ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/protocol.C
(Generate patch)

Comparing gvpe/src/protocol.C (file contents):
Revision 1.17 by pcg, Wed Mar 26 01:58:46 2003 UTC vs.
Revision 1.26 by pcg, Wed Apr 2 03:06:22 2003 UTC

32#include <arpa/inet.h> 32#include <arpa/inet.h>
33#include <errno.h> 33#include <errno.h>
34#include <time.h> 34#include <time.h>
35#include <unistd.h> 35#include <unistd.h>
36 36
37#include <openssl/rand.h>
38#include <openssl/hmac.h>
39#include <openssl/evp.h>
40#include <openssl/rsa.h>
41#include <openssl/err.h>
42
43extern "C" {
44# include "lzf/lzf.h"
45}
46
47#include "gettext.h"
48#include "pidfile.h" 37#include "pidfile.h"
49 38
50#include "conf.h" 39#include "connection.h"
51#include "slog.h" 40#include "util.h"
52#include "device.h"
53#include "protocol.h" 41#include "protocol.h"
54
55#if !HAVE_RAND_PSEUDO_BYTES
56# define RAND_pseudo_bytes RAND_bytes
57#endif
58
59static time_t next_timecheck;
60
61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
62
63struct crypto_ctx
64 {
65 EVP_CIPHER_CTX cctx;
66 HMAC_CTX hctx;
67
68 crypto_ctx (const rsachallenge &challenge, int enc);
69 ~crypto_ctx ();
70 };
71
72crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
73{
74 EVP_CIPHER_CTX_init (&cctx);
75 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
76 HMAC_CTX_init (&hctx);
77 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
78}
79
80crypto_ctx::~crypto_ctx ()
81{
82 EVP_CIPHER_CTX_cleanup (&cctx);
83 HMAC_CTX_cleanup (&hctx);
84}
85
86static void
87rsa_hash (const rsachallenge &chg, rsaresponse &h)
88{
89 EVP_MD_CTX ctx;
90
91 EVP_MD_CTX_init (&ctx);
92 EVP_DigestInit (&ctx, RSA_HASH);
93 EVP_DigestUpdate(&ctx, &chg, sizeof chg);
94 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
95 EVP_MD_CTX_cleanup (&ctx);
96}
97
98struct rsa_entry {
99 tstamp expire;
100 rsaid id;
101 rsachallenge chg;
102};
103
104struct rsa_cache : list<rsa_entry>
105{
106 void cleaner_cb (tstamp &ts); time_watcher cleaner;
107
108 bool find (const rsaid &id, rsachallenge &chg)
109 {
110 for (iterator i = begin (); i != end (); ++i)
111 {
112 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
113 {
114 memcpy (&chg, &i->chg, sizeof chg);
115
116 erase (i);
117 return true;
118 }
119 }
120
121 if (cleaner.at < NOW)
122 cleaner.start (NOW + RSA_TTL);
123
124 return false;
125 }
126
127 void gen (rsaid &id, rsachallenge &chg)
128 {
129 rsa_entry e;
130
131 RAND_bytes ((unsigned char *)&id, sizeof id);
132 RAND_bytes ((unsigned char *)&chg, sizeof chg);
133
134 e.expire = NOW + RSA_TTL;
135 e.id = id;
136 memcpy (&e.chg, &chg, sizeof chg);
137
138 push_back (e);
139
140 if (cleaner.at < NOW)
141 cleaner.start (NOW + RSA_TTL);
142 }
143
144 rsa_cache ()
145 : cleaner (this, &rsa_cache::cleaner_cb)
146 { }
147
148} rsa_cache;
149
150void rsa_cache::cleaner_cb (tstamp &ts)
151{
152 if (empty ())
153 ts = TSTAMP_CANCEL;
154 else
155 {
156 ts = NOW + RSA_TTL;
157
158 for (iterator i = begin (); i != end (); )
159 if (i->expire <= NOW)
160 i = erase (i);
161 else
162 ++i;
163 }
164}
165
166typedef callback<const char *, int> run_script_cb;
167
168// run a shell script (or actually an external program).
169static void
170run_script (const run_script_cb &cb, bool wait)
171{
172 int pid;
173
174 if ((pid = fork ()) == 0)
175 {
176 char *filename;
177 asprintf (&filename, "%s/%s", confbase, cb(0));
178 execl (filename, filename, (char *) 0);
179 exit (255);
180 }
181 else if (pid > 0)
182 {
183 if (wait)
184 {
185 waitpid (pid, 0, 0);
186 /* TODO: check status */
187 }
188 }
189}
190
191//////////////////////////////////////////////////////////////////////////////
192
193void pkt_queue::put (tap_packet *p)
194{
195 if (queue[i])
196 {
197 delete queue[i];
198 j = (j + 1) % QUEUEDEPTH;
199 }
200
201 queue[i] = p;
202
203 i = (i + 1) % QUEUEDEPTH;
204}
205
206tap_packet *pkt_queue::get ()
207{
208 tap_packet *p = queue[j];
209
210 if (p)
211 {
212 queue[j] = 0;
213 j = (j + 1) % QUEUEDEPTH;
214 }
215
216 return p;
217}
218
219pkt_queue::pkt_queue ()
220{
221 memset (queue, 0, sizeof (queue));
222 i = 0;
223 j = 0;
224}
225
226pkt_queue::~pkt_queue ()
227{
228 for (i = QUEUEDEPTH; --i > 0; )
229 delete queue[i];
230}
231
232struct net_rateinfo {
233 u32 host;
234 double pcnt, diff;
235 tstamp last;
236};
237
238// only do action once every x seconds per host whole allowing bursts.
239// this implementation ("splay list" ;) is inefficient,
240// but low on resources.
241struct net_rate_limiter : private list<net_rateinfo>
242{
243 static const double ALPHA = 1. - 1. / 90.; // allow bursts
244 static const double CUTOFF = 20.; // one event every CUTOFF seconds
245 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
246
247 bool can (u32 host);
248 bool can (SOCKADDR *sa) { return can((u32)sa->sin_addr.s_addr); }
249 bool can (sockinfo &si) { return can((u32)si.host); }
250};
251
252net_rate_limiter auth_rate_limiter, reset_rate_limiter;
253
254bool net_rate_limiter::can (u32 host)
255{
256 iterator i;
257
258 for (i = begin (); i != end (); )
259 if (i->host == host)
260 break;
261 else if (i->last < NOW - EXPIRE)
262 i = erase (i);
263 else
264 i++;
265
266 if (i == end ())
267 {
268 net_rateinfo ri;
269
270 ri.host = host;
271 ri.pcnt = 1.;
272 ri.diff = CUTOFF * (1. / (1. - ALPHA));
273 ri.last = NOW;
274
275 push_front (ri);
276
277 return true;
278 }
279 else
280 {
281 net_rateinfo ri (*i);
282 erase (i);
283
284 ri.pcnt = ri.pcnt * ALPHA;
285 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
286
287 ri.last = NOW;
288
289 bool send = ri.diff / ri.pcnt > CUTOFF;
290
291 if (send)
292 ri.pcnt++;
293
294 //printf ("RATE %d %f,%f = %f > %f\n", !!send, ri.pcnt, ri.diff, ri.diff / ri.pcnt, CUTOFF);
295
296 push_front (ri);
297
298 return send;
299 }
300}
301
302/////////////////////////////////////////////////////////////////////////////
303
304static void next_wakeup (time_t next)
305{
306 if (next_timecheck > next)
307 next_timecheck = next;
308}
309
310static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
311
312struct hmac_packet:net_packet
313 {
314 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
315
316 void hmac_set (crypto_ctx * ctx);
317 bool hmac_chk (crypto_ctx * ctx);
318
319private:
320 void hmac_gen (crypto_ctx * ctx)
321 {
322 unsigned int xlen;
323 HMAC_CTX *hctx = &ctx->hctx;
324
325 HMAC_Init_ex (hctx, 0, 0, 0, 0);
326 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
327 len - sizeof (hmac_packet));
328 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
329 }
330 };
331
332void
333hmac_packet::hmac_set (crypto_ctx * ctx)
334{
335 hmac_gen (ctx);
336
337 memcpy (hmac, hmac_digest, HMACLENGTH);
338}
339
340bool
341hmac_packet::hmac_chk (crypto_ctx * ctx)
342{
343 hmac_gen (ctx);
344
345 return !memcmp (hmac, hmac_digest, HMACLENGTH);
346}
347
348struct vpn_packet : hmac_packet
349 {
350 enum ptype
351 {
352 PT_RESET = 0,
353 PT_DATA_UNCOMPRESSED,
354 PT_DATA_COMPRESSED,
355 PT_PING, PT_PONG, // wasting namespace space? ;)
356 PT_AUTH_REQ, // authentification request
357 PT_AUTH_RES, // authentification response
358 PT_CONNECT_REQ, // want other host to contact me
359 PT_CONNECT_INFO, // request connection to some node
360 PT_MAX
361 };
362
363 u8 type;
364 u8 srcdst, src1, dst1;
365
366 void set_hdr (ptype type, unsigned int dst);
367
368 unsigned int src ()
369 {
370 return src1 | ((srcdst >> 4) << 8);
371 }
372
373 unsigned int dst ()
374 {
375 return dst1 | ((srcdst & 0xf) << 8);
376 }
377
378 ptype typ ()
379 {
380 return (ptype) type;
381 }
382 };
383
384void vpn_packet::set_hdr (ptype type, unsigned int dst)
385{
386 this->type = type;
387
388 int src = THISNODE->id;
389
390 src1 = src;
391 srcdst = ((src >> 8) << 4) | (dst >> 8);
392 dst1 = dst;
393}
394
395#define MAXVPNDATA (MAX_MTU - 6 - 6)
396#define DATAHDR (sizeof (u32) + RAND_SIZE)
397
398struct vpndata_packet:vpn_packet
399 {
400 u8 data[MAXVPNDATA + DATAHDR]; // seqno
401
402 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
403 tap_packet *unpack (connection *conn, u32 &seqno);
404private:
405
406 const u32 data_hdr_size () const
407 {
408 return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
409 }
410 };
411
412void
413vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
414{
415 EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
416 int outl = 0, outl2;
417 ptype type = PT_DATA_UNCOMPRESSED;
418
419#if ENABLE_COMPRESSION
420 u8 cdata[MAX_MTU];
421 u32 cl;
422
423 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
424 if (cl)
425 {
426 type = PT_DATA_COMPRESSED;
427 d = cdata;
428 l = cl + 2;
429
430 d[0] = cl >> 8;
431 d[1] = cl;
432 }
433#endif
434
435 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
436
437 struct {
438#if RAND_SIZE
439 u8 rnd[RAND_SIZE];
440#endif
441 u32 seqno;
442 } datahdr;
443
444 datahdr.seqno = ntohl (seqno);
445#if RAND_SIZE
446 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
447#endif
448
449 EVP_EncryptUpdate (cctx,
450 (unsigned char *) data + outl, &outl2,
451 (unsigned char *) &datahdr, DATAHDR);
452 outl += outl2;
453
454 EVP_EncryptUpdate (cctx,
455 (unsigned char *) data + outl, &outl2,
456 (unsigned char *) d, l);
457 outl += outl2;
458
459 EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2);
460 outl += outl2;
461
462 len = outl + data_hdr_size ();
463
464 set_hdr (type, dst);
465
466 hmac_set (conn->octx);
467}
468
469tap_packet *
470vpndata_packet::unpack (connection *conn, u32 &seqno)
471{
472 EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
473 int outl = 0, outl2;
474 tap_packet *p = new tap_packet;
475 u8 *d;
476 u32 l = len - data_hdr_size ();
477
478 EVP_DecryptInit_ex (cctx, 0, 0, 0, 0);
479
480#if ENABLE_COMPRESSION
481 u8 cdata[MAX_MTU];
482
483 if (type == PT_DATA_COMPRESSED)
484 d = cdata;
485 else
486#endif
487 d = &(*p)[6 + 6 - DATAHDR];
488
489 /* this overwrites part of the src mac, but we fix that later */
490 EVP_DecryptUpdate (cctx,
491 d, &outl2,
492 (unsigned char *)&data, len - data_hdr_size ());
493 outl += outl2;
494
495 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
496 outl += outl2;
497
498 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
499
500 id2mac (dst () ? dst() : THISNODE->id, p->dst);
501 id2mac (src (), p->src);
502
503#if ENABLE_COMPRESSION
504 if (type == PT_DATA_COMPRESSED)
505 {
506 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
507 p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6;
508 }
509 else
510 p->len = outl + (6 + 6 - DATAHDR);
511#endif
512
513 return p;
514}
515
516struct ping_packet : vpn_packet
517{
518 void setup (int dst, ptype type)
519 {
520 set_hdr (type, dst);
521 len = sizeof (*this) - sizeof (net_packet);
522 }
523};
524
525struct config_packet : vpn_packet
526{
527 // actually, hmaclen cannot be checked because the hmac
528 // field comes before this data, so peers with other
529 // hmacs simply will not work.
530 u8 prot_major, prot_minor, randsize, hmaclen;
531 u8 flags, challengelen, pad2, pad3;
532 u32 cipher_nid, digest_nid, hmac_nid;
533
534 const u8 curflags () const
535 {
536 return 0x80
537 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
538 }
539
540 void setup (ptype type, int dst)
541 {
542 prot_major = PROTOCOL_MAJOR;
543 prot_minor = PROTOCOL_MINOR;
544 randsize = RAND_SIZE;
545 hmaclen = HMACLENGTH;
546 flags = curflags ();
547 challengelen = sizeof (rsachallenge);
548
549 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
550 digest_nid = htonl (EVP_MD_type (RSA_HASH));
551 hmac_nid = htonl (EVP_MD_type (DIGEST));
552
553 len = sizeof (*this) - sizeof (net_packet);
554 set_hdr (type, dst);
555 }
556
557 bool chk_config ()
558 {
559 return prot_major == PROTOCOL_MAJOR
560 && randsize == RAND_SIZE
561 && hmaclen == HMACLENGTH
562 && flags == curflags ()
563 && challengelen == sizeof (rsachallenge)
564 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
565 && digest_nid == htonl (EVP_MD_type (RSA_HASH))
566 && hmac_nid == htonl (EVP_MD_type (DIGEST));
567 }
568};
569
570struct auth_req_packet : config_packet
571{
572 char magic[8];
573 u8 initiate; // false if this is just an automatic reply
574 u8 pad1, pad2, pad3;
575 rsaid id;
576 rsaencrdata encr;
577
578 auth_req_packet (int dst, bool initiate_)
579 {
580 config_packet::setup (PT_AUTH_REQ, dst);
581 initiate = !!initiate_;
582 strncpy (magic, MAGIC, 8);
583 len = sizeof (*this) - sizeof (net_packet);
584 }
585};
586
587struct auth_res_packet : config_packet
588{
589 rsaid id;
590 rsaresponse response;
591
592 auth_res_packet (int dst)
593 {
594 config_packet::setup (PT_AUTH_RES, dst);
595 len = sizeof (*this) - sizeof (net_packet);
596 }
597};
598
599struct connect_req_packet : vpn_packet
600{
601 u8 id;
602 u8 pad1, pad2, pad3;
603
604 connect_req_packet (int dst, int id_)
605 {
606 id = id_;
607 set_hdr (PT_CONNECT_REQ, dst);
608 len = sizeof (*this) - sizeof (net_packet);
609 }
610};
611
612struct connect_info_packet : vpn_packet
613{
614 u8 id;
615 u8 pad1, pad2, pad3;
616 sockinfo si;
617
618 connect_info_packet (int dst, int id_, sockinfo &si_)
619 {
620 id = id_;
621 si = si_;
622 set_hdr (PT_CONNECT_INFO, dst);
623 len = sizeof (*this) - sizeof (net_packet);
624 }
625};
626
627/////////////////////////////////////////////////////////////////////////////
628
629void
630fill_sa (SOCKADDR *sa, conf_node *conf)
631{
632 sa->sin_family = AF_INET;
633 sa->sin_port = htons (conf->port);
634 sa->sin_addr.s_addr = 0;
635
636 if (conf->hostname)
637 {
638 struct hostent *he = gethostbyname (conf->hostname);
639
640 if (he
641 && he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
642 {
643 //sa->sin_family = he->h_addrtype;
644 memcpy (&sa->sin_addr, he->h_addr_list[0], 4);
645 }
646 else
647 slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
648 }
649}
650
651void
652connection::reset_dstaddr ()
653{
654 fill_sa (&sa, conf);
655}
656
657void
658connection::send_ping (SOCKADDR *dsa, u8 pong)
659{
660 ping_packet *pkt = new ping_packet;
661
662 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
663 vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY);
664
665 delete pkt;
666}
667
668void
669connection::send_reset (SOCKADDR *dsa)
670{
671 if (reset_rate_limiter.can (dsa) && connectmode != conf_node::C_DISABLED)
672 {
673 config_packet *pkt = new config_packet;
674
675 pkt->setup (vpn_packet::PT_RESET, conf->id);
676 vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST);
677
678 delete pkt;
679 }
680}
681
682void
683connection::send_auth_request (SOCKADDR *sa, bool initiate)
684{
685 if (auth_rate_limiter.can (sa))
686 {
687 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate);
688
689 rsachallenge chg;
690
691 rsa_cache.gen (pkt->id, chg);
692
693 if (0 > RSA_public_encrypt (sizeof chg,
694 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
695 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
696 fatal ("RSA_public_encrypt error");
697
698 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)sockinfo (sa));
699
700 vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); // rsa is very very costly
701
702 delete pkt;
703 }
704}
705
706void
707connection::send_auth_response (SOCKADDR *sa, const rsaid &id, const rsachallenge &chg)
708{
709 if (auth_rate_limiter.can (sa))
710 {
711 auth_res_packet *pkt = new auth_res_packet (conf->id);
712
713 pkt->id = id;
714 rsa_hash (chg, pkt->response);
715
716 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)sockinfo (sa));
717
718 vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); // rsa is very very costly
719
720 delete pkt;
721 }
722}
723
724void
725connection::establish_connection_cb (tstamp &ts)
726{
727 if (ictx || conf == THISNODE || connectmode == conf_node::C_NEVER)
728 ts = TSTAMP_CANCEL;
729 else if (ts <= NOW)
730 {
731 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
732
733 if (retry_int < 3600 * 8)
734 retry_cnt++;
735
736 ts = NOW + retry_int;
737
738 if (conf->hostname)
739 {
740 reset_dstaddr ();
741 if (sa.sin_addr.s_addr)
742 if (retry_cnt < 4)
743 send_auth_request (&sa, true);
744 else if (auth_rate_limiter.can (&sa))
745 send_ping (&sa, 0);
746 }
747 else
748 vpn->connect_request (conf->id);
749 }
750}
751
752void
753connection::reset_connection ()
754{
755 if (ictx && octx)
756 {
757 slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename);
758
759 if (::conf.script_node_down)
760 run_script (run_script_cb (this, &connection::script_node_down), false);
761 }
762
763 delete ictx; ictx = 0;
764 delete octx; octx = 0;
765
766 sa.sin_port = 0;
767 sa.sin_addr.s_addr = 0;
768
769 last_activity = 0;
770
771 rekey.reset ();
772 keepalive.reset ();
773 establish_connection.reset ();
774}
775
776void
777connection::shutdown ()
778{
779 if (ictx && octx)
780 send_reset (&sa);
781
782 reset_connection ();
783}
784
785void
786connection::rekey_cb (tstamp &ts)
787{
788 ts = TSTAMP_CANCEL;
789
790 reset_connection ();
791 establish_connection ();
792}
793
794void
795connection::send_data_packet (tap_packet * pkt, bool broadcast)
796{
797 vpndata_packet *p = new vpndata_packet;
798 int tos = 0;
799
800 if (conf->inherit_tos
801 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
802 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
803 tos = (*pkt)[15] & IPTOS_TOS_MASK;
804
805 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
806 vpn->send_vpn_packet (p, &sa, tos);
807
808 delete p;
809
810 if (oseqno > MAX_SEQNO)
811 rekey ();
812}
813
814void
815connection::inject_data_packet (tap_packet *pkt, bool broadcast)
816{
817 if (ictx && octx)
818 send_data_packet (pkt, broadcast);
819 else
820 {
821 if (!broadcast)//DDDD
822 queue.put (new tap_packet (*pkt));
823
824 establish_connection ();
825 }
826}
827
828void
829connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa)
830{
831 last_activity = NOW;
832
833 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
834 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
835
836 switch (pkt->typ ())
837 {
838 case vpn_packet::PT_PING:
839 // we send pings instead of auth packets after some retries,
840 // so reset the retry counter and establish a conenction
841 // when we receive a pong.
842 if (!ictx && !octx)
843 {
844 retry_cnt = 0;
845 establish_connection.at = 0;
846 establish_connection ();
847 }
848 else
849 send_ping (ssa, 1); // pong
850
851 break;
852
853 case vpn_packet::PT_PONG:
854 break;
855
856 case vpn_packet::PT_RESET:
857 {
858 reset_connection ();
859
860 config_packet *p = (config_packet *) pkt;
861
862 if (!p->chk_config ())
863 {
864 slog (L_WARN, _("protocol mismatch, disabling node '%s'"), conf->nodename);
865 connectmode = conf_node::C_DISABLED;
866 }
867 else if (connectmode == conf_node::C_ALWAYS)
868 establish_connection ();
869 }
870 break;
871
872 case vpn_packet::PT_AUTH_REQ:
873 {
874 auth_req_packet *p = (auth_req_packet *) pkt;
875
876 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
877
878 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
879 {
880 if (p->prot_minor != PROTOCOL_MINOR)
881 slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."),
882 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
883
884 if (p->initiate)
885 send_auth_request (ssa, false);
886
887 rsachallenge k;
888
889 if (0 > RSA_private_decrypt (sizeof (p->encr),
890 (unsigned char *)&p->encr, (unsigned char *)&k,
891 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
892 slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"),
893 conf->nodename, (const char *)sockinfo (ssa));
894 else
895 {
896 retry_cnt = 0;
897 establish_connection.set (NOW + 8); //? ;)
898 keepalive.reset ();
899 rekey.reset ();
900
901 delete ictx;
902 ictx = 0;
903
904 delete octx;
905
906 octx = new crypto_ctx (k, 1);
907 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
908
909 send_auth_response (ssa, p->id, k);
910
911 break;
912 }
913 }
914
915
916 }
917
918 send_reset (ssa);
919 break;
920
921 case vpn_packet::PT_AUTH_RES:
922 {
923 auth_res_packet *p = (auth_res_packet *) pkt;
924
925 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
926
927 if (p->chk_config ())
928 {
929 if (p->prot_minor != PROTOCOL_MINOR)
930 slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."),
931 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
932
933 rsachallenge chg;
934
935 if (!rsa_cache.find (p->id, chg))
936 slog (L_ERR, _("unrequested auth response from %s (%s)"),
937 conf->nodename, (const char *)sockinfo (ssa));
938 else
939 {
940 rsaresponse h;
941
942 rsa_hash (chg, h);
943
944 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
945 {
946 delete ictx;
947
948 ictx = new crypto_ctx (chg, 0);
949 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
950
951 sa = *ssa;
952
953 rekey.set (NOW + ::conf.rekey);
954 keepalive.set (NOW + ::conf.keepalive);
955
956 // send queued packets
957 while (tap_packet *p = queue.get ())
958 {
959 send_data_packet (p);
960 delete p;
961 }
962
963 connectmode = conf->connectmode;
964
965 slog (L_INFO, _("connection to %d (%s %s) established"),
966 conf->id, conf->nodename, (const char *)sockinfo (ssa));
967
968 if (::conf.script_node_up)
969 run_script (run_script_cb (this, &connection::script_node_up), false);
970
971 break;
972 }
973 else
974 slog (L_ERR, _("sent and received challenge do not match with (%s %s))"),
975 conf->nodename, (const char *)sockinfo (ssa));
976 }
977 }
978 }
979
980 send_reset (ssa);
981 break;
982
983 case vpn_packet::PT_DATA_COMPRESSED:
984#if !ENABLE_COMPRESSION
985 send_reset (ssa);
986 break;
987#endif
988
989 case vpn_packet::PT_DATA_UNCOMPRESSED:
990
991 if (ictx && octx)
992 {
993 vpndata_packet *p = (vpndata_packet *)pkt;
994
995 if (*ssa == sa)
996 {
997 if (!p->hmac_chk (ictx))
998 slog (L_ERR, _("hmac authentication error, received invalid packet\n"
999 "could be an attack, or just corruption or an synchronization error"));
1000 else
1001 {
1002 u32 seqno;
1003 tap_packet *d = p->unpack (this, seqno);
1004
1005 if (iseqno.recv_ok (seqno))
1006 {
1007 vpn->tap->send (d);
1008
1009 if (p->dst () == 0) // re-broadcast
1010 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1011 {
1012 connection *c = *i;
1013
1014 if (c->conf != THISNODE && c->conf != conf)
1015 c->inject_data_packet (d);
1016 }
1017
1018 delete d;
1019
1020 break;
1021 }
1022 }
1023 }
1024 else
1025 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D
1026 }
1027
1028 send_reset (ssa);
1029 break;
1030
1031 case vpn_packet::PT_CONNECT_REQ:
1032 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))
1033 {
1034 connect_req_packet *p = (connect_req_packet *) pkt;
1035
1036 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1037
1038 connection *c = vpn->conns[p->id - 1];
1039
1040 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1041 conf->id, p->id, c->ictx && c->octx);
1042
1043 if (c->ictx && c->octx)
1044 {
1045 // send connect_info packets to both sides, in case one is
1046 // behind a nat firewall (or both ;)
1047 {
1048 sockinfo si(sa);
1049
1050 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1051 c->conf->id, conf->id, (const char *)si);
1052
1053 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si);
1054
1055 r->hmac_set (c->octx);
1056 vpn->send_vpn_packet (r, &c->sa);
1057
1058 delete r;
1059 }
1060
1061 {
1062 sockinfo si(c->sa);
1063
1064 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1065 conf->id, c->conf->id, (const char *)si);
1066
1067 connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si);
1068
1069 r->hmac_set (octx);
1070 vpn->send_vpn_packet (r, &sa);
1071
1072 delete r;
1073 }
1074 }
1075 }
1076
1077 break;
1078
1079 case vpn_packet::PT_CONNECT_INFO:
1080 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))
1081 {
1082 connect_info_packet *p = (connect_info_packet *) pkt;
1083
1084 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1085
1086 connection *c = vpn->conns[p->id - 1];
1087
1088 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1089 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1090
1091 c->send_auth_request (p->si.sa (), true);
1092 }
1093
1094 break;
1095
1096 default:
1097 send_reset (ssa);
1098 break;
1099
1100 }
1101}
1102
1103void connection::keepalive_cb (tstamp &ts)
1104{
1105 if (NOW >= last_activity + ::conf.keepalive + 30)
1106 {
1107 reset_connection ();
1108 establish_connection ();
1109 }
1110 else if (NOW < last_activity + ::conf.keepalive)
1111 ts = last_activity + ::conf.keepalive;
1112 else if (conf->connectmode != conf_node::C_ONDEMAND
1113 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1114 {
1115 send_ping (&sa);
1116 ts = NOW + 5;
1117 }
1118 else
1119 reset_connection ();
1120
1121}
1122
1123void connection::connect_request (int id)
1124{
1125 connect_req_packet *p = new connect_req_packet (conf->id, id);
1126
1127 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);
1128 p->hmac_set (octx);
1129 vpn->send_vpn_packet (p, &sa);
1130
1131 delete p;
1132}
1133
1134void connection::script_node ()
1135{
1136 vpn->script_if_up (0);
1137
1138 char *env;
1139 asprintf (&env, "DESTID=%d", conf->id);
1140 putenv (env);
1141 asprintf (&env, "DESTNODE=%s", conf->nodename);
1142 putenv (env);
1143 asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
1144 putenv (env);
1145 asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port));
1146 putenv (env);
1147}
1148
1149const char *connection::script_node_up (int)
1150{
1151 script_node ();
1152
1153 putenv ("STATE=up");
1154
1155 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1156}
1157
1158const char *connection::script_node_down (int)
1159{
1160 script_node ();
1161
1162 putenv ("STATE=down");
1163
1164 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1165}
1166
1167connection::connection(struct vpn *vpn_)
1168: vpn(vpn_)
1169, rekey (this, &connection::rekey_cb)
1170, keepalive (this, &connection::keepalive_cb)
1171, establish_connection (this, &connection::establish_connection_cb)
1172{
1173 octx = ictx = 0;
1174 retry_cnt = 0;
1175
1176 connectmode = conf_node::C_ALWAYS; // initial setting
1177 reset_connection ();
1178}
1179
1180connection::~connection ()
1181{
1182 shutdown ();
1183}
1184 42
1185///////////////////////////////////////////////////////////////////////////// 43/////////////////////////////////////////////////////////////////////////////
1186 44
1187const char *vpn::script_if_up (int) 45const char *vpn::script_if_up (int)
1188{ 46{
1211 69
1212 return ::conf.script_if_up ? ::conf.script_if_up : "if-up"; 70 return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1213} 71}
1214 72
1215int 73int
1216vpn::setup (void) 74vpn::setup ()
1217{ 75{
1218 struct sockaddr_in sa; 76 sockinfo si;
1219 77
78 si.set (THISNODE);
79
80 udpv4_fd = -1;
81
82 if (THISNODE->protocols & PROT_UDPv4)
83 {
1220 socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP); 84 udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1221 if (socket_fd < 0) 85
86 if (udpv4_fd < 0)
1222 return -1; 87 return -1;
1223 88
1224 fill_sa (&sa, THISNODE); 89 if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1225 90 {
1226 if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1227 {
1228 slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno)); 91 slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1229 exit (1); 92 exit (1);
1230 } 93 }
1231 94
1232#ifdef IP_MTU_DISCOVER 95#ifdef IP_MTU_DISCOVER
1233 // this I really consider a linux bug. I am neither connected 96 // this I really consider a linux bug. I am neither connected
1234 // nor do I fragment myself. Linux still sets DF and doesn't 97 // nor do I fragment myself. Linux still sets DF and doesn't
1235 // fragment for me sometimes. 98 // fragment for me sometimes.
1236 { 99 {
1237 int oval = IP_PMTUDISC_DONT; 100 int oval = IP_PMTUDISC_DONT;
1238 setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval); 101 setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1239 } 102 }
1240#endif 103#endif
1241 { 104
105 // standard daemon practise...
106 {
1242 int oval = 1; 107 int oval = 1;
1243 setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval); 108 setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1244 } 109 }
1245 110
1246 udp_ev_watcher.start (socket_fd, POLLIN); 111 udpv4_ev_watcher.start (udpv4_fd, POLLIN);
112 }
113
114 ipv4_fd = -1;
115 if (THISNODE->protocols & PROT_IPv4)
116 {
117 ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
118
119 if (ipv4_fd < 0)
120 return -1;
121
122 if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
123 {
124 slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
125 exit (1);
126 }
127
128#ifdef IP_MTU_DISCOVER
129 // this I really consider a linux bug. I am neither connected
130 // nor do I fragment myself. Linux still sets DF and doesn't
131 // fragment for me sometimes.
132 {
133 int oval = IP_PMTUDISC_DONT;
134 setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
135 }
136#endif
137
138 ipv4_ev_watcher.start (ipv4_fd, POLLIN);
139 }
1247 140
1248 tap = new tap_device (); 141 tap = new tap_device ();
1249 if (!tap) //D this, of course, never catches 142 if (!tap) //D this, of course, never catches
1250 { 143 {
1251 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname); 144 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1252 exit (1); 145 exit (1);
1253 } 146 }
1254 147
1255 run_script (run_script_cb (this, &vpn::script_if_up), true); 148 run_script (run_script_cb (this, &vpn::script_if_up), true);
1256 149
1257 vpn_ev_watcher.start (tap->fd, POLLIN); 150 tap_ev_watcher.start (tap->fd, POLLIN);
1258 151
1259 reconnect_all (); 152 reconnect_all ();
1260 153
1261 return 0; 154 return 0;
1262} 155}
1263 156
1264void 157void
1265vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos) 158vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1266{ 159{
1267 setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos); 160 setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1268 sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); 161 sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1269} 162}
1270 163
1271void 164void
1272vpn::shutdown_all () 165vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1273{ 166{
1274 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 167 setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1275 (*c)->shutdown (); 168 sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1276} 169}
1277 170
1278void 171void
1279vpn::reconnect_all () 172vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1280{ 173{
1281 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 174 unsigned int src = pkt->src ();
1282 delete *c; 175 unsigned int dst = pkt->dst ();
1283 176
1284 conns.clear (); 177 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
178 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1285 179
1286 for (configuration::node_vector::iterator i = conf.nodes.begin (); 180 if (src == 0 || src > conns.size ()
1287 i != conf.nodes.end (); ++i) 181 || dst > conns.size ()
1288 { 182 || pkt->typ () >= vpn_packet::PT_MAX)
1289 connection *conn = new connection (this); 183 slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)"),
1290 184 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
1291 conn->conf = *i; 185 else
1292 conns.push_back (conn);
1293
1294 conn->establish_connection ();
1295 } 186 {
1296} 187 connection *c = conns[src - 1];
1297 188
1298connection *vpn::find_router () 189 if (dst == 0 && !THISNODE->routerprio)
1299{ 190 slog (L_WARN, _("%s(%s): received broadcast, but we are no router"),
1300 u32 prio = 0; 191 c->conf->nodename, (const char *)rsi);
1301 connection *router = 0; 192 else if (dst != 0 && dst != THISNODE->id)
1302 193 // FORWARDING NEEDED ;)
1303 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i) 194 slog (L_WARN,
195 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
196 dst, conns[dst - 1]->conf->nodename,
197 (const char *)rsi,
198 THISNODE->id, THISNODE->nodename);
199 else
200 c->recv_vpn_packet (pkt, rsi);
1304 { 201 }
1305 connection *c = *i;
1306
1307 if (c->conf->routerprio > prio
1308 && c->connectmode == conf_node::C_ALWAYS
1309 && c->conf != THISNODE
1310 && c->ictx && c->octx)
1311 {
1312 prio = c->conf->routerprio;
1313 router = c;
1314 }
1315 }
1316
1317 return router;
1318} 202}
1319 203
1320void vpn::connect_request (int id)
1321{
1322 connection *c = find_router ();
1323
1324 if (c)
1325 c->connect_request (id);
1326 //else // does not work, because all others must connect to the same router
1327 // // no router found, aggressively connect to all routers
1328 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1329 // if ((*i)->conf->routerprio)
1330 // (*i)->establish_connection ();
1331}
1332
1333void 204void
1334vpn::udp_ev (short revents) 205vpn::udpv4_ev (short revents)
1335{ 206{
1336 if (revents & (POLLIN | POLLERR)) 207 if (revents & (POLLIN | POLLERR))
1337 { 208 {
1338 vpn_packet *pkt = new vpn_packet; 209 vpn_packet *pkt = new vpn_packet;
1339 struct sockaddr_in sa; 210 struct sockaddr_in sa;
1340 socklen_t sa_len = sizeof (sa); 211 socklen_t sa_len = sizeof (sa);
1341 int len; 212 int len;
1342 213
1343 len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len); 214 len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
215
216 sockinfo si(sa);
1344 217
1345 if (len > 0) 218 if (len > 0)
1346 { 219 {
1347 pkt->len = len; 220 pkt->len = len;
1348 221
1349 unsigned int src = pkt->src ();
1350 unsigned int dst = pkt->dst ();
1351
1352 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1353 (const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1354
1355 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1356 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1357 pkt->typ (), pkt->src (), pkt->dst ());
1358 else if (dst == 0 && !THISNODE->routerprio)
1359 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1360 else if (dst != 0 && dst != THISNODE->id)
1361 slog (L_WARN,
1362 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1363 dst, conns[dst - 1]->conf->nodename,
1364 (const char *)sockinfo (sa),
1365 THISNODE->id, THISNODE->nodename);
1366 else if (src == 0 || src > conns.size ())
1367 slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1368 else
1369 conns[src - 1]->recv_vpn_packet (pkt, &sa); 222 recv_vpn_packet (pkt, si);
1370 } 223 }
1371 else 224 else
1372 { 225 {
1373 // probably ECONNRESET or somesuch 226 // probably ECONNRESET or somesuch
1374 slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno)); 227 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1375 } 228 }
1376 229
1377 delete pkt; 230 delete pkt;
1378 } 231 }
1379 else if (revents & POLLHUP) 232 else if (revents & POLLHUP)
1380 { 233 {
1381 // this cannot ;) happen on udp sockets 234 // this cannot ;) happen on udp sockets
1382 slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating.")); 235 slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
1383 exit (1); 236 exit (1);
1384 } 237 }
1385 else 238 else
1386 { 239 {
1387 slog (L_ERR, 240 slog (L_ERR,
1390 exit (1); 243 exit (1);
1391 } 244 }
1392} 245}
1393 246
1394void 247void
248vpn::ipv4_ev (short revents)
249{
250 if (revents & (POLLIN | POLLERR))
251 {
252 vpn_packet *pkt = new vpn_packet;
253 struct sockaddr_in sa;
254 socklen_t sa_len = sizeof (sa);
255 int len;
256
257 len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
258
259 sockinfo si(sa, PROT_IPv4);
260
261 if (len > 0)
262 {
263 pkt->len = len;
264
265 // raw sockets deliver the ipv4, but don't expect it on sends
266 // this is slow, but...
267 pkt->skip_hdr (IP_OVERHEAD);
268
269 recv_vpn_packet (pkt, si);
270 }
271 else
272 {
273 // probably ECONNRESET or somesuch
274 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
275 }
276
277 delete pkt;
278 }
279 else if (revents & POLLHUP)
280 {
281 // this cannot ;) happen on udp sockets
282 slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
283 exit (1);
284 }
285 else
286 {
287 slog (L_ERR,
288 _("FATAL: unknown revents %08x in socket, terminating\n"),
289 revents);
290 exit (1);
291 }
292}
293
294void
1395vpn::vpn_ev (short revents) 295vpn::tap_ev (short revents)
1396{ 296{
1397 if (revents & POLLIN) 297 if (revents & POLLIN)
1398 { 298 {
1399 /* process data */ 299 /* process data */
1400 tap_packet *pkt; 300 tap_packet *pkt;
1456{ 356{
1457 if (events) 357 if (events)
1458 { 358 {
1459 if (events & EVENT_SHUTDOWN) 359 if (events & EVENT_SHUTDOWN)
1460 { 360 {
361 slog (L_INFO, _("preparing shutdown..."));
362
1461 shutdown_all (); 363 shutdown_all ();
1462 364
1463 remove_pid (pidfilename); 365 remove_pid (pidfilename);
1464 366
1465 slog (L_INFO, _("vped terminating")); 367 slog (L_INFO, _("terminating"));
1466 368
1467 exit (0); 369 exit (0);
1468 } 370 }
1469 371
1470 if (events & EVENT_RECONNECT) 372 if (events & EVENT_RECONNECT)
373 {
374 slog (L_INFO, _("forced reconnect"));
375
1471 reconnect_all (); 376 reconnect_all ();
377 }
1472 378
1473 events = 0; 379 events = 0;
1474 } 380 }
1475 381
1476 ts = TSTAMP_CANCEL; 382 ts = TSTAMP_CANCEL;
1477} 383}
1478 384
385void
386vpn::shutdown_all ()
387{
388 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
389 (*c)->shutdown ();
390}
391
392void
393vpn::reconnect_all ()
394{
395 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
396 delete *c;
397
398 conns.clear ();
399
400 connection_init ();
401
402 for (configuration::node_vector::iterator i = conf.nodes.begin ();
403 i != conf.nodes.end (); ++i)
404 {
405 connection *conn = new connection (this);
406
407 conn->conf = *i;
408 conns.push_back (conn);
409
410 conn->establish_connection ();
411 }
412}
413
414connection *vpn::find_router ()
415{
416 u32 prio = 0;
417 connection *router = 0;
418
419 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
420 {
421 connection *c = *i;
422
423 if (c->conf->routerprio > prio
424 && c->connectmode == conf_node::C_ALWAYS
425 && c->conf != THISNODE
426 && c->ictx && c->octx)
427 {
428 prio = c->conf->routerprio;
429 router = c;
430 }
431 }
432
433 return router;
434}
435
436void vpn::connect_request (int id)
437{
438 connection *c = find_router ();
439
440 if (c)
441 c->connect_request (id);
442 //else // does not work, because all others must connect to the same router
443 // // no router found, aggressively connect to all routers
444 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
445 // if ((*i)->conf->routerprio)
446 // (*i)->establish_connection ();
447}
448
449void
450connection::dump_status ()
451{
452 slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
453 slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
454 connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
455 slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
456 (long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
457 slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
458 (long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
459}
460
461void
462vpn::dump_status ()
463{
464 slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
465
466 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
467 (*c)->dump_status ();
468
469 slog (L_NOTICE, _("END status dump"));
470}
471
1479vpn::vpn (void) 472vpn::vpn (void)
1480: udp_ev_watcher (this, &vpn::udp_ev) 473: udpv4_ev_watcher(this, &vpn::udpv4_ev)
474, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1481, vpn_ev_watcher (this, &vpn::vpn_ev) 475, tap_ev_watcher(this, &vpn::tap_ev)
1482, event (this, &vpn::event_cb) 476, event(this, &vpn::event_cb)
1483{ 477{
1484} 478}
1485 479
1486vpn::~vpn () 480vpn::~vpn ()
1487{ 481{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines