ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/protocol.C
(Generate patch)

Comparing gvpe/src/protocol.C (file contents):
Revision 1.8 by pcg, Mon Mar 17 15:20:18 2003 UTC vs.
Revision 1.15 by pcg, Sun Mar 23 14:49:16 2003 UTC

16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17*/ 17*/
18 18
19#include "config.h" 19#include "config.h"
20 20
21#include <list>
22
21#include <cstdlib> 23#include <cstdlib>
22#include <cstring> 24#include <cstring>
23#include <cstdio> 25#include <cstdio>
24 26
25#include <sys/types.h> 27#include <sys/types.h>
60 62
61static const rsachallenge & 63static const rsachallenge &
62challenge_bytes () 64challenge_bytes ()
63{ 65{
64 static rsachallenge challenge; 66 static rsachallenge challenge;
65 static time_t challenge_ttl; // time this challenge needs to be recreated 67 static double challenge_ttl; // time this challenge needs to be recreated
66 68
67 if (now > challenge_ttl) 69 if (NOW > challenge_ttl)
68 { 70 {
69 RAND_bytes ((unsigned char *)&challenge, sizeof (challenge)); 71 RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));
70 challenge_ttl = now + CHALLENGE_TTL; 72 challenge_ttl = NOW + CHALLENGE_TTL;
71 } 73 }
72 74
73 return challenge; 75 return challenge;
76}
77
78// caching of rsa operations really helps slow computers
79struct rsa_entry {
80 tstamp expire;
81 rsachallenge chg;
82 RSA *key; // which key
83 rsaencrdata encr;
84
85 rsa_entry ()
86 {
87 expire = NOW + CHALLENGE_TTL;
88 }
89};
90
91struct rsa_cache : list<rsa_entry>
92{
93 void cleaner_cb (tstamp &ts); time_watcher cleaner;
94
95 const rsaencrdata *public_encrypt (RSA *key, const rsachallenge &chg)
96 {
97 for (iterator i = begin (); i != end (); ++i)
98 {
99 if (i->key == key && !memcmp (&chg, &i->chg, sizeof chg))
100 return &i->encr;
101 }
102
103 if (cleaner.at < NOW)
104 cleaner.start (NOW + CHALLENGE_TTL);
105
106 resize (size () + 1);
107 rsa_entry *e = &(*rbegin ());
108
109 e->key = key;
110 memcpy (&e->chg, &chg, sizeof chg);
111
112 if (0 > RSA_public_encrypt (sizeof chg,
113 (unsigned char *)&chg, (unsigned char *)&e->encr,
114 key, RSA_PKCS1_OAEP_PADDING))
115 fatal ("RSA_public_encrypt error");
116
117 return &e->encr;
118 }
119
120 const rsachallenge *private_decrypt (RSA *key, const rsaencrdata &encr)
121 {
122 for (iterator i = begin (); i != end (); ++i)
123 if (i->key == key && !memcmp (&encr, &i->encr, sizeof encr))
124 return &i->chg;
125
126 if (cleaner.at < NOW)
127 cleaner.start (NOW + CHALLENGE_TTL);
128
129 resize (size () + 1);
130 rsa_entry *e = &(*rbegin ());
131
132 e->key = key;
133 memcpy (&e->encr, &encr, sizeof encr);
134
135 if (0 > RSA_private_decrypt (sizeof encr,
136 (unsigned char *)&encr, (unsigned char *)&e->chg,
137 key, RSA_PKCS1_OAEP_PADDING))
138 {
139 pop_back ();
140 return 0;
141 }
142
143 return &e->chg;
144 }
145
146 rsa_cache ()
147 : cleaner (this, &rsa_cache::cleaner_cb)
148 { }
149
150} rsa_cache;
151
152void rsa_cache::cleaner_cb (tstamp &ts)
153{
154 if (empty ())
155 ts = TSTAMP_CANCEL;
156 else
157 {
158 ts = NOW + 3;
159 for (iterator i = begin (); i != end (); )
160 {
161 if (i->expire >= NOW)
162 i = erase (i);
163 else
164 ++i;
165 }
166 }
74} 167}
75 168
76// run a script. yes, it's a template function. yes, c++ 169// run a script. yes, it's a template function. yes, c++
77// is not a functional language. yes, this suxx. 170// is not a functional language. yes, this suxx.
78template<class owner> 171template<class owner>
112struct crypto_ctx 205struct crypto_ctx
113 { 206 {
114 EVP_CIPHER_CTX cctx; 207 EVP_CIPHER_CTX cctx;
115 HMAC_CTX hctx; 208 HMAC_CTX hctx;
116 209
117 crypto_ctx (rsachallenge &challenge, int enc); 210 crypto_ctx (const rsachallenge &challenge, int enc);
118 ~crypto_ctx (); 211 ~crypto_ctx ();
119 }; 212 };
120 213
121crypto_ctx::crypto_ctx (rsachallenge &challenge, int enc) 214crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
122{ 215{
123 EVP_CIPHER_CTX_init (&cctx); 216 EVP_CIPHER_CTX_init (&cctx);
124 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); 217 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
125 HMAC_CTX_init (&hctx); 218 HMAC_CTX_init (&hctx);
126 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0); 219 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
128 221
129crypto_ctx::~crypto_ctx () 222crypto_ctx::~crypto_ctx ()
130{ 223{
131 EVP_CIPHER_CTX_cleanup (&cctx); 224 EVP_CIPHER_CTX_cleanup (&cctx);
132 HMAC_CTX_cleanup (&hctx); 225 HMAC_CTX_cleanup (&hctx);
226}
227
228//////////////////////////////////////////////////////////////////////////////
229
230void pkt_queue::put (tap_packet *p)
231{
232 if (queue[i])
233 {
234 delete queue[i];
235 j = (j + 1) % QUEUEDEPTH;
236 }
237
238 queue[i] = p;
239
240 i = (i + 1) % QUEUEDEPTH;
241}
242
243tap_packet *pkt_queue::get ()
244{
245 tap_packet *p = queue[j];
246
247 if (p)
248 {
249 queue[j] = 0;
250 j = (j + 1) % QUEUEDEPTH;
251 }
252
253 return p;
254}
255
256pkt_queue::pkt_queue ()
257{
258 memset (queue, 0, sizeof (queue));
259 i = 0;
260 j = 0;
261}
262
263pkt_queue::~pkt_queue ()
264{
265 for (i = QUEUEDEPTH; --i > 0; )
266 delete queue[i];
267}
268
269// only do action once every x seconds per host.
270// currently this is quite a slow implementation,
271// but suffices for normal operation.
272struct u32_rate_limiter : private map<u32, tstamp>
273 {
274 tstamp every;
275
276 bool can (u32 host);
277
278 u32_rate_limiter (tstamp every = 1)
279 {
280 this->every = every;
281 }
282 };
283
284struct net_rate_limiter : u32_rate_limiter
285 {
286 bool can (SOCKADDR *sa) { return u32_rate_limiter::can((u32)sa->sin_addr.s_addr); }
287 bool can (sockinfo &si) { return u32_rate_limiter::can((u32)si.host); }
288
289 net_rate_limiter (tstamp every) : u32_rate_limiter (every) {}
290 };
291
292bool u32_rate_limiter::can (u32 host)
293{
294 iterator i;
295
296 for (i = begin (); i != end (); )
297 if (i->second <= NOW)
298 {
299 erase (i);
300 i = begin ();
301 }
302 else
303 ++i;
304
305 i = find (host);
306
307 if (i != end ())
308 return false;
309
310 insert (value_type (host, NOW + every));
311
312 return true;
133} 313}
134 314
135///////////////////////////////////////////////////////////////////////////// 315/////////////////////////////////////////////////////////////////////////////
136 316
137static void next_wakeup (time_t next) 317static void next_wakeup (time_t next)
200 380
201 unsigned int src () 381 unsigned int src ()
202 { 382 {
203 return src1 | ((srcdst >> 4) << 8); 383 return src1 | ((srcdst >> 4) << 8);
204 } 384 }
385
205 unsigned int dst () 386 unsigned int dst ()
206 { 387 {
207 return dst1 | ((srcdst & 0xf) << 8); 388 return dst1 | ((srcdst & 0xf) << 8);
208 } 389 }
390
209 ptype typ () 391 ptype typ ()
210 { 392 {
211 return (ptype) type; 393 return (ptype) type;
212 } 394 }
213 }; 395 };
252 u32 cl; 434 u32 cl;
253 435
254 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 436 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
255 if (cl) 437 if (cl)
256 { 438 {
257 //printf ("compressed packet, %d => %d\n", l, cl);//D
258 type = PT_DATA_COMPRESSED; 439 type = PT_DATA_COMPRESSED;
259 d = cdata; 440 d = cdata;
260 l = cl + 2; 441 l = cl + 2;
261 442
262 d[0] = cl >> 8; 443 d[0] = cl >> 8;
264 } 445 }
265#endif 446#endif
266 447
267 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 448 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
268 449
450 struct {
269#if RAND_SIZE 451#if RAND_SIZE
270 struct {
271 u8 rnd[RAND_SIZE]; 452 u8 rnd[RAND_SIZE];
453#endif
272 u32 seqno; 454 u32 seqno;
273 } datahdr; 455 } datahdr;
274 456
275 datahdr.seqno = seqno; 457 datahdr.seqno = ntohl (seqno);
458#if RAND_SIZE
276 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 459 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
460#endif
277 461
278 EVP_EncryptUpdate (cctx, 462 EVP_EncryptUpdate (cctx,
279 (unsigned char *) data + outl, &outl2, 463 (unsigned char *) data + outl, &outl2,
280 (unsigned char *) &datahdr, DATAHDR); 464 (unsigned char *) &datahdr, DATAHDR);
281 outl += outl2; 465 outl += outl2;
282#else
283 EVP_EncryptUpdate (cctx,
284 (unsigned char *) data + outl, &outl2,
285 (unsigned char *) &seqno, DATAHDR);
286 outl += outl2;
287#endif
288 466
289 EVP_EncryptUpdate (cctx, 467 EVP_EncryptUpdate (cctx,
290 (unsigned char *) data + outl, &outl2, 468 (unsigned char *) data + outl, &outl2,
291 (unsigned char *) d, l); 469 (unsigned char *) d, l);
292 outl += outl2; 470 outl += outl2;
328 outl += outl2; 506 outl += outl2;
329 507
330 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 508 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
331 outl += outl2; 509 outl += outl2;
332 510
333 seqno = *(u32 *)(d + RAND_SIZE); 511 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
334 512
335 id2mac (dst () ? dst() : THISNODE->id, p->dst); 513 id2mac (dst () ? dst() : THISNODE->id, p->dst);
336 id2mac (src (), p->src); 514 id2mac (src (), p->src);
337 515
338#if ENABLE_COMPRESSION 516#if ENABLE_COMPRESSION
339 if (type == PT_DATA_COMPRESSED) 517 if (type == PT_DATA_COMPRESSED)
340 { 518 {
341 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1]; 519 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
342 p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6; 520 p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6;
343 //printf ("decompressxed %d(%d) => %d\n", cl, len - data_hdr_size (), p->len);//D
344 } 521 }
345 else 522 else
346 p->len = outl + (6 + 6 - DATAHDR); 523 p->len = outl + (6 + 6 - DATAHDR);
347#endif 524#endif
348 525
369 u32 digest_nid; 546 u32 digest_nid;
370 547
371 const u8 curflags () const 548 const u8 curflags () const
372 { 549 {
373 return 0x80 550 return 0x80
374 | (ENABLE_COMPRESSION ? 0x01 : 0x00) 551 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
375 | (ENABLE_TRUST ? 0x02 : 0x00);
376 } 552 }
377 553
378 void setup (ptype type, int dst) 554 void setup (ptype type, int dst)
379 { 555 {
380 prot_major = PROTOCOL_MAJOR; 556 prot_major = PROTOCOL_MAJOR;
491void 667void
492connection::send_reset (SOCKADDR *dsa) 668connection::send_reset (SOCKADDR *dsa)
493{ 669{
494 static net_rate_limiter limiter(1); 670 static net_rate_limiter limiter(1);
495 671
496 if (limiter.can (dsa)) 672 if (limiter.can (dsa) && connectmode != conf_node::C_DISABLED)
497 { 673 {
498 config_packet *pkt = new config_packet; 674 config_packet *pkt = new config_packet;
499 675
500 pkt->setup (vpn_packet::PT_RESET, conf->id); 676 pkt->setup (vpn_packet::PT_RESET, conf->id);
501 vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST); 677 vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST);
503 delete pkt; 679 delete pkt;
504 } 680 }
505} 681}
506 682
507static rsachallenge * 683static rsachallenge *
508gen_challenge (SOCKADDR *sa) 684gen_challenge (u32 seqrand, SOCKADDR *sa)
509{ 685{
510 static rsachallenge k; 686 static rsachallenge k;
511 687
512 memcpy (&k, &challenge_bytes (), sizeof (k)); 688 memcpy (&k, &challenge_bytes (), sizeof (k));
513 RAND_bytes ((unsigned char *)&k[CHG_SEQNO], sizeof (u32)); 689 *(u32 *)&k[CHG_SEQNO] ^= seqrand;
514 xor_sa (k, sa); 690 xor_sa (k, sa);
515 691
516 return &k; 692 return &k;
517} 693}
518 694
519void 695void
520connection::send_auth (auth_subtype subtype, SOCKADDR *sa, rsachallenge *k) 696connection::send_auth (auth_subtype subtype, SOCKADDR *sa, const rsachallenge *k)
521{ 697{
522 static net_rate_limiter limiter(2); 698 static net_rate_limiter limiter(0.2);
523 699
524 if (subtype != AUTH_INIT || limiter.can (sa)) 700 if (subtype != AUTH_INIT || limiter.can (sa))
525 { 701 {
702 if (!k)
703 k = gen_challenge (seqrand, sa);
704
526 auth_packet *pkt = new auth_packet (conf->id, subtype); 705 auth_packet *pkt = new auth_packet (conf->id, subtype);
527 706
528 //printf ("send auth_packet subtype %d\n", subtype);//D 707 memcpy (pkt->challenge, rsa_cache.public_encrypt (conf->rsa_key, *k), sizeof (rsaencrdata));
529
530 if (!k)
531 k = gen_challenge (sa);
532
533#if ENABLE_TRUST
534 if (0 > RSA_public_encrypt (sizeof (*k),
535 (unsigned char *)k, (unsigned char *)&pkt->challenge,
536 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
537 fatal ("RSA_public_encrypt error");
538#else
539# error untrusted mode not yet implemented: programemr does not know how to
540 rsaencrdata enc;
541
542 if (0 > RSA_private_encrypt (sizeof (*k),
543 (unsigned char *)k, (unsigned char *)&enc,
544 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
545 fatal ("RSA_private_encrypt error");
546
547 if (0 > RSA_public_encrypt (sizeof (enc),
548 (unsigned char *)enc, (unsigned char *)&pkt->challenge,
549 conf->rsa_key, RSA_NO_PADDING))
550 fatal ("RSA_public_encrypt error");
551#endif
552 708
553 slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa)); 709 slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa));
554 710
555 vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); 711 vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY);
556 712
557 delete pkt; 713 delete pkt;
558 } 714 }
559} 715}
560 716
561void 717void
562connection::establish_connection () 718connection::establish_connection_cb (tstamp &ts)
563{ 719{
564 if (!ictx && conf != THISNODE && connectmode != conf_node::C_NEVER) 720 if (ictx || conf == THISNODE || connectmode == conf_node::C_NEVER)
721 ts = TSTAMP_CANCEL;
722 else if (ts <= NOW)
565 { 723 {
566 if (now >= next_retry) 724 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.25;
567 {
568 int retry_int = retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2);
569 725
570 if (retry_cnt < (17 << 2) | 3) 726 if (retry_int < 3600 * 8)
571 retry_cnt++; 727 retry_cnt++;
572 728
573 if (connectmode == conf_node::C_ONDEMAND 729 ts = NOW + retry_int;
574 && retry_int > ::conf.keepalive)
575 retry_int = ::conf.keepalive;
576 730
577 next_retry = now + retry_int;
578 next_wakeup (next_retry);
579
580 if (conf->hostname) 731 if (conf->hostname)
581 { 732 {
582 reset_dstaddr (); 733 reset_dstaddr ();
583 if (sa.sin_addr.s_addr) 734 if (sa.sin_addr.s_addr)
584 if (retry_cnt < 4) 735 if (retry_cnt < 4)
585 send_auth (AUTH_INIT, &sa); 736 send_auth (AUTH_INIT, &sa);
586 else 737 else
587 send_ping (&sa, 0); 738 send_ping (&sa, 0);
588 } 739 }
589 else 740 else
590 vpn->connect_request (conf->id); 741 vpn->connect_request (conf->id);
591 }
592 } 742 }
593} 743}
594 744
595void 745void
596connection::reset_connection () 746connection::reset_connection ()
601 751
602 if (::conf.script_node_down) 752 if (::conf.script_node_down)
603 run_script (this, &connection::script_node_down, false); 753 run_script (this, &connection::script_node_down, false);
604 } 754 }
605 755
606 delete ictx; 756 delete ictx; ictx = 0;
607 ictx = 0; 757 delete octx; octx = 0;
608 758
609 delete octx; 759 RAND_bytes ((unsigned char *)&seqrand, sizeof (u32));
610 octx = 0;
611 760
612 sa.sin_port = 0; 761 sa.sin_port = 0;
613 sa.sin_addr.s_addr = 0; 762 sa.sin_addr.s_addr = 0;
614 763
615 next_retry = 0;
616 next_rekey = 0;
617 last_activity = 0; 764 last_activity = 0;
765
766 rekey.reset ();
767 keepalive.reset ();
768 establish_connection.reset ();
618} 769}
619 770
620void 771void
621connection::shutdown () 772connection::shutdown ()
622{ 773{
625 776
626 reset_connection (); 777 reset_connection ();
627} 778}
628 779
629void 780void
630connection::rekey () 781connection::rekey_cb (tstamp &ts)
631{ 782{
783 ts = TSTAMP_CANCEL;
784
632 reset_connection (); 785 reset_connection ();
633 establish_connection (); 786 establish_connection ();
634} 787}
635 788
636void 789void
668} 821}
669 822
670void 823void
671connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa) 824connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa)
672{ 825{
673 last_activity = now; 826 last_activity = NOW;
674 827
675 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 828 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
676 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 829 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
677 830
678 switch (pkt->typ ()) 831 switch (pkt->typ ())
686 // so reset the retry counter and establish a conenction 839 // so reset the retry counter and establish a conenction
687 // when we receive a pong. 840 // when we receive a pong.
688 if (!ictx && !octx) 841 if (!ictx && !octx)
689 { 842 {
690 retry_cnt = 0; 843 retry_cnt = 0;
691 next_retry = 0; 844 establish_connection.at = 0;
692 establish_connection (); 845 establish_connection ();
693 } 846 }
694 847
695 break; 848 break;
696 849
697 case vpn_packet::PT_RESET: 850 case vpn_packet::PT_RESET:
698 { 851 {
699 reset_connection (); 852 reset_connection ();
700 853
701 config_packet *p = (config_packet *) pkt; 854 config_packet *p = (config_packet *) pkt;
702 if (p->chk_config ()) 855 if (!p->chk_config ())
856 {
857 slog (L_WARN, _("protocol mismatch, disabling node '%s'"), conf->nodename);
858 connectmode = conf_node::C_DISABLED;
859 }
703 if (connectmode == conf_node::C_ALWAYS) 860 else if (connectmode == conf_node::C_ALWAYS)
704 establish_connection (); 861 establish_connection ();
705
706 //D slog the protocol mismatch?
707 } 862 }
708 break; 863 break;
709 864
710 case vpn_packet::PT_AUTH: 865 case vpn_packet::PT_AUTH:
711 { 866 {
721 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 876 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
722 877
723 if (p->subtype == AUTH_INIT) 878 if (p->subtype == AUTH_INIT)
724 send_auth (AUTH_INITREPLY, ssa); 879 send_auth (AUTH_INITREPLY, ssa);
725 880
726 rsachallenge k; 881 const rsachallenge *k = rsa_cache.private_decrypt (::conf.rsa_key, p->challenge);
727 882
728#if ENABLE_TRUST
729 if (0 > RSA_private_decrypt (sizeof (rsaencrdata),
730 (unsigned char *)&p->challenge, (unsigned char *)&k,
731 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
732 // continued below
733#else
734 rsaencrdata j;
735 883 if (!k)
736 if (0 > RSA_private_decrypt (sizeof (rsaencrdata),
737 (unsigned char *)&p->challenge, (unsigned char *)&j,
738 ::conf.rsa_key, RSA_NO_PADDING))
739 fatal ("RSA_private_decrypt error");
740
741 if (0 > RSA_public_decrypt (sizeof (k),
742 (unsigned char *)&j, (unsigned char *)&k,
743 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
744 // continued below
745#endif
746 { 884 {
747 slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"), 885 slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"),
748 conf->nodename, (const char *)sockinfo (ssa)); 886 conf->nodename, (const char *)sockinfo (ssa));
749 break; 887 break;
750 } 888 }
751 889
752 retry_cnt = 0; 890 retry_cnt = 0;
753 next_retry = now + 8; 891 establish_connection.set (NOW + 8); //? ;)
892 keepalive.reset ();
893 rekey.reset ();
754 894
755 switch (p->subtype) 895 switch (p->subtype)
756 { 896 {
757 case AUTH_INIT: 897 case AUTH_INIT:
758 case AUTH_INITREPLY: 898 case AUTH_INITREPLY:
759 delete ictx; 899 delete ictx;
760 ictx = 0; 900 ictx = 0;
761 901
762 delete octx; 902 delete octx;
763 903
764 octx = new crypto_ctx (k, 1); 904 octx = new crypto_ctx (*k, 1);
765 oseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; 905 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
766 906
767 send_auth (AUTH_REPLY, ssa, &k); 907 send_auth (AUTH_REPLY, ssa, k);
768 break; 908 break;
769 909
770 case AUTH_REPLY: 910 case AUTH_REPLY:
771 911
772 if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32), 912 if (!memcmp ((u8 *)gen_challenge (seqrand, ssa), (u8 *)k, sizeof (rsachallenge)))
773 sizeof (rsachallenge) - sizeof (u32)))
774 { 913 {
775 delete ictx; 914 delete ictx;
776 915
777 ictx = new crypto_ctx (k, 0); 916 ictx = new crypto_ctx (*k, 0);
778 iseqno.reset (*(u32 *)&k[CHG_SEQNO] & 0x7fffffff); // at least 2**31 sequence numbers are valid 917 iseqno.reset (ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
779 918
780 sa = *ssa; 919 sa = *ssa;
781 920
782 next_rekey = now + ::conf.rekey; 921 rekey.set (NOW + ::conf.rekey);
783 next_wakeup (next_rekey); 922 keepalive.set (NOW + ::conf.keepalive);
784 923
785 // send queued packets 924 // send queued packets
786 while (tap_packet *p = queue.get ()) 925 while (tap_packet *p = queue.get ())
787 { 926 {
788 send_data_packet (p); 927 send_data_packet (p);
929 send_reset (ssa); 1068 send_reset (ssa);
930 break; 1069 break;
931 } 1070 }
932} 1071}
933 1072
934void connection::timer () 1073void connection::keepalive_cb (tstamp &ts)
935{ 1074{
936 if (conf != THISNODE) 1075 if (NOW >= last_activity + ::conf.keepalive + 30)
937 { 1076 {
938 if (now >= next_retry && connectmode == conf_node::C_ALWAYS) 1077 reset_connection ();
939 establish_connection (); 1078 establish_connection ();
940 1079 }
941 if (ictx && octx)
942 {
943 if (now >= next_rekey)
944 rekey ();
945 else if (now >= last_activity + ::conf.keepalive + 30)
946 {
947 reset_connection ();
948 establish_connection ();
949 }
950 else if (now >= last_activity + ::conf.keepalive) 1080 else if (NOW < last_activity + ::conf.keepalive)
1081 ts = last_activity + ::conf.keepalive;
951 if (conf->connectmode != conf_node::C_ONDEMAND 1082 else if (conf->connectmode != conf_node::C_ONDEMAND
952 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1083 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1084 {
953 send_ping (&sa); 1085 send_ping (&sa);
954 else 1086 ts = NOW + 5;
1087 }
1088 else
955 reset_connection (); 1089 reset_connection ();
956 1090
957 }
958 }
959} 1091}
960 1092
961void connection::connect_request (int id) 1093void connection::connect_request (int id)
962{ 1094{
963 connect_req_packet *p = new connect_req_packet (conf->id, id); 1095 connect_req_packet *p = new connect_req_packet (conf->id, id);
1000 putenv ("STATE=down"); 1132 putenv ("STATE=down");
1001 1133
1002 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1134 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1003} 1135}
1004 1136
1137connection::connection(struct vpn *vpn_)
1138: vpn(vpn_)
1139, rekey (this, &connection::rekey_cb)
1140, keepalive (this, &connection::keepalive_cb)
1141, establish_connection (this, &connection::establish_connection_cb)
1142{
1143 octx = ictx = 0;
1144 retry_cnt = 0;
1145
1146 connectmode = conf_node::C_ALWAYS; // initial setting
1147 reset_connection ();
1148}
1149
1150connection::~connection ()
1151{
1152 shutdown ();
1153}
1154
1005///////////////////////////////////////////////////////////////////////////// 1155/////////////////////////////////////////////////////////////////////////////
1006
1007vpn::vpn (void)
1008{}
1009 1156
1010const char *vpn::script_if_up () 1157const char *vpn::script_if_up ()
1011{ 1158{
1012 // the tunnel device mtu should be the physical mtu - overhead 1159 // the tunnel device mtu should be the physical mtu - overhead
1013 // the tricky part is rounding to the cipher key blocksize 1160 // the tricky part is rounding to the cipher key blocksize
1064 { 1211 {
1065 int oval = 1; 1212 int oval = 1;
1066 setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval); 1213 setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1067 } 1214 }
1068 1215
1216 udp_ev_watcher.start (socket_fd, POLLIN);
1217
1069 tap = new tap_device (); 1218 tap = new tap_device ();
1070 if (!tap) //D this, of course, never catches 1219 if (!tap) //D this, of course, never catches
1071 { 1220 {
1072 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname); 1221 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1073 exit (1); 1222 exit (1);
1074 } 1223 }
1075 1224
1076 run_script (this, &vpn::script_if_up, true); 1225 run_script (this, &vpn::script_if_up, true);
1226
1227 vpn_ev_watcher.start (tap->fd, POLLIN);
1228
1229 reconnect_all ();
1077 1230
1078 return 0; 1231 return 0;
1079} 1232}
1080 1233
1081void 1234void
1146 // if ((*i)->conf->routerprio) 1299 // if ((*i)->conf->routerprio)
1147 // (*i)->establish_connection (); 1300 // (*i)->establish_connection ();
1148} 1301}
1149 1302
1150void 1303void
1151vpn::main_loop () 1304vpn::udp_ev (short revents)
1152{ 1305{
1153 struct pollfd pollfd[2]; 1306 if (revents & (POLLIN | POLLERR))
1154
1155 pollfd[0].fd = tap->fd;
1156 pollfd[0].events = POLLIN;
1157 pollfd[1].fd = socket_fd;
1158 pollfd[1].events = POLLIN;
1159
1160 events = 0;
1161 now = time (0);
1162 next_timecheck = now + 1;
1163
1164 reconnect_all ();
1165
1166 for (;;)
1167 { 1307 {
1168 int npoll = poll (pollfd, 2, (next_timecheck - now) * 1000); 1308 vpn_packet *pkt = new vpn_packet;
1169 1309 struct sockaddr_in sa;
1170 now = time (0); 1310 socklen_t sa_len = sizeof (sa);
1311 int len;
1171 1312
1313 len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1314
1172 if (npoll > 0) 1315 if (len > 0)
1316 {
1317 pkt->len = len;
1318
1319 unsigned int src = pkt->src ();
1320 unsigned int dst = pkt->dst ();
1321
1322 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1323 (const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1324
1325 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1326 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1327 pkt->typ (), pkt->src (), pkt->dst ());
1328 else if (dst == 0 && !THISNODE->routerprio)
1329 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1330 else if (dst != 0 && dst != THISNODE->id)
1331 slog (L_WARN,
1332 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1333 dst, conns[dst - 1]->conf->nodename,
1334 (const char *)sockinfo (sa),
1335 THISNODE->id, THISNODE->nodename);
1336 else if (src == 0 || src > conns.size ())
1337 slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1338 else
1339 conns[src - 1]->recv_vpn_packet (pkt, &sa);
1173 { 1340 }
1174 if (pollfd[1].revents) 1341 else
1342 {
1343 // probably ECONNRESET or somesuch
1344 slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno));
1345 }
1346
1347 delete pkt;
1348 }
1349 else if (revents & POLLHUP)
1350 {
1351 // this cannot ;) happen on udp sockets
1352 slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating."));
1353 exit (1);
1354 }
1355 else
1356 {
1357 slog (L_ERR,
1358 _("FATAL: unknown revents %08x in socket, terminating\n"),
1359 revents);
1360 exit (1);
1361 }
1362}
1363
1364void
1365vpn::vpn_ev (short revents)
1366{
1367 if (revents & POLLIN)
1368 {
1369 /* process data */
1370 tap_packet *pkt;
1371
1372 pkt = tap->recv ();
1373
1374 int dst = mac2id (pkt->dst);
1375 int src = mac2id (pkt->src);
1376
1377 if (src != THISNODE->id)
1378 {
1379 slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1380 exit (1);
1381 }
1382
1383 if (dst == THISNODE->id)
1384 {
1385 slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1386 exit (1);
1387 }
1388
1389 if (dst > conns.size ())
1390 slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1391 else
1392 {
1393 if (dst)
1175 { 1394 {
1176 if (pollfd[1].revents & (POLLIN | POLLERR)) 1395 // unicast
1177 {
1178 vpn_packet *pkt = new vpn_packet;
1179 struct sockaddr_in sa;
1180 socklen_t sa_len = sizeof (sa);
1181 int len;
1182
1183 len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1184
1185 if (len > 0)
1186 {
1187 pkt->len = len;
1188
1189 unsigned int src = pkt->src ();
1190 unsigned int dst = pkt->dst ();
1191
1192 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1193 (const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1194
1195 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1196 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1197 pkt->typ (), pkt->src (), pkt->dst ());
1198 else if (dst == 0 && !THISNODE->routerprio)
1199 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1200 else if (dst != 0 && dst != THISNODE->id) 1396 if (dst != THISNODE->id)
1201 slog (L_WARN,
1202 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1203 dst, conns[dst - 1]->conf->nodename,
1204 (const char *)sockinfo (sa),
1205 THISNODE->id, THISNODE->nodename);
1206 else if (src == 0 || src > conns.size ())
1207 slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1208 else
1209 conns[src - 1]->recv_vpn_packet (pkt, &sa); 1397 conns[dst - 1]->inject_data_packet (pkt);
1210 }
1211 else
1212 {
1213 // probably ECONNRESET or somesuch
1214 slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno));
1215 }
1216
1217 delete pkt;
1218 } 1398 }
1219 else if (pollfd[1].revents & POLLHUP) 1399 else
1220 { 1400 {
1221 // this cannot ;) happen on udp sockets 1401 // broadcast, first check router, then self, then english
1222 slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating.")); 1402 connection *router = find_router ();
1223 exit (1); 1403
1224 } 1404 if (router)
1405 router->inject_data_packet (pkt, true);
1225 else 1406 else
1226 { 1407 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1227 slog (L_ERR, 1408 if ((*c)->conf != THISNODE)
1228 _("FATAL: unknown revents %08x in socket, terminating\n"), 1409 (*c)->inject_data_packet (pkt);
1229 pollfd[1].revents);
1230 exit (1);
1231 }
1232 } 1410 }
1411 }
1233 1412
1234 // I use else here to give vpn_packets absolute priority 1413 delete pkt;
1235 else if (pollfd[0].revents) 1414 }
1236 {
1237 if (pollfd[0].revents & POLLIN)
1238 {
1239 /* process data */
1240 tap_packet *pkt;
1241
1242 pkt = tap->recv ();
1243
1244 int dst = mac2id (pkt->dst);
1245 int src = mac2id (pkt->src);
1246
1247 if (src != THISNODE->id)
1248 {
1249 slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1250 exit (1);
1251 }
1252
1253 if (dst == THISNODE->id)
1254 {
1255 slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1256 exit (1);
1257 }
1258
1259 if (dst > conns.size ())
1260 slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1261 else
1262 {
1263 if (dst)
1264 {
1265 // unicast
1266 if (dst != THISNODE->id)
1267 conns[dst - 1]->inject_data_packet (pkt);
1268 }
1269 else
1270 {
1271 // broadcast, first check router, then self, then english
1272 connection *router = find_router ();
1273
1274 if (router)
1275 router->inject_data_packet (pkt, true);
1276 else
1277 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1278 if ((*c)->conf != THISNODE)
1279 (*c)->inject_data_packet (pkt);
1280 }
1281 }
1282
1283 delete pkt;
1284 }
1285 else if (pollfd[0].revents & (POLLHUP | POLLERR)) 1415 else if (revents & (POLLHUP | POLLERR))
1286 { 1416 {
1287 slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating.")); 1417 slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
1288 exit (1); 1418 exit (1);
1289 } 1419 }
1290 else 1420 else
1291 abort (); 1421 abort ();
1292 } 1422}
1293 }
1294 1423
1424void
1425vpn::event_cb (tstamp &ts)
1426{
1295 if (events) 1427 if (events)
1296 { 1428 {
1297 if (events & EVENT_SHUTDOWN) 1429 if (events & EVENT_SHUTDOWN)
1298 { 1430 {
1299 shutdown_all (); 1431 shutdown_all ();
1300 1432
1301 remove_pid (pidfilename); 1433 remove_pid (pidfilename);
1302 1434
1303 slog (L_INFO, _("vped terminating")); 1435 slog (L_INFO, _("vped terminating"));
1304 1436
1305 exit (0); 1437 exit (0);
1306 } 1438 }
1307 1439
1308 if (events & EVENT_RECONNECT) 1440 if (events & EVENT_RECONNECT)
1309 reconnect_all (); 1441 reconnect_all ();
1310 1442
1311 events = 0; 1443 events = 0;
1312 }
1313
1314 // very very very dumb and crude and inefficient timer handling, or maybe not?
1315 if (now >= next_timecheck)
1316 {
1317 next_timecheck = now + TIMER_GRANULARITY;
1318
1319 for (conns_vector::iterator c = conns.begin ();
1320 c != conns.end (); ++c)
1321 (*c)->timer ();
1322 }
1323 } 1444 }
1445
1446 ts = TSTAMP_CANCEL;
1447}
1448
1449vpn::vpn (void)
1450: udp_ev_watcher (this, &vpn::udp_ev)
1451, vpn_ev_watcher (this, &vpn::vpn_ev)
1452, event (this, &vpn::event_cb)
1453{
1324} 1454}
1325 1455
1326vpn::~vpn () 1456vpn::~vpn ()
1327{} 1457{
1458}
1328 1459

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines