ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/protocol.C
(Generate patch)

Comparing gvpe/src/protocol.C (file contents):
Revision 1.1 by pcg, Sat Mar 1 15:53:03 2003 UTC vs.
Revision 1.9 by pcg, Fri Mar 21 23:17:01 2003 UTC

60 60
61static const rsachallenge & 61static const rsachallenge &
62challenge_bytes () 62challenge_bytes ()
63{ 63{
64 static rsachallenge challenge; 64 static rsachallenge challenge;
65 static time_t challenge_ttl; // time this challenge needs to be recreated 65 static double challenge_ttl; // time this challenge needs to be recreated
66 66
67 if (now > challenge_ttl) 67 if (NOW > challenge_ttl)
68 { 68 {
69 RAND_bytes ((unsigned char *)&challenge, sizeof (challenge)); 69 RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));
70 challenge_ttl = now + CHALLENGE_TTL; 70 challenge_ttl = NOW + CHALLENGE_TTL;
71 } 71 }
72 72
73 return challenge; 73 return challenge;
74} 74}
75 75
128 128
129crypto_ctx::~crypto_ctx () 129crypto_ctx::~crypto_ctx ()
130{ 130{
131 EVP_CIPHER_CTX_cleanup (&cctx); 131 EVP_CIPHER_CTX_cleanup (&cctx);
132 HMAC_CTX_cleanup (&hctx); 132 HMAC_CTX_cleanup (&hctx);
133}
134
135//////////////////////////////////////////////////////////////////////////////
136
137void pkt_queue::put (tap_packet *p)
138{
139 if (queue[i])
140 {
141 delete queue[i];
142 j = (j + 1) % QUEUEDEPTH;
143 }
144
145 queue[i] = p;
146
147 i = (i + 1) % QUEUEDEPTH;
148}
149
150tap_packet *pkt_queue::get ()
151{
152 tap_packet *p = queue[j];
153
154 if (p)
155 {
156 queue[j] = 0;
157 j = (j + 1) % QUEUEDEPTH;
158 }
159
160 return p;
161}
162
163pkt_queue::pkt_queue ()
164{
165 memset (queue, 0, sizeof (queue));
166 i = 0;
167 j = 0;
168}
169
170pkt_queue::~pkt_queue ()
171{
172 for (i = QUEUEDEPTH; --i > 0; )
173 delete queue[i];
174}
175
176// only do action once every x seconds per host.
177// currently this is quite a slow implementation,
178// but suffices for normal operation.
179struct u32_rate_limiter : private map<u32, tstamp>
180 {
181 tstamp every;
182
183 bool can (u32 host);
184
185 u32_rate_limiter (tstamp every = 1)
186 {
187 this->every = every;
188 }
189 };
190
191struct net_rate_limiter : u32_rate_limiter
192 {
193 bool can (SOCKADDR *sa) { return u32_rate_limiter::can((u32)sa->sin_addr.s_addr); }
194 bool can (sockinfo &si) { return u32_rate_limiter::can((u32)si.host); }
195
196 net_rate_limiter (tstamp every) : u32_rate_limiter (every) {}
197 };
198
199bool u32_rate_limiter::can (u32 host)
200{
201 iterator i;
202
203 for (i = begin (); i != end (); )
204 if (i->second <= NOW)
205 {
206 erase (i);
207 i = begin ();
208 }
209 else
210 ++i;
211
212 i = find (host);
213
214 if (i != end ())
215 return false;
216
217 insert (value_type (host, NOW + every));
218
219 return true;
133} 220}
134 221
135///////////////////////////////////////////////////////////////////////////// 222/////////////////////////////////////////////////////////////////////////////
136 223
137static void next_wakeup (time_t next) 224static void next_wakeup (time_t next)
200 287
201 unsigned int src () 288 unsigned int src ()
202 { 289 {
203 return src1 | ((srcdst >> 4) << 8); 290 return src1 | ((srcdst >> 4) << 8);
204 } 291 }
292
205 unsigned int dst () 293 unsigned int dst ()
206 { 294 {
207 return dst1 | ((srcdst & 0xf) << 8); 295 return dst1 | ((srcdst & 0xf) << 8);
208 } 296 }
297
209 ptype typ () 298 ptype typ ()
210 { 299 {
211 return (ptype) type; 300 return (ptype) type;
212 } 301 }
213 }; 302 };
252 u32 cl; 341 u32 cl;
253 342
254 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 343 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
255 if (cl) 344 if (cl)
256 { 345 {
257 //printf ("compressed packet, %d => %d\n", l, cl);//D
258 type = PT_DATA_COMPRESSED; 346 type = PT_DATA_COMPRESSED;
259 d = cdata; 347 d = cdata;
260 l = cl + 2; 348 l = cl + 2;
261 349
262 d[0] = cl >> 8; 350 d[0] = cl >> 8;
330 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 418 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
331 outl += outl2; 419 outl += outl2;
332 420
333 seqno = *(u32 *)(d + RAND_SIZE); 421 seqno = *(u32 *)(d + RAND_SIZE);
334 422
335 id2mac (dst (), p->dst); 423 id2mac (dst () ? dst() : THISNODE->id, p->dst);
336 id2mac (src (), p->src); 424 id2mac (src (), p->src);
337 425
338#if ENABLE_COMPRESSION 426#if ENABLE_COMPRESSION
339 if (type == PT_DATA_COMPRESSED) 427 if (type == PT_DATA_COMPRESSED)
340 { 428 {
341 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1]; 429 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
342 p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6; 430 p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6;
343 //printf ("decompressxed %d(%d) => %d\n", cl, len - data_hdr_size (), p->len);//D
344 } 431 }
345 else 432 else
346 p->len = outl + (6 + 6 - DATAHDR); 433 p->len = outl + (6 + 6 - DATAHDR);
347#endif 434#endif
348 435
369 u32 digest_nid; 456 u32 digest_nid;
370 457
371 const u8 curflags () const 458 const u8 curflags () const
372 { 459 {
373 return 0x80 460 return 0x80
461 | 0x02
462#if PROTOCOL_MAJOR != 2
463#error hi
464#endif
374 | (ENABLE_COMPRESSION ? 0x01 : 0x00) 465 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
375 | (ENABLE_TRUST ? 0x02 : 0x00);
376 } 466 }
377 467
378 void setup (ptype type, int dst) 468 void setup (ptype type, int dst)
379 { 469 {
380 prot_major = PROTOCOL_MAJOR; 470 prot_major = PROTOCOL_MAJOR;
481connection::send_ping (SOCKADDR *dsa, u8 pong) 571connection::send_ping (SOCKADDR *dsa, u8 pong)
482{ 572{
483 ping_packet *pkt = new ping_packet; 573 ping_packet *pkt = new ping_packet;
484 574
485 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 575 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
486 vpn->send_vpn_packet (pkt, dsa); 576 vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY);
487 577
488 delete pkt; 578 delete pkt;
489} 579}
490 580
491void 581void
496 if (limiter.can (dsa)) 586 if (limiter.can (dsa))
497 { 587 {
498 config_packet *pkt = new config_packet; 588 config_packet *pkt = new config_packet;
499 589
500 pkt->setup (vpn_packet::PT_RESET, conf->id); 590 pkt->setup (vpn_packet::PT_RESET, conf->id);
501 vpn->send_vpn_packet (pkt, dsa); 591 vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST);
502 592
503 delete pkt; 593 delete pkt;
504 } 594 }
505} 595}
506 596
523 613
524 if (subtype != AUTH_INIT || limiter.can (sa)) 614 if (subtype != AUTH_INIT || limiter.can (sa))
525 { 615 {
526 auth_packet *pkt = new auth_packet (conf->id, subtype); 616 auth_packet *pkt = new auth_packet (conf->id, subtype);
527 617
528 //printf ("send auth_packet subtype %d\n", subtype);//D
529
530 if (!k) 618 if (!k)
531 k = gen_challenge (sa); 619 k = gen_challenge (sa);
532 620
533#if ENABLE_TRUST
534 if (0 > RSA_public_encrypt (sizeof (*k), 621 if (0 > RSA_public_encrypt (sizeof (*k),
535 (unsigned char *)k, (unsigned char *)&pkt->challenge, 622 (unsigned char *)k, (unsigned char *)&pkt->challenge,
536 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 623 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
537 fatal ("RSA_public_encrypt error"); 624 fatal ("RSA_public_encrypt error");
538#else
539# error untrusted mode not yet implemented: programemr does not know how to
540 rsaencrdata enc;
541
542 if (0 > RSA_private_encrypt (sizeof (*k),
543 (unsigned char *)k, (unsigned char *)&enc,
544 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
545 fatal ("RSA_private_encrypt error");
546
547 if (0 > RSA_public_encrypt (sizeof (enc),
548 (unsigned char *)enc, (unsigned char *)&pkt->challenge,
549 conf->rsa_key, RSA_NO_PADDING))
550 fatal ("RSA_public_encrypt error");
551#endif
552 625
553 slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa)); 626 slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa));
554 627
555 vpn->send_vpn_packet (pkt, sa); 628 vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY);
556 629
557 delete pkt; 630 delete pkt;
558 } 631 }
559} 632}
560 633
561void 634void
562connection::establish_connection () 635connection::establish_connection_cb (tstamp &ts)
563{ 636{
564 if (!ictx && conf != THISNODE && conf->connectmode != conf_node::C_NEVER) 637 if (ictx || conf == THISNODE || connectmode == conf_node::C_NEVER)
638 ts = TSTAMP_CANCEL;
639 else if (ts <= NOW)
565 { 640 {
566 if (now >= next_retry) 641 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.25;
642
643 if (retry_int < 3600 * 8)
644 retry_cnt++;
645
646 if (connectmode == conf_node::C_ONDEMAND
647 && retry_int > ::conf.keepalive)
648 retry_int = ::conf.keepalive;
649
650 ts = NOW + retry_int;
651
652 if (conf->hostname)
567 { 653 {
568 int retry_int = retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2);
569
570 if (retry_cnt < (17 << 2) | 3)
571 retry_cnt++;
572
573 if (conf->connectmode == conf_node::C_ONDEMAND
574 && retry_int > ::conf.keepalive)
575 retry_int = ::conf.keepalive;
576
577 next_retry = now + retry_int;
578 next_wakeup (next_retry);
579
580 if (conf->hostname)
581 {
582 reset_dstaddr (); 654 reset_dstaddr ();
583 if (sa.sin_addr.s_addr) 655 if (sa.sin_addr.s_addr)
584 if (retry_cnt < 4) 656 if (retry_cnt < 4)
585 send_auth (AUTH_INIT, &sa); 657 send_auth (AUTH_INIT, &sa);
586 else 658 else
587 send_ping (&sa, 0); 659 send_ping (&sa, 0);
588 }
589 else
590 vpn->connect_request (conf->id);
591 } 660 }
661 else
662 vpn->connect_request (conf->id);
592 } 663 }
593} 664}
594 665
595void 666void
596connection::reset_connection () 667connection::reset_connection ()
610 octx = 0; 681 octx = 0;
611 682
612 sa.sin_port = 0; 683 sa.sin_port = 0;
613 sa.sin_addr.s_addr = 0; 684 sa.sin_addr.s_addr = 0;
614 685
615 next_retry = 0;
616 next_rekey = 0;
617 last_activity = 0; 686 last_activity = 0;
687
688 rekey.reset ();
689 keepalive.reset ();
690 establish_connection.reset ();
618} 691}
619 692
620void 693void
621connection::shutdown () 694connection::shutdown ()
622{ 695{
625 698
626 reset_connection (); 699 reset_connection ();
627} 700}
628 701
629void 702void
630connection::rekey () 703connection::rekey_cb (tstamp &ts)
631{ 704{
705 ts = TSTAMP_CANCEL;
706
632 reset_connection (); 707 reset_connection ();
633 establish_connection (); 708 establish_connection ();
634} 709}
635 710
636void 711void
637connection::send_data_packet (tap_packet * pkt, bool broadcast) 712connection::send_data_packet (tap_packet * pkt, bool broadcast)
638{ 713{
639 vpndata_packet *p = new vpndata_packet; 714 vpndata_packet *p = new vpndata_packet;
715 int tos = 0;
716
717 if (conf->inherit_tos
718 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
719 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
720 tos = (*pkt)[15] & IPTOS_TOS_MASK;
640 721
641 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 722 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
642 vpn->send_vpn_packet (p, &sa); 723 vpn->send_vpn_packet (p, &sa, tos);
643 724
644 delete p; 725 delete p;
645 726
646 if (oseqno > MAX_SEQNO) 727 if (oseqno > MAX_SEQNO)
647 rekey (); 728 rekey ();
662} 743}
663 744
664void 745void
665connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa) 746connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa)
666{ 747{
667 last_activity = now; 748 last_activity = NOW;
668 749
669 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 750 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
670 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 751 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
671 752
672 switch (pkt->typ ()) 753 switch (pkt->typ ())
680 // so reset the retry counter and establish a conenction 761 // so reset the retry counter and establish a conenction
681 // when we receive a pong. 762 // when we receive a pong.
682 if (!ictx && !octx) 763 if (!ictx && !octx)
683 { 764 {
684 retry_cnt = 0; 765 retry_cnt = 0;
685 next_retry = 0; 766 establish_connection.at = 0;
686 establish_connection (); 767 establish_connection ();
687 } 768 }
688 769
689 break; 770 break;
690 771
691 case vpn_packet::PT_RESET: 772 case vpn_packet::PT_RESET:
692 { 773 {
693 reset_connection (); 774 reset_connection ();
694 775
695 config_packet *p = (config_packet *) pkt; 776 config_packet *p = (config_packet *) pkt;
696 if (p->chk_config ()) 777 if (!p->chk_config ())
778 {
779 slog (L_WARN, _("disabling node '%s' because of differing protocol"), conf->nodename);
780 connectmode = conf_node::C_NEVER;
781 }
697 if (conf->connectmode == conf_node::C_ALWAYS) 782 else if (connectmode == conf_node::C_ALWAYS)
698 establish_connection (); 783 establish_connection ();
699
700 //D slog the protocol mismatch?
701 } 784 }
702 break; 785 break;
703 786
704 case vpn_packet::PT_AUTH: 787 case vpn_packet::PT_AUTH:
705 { 788 {
717 if (p->subtype == AUTH_INIT) 800 if (p->subtype == AUTH_INIT)
718 send_auth (AUTH_INITREPLY, ssa); 801 send_auth (AUTH_INITREPLY, ssa);
719 802
720 rsachallenge k; 803 rsachallenge k;
721 804
722#if ENABLE_TRUST
723 if (0 > RSA_private_decrypt (sizeof (rsaencrdata), 805 if (0 > RSA_private_decrypt (sizeof (rsaencrdata),
724 (unsigned char *)&p->challenge, (unsigned char *)&k, 806 (unsigned char *)&p->challenge, (unsigned char *)&k,
725 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 807 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
726 // continued below
727#else
728 rsaencrdata j;
729
730 if (0 > RSA_private_decrypt (sizeof (rsaencrdata),
731 (unsigned char *)&p->challenge, (unsigned char *)&j,
732 ::conf.rsa_key, RSA_NO_PADDING))
733 fatal ("RSA_private_decrypt error");
734
735 if (0 > RSA_public_decrypt (sizeof (k),
736 (unsigned char *)&j, (unsigned char *)&k,
737 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
738 // continued below
739#endif
740 { 808 {
741 slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"), 809 slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"),
742 conf->nodename, (const char *)sockinfo (ssa)); 810 conf->nodename, (const char *)sockinfo (ssa));
743 break; 811 break;
744 } 812 }
745 813
746 retry_cnt = 0; 814 retry_cnt = 0;
747 next_retry = now + 8; 815 establish_connection.set (NOW + 8); //? ;)
816 keepalive.reset ();
817 rekey.reset ();
748 818
749 switch (p->subtype) 819 switch (p->subtype)
750 { 820 {
751 case AUTH_INIT: 821 case AUTH_INIT:
752 case AUTH_INITREPLY: 822 case AUTH_INITREPLY:
766 if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32), 836 if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32),
767 sizeof (rsachallenge) - sizeof (u32))) 837 sizeof (rsachallenge) - sizeof (u32)))
768 { 838 {
769 delete ictx; 839 delete ictx;
770 840
771 ictx = new crypto_ctx (k, 0); 841 ictx = new crypto_ctx (k, 0);
772 iseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; // at least 2**31 sequence numbers are valid 842 iseqno.reset (*(u32 *)&k[CHG_SEQNO] & 0x7fffffff); // at least 2**31 sequence numbers are valid
773 ismask = 0xffffffff; // initially, all lower sequence numbers are invalid
774 843
775 sa = *ssa; 844 sa = *ssa;
776 845
777 next_rekey = now + ::conf.rekey; 846 rekey.set (NOW + ::conf.rekey);
778 next_wakeup (next_rekey); 847 keepalive.set (NOW + ::conf.keepalive);
779 848
780 // send queued packets 849 // send queued packets
781 while (tap_packet *p = queue.get ()) 850 while (tap_packet *p = queue.get ())
782 { 851 {
783 send_data_packet (p); 852 send_data_packet (p);
784 delete p; 853 delete p;
785 } 854 }
855
856 connectmode = conf->connectmode;
786 857
787 slog (L_INFO, _("connection to %d (%s %s) established"), 858 slog (L_INFO, _("connection to %d (%s %s) established"),
788 conf->id, conf->nodename, (const char *)sockinfo (ssa)); 859 conf->id, conf->nodename, (const char *)sockinfo (ssa));
789 860
790 if (::conf.script_node_up) 861 if (::conf.script_node_up)
826 else 897 else
827 { 898 {
828 u32 seqno; 899 u32 seqno;
829 tap_packet *d = p->unpack (this, seqno); 900 tap_packet *d = p->unpack (this, seqno);
830 901
831 if (seqno <= iseqno - 32) 902 if (iseqno.recv_ok (seqno))
832 slog (L_ERR, _("received duplicate or outdated packet (received %08lx, expected %08lx)\n"
833 "possible replay attack, or just massive packet reordering"), seqno, iseqno + 1);//D
834 else if (seqno > iseqno + 32)
835 slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n"
836 "possible replay attack, or just massive packet loss"), seqno, iseqno + 1);//D
837 else
838 { 903 {
839 if (seqno > iseqno)
840 {
841 ismask <<= seqno - iseqno;
842 iseqno = seqno;
843 }
844
845 u32 mask = 1 << (iseqno - seqno);
846
847 //printf ("received seqno %08lx, iseqno %08lx, mask %08lx is %08lx\n", seqno, iseqno, mask, ismask);
848 if (ismask & mask)
849 slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n"
850 "possible replay attack, or just packet duplication"), seqno, iseqno + 1);//D
851 else
852 {
853 ismask |= mask;
854
855 vpn->tap->send (d); 904 vpn->tap->send (d);
856 905
857 if (p->dst () == 0) // re-broadcast 906 if (p->dst () == 0) // re-broadcast
858 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i) 907 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
859 { 908 {
860 connection *c = *i; 909 connection *c = *i;
861 910
862 if (c->conf != THISNODE && c->conf != conf) 911 if (c->conf != THISNODE && c->conf != conf)
863 c->inject_data_packet (d); 912 c->inject_data_packet (d);
864 }
865
866 delete d;
867
868 break;
869 } 913 }
914
915 delete d;
916
917 break;
870 } 918 }
871 } 919 }
872 } 920 }
873 else 921 else
874 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D 922 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D
889 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 937 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
890 conf->id, p->id, c->ictx && c->octx); 938 conf->id, p->id, c->ictx && c->octx);
891 939
892 if (c->ictx && c->octx) 940 if (c->ictx && c->octx)
893 { 941 {
942 // send connect_info packets to both sides, in case one is
943 // behind a nat firewall (or both ;)
944 {
894 sockinfo si(sa); 945 sockinfo si(sa);
895 946
896 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 947 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
897 c->conf->id, p->id, (const char *)si); 948 c->conf->id, conf->id, (const char *)si);
898 949
899 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si); 950 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si);
900 951
901 r->hmac_set (c->octx); 952 r->hmac_set (c->octx);
902 vpn->send_vpn_packet (r, &c->sa); 953 vpn->send_vpn_packet (r, &c->sa);
903 954
904 delete r; 955 delete r;
956 }
957
958 {
959 sockinfo si(c->sa);
960
961 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
962 conf->id, c->conf->id, (const char *)si);
963
964 connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si);
965
966 r->hmac_set (octx);
967 vpn->send_vpn_packet (r, &sa);
968
969 delete r;
970 }
905 } 971 }
906 } 972 }
907 973
908 break; 974 break;
909 975
927 send_reset (ssa); 993 send_reset (ssa);
928 break; 994 break;
929 } 995 }
930} 996}
931 997
932void connection::timer () 998void connection::keepalive_cb (tstamp &ts)
933{ 999{
934 if (conf != THISNODE) 1000 if (NOW >= last_activity + ::conf.keepalive + 30)
935 { 1001 {
936 if (now >= next_retry && conf->connectmode == conf_node::C_ALWAYS) 1002 reset_connection ();
937 establish_connection (); 1003 establish_connection ();
938 1004 }
939 if (ictx && octx)
940 {
941 if (now >= next_rekey)
942 rekey ();
943 else if (now >= last_activity + ::conf.keepalive + 30)
944 {
945 reset_connection ();
946 establish_connection ();
947 }
948 else if (now >= last_activity + ::conf.keepalive) 1005 else if (NOW < last_activity + ::conf.keepalive)
1006 ts = last_activity + ::conf.keepalive;
949 if (conf->connectmode != conf_node::C_ONDEMAND 1007 else if (conf->connectmode != conf_node::C_ONDEMAND
950 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1008 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1009 {
951 send_ping (&sa); 1010 send_ping (&sa);
952 else 1011 ts = NOW + 5;
1012 }
1013 else
953 reset_connection (); 1014 reset_connection ();
954 1015
955 }
956 }
957} 1016}
958 1017
959void connection::connect_request (int id) 1018void connection::connect_request (int id)
960{ 1019{
961 connect_req_packet *p = new connect_req_packet (conf->id, id); 1020 connect_req_packet *p = new connect_req_packet (conf->id, id);
998 putenv ("STATE=down"); 1057 putenv ("STATE=down");
999 1058
1000 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1059 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1001} 1060}
1002 1061
1062connection::connection(struct vpn *vpn_)
1063: vpn(vpn_)
1064, rekey (this, &connection::rekey_cb)
1065, keepalive (this, &connection::keepalive_cb)
1066, establish_connection (this, &connection::establish_connection_cb)
1067{
1068 octx = ictx = 0;
1069 retry_cnt = 0;
1070
1071 connectmode = conf_node::C_ALWAYS; // initial setting
1072 reset_connection ();
1073}
1074
1075connection::~connection ()
1076{
1077 shutdown ();
1078}
1079
1003///////////////////////////////////////////////////////////////////////////// 1080/////////////////////////////////////////////////////////////////////////////
1004
1005vpn::vpn (void)
1006{}
1007 1081
1008const char *vpn::script_if_up () 1082const char *vpn::script_if_up ()
1009{ 1083{
1010 // the tunnel device mtu should be the physical mtu - overhead 1084 // the tunnel device mtu should be the physical mtu - overhead
1011 // the tricky part is rounding to the cipher key blocksize 1085 // the tricky part is rounding to the cipher key blocksize
1062 { 1136 {
1063 int oval = 1; 1137 int oval = 1;
1064 setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval); 1138 setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1065 } 1139 }
1066 1140
1141 udp_ev_watcher.start (socket_fd, POLLIN);
1142
1067 tap = new tap_device (); 1143 tap = new tap_device ();
1068 if (!tap) //D this, of course, never catches 1144 if (!tap) //D this, of course, never catches
1069 { 1145 {
1070 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname); 1146 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1071 exit (1); 1147 exit (1);
1072 } 1148 }
1073 1149
1074 run_script (this, &vpn::script_if_up, true); 1150 run_script (this, &vpn::script_if_up, true);
1075 1151
1152 vpn_ev_watcher.start (tap->fd, POLLIN);
1153
1154 reconnect_all ();
1155
1076 return 0; 1156 return 0;
1077} 1157}
1078 1158
1079void 1159void
1080vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa) 1160vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos)
1081{ 1161{
1162 setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1082 sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); 1163 sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa));
1083} 1164}
1084 1165
1085void 1166void
1086vpn::shutdown_all () 1167vpn::shutdown_all ()
1103 connection *conn = new connection (this); 1184 connection *conn = new connection (this);
1104 1185
1105 conn->conf = *i; 1186 conn->conf = *i;
1106 conns.push_back (conn); 1187 conns.push_back (conn);
1107 1188
1108 if (conn->conf->connectmode == conf_node::C_ALWAYS)
1109 conn->establish_connection (); 1189 conn->establish_connection ();
1110 } 1190 }
1111} 1191}
1112 1192
1113connection *vpn::find_router () 1193connection *vpn::find_router ()
1114{ 1194{
1118 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i) 1198 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1119 { 1199 {
1120 connection *c = *i; 1200 connection *c = *i;
1121 1201
1122 if (c->conf->routerprio > prio 1202 if (c->conf->routerprio > prio
1123 && c->conf->connectmode == conf_node::C_ALWAYS 1203 && c->connectmode == conf_node::C_ALWAYS
1124 && c->conf != THISNODE 1204 && c->conf != THISNODE
1125 && c->ictx && c->octx) 1205 && c->ictx && c->octx)
1126 { 1206 {
1127 prio = c->conf->routerprio; 1207 prio = c->conf->routerprio;
1128 router = c; 1208 router = c;
1136{ 1216{
1137 connection *c = find_router (); 1217 connection *c = find_router ();
1138 1218
1139 if (c) 1219 if (c)
1140 c->connect_request (id); 1220 c->connect_request (id);
1221 //else // does not work, because all others must connect to the same router
1222 // // no router found, aggressively connect to all routers
1223 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1224 // if ((*i)->conf->routerprio)
1225 // (*i)->establish_connection ();
1141} 1226}
1142 1227
1143void 1228void
1144vpn::main_loop () 1229vpn::udp_ev (short revents)
1145{ 1230{
1146 struct pollfd pollfd[2]; 1231 if (revents & (POLLIN | POLLERR))
1147
1148 pollfd[0].fd = tap->fd;
1149 pollfd[0].events = POLLIN;
1150 pollfd[1].fd = socket_fd;
1151 pollfd[1].events = POLLIN;
1152
1153 events = 0;
1154 now = time (0);
1155 next_timecheck = now + 1;
1156
1157 reconnect_all ();
1158
1159 for (;;)
1160 { 1232 {
1161 int npoll = poll (pollfd, 2, (next_timecheck - now) * 1000); 1233 vpn_packet *pkt = new vpn_packet;
1162 1234 struct sockaddr_in sa;
1163 now = time (0); 1235 socklen_t sa_len = sizeof (sa);
1236 int len;
1164 1237
1238 len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1239
1165 if (npoll > 0) 1240 if (len > 0)
1166 { 1241 {
1167 if (pollfd[1].revents) 1242 pkt->len = len;
1243
1244 unsigned int src = pkt->src ();
1245 unsigned int dst = pkt->dst ();
1246
1247 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1248 (const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1249
1250 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1251 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1252 pkt->typ (), pkt->src (), pkt->dst ());
1253 else if (dst == 0 && !THISNODE->routerprio)
1254 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1255 else if (dst != 0 && dst != THISNODE->id)
1256 slog (L_WARN,
1257 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1258 dst, conns[dst - 1]->conf->nodename,
1259 (const char *)sockinfo (sa),
1260 THISNODE->id, THISNODE->nodename);
1261 else if (src == 0 || src > conns.size ())
1262 slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1263 else
1264 conns[src - 1]->recv_vpn_packet (pkt, &sa);
1265 }
1266 else
1267 {
1268 // probably ECONNRESET or somesuch
1269 slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno));
1270 }
1271
1272 delete pkt;
1273 }
1274 else if (revents & POLLHUP)
1275 {
1276 // this cannot ;) happen on udp sockets
1277 slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating."));
1278 exit (1);
1279 }
1280 else
1281 {
1282 slog (L_ERR,
1283 _("FATAL: unknown revents %08x in socket, terminating\n"),
1284 revents);
1285 exit (1);
1286 }
1287}
1288
1289void
1290vpn::vpn_ev (short revents)
1291{
1292 if (revents & POLLIN)
1293 {
1294 /* process data */
1295 tap_packet *pkt;
1296
1297 pkt = tap->recv ();
1298
1299 int dst = mac2id (pkt->dst);
1300 int src = mac2id (pkt->src);
1301
1302 if (src != THISNODE->id)
1303 {
1304 slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1305 exit (1);
1306 }
1307
1308 if (dst == THISNODE->id)
1309 {
1310 slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1311 exit (1);
1312 }
1313
1314 if (dst > conns.size ())
1315 slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1316 else
1317 {
1318 if (dst)
1168 { 1319 {
1169 if (pollfd[1].revents & (POLLIN | POLLERR)) 1320 // unicast
1170 {
1171 vpn_packet *pkt = new vpn_packet;
1172 struct sockaddr_in sa;
1173 socklen_t sa_len = sizeof (sa);
1174 int len;
1175
1176 len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1177
1178 if (len > 0)
1179 {
1180 pkt->len = len;
1181
1182 unsigned int src = pkt->src ();
1183 unsigned int dst = pkt->dst ();
1184
1185 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1186 (const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1187
1188 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1189 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1190 pkt->typ (), pkt->src (), pkt->dst ());
1191 else if (dst == 0 && !THISNODE->routerprio)
1192 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1193 else if (dst != 0 && dst != THISNODE->id) 1321 if (dst != THISNODE->id)
1194 slog (L_WARN,
1195 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1196 dst, conns[dst - 1]->conf->nodename,
1197 (const char *)sockinfo (sa),
1198 THISNODE->id, THISNODE->nodename);
1199 else if (src == 0 || src > conns.size ())
1200 slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1201 else
1202 conns[src - 1]->recv_vpn_packet (pkt, &sa); 1322 conns[dst - 1]->inject_data_packet (pkt);
1203 }
1204 else
1205 {
1206 // probably ECONNRESET or somesuch
1207 slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno));
1208 }
1209
1210 delete pkt;
1211 } 1323 }
1212 else if (pollfd[1].revents & POLLHUP) 1324 else
1213 { 1325 {
1214 // this cannot ;) happen on udp sockets 1326 // broadcast, first check router, then self, then english
1215 slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating.")); 1327 connection *router = find_router ();
1216 exit (1); 1328
1217 } 1329 if (router)
1330 router->inject_data_packet (pkt, true);
1218 else 1331 else
1219 {
1220 slog (L_ERR,
1221 _("FATAL: unknown revents %08x in socket, terminating\n"),
1222 pollfd[1].revents);
1223 exit (1);
1224 }
1225 }
1226
1227 // I use else here to give vpn_packets absolute priority
1228 else if (pollfd[0].revents)
1229 {
1230 if (pollfd[0].revents & POLLIN)
1231 {
1232 /* process data */
1233 tap_packet *pkt;
1234
1235 pkt = tap->recv ();
1236
1237 int dst = mac2id (pkt->dst);
1238 int src = mac2id (pkt->src);
1239
1240 if (src != THISNODE->id)
1241 {
1242 slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1243 exit (1);
1244 }
1245
1246 if (dst == THISNODE->id)
1247 {
1248 slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1249 exit (1);
1250 }
1251
1252 if (dst > conns.size ())
1253 slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1254 else
1255 {
1256 if (dst)
1257 {
1258 // unicast
1259 if (dst != THISNODE->id)
1260 conns[dst - 1]->inject_data_packet (pkt);
1261 }
1262 else
1263 {
1264 // broadcast, first check router, then self, then english
1265 connection *router = find_router ();
1266
1267 if (router)
1268 router->inject_data_packet (pkt, true);
1269 else
1270 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 1332 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1271 if ((*c)->conf != THISNODE) 1333 if ((*c)->conf != THISNODE)
1272 (*c)->inject_data_packet (pkt); 1334 (*c)->inject_data_packet (pkt);
1273 }
1274 }
1275
1276 delete pkt;
1277 }
1278 else if (pollfd[0].revents & (POLLHUP | POLLERR))
1279 {
1280 slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
1281 exit (1);
1282 }
1283 else
1284 abort ();
1285 } 1335 }
1286 } 1336 }
1287 1337
1338 delete pkt;
1339 }
1340 else if (revents & (POLLHUP | POLLERR))
1341 {
1342 slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
1343 exit (1);
1344 }
1345 else
1346 abort ();
1347}
1348
1349void
1350vpn::event_cb (tstamp &ts)
1351{
1288 if (events) 1352 if (events)
1353 {
1354 if (events & EVENT_SHUTDOWN)
1289 { 1355 {
1290 if (events & EVENT_SHUTDOWN)
1291 {
1292 shutdown_all (); 1356 shutdown_all ();
1293 1357
1294 remove_pid (pidfilename); 1358 remove_pid (pidfilename);
1295 1359
1296 slog (L_INFO, _("vped terminating")); 1360 slog (L_INFO, _("vped terminating"));
1297 1361
1298 exit (0); 1362 exit (0);
1299 }
1300
1301 if (events & EVENT_RECONNECT)
1302 reconnect_all ();
1303
1304 events = 0;
1305 } 1363 }
1306 1364
1307 // very very very dumb and crude and inefficient timer handling, or maybe not? 1365 if (events & EVENT_RECONNECT)
1308 if (now >= next_timecheck) 1366 reconnect_all ();
1309 {
1310 next_timecheck = now + TIMER_GRANULARITY;
1311 1367
1312 for (conns_vector::iterator c = conns.begin (); 1368 events = 0;
1313 c != conns.end (); ++c)
1314 (*c)->timer ();
1315 }
1316 } 1369 }
1370
1371 ts = TSTAMP_CANCEL;
1372}
1373
1374vpn::vpn (void)
1375: udp_ev_watcher (this, &vpn::udp_ev)
1376, vpn_ev_watcher (this, &vpn::vpn_ev)
1377, event (this, &vpn::event_cb)
1378{
1317} 1379}
1318 1380
1319vpn::~vpn () 1381vpn::~vpn ()
1320{} 1382{
1383}
1321 1384

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines