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
1622 slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
1623 (long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
1624}
1625
1626void
1627vpn::dump_status ()
1628{
1629 slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
1630
1631 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1632 (*c)->dump_status ();
1633
1634 slog (L_NOTICE, _("END status dump"));
1635}
1636
1479vpn::vpn (void) 1637vpn::vpn (void)
1480: udp_ev_watcher (this, &vpn::udp_ev) 1638: udpv4_ev_watcher(this, &vpn::udpv4_ev)
1639, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1481, vpn_ev_watcher (this, &vpn::vpn_ev) 1640, tap_ev_watcher(this, &vpn::tap_ev)
1482, event (this, &vpn::event_cb) 1641, event(this, &vpn::event_cb)
1483{ 1642{
1484} 1643}
1485 1644
1486vpn::~vpn () 1645vpn::~vpn ()
1487{ 1646{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines