ViewVC Help

View File | Revision Log | Show Annotations | Download File

/cvs/gvpe/src/protocol.C

Comparing gvpe/src/protocol.C (file contents):
Revision 1.16 by pcg, Tue Mar 25 18:11:58 2003 UTC vs.
Revision 1.25 by pcg, Fri Mar 28 16:21:09 2003 UTC

…		…
58		58
59	static time_t next_timecheck;	59	static time_t next_timecheck;
60		60
61	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic	61	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
62		62
63	static const rsachallenge &
64	challenge_bytes ()
65	{
66	static rsachallenge challenge;
67	static tstamp challenge_ttl; // time this challenge needs to be recreated
68
69	if (NOW > challenge_ttl)
70	{
71	RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));
72	challenge_ttl = NOW + CHALLENGE_TTL;
73	}
74
75	return challenge;
76	}
77
78	// caching of rsa operations really helps slow computers
79	struct rsa_entry {
80	tstamp expire;
81	rsachallenge chg;
82	RSA *key; // which key
83	rsaencrdata encr;
84
85	rsa_entry ()
86	{
87	expire = NOW + CHALLENGE_TTL;
88	}
89	};
90
91	struct rsa_cache : list<rsa_entry>
92	{
93	void cleaner_cb (tstamp &ts); time_watcher cleaner;
94
95	const rsaencrdata *public_encrypt (RSA *key, const rsachallenge &chg)
96	{
97	for (iterator i = begin (); i != end (); ++i)
98	{
99	if (i->key == key && !memcmp (&chg, &i->chg, sizeof chg))
100	return &i->encr;
101	}
102
103	if (cleaner.at < NOW)
104	cleaner.start (NOW + CHALLENGE_TTL);
105
106	resize (size () + 1);
107	rsa_entry *e = &(*rbegin ());
108
109	e->key = key;
110	memcpy (&e->chg, &chg, sizeof chg);
111
112	if (0 > RSA_public_encrypt (sizeof chg,
113	(unsigned char *)&chg, (unsigned char *)&e->encr,
114	key, RSA_PKCS1_OAEP_PADDING))
115	fatal ("RSA_public_encrypt error");
116
117	return &e->encr;
118	}
119
120	const rsachallenge *private_decrypt (RSA *key, const rsaencrdata &encr)
121	{
122	for (iterator i = begin (); i != end (); ++i)
123	if (i->key == key && !memcmp (&encr, &i->encr, sizeof encr))
124	return &i->chg;
125
126	if (cleaner.at < NOW)
127	cleaner.start (NOW + CHALLENGE_TTL);
128
129	resize (size () + 1);
130	rsa_entry *e = &(*rbegin ());
131
132	e->key = key;
133	memcpy (&e->encr, &encr, sizeof encr);
134
135	if (0 > RSA_private_decrypt (sizeof encr,
136	(unsigned char *)&encr, (unsigned char *)&e->chg,
137	key, RSA_PKCS1_OAEP_PADDING))
138	{
139	pop_back ();
140	return 0;
141	}
142
143	return &e->chg;
144	}
145
146	rsa_cache ()
147	: cleaner (this, &rsa_cache::cleaner_cb)
148	{ }
149
150	} rsa_cache;
151
152	void rsa_cache::cleaner_cb (tstamp &ts)
153	{
154	if (empty ())
155	ts = TSTAMP_CANCEL;
156	else
157	{
158	ts = NOW + 3;
159	for (iterator i = begin (); i != end (); )
160	{
161	if (i->expire >= NOW)
162	i = erase (i);
163	else
164	++i;
165	}
166	}
167	}
168
169	// run a script. yes, it's a template function. yes, c++
170	// is not a functional language. yes, this suxx.
171	template<class owner>
172	static void
173	run_script (owner *obj, const char *(owner::*setup)(), bool wait)
174	{
175	int pid;
176
177	if ((pid = fork ()) == 0)
178	{
179	char *filename;
180	asprintf (&filename, "%s/%s", confbase, (obj->*setup) ());
181	execl (filename, filename, (char *) 0);
182	exit (255);
183	}
184	else if (pid > 0)
185	{
186	if (wait)
187	{
188	waitpid (pid, 0, 0);
189	/* TODO: check status */
190	}
191	}
192	}
193
194	// xor the socket address into the challenge to ensure different challenges
195	// per host. we could rely on the OAEP padding, but this doesn't hurt.
196	void
197	xor_sa (rsachallenge &k, SOCKADDR *sa)
198	{
199	((u32 *) k)[(CHG_CIPHER_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
200	((u16 *) k)[(CHG_CIPHER_KEY + 4) / 2] ^= sa->sin_port;
201	((u32 *) k)[(CHG_HMAC_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
202	((u16 *) k)[(CHG_HMAC_KEY + 4) / 2] ^= sa->sin_port;
203	}
204
205	struct crypto_ctx	63	struct crypto_ctx
206	{	64	{
207	EVP_CIPHER_CTX cctx;	65	EVP_CIPHER_CTX cctx;
208	HMAC_CTX hctx;	66	HMAC_CTX hctx;
209		67
…		…
221		79
222	crypto_ctx::~crypto_ctx ()	80	crypto_ctx::~crypto_ctx ()
223	{	81	{
224	EVP_CIPHER_CTX_cleanup (&cctx);	82	EVP_CIPHER_CTX_cleanup (&cctx);
225	HMAC_CTX_cleanup (&hctx);	83	HMAC_CTX_cleanup (&hctx);
		84	}
		85
		86	static void
		87	rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
		88	{
		89	EVP_MD_CTX ctx;
		90
		91	EVP_MD_CTX_init (&ctx);
		92	EVP_DigestInit (&ctx, RSA_HASH);
		93	EVP_DigestUpdate(&ctx, &chg, sizeof chg);
		94	EVP_DigestUpdate(&ctx, &id, sizeof id);
		95	EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
		96	EVP_MD_CTX_cleanup (&ctx);
		97	}
		98
		99	struct rsa_entry {
		100	tstamp expire;
		101	rsaid id;
		102	rsachallenge chg;
		103	};
		104
		105	struct rsa_cache : list<rsa_entry>
		106	{
		107	void cleaner_cb (tstamp &ts); time_watcher cleaner;
		108
		109	bool find (const rsaid &id, rsachallenge &chg)
		110	{
		111	for (iterator i = begin (); i != end (); ++i)
		112	{
		113	if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
		114	{
		115	memcpy (&chg, &i->chg, sizeof chg);
		116
		117	erase (i);
		118	return true;
		119	}
		120	}
		121
		122	if (cleaner.at < NOW)
		123	cleaner.start (NOW + RSA_TTL);
		124
		125	return false;
		126	}
		127
		128	void gen (rsaid &id, rsachallenge &chg)
		129	{
		130	rsa_entry e;
		131
		132	RAND_bytes ((unsigned char *)&id, sizeof id);
		133	RAND_bytes ((unsigned char *)&chg, sizeof chg);
		134
		135	e.expire = NOW + RSA_TTL;
		136	e.id = id;
		137	memcpy (&e.chg, &chg, sizeof chg);
		138
		139	push_back (e);
		140
		141	if (cleaner.at < NOW)
		142	cleaner.start (NOW + RSA_TTL);
		143	}
		144
		145	rsa_cache ()
		146	: cleaner (this, &rsa_cache::cleaner_cb)
		147	{ }
		148
		149	} rsa_cache;
		150
		151	void rsa_cache::cleaner_cb (tstamp &ts)
		152	{
		153	if (empty ())
		154	ts = TSTAMP_CANCEL;
		155	else
		156	{
		157	ts = NOW + RSA_TTL;
		158
		159	for (iterator i = begin (); i != end (); )
		160	if (i->expire <= NOW)
		161	i = erase (i);
		162	else
		163	++i;
		164	}
		165	}
		166
		167	typedef callback<const char *, int> run_script_cb;
		168
		169	// run a shell script (or actually an external program).
		170	static void
		171	run_script (const run_script_cb &cb, bool wait)
		172	{
		173	int pid;
		174
		175	if ((pid = fork ()) == 0)
		176	{
		177	char *filename;
		178	asprintf (&filename, "%s/%s", confbase, cb(0));
		179	execl (filename, filename, (char *) 0);
		180	exit (255);
		181	}
		182	else if (pid > 0)
		183	{
		184	if (wait)
		185	{
		186	waitpid (pid, 0, 0);
		187	/* TODO: check status */
		188	}
		189	}
226	}	190	}
227		191
228	//////////////////////////////////////////////////////////////////////////////	192	//////////////////////////////////////////////////////////////////////////////
229		193
230	void pkt_queue::put (tap_packet *p)	194	void pkt_queue::put (tap_packet *p)
…		…
273	};	237	};
274		238
275	// only do action once every x seconds per host whole allowing bursts.	239	// only do action once every x seconds per host whole allowing bursts.
276	// this implementation ("splay list" ;) is inefficient,	240	// this implementation ("splay list" ;) is inefficient,
277	// but low on resources.	241	// but low on resources.
278	struct net_rate_limiter : private list<net_rateinfo>	242	struct net_rate_limiter : list<net_rateinfo>
279	{	243	{
280	static const double ALPHA = 1. - 1. / 90.; // allow bursts	244	static const double ALPHA = 1. - 1. / 90.; // allow bursts
281	static const double CUTOFF = 20.; // one event every CUTOFF seconds	245	static const double CUTOFF = 20.; // one event every CUTOFF seconds
282	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time	246	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
283		247
		248	bool can (const sockinfo &si) { return can((u32)si.host); }
284	bool can (u32 host);	249	bool can (u32 host);
285	bool can (SOCKADDR *sa) { return can((u32)sa->sin_addr.s_addr); }
286	bool can (sockinfo &si) { return can((u32)si.host); }
287	};	250	};
288		251
289	net_rate_limiter auth_rate_limiter, reset_rate_limiter;	252	net_rate_limiter auth_rate_limiter, reset_rate_limiter;
290		253
291	bool net_rate_limiter::can (u32 host)	254	bool net_rate_limiter::can (u32 host)
…		…
326	bool send = ri.diff / ri.pcnt > CUTOFF;	289	bool send = ri.diff / ri.pcnt > CUTOFF;
327		290
328	if (send)	291	if (send)
329	ri.pcnt++;	292	ri.pcnt++;
330		293
331	//printf ("RATE %d %f,%f = %f > %f\n", !!send, ri.pcnt, ri.diff, ri.diff / ri.pcnt, CUTOFF);
332
333	push_front (ri);	294	push_front (ri);
334		295
335	return send;	296	return send;
336	}	297	}
337	}	298	}
…		…
345	}	306	}
346		307
347	static unsigned char hmac_digest[EVP_MAX_MD_SIZE];	308	static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
348		309
349	struct hmac_packet:net_packet	310	struct hmac_packet:net_packet
		311	{
		312	u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
		313
		314	void hmac_set (crypto_ctx * ctx);
		315	bool hmac_chk (crypto_ctx * ctx);
		316
		317	private:
		318	void hmac_gen (crypto_ctx * ctx)
350	{	319	{
351	u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
352
353	void hmac_set (crypto_ctx * ctx);
354	bool hmac_chk (crypto_ctx * ctx);
355
356	private:
357	void hmac_gen (crypto_ctx * ctx)
358	{
359	unsigned int xlen;	320	unsigned int xlen;
360	HMAC_CTX *hctx = &ctx->hctx;	321	HMAC_CTX *hctx = &ctx->hctx;
361		322
362	HMAC_Init_ex (hctx, 0, 0, 0, 0);	323	HMAC_Init_ex (hctx, 0, 0, 0, 0);
363	HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),	324	HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
364	len - sizeof (hmac_packet));	325	len - sizeof (hmac_packet));
365	HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);	326	HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
366	}
367	};	327	}
		328	};
368		329
369	void	330	void
370	hmac_packet::hmac_set (crypto_ctx * ctx)	331	hmac_packet::hmac_set (crypto_ctx * ctx)
371	{	332	{
372	hmac_gen (ctx);	333	hmac_gen (ctx);
…		…
388	{	349	{
389	PT_RESET = 0,	350	PT_RESET = 0,
390	PT_DATA_UNCOMPRESSED,	351	PT_DATA_UNCOMPRESSED,
391	PT_DATA_COMPRESSED,	352	PT_DATA_COMPRESSED,
392	PT_PING, PT_PONG, // wasting namespace space? ;)	353	PT_PING, PT_PONG, // wasting namespace space? ;)
393	PT_AUTH, // authentification	354	PT_AUTH_REQ, // authentification request
		355	PT_AUTH_RES, // authentification response
394	PT_CONNECT_REQ, // want other host to contact me	356	PT_CONNECT_REQ, // want other host to contact me
395	PT_CONNECT_INFO, // request connection to some node	357	PT_CONNECT_INFO, // request connection to some node
396	PT_REKEY, // rekeying (not yet implemented)
397	PT_MAX	358	PT_MAX
398	};	359	};
399		360
400	u8 type;	361	u8 type;
401	u8 srcdst, src1, dst1;	362	u8 srcdst, src1, dst1;
402		363
403	void set_hdr (ptype type, unsigned int dst);	364	void set_hdr (ptype type, unsigned int dst);
404		365
405	unsigned int src ()	366	unsigned int src () const
406	{	367	{
407	return src1 | ((srcdst >> 4) << 8);	368	return src1 | ((srcdst >> 4) << 8);
408	}	369	}
409		370
410	unsigned int dst ()	371	unsigned int dst () const
411	{	372	{
412	return dst1 | ((srcdst & 0xf) << 8);	373	return dst1 | ((srcdst & 0xf) << 8);
413	}	374	}
414		375
415	ptype typ ()	376	ptype typ () const
416	{	377	{
417	return (ptype) type;	378	return (ptype) type;
418	}	379	}
419	};	380	};
420		381
…		…
539		500
540	#if ENABLE_COMPRESSION	501	#if ENABLE_COMPRESSION
541	if (type == PT_DATA_COMPRESSED)	502	if (type == PT_DATA_COMPRESSED)
542	{	503	{
543	u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];	504	u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
		505
544	p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6;	506	p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
		507	&(*p)[6 + 6], MAX_MTU)
		508	+ 6 + 6;
545	}	509	}
546	else	510	else
547	p->len = outl + (6 + 6 - DATAHDR);	511	p->len = outl + (6 + 6 - DATAHDR);
548	#endif	512	#endif
549		513
550	return p;	514	return p;
551	}	515	}
552		516
553	struct ping_packet : vpn_packet	517	struct ping_packet : vpn_packet
		518	{
		519	void setup (int dst, ptype type)
554	{	520	{
555	void setup (int dst, ptype type)
556	{
557	set_hdr (type, dst);	521	set_hdr (type, dst);
558	len = sizeof (*this) - sizeof (net_packet);	522	len = sizeof (*this) - sizeof (net_packet);
559	}
560	};	523	}
		524	};
561		525
562	struct config_packet : vpn_packet	526	struct config_packet : vpn_packet
		527	{
		528	// actually, hmaclen cannot be checked because the hmac
		529	// field comes before this data, so peers with other
		530	// hmacs simply will not work.
		531	u8 prot_major, prot_minor, randsize, hmaclen;
		532	u8 flags, challengelen, pad2, pad3;
		533	u32 cipher_nid, digest_nid, hmac_nid;
		534
		535	const u8 curflags () const
563	{	536	{
564	// actually, hmaclen cannot be checked because the hmac
565	// field comes before this data, so peers with other
566	// hmacs simply will not work.
567	u8 prot_major, prot_minor, randsize, hmaclen;
568	u8 flags, challengelen, pad2, pad3;
569	u32 cipher_nid;
570	u32 digest_nid;
571
572	const u8 curflags () const
573	{
574	return 0x80	537	return 0x80
575	| (ENABLE_COMPRESSION ? 0x01 : 0x00);	538	| (ENABLE_COMPRESSION ? 0x01 : 0x00);
576	}	539	}
577		540
578	void setup (ptype type, int dst)	541	void setup (ptype type, int dst);
579	{	542	bool chk_config () const;
		543	};
		544
		545	void config_packet::setup (ptype type, int dst)
		546	{
580	prot_major = PROTOCOL_MAJOR;	547	prot_major = PROTOCOL_MAJOR;
581	prot_minor = PROTOCOL_MINOR;	548	prot_minor = PROTOCOL_MINOR;
582	randsize = RAND_SIZE;	549	randsize = RAND_SIZE;
583	hmaclen = HMACLENGTH;	550	hmaclen = HMACLENGTH;
584	flags = curflags ();	551	flags = curflags ();
585	challengelen = sizeof (rsachallenge);	552	challengelen = sizeof (rsachallenge);
586		553
587	cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));	554	cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
588	digest_nid = htonl (EVP_MD_type (DIGEST));	555	digest_nid = htonl (EVP_MD_type (RSA_HASH));
		556	hmac_nid = htonl (EVP_MD_type (DIGEST));
589		557
590	len = sizeof (*this) - sizeof (net_packet);	558	len = sizeof (*this) - sizeof (net_packet);
591	set_hdr (type, dst);	559	set_hdr (type, dst);
592	}	560	}
593		561
594	bool chk_config ()	562	bool config_packet::chk_config () const
595	{	563	{
596	return prot_major == PROTOCOL_MAJOR	564	return prot_major == PROTOCOL_MAJOR
597	&& randsize == RAND_SIZE	565	&& randsize == RAND_SIZE
598	&& hmaclen == HMACLENGTH	566	&& hmaclen == HMACLENGTH
599	&& flags == curflags ()	567	&& flags == curflags ()
600	&& challengelen == sizeof (rsachallenge)	568	&& challengelen == sizeof (rsachallenge)
601	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))	569	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
		570	&& digest_nid == htonl (EVP_MD_type (RSA_HASH))
602	&& digest_nid == htonl (EVP_MD_type (DIGEST));	571	&& hmac_nid == htonl (EVP_MD_type (DIGEST));
603	}	572	}
604	};
605		573
606	struct auth_packet : config_packet	574	struct auth_req_packet : config_packet
		575	{
		576	char magic[8];
		577	u8 initiate; // false if this is just an automatic reply
		578	u8 protocols; // supported protocols (will get patches on forward)
		579	u8 pad2, pad3;
		580	rsaid id;
		581	rsaencrdata encr;
		582
		583	auth_req_packet (int dst, bool initiate_, u8 protocols_)
607	{	584	{
608	char magic[8];
609	u8 subtype;
610	u8 pad1, pad2;
611	rsaencrdata challenge;
612
613	auth_packet (int dst, auth_subtype stype)
614	{
615	config_packet::setup (PT_AUTH, dst);	585	config_packet::setup (PT_AUTH_REQ, dst);
616	subtype = stype;	586	strncpy (magic, MAGIC, 8);
		587	initiate = !!initiate_;
		588	protocols = protocols_;
		589
617	len = sizeof (*this) - sizeof (net_packet);	590	len = sizeof (*this) - sizeof (net_packet);
618	strncpy (magic, MAGIC, 8);
619	}
620	};	591	}
		592	};
		593
		594	struct auth_res_packet : config_packet
		595	{
		596	rsaid id;
		597	u8 pad1, pad2, pad3;
		598	u8 response_len; // encrypted length
		599	rsaresponse response;
		600
		601	auth_res_packet (int dst)
		602	{
		603	config_packet::setup (PT_AUTH_RES, dst);
		604
		605	len = sizeof (*this) - sizeof (net_packet);
		606	}
		607	};
621		608
622	struct connect_req_packet : vpn_packet	609	struct connect_req_packet : vpn_packet
		610	{
		611	u8 id, protocols;
		612	u8 pad1, pad2;
		613
		614	connect_req_packet (int dst, int id_, u8 protocols_)
		615	: id(id_)
		616	, protocols(protocols_)
623	{	617	{
624	u8 id;
625	u8 pad1, pad2, pad3;
626
627	connect_req_packet (int dst, int id)
628	{
629	this->id = id;
630	set_hdr (PT_CONNECT_REQ, dst);	618	set_hdr (PT_CONNECT_REQ, dst);
631	len = sizeof (*this) - sizeof (net_packet);	619	len = sizeof (*this) - sizeof (net_packet);
632	}
633	};	620	}
		621	};
634		622
635	struct connect_info_packet : vpn_packet	623	struct connect_info_packet : vpn_packet
		624	{
		625	u8 id, protocols;
		626	u8 pad1, pad2;
		627	sockinfo si;
		628
		629	connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
		630	: id(id_)
		631	, protocols(protocols_)
		632	, si(si_)
636	{	633	{
637	u8 id;
638	u8 pad1, pad2, pad3;
639	sockinfo si;
640
641	connect_info_packet (int dst, int id, sockinfo &si)
642	{
643	this->id = id;
644	this->si = si;
645	set_hdr (PT_CONNECT_INFO, dst);	634	set_hdr (PT_CONNECT_INFO, dst);
		635
646	len = sizeof (*this) - sizeof (net_packet);	636	len = sizeof (*this) - sizeof (net_packet);
647	}
648	};	637	}
		638	};
649		639
650	/////////////////////////////////////////////////////////////////////////////	640	/////////////////////////////////////////////////////////////////////////////
651		641
652	void	642	void
653	fill_sa (SOCKADDR *sa, conf_node *conf)
654	{
655	sa->sin_family = AF_INET;
656	sa->sin_port = htons (conf->port);
657	sa->sin_addr.s_addr = 0;
658
659	if (conf->hostname)
660	{
661	struct hostent *he = gethostbyname (conf->hostname);
662
663	if (he
664	&& he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
665	{
666	//sa->sin_family = he->h_addrtype;
667	memcpy (&sa->sin_addr, he->h_addr_list[0], 4);
668	}
669	else
670	slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
671	}
672	}
673
674	void
675	connection::reset_dstaddr ()	643	connection::reset_dstaddr ()
676	{	644	{
677	fill_sa (&sa, conf);	645	si.set (conf);
678	}	646	}
679		647
680	void	648	void
681	connection::send_ping (SOCKADDR *dsa, u8 pong)	649	connection::send_ping (const sockinfo &si, u8 pong)
682	{	650	{
683	ping_packet *pkt = new ping_packet;	651	ping_packet *pkt = new ping_packet;
684		652
685	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);	653	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
686	vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY);	654	send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
687		655
688	delete pkt;	656	delete pkt;
689	}	657	}
690		658
691	void	659	void
692	connection::send_reset (SOCKADDR *dsa)	660	connection::send_reset (const sockinfo &si)
693	{	661	{
694	if (reset_rate_limiter.can (dsa) && connectmode != conf_node::C_DISABLED)	662	if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
695	{	663	{
696	config_packet *pkt = new config_packet;	664	config_packet *pkt = new config_packet;
697		665
698	pkt->setup (vpn_packet::PT_RESET, conf->id);	666	pkt->setup (vpn_packet::PT_RESET, conf->id);
699	vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST);	667	send_vpn_packet (pkt, si, IPTOS_MINCOST);
700		668
701	delete pkt;	669	delete pkt;
702	}	670	}
703	}	671	}
704		672
705	static rsachallenge *
706	gen_challenge (u32 seqrand, SOCKADDR *sa)
707	{
708	static rsachallenge k;
709
710	memcpy (&k, &challenge_bytes (), sizeof (k));
711	*(u32 *)&k[CHG_SEQNO] ^= seqrand;
712	xor_sa (k, sa);
713
714	return &k;
715	}
716
717	void	673	void
718	connection::send_auth (auth_subtype subtype, SOCKADDR *sa, const rsachallenge *k)	674	connection::send_auth_request (const sockinfo &si, bool initiate)
719	{	675	{
720	if (subtype == AUTH_REPLY || auth_rate_limiter.can (sa))	676	auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
721	{
722	if (!k)
723	k = gen_challenge (seqrand, sa);
724		677
725	auth_packet *pkt = new auth_packet (conf->id, subtype);	678	protocol = best_protocol (THISNODE->protocols & conf->protocols);
726		679
727	memcpy (pkt->challenge, rsa_cache.public_encrypt (conf->rsa_key, *k), sizeof (rsaencrdata));	680	rsachallenge chg;
728		681
		682	rsa_cache.gen (pkt->id, chg);
		683
		684	if (0 > RSA_public_encrypt (sizeof chg,
		685	(unsigned char *)&chg, (unsigned char *)&pkt->encr,
		686	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
		687	fatal ("RSA_public_encrypt error");
		688
729	slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa));	689	slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
730		690
731	vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY);	691	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
732		692
733	delete pkt;	693	delete pkt;
734	}	694	}
		695
		696	void
		697	connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
		698	{
		699	auth_res_packet *pkt = new auth_res_packet (conf->id);
		700
		701	pkt->id = id;
		702
		703	rsa_hash (id, chg, pkt->response);
		704
		705	pkt->hmac_set (octx);
		706
		707	slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
		708
		709	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
		710
		711	delete pkt;
		712	}
		713
		714	void
		715	connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
		716	{
		717	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
		718	conf->id, rid, (const char *)rsi);
		719
		720	connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
		721
		722	r->hmac_set (octx);
		723	send_vpn_packet (r, si);
		724
		725	delete r;
735	}	726	}
736		727
737	void	728	void
738	connection::establish_connection_cb (tstamp &ts)	729	connection::establish_connection_cb (tstamp &ts)
739	{	730	{
740	if (ictx || conf == THISNODE || connectmode == conf_node::C_NEVER)	731	if (ictx || conf == THISNODE
		732	|| connectmode == conf_node::C_NEVER
		733	|| connectmode == conf_node::C_DISABLED)
741	ts = TSTAMP_CANCEL;	734	ts = TSTAMP_CANCEL;
742	else if (ts <= NOW)	735	else if (ts <= NOW)
743	{	736	{
744	double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.25;	737	double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
745		738
746	if (retry_int < 3600 * 8)	739	if (retry_int < 3600 * 8)
747	retry_cnt++;	740	retry_cnt++;
748		741
749	ts = NOW + retry_int;	742	ts = NOW + retry_int;
750		743
751	if (conf->hostname)	744	if (conf->hostname)
752	{	745	{
753	reset_dstaddr ();	746	reset_dstaddr ();
754	if (sa.sin_addr.s_addr)	747	if (si.host && auth_rate_limiter.can (si))
		748	{
755	if (retry_cnt < 4)	749	if (retry_cnt < 4)
756	send_auth (AUTH_INIT, &sa);	750	send_auth_request (si, true);
757	else if (auth_rate_limiter.can (&sa))	751	else
758	send_ping (&sa, 0);	752	send_ping (si, 0);
		753	}
759	}	754	}
760	else	755	else
761	vpn->connect_request (conf->id);	756	vpn->connect_request (conf->id);
762	}	757	}
763	}	758	}
…		…
765	void	760	void
766	connection::reset_connection ()	761	connection::reset_connection ()
767	{	762	{
768	if (ictx && octx)	763	if (ictx && octx)
769	{	764	{
770	slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename);	765	slog (L_INFO, _("%s(%s): connection lost"),
		766	conf->nodename, (const char *)si);
771		767
772	if (::conf.script_node_down)	768	if (::conf.script_node_down)
773	run_script (this, &connection::script_node_down, false);	769	run_script (run_script_cb (this, &connection::script_node_down), false);
774	}	770	}
775		771
776	delete ictx; ictx = 0;	772	delete ictx; ictx = 0;
777	delete octx; octx = 0;	773	delete octx; octx = 0;
778		774
779	RAND_bytes ((unsigned char *)&seqrand, sizeof (u32));	775	si.host= 0;
780
781	sa.sin_port = 0;
782	sa.sin_addr.s_addr = 0;
783		776
784	last_activity = 0;	777	last_activity = 0;
		778	retry_cnt = 0;
785		779
786	rekey.reset ();	780	rekey.reset ();
787	keepalive.reset ();	781	keepalive.reset ();
788	establish_connection.reset ();	782	establish_connection.reset ();
789	}	783	}
790		784
791	void	785	void
792	connection::shutdown ()	786	connection::shutdown ()
793	{	787	{
794	if (ictx && octx)	788	if (ictx && octx)
795	send_reset (&sa);	789	send_reset (si);
796		790
797	reset_connection ();	791	reset_connection ();
798	}	792	}
799		793
800	void	794	void
…		…
805	reset_connection ();	799	reset_connection ();
806	establish_connection ();	800	establish_connection ();
807	}	801	}
808		802
809	void	803	void
810	connection::send_data_packet (tap_packet * pkt, bool broadcast)	804	connection::send_data_packet (tap_packet *pkt, bool broadcast)
811	{	805	{
812	vpndata_packet *p = new vpndata_packet;	806	vpndata_packet *p = new vpndata_packet;
813	int tos = 0;	807	int tos = 0;
814		808
815	if (conf->inherit_tos	809	if (conf->inherit_tos
816	&& (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP	810	&& (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
817	&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4	811	&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4
818	tos = (*pkt)[15] & IPTOS_TOS_MASK;	812	tos = (*pkt)[15] & IPTOS_TOS_MASK;
819		813
820	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs	814	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
821	vpn->send_vpn_packet (p, &sa, tos);	815	send_vpn_packet (p, si, tos);
822		816
823	delete p;	817	delete p;
824		818
825	if (oseqno > MAX_SEQNO)	819	if (oseqno > MAX_SEQNO)
826	rekey ();	820	rekey ();
…		…
839	establish_connection ();	833	establish_connection ();
840	}	834	}
841	}	835	}
842		836
843	void	837	void
844	connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa)	838	connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
845	{	839	{
846	last_activity = NOW;	840	last_activity = NOW;
847		841
848	slog (L_NOISE, "<<%d received packet type %d from %d to %d",	842	slog (L_NOISE, "<<%d received packet type %d from %d to %d",
849	conf->id, pkt->typ (), pkt->src (), pkt->dst ());	843	conf->id, pkt->typ (), pkt->src (), pkt->dst ());
850		844
851	switch (pkt->typ ())	845	switch (pkt->typ ())
852	{	846	{
853	case vpn_packet::PT_PING:	847	case vpn_packet::PT_PING:
854	// we send pings instead of auth packets after some retries,	848	// we send pings instead of auth packets after some retries,
855	// so reset the retry counter and establish a conenction	849	// so reset the retry counter and establish a connection
856	// when we receive a pong.	850	// when we receive a ping.
857	if (!ictx && !octx)	851	if (!ictx)
858	{	852	{
859	retry_cnt = 0;	853	if (auth_rate_limiter.can (rsi))
860	establish_connection.at = 0;	854	send_auth_request (rsi, true);
861	establish_connection ();
862	}	855	}
863	else	856	else
864	send_ping (ssa, 1); // pong	857	send_ping (rsi, 1); // pong
865		858
866	break;	859	break;
867		860
868	case vpn_packet::PT_PONG:	861	case vpn_packet::PT_PONG:
869	break;	862	break;
…		…
871	case vpn_packet::PT_RESET:	864	case vpn_packet::PT_RESET:
872	{	865	{
873	reset_connection ();	866	reset_connection ();
874		867
875	config_packet *p = (config_packet *) pkt;	868	config_packet *p = (config_packet *) pkt;
		869
876	if (!p->chk_config ())	870	if (!p->chk_config ())
877	{	871	{
878	slog (L_WARN, _("protocol mismatch, disabling node '%s'"), conf->nodename);	872	slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
		873	conf->nodename, (const char *)rsi);
879	connectmode = conf_node::C_DISABLED;	874	connectmode = conf_node::C_DISABLED;
880	}	875	}
881	else if (connectmode == conf_node::C_ALWAYS)	876	else if (connectmode == conf_node::C_ALWAYS)
882	establish_connection ();	877	establish_connection ();
883	}	878	}
884	break;	879	break;
885		880
886	case vpn_packet::PT_AUTH:	881	case vpn_packet::PT_AUTH_REQ:
		882	if (auth_rate_limiter.can (rsi))
		883	{
		884	auth_req_packet *p = (auth_req_packet *) pkt;
		885
		886	slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
		887
		888	if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
		889	{
		890	if (p->prot_minor != PROTOCOL_MINOR)
		891	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
		892	conf->nodename, (const char *)rsi,
		893	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
		894
		895	if (p->initiate)
		896	send_auth_request (rsi, false);
		897
		898	rsachallenge k;
		899
		900	if (0 > RSA_private_decrypt (sizeof (p->encr),
		901	(unsigned char *)&p->encr, (unsigned char *)&k,
		902	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
		903	slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
		904	conf->nodename, (const char *)rsi);
		905	else
		906	{
		907	retry_cnt = 0;
		908	establish_connection.set (NOW + 8); //? ;)
		909	keepalive.reset ();
		910	rekey.reset ();
		911
		912	delete ictx;
		913	ictx = 0;
		914
		915	delete octx;
		916
		917	octx = new crypto_ctx (k, 1);
		918	oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
		919
		920	conf->protocols = p->protocols;
		921	send_auth_response (rsi, p->id, k);
		922
		923	break;
		924	}
		925	}
		926
		927	send_reset (rsi);
		928	}
		929
		930	break;
		931
		932	case vpn_packet::PT_AUTH_RES:
887	{	933	{
888	auth_packet *p = (auth_packet *) pkt;	934	auth_res_packet *p = (auth_res_packet *) pkt;
889		935
890	slog (L_TRACE, "<<%d PT_AUTH(%d)", conf->id, p->subtype);	936	slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
891		937
892	if (p->chk_config ()	938	if (p->chk_config ())
893	&& !strncmp (p->magic, MAGIC, 8))
894	{	939	{
895	if (p->prot_minor != PROTOCOL_MINOR)	940	if (p->prot_minor != PROTOCOL_MINOR)
896	slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."),	941	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
		942	conf->nodename, (const char *)rsi,
897	PROTOCOL_MINOR, conf->nodename, p->prot_minor);	943	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
898		944
899	if (p->subtype == AUTH_INIT)	945	rsachallenge chg;
900	send_auth (AUTH_INITREPLY, ssa);
901		946
902	const rsachallenge *k = rsa_cache.private_decrypt (::conf.rsa_key, p->challenge);	947	if (!rsa_cache.find (p->id, chg))
903		948	slog (L_ERR, _("%s(%s): unrequested auth response"),
904	if (!k)	949	conf->nodename, (const char *)rsi);
		950	else
905	{	951	{
906	slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"),	952	crypto_ctx *cctx = new crypto_ctx (chg, 0);
		953
		954	if (!p->hmac_chk (cctx))
		955	slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
		956	"could be an attack, or just corruption or an synchronization error"),
907	conf->nodename, (const char *)sockinfo (ssa));	957	conf->nodename, (const char *)rsi);
908	send_reset (ssa);
909	break;	958	else
910	}
911
912	retry_cnt = 0;
913	establish_connection.set (NOW + 8); //? ;)
914	keepalive.reset ();
915	rekey.reset ();
916
917	switch (p->subtype)
918	{
919	case AUTH_INIT:
920	case AUTH_INITREPLY:
921	delete ictx;
922	ictx = 0;
923
924	delete octx;
925
926	octx = new crypto_ctx (*k, 1);
927	oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
928
929	send_auth (AUTH_REPLY, ssa, k);
930	break;
931
932	case AUTH_REPLY:
933
934	if (!memcmp ((u8 *)gen_challenge (seqrand, ssa), (u8 *)k, sizeof (rsachallenge)))
935	{	959	{
936	delete ictx;
937
938	ictx = new crypto_ctx (*k, 0);
939	iseqno.reset (ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
940
941	sa = *ssa;	960	rsaresponse h;
942		961
943	rekey.set (NOW + ::conf.rekey);	962	rsa_hash (p->id, chg, h);
944	keepalive.set (NOW + ::conf.keepalive);
945		963
946	// send queued packets	964	if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
947	while (tap_packet *p = queue.get ())
948	{	965	{
		966	prot_minor = p->prot_minor;
		967
		968	delete ictx; ictx = cctx;
		969
		970	iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
		971
		972	si = rsi;
		973
		974	rekey.set (NOW + ::conf.rekey);
		975	keepalive.set (NOW + ::conf.keepalive);
		976
		977	// send queued packets
		978	while (tap_packet *p = queue.get ())
		979	{
949	send_data_packet (p);	980	send_data_packet (p);
950	delete p;	981	delete p;
		982	}
		983
		984	connectmode = conf->connectmode;
		985
		986	slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
		987	conf->nodename, (const char *)rsi,
		988	strprotocol (protocol),
		989	p->prot_major, p->prot_minor);
		990
		991	if (::conf.script_node_up)
		992	run_script (run_script_cb (this, &connection::script_node_up), false);
		993
		994	break;
951	}	995	}
952		996	else
953	connectmode = conf->connectmode;	997	slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
954
955	slog (L_INFO, _("connection to %d (%s %s) established"),
956	conf->id, conf->nodename, (const char *)sockinfo (ssa));	998	conf->nodename, (const char *)rsi);
957
958	if (::conf.script_node_up)
959	run_script (this, &connection::script_node_up, false);
960	}	999	}
		1000
961	else	1001	delete cctx;
962	slog (L_ERR, _("sent and received challenge do not match with (%s %s))"),
963	conf->nodename, (const char *)sockinfo (ssa));
964
965	break;
966	default:
967	slog (L_ERR, _("authentification illegal subtype error (%s %s)"),
968	conf->nodename, (const char *)sockinfo (ssa));
969	break;
970	}	1002	}
971	}	1003	}
972	else
973	send_reset (ssa);
974
975	break;
976	}	1004	}
		1005
		1006	send_reset (rsi);
		1007	break;
977		1008
978	case vpn_packet::PT_DATA_COMPRESSED:	1009	case vpn_packet::PT_DATA_COMPRESSED:
979	#if !ENABLE_COMPRESSION	1010	#if !ENABLE_COMPRESSION
980	send_reset (ssa);	1011	send_reset (rsi);
981	break;	1012	break;
982	#endif	1013	#endif
		1014
983	case vpn_packet::PT_DATA_UNCOMPRESSED:	1015	case vpn_packet::PT_DATA_UNCOMPRESSED:
984		1016
985	if (ictx && octx)	1017	if (ictx && octx)
986	{	1018	{
987	vpndata_packet *p = (vpndata_packet *)pkt;	1019	vpndata_packet *p = (vpndata_packet *)pkt;
988		1020
989	if (*ssa == sa)	1021	if (rsi == si)
990	{	1022	{
991	if (!p->hmac_chk (ictx))	1023	if (!p->hmac_chk (ictx))
992	slog (L_ERR, _("hmac authentication error, received invalid packet\n"	1024	slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
993	"could be an attack, or just corruption or an synchronization error"));	1025	"could be an attack, or just corruption or an synchronization error"),
		1026	conf->nodename, (const char *)rsi);
994	else	1027	else
995	{	1028	{
996	u32 seqno;	1029	u32 seqno;
997	tap_packet *d = p->unpack (this, seqno);	1030	tap_packet *d = p->unpack (this, seqno);
998		1031
…		…
1014	break;	1047	break;
1015	}	1048	}
1016	}	1049	}
1017	}	1050	}
1018	else	1051	else
1019	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D	1052	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
1020	}	1053	}
1021		1054
1022	send_reset (ssa);	1055	send_reset (rsi);
1023	break;	1056	break;
1024		1057
1025	case vpn_packet::PT_CONNECT_REQ:	1058	case vpn_packet::PT_CONNECT_REQ:
1026	if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))	1059	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1027	{	1060	{
1028	connect_req_packet *p = (connect_req_packet *) pkt;	1061	connect_req_packet *p = (connect_req_packet *) pkt;
1029		1062
1030	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything	1063	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1031		1064	conf->protocols = p->protocols;
1032	connection *c = vpn->conns[p->id - 1];	1065	connection *c = vpn->conns[p->id - 1];
1033		1066
1034	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",	1067	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1035	conf->id, p->id, c->ictx && c->octx);	1068	conf->id, p->id, c->ictx && c->octx);
1036		1069
1037	if (c->ictx && c->octx)	1070	if (c->ictx && c->octx)
1038	{	1071	{
1039	// send connect_info packets to both sides, in case one is	1072	// send connect_info packets to both sides, in case one is
1040	// behind a nat firewall (or both ;)	1073	// behind a nat firewall (or both ;)
1041	{	1074	c->send_connect_info (conf->id, si, conf->protocols);
1042	sockinfo si(sa);	1075	send_connect_info (c->conf->id, c->si, c->conf->protocols);
1043
1044	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1045	c->conf->id, conf->id, (const char *)si);
1046
1047	connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si);
1048
1049	r->hmac_set (c->octx);
1050	vpn->send_vpn_packet (r, &c->sa);
1051
1052	delete r;
1053	}
1054
1055	{
1056	sockinfo si(c->sa);
1057
1058	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1059	conf->id, c->conf->id, (const char *)si);
1060
1061	connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si);
1062
1063	r->hmac_set (octx);
1064	vpn->send_vpn_packet (r, &sa);
1065
1066	delete r;
1067	}
1068	}	1076	}
1069	}	1077	}
1070		1078
1071	break;	1079	break;
1072		1080
1073	case vpn_packet::PT_CONNECT_INFO:	1081	case vpn_packet::PT_CONNECT_INFO:
1074	if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))	1082	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1075	{	1083	{
1076	connect_info_packet *p = (connect_info_packet *) pkt;	1084	connect_info_packet *p = (connect_info_packet *) pkt;
1077		1085
1078	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything	1086	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1079		1087	conf->protocols = p->protocols;
1080	connection *c = vpn->conns[p->id - 1];	1088	connection *c = vpn->conns[p->id - 1];
1081		1089
1082	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",	1090	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1083	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);	1091	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1084		1092
1085	c->send_auth (AUTH_INIT, p->si.sa ());	1093	c->send_auth_request (p->si, true);
1086	}	1094	}
		1095
1087	break;	1096	break;
1088		1097
1089	default:	1098	default:
1090	send_reset (ssa);	1099	send_reset (rsi);
1091	break;	1100	break;
		1101
1092	}	1102	}
1093	}	1103	}
1094		1104
1095	void connection::keepalive_cb (tstamp &ts)	1105	void connection::keepalive_cb (tstamp &ts)
1096	{	1106	{
…		…
1100	establish_connection ();	1110	establish_connection ();
1101	}	1111	}
1102	else if (NOW < last_activity + ::conf.keepalive)	1112	else if (NOW < last_activity + ::conf.keepalive)
1103	ts = last_activity + ::conf.keepalive;	1113	ts = last_activity + ::conf.keepalive;
1104	else if (conf->connectmode != conf_node::C_ONDEMAND	1114	else if (conf->connectmode != conf_node::C_ONDEMAND
1105	|| THISNODE->connectmode != conf_node::C_ONDEMAND)	1115	|| THISNODE->connectmode != conf_node::C_ONDEMAND)
1106	{	1116	{
1107	send_ping (&sa);	1117	send_ping (si);
1108	ts = NOW + 5;	1118	ts = NOW + 5;
1109	}	1119	}
1110	else	1120	else
1111	reset_connection ();	1121	reset_connection ();
1112
1113	}	1122	}
1114		1123
1115	void connection::connect_request (int id)	1124	void connection::connect_request (int id)
1116	{	1125	{
1117	connect_req_packet *p = new connect_req_packet (conf->id, id);	1126	connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1118		1127
1119	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);	1128	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1120	p->hmac_set (octx);	1129	p->hmac_set (octx);
1121	vpn->send_vpn_packet (p, &sa);	1130	send_vpn_packet (p, si);
1122		1131
1123	delete p;	1132	delete p;
1124	}	1133	}
1125		1134
1126	void connection::script_node ()	1135	void connection::script_node ()
1127	{	1136	{
1128	vpn->script_if_up ();	1137	vpn->script_if_up (0);
1129		1138
1130	char *env;	1139	char *env;
1131	asprintf (&env, "DESTID=%d", conf->id);	1140	asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1132	putenv (env);
1133	asprintf (&env, "DESTNODE=%s", conf->nodename);	1141	asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1134	putenv (env);	1142	asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1135	asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
1136	putenv (env);
1137	asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port));	1143	asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1138	putenv (env);
1139	}	1144	}
1140		1145
1141	const char *connection::script_node_up ()	1146	const char *connection::script_node_up (int)
1142	{	1147	{
1143	script_node ();	1148	script_node ();
1144		1149
1145	putenv ("STATE=up");	1150	putenv ("STATE=up");
1146		1151
1147	return ::conf.script_node_up ? ::conf.script_node_up : "node-up";	1152	return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1148	}	1153	}
1149		1154
1150	const char *connection::script_node_down ()	1155	const char *connection::script_node_down (int)
1151	{	1156	{
1152	script_node ();	1157	script_node ();
1153		1158
1154	putenv ("STATE=down");	1159	putenv ("STATE=down");
1155		1160
1156	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";	1161	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
		1162	}
		1163
		1164	// send a vpn packet out to other hosts
		1165	void
		1166	connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
		1167	{
		1168	if (protocol & PROT_IPv4)
		1169	vpn->send_ipv4_packet (pkt, si, tos);
		1170	else
		1171	vpn->send_udpv4_packet (pkt, si, tos);
1157	}	1172	}
1158		1173
1159	connection::connection(struct vpn *vpn_)	1174	connection::connection(struct vpn *vpn_)
1160	: vpn(vpn_)	1175	: vpn(vpn_)
1161	, rekey (this, &connection::rekey_cb)	1176	, rekey (this, &connection::rekey_cb)
…		…
1174	shutdown ();	1189	shutdown ();
1175	}	1190	}
1176		1191
1177	/////////////////////////////////////////////////////////////////////////////	1192	/////////////////////////////////////////////////////////////////////////////
1178		1193
1179	const char *vpn::script_if_up ()	1194	const char *vpn::script_if_up (int)
1180	{	1195	{
1181	// the tunnel device mtu should be the physical mtu - overhead	1196	// the tunnel device mtu should be the physical mtu - overhead
1182	// the tricky part is rounding to the cipher key blocksize	1197	// the tricky part is rounding to the cipher key blocksize
1183	int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - UDP_OVERHEAD;	1198	int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
1184	mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion	1199	mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
1185	mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round	1200	mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
1186	mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again	1201	mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
1187		1202
1188	char *env;	1203	char *env;
…		…
1203		1218
1204	return ::conf.script_if_up ? ::conf.script_if_up : "if-up";	1219	return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1205	}	1220	}
1206		1221
1207	int	1222	int
1208	vpn::setup (void)	1223	vpn::setup ()
1209	{	1224	{
1210	struct sockaddr_in sa;	1225	sockinfo si;
1211		1226
		1227	si.set (THISNODE);
		1228
		1229	udpv4_fd = -1;
		1230
		1231	if (THISNODE->protocols & PROT_UDPv4)
		1232	{
1212	socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);	1233	udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1213	if (socket_fd < 0)	1234
		1235	if (udpv4_fd < 0)
1214	return -1;	1236	return -1;
1215		1237
1216	fill_sa (&sa, THISNODE);	1238	if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1217		1239	{
1218	if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1219	{
1220	slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno));	1240	slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1221	exit (1);	1241	exit (1);
1222	}	1242	}
1223		1243
1224	#ifdef IP_MTU_DISCOVER	1244	#ifdef IP_MTU_DISCOVER
1225	// this I really consider a linux bug. I am neither connected	1245	// this I really consider a linux bug. I am neither connected
1226	// nor do I fragment myself. Linux still sets DF and doesn't	1246	// nor do I fragment myself. Linux still sets DF and doesn't
1227	// fragment for me sometimes.	1247	// fragment for me sometimes.
1228	{	1248	{
1229	int oval = IP_PMTUDISC_DONT;	1249	int oval = IP_PMTUDISC_DONT;
1230	setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);	1250	setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1231	}	1251	}
1232	#endif	1252	#endif
1233	{	1253
		1254	// standard daemon practise...
		1255	{
1234	int oval = 1;	1256	int oval = 1;
1235	setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);	1257	setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1236	}	1258	}
1237		1259
1238	udp_ev_watcher.start (socket_fd, POLLIN);	1260	udpv4_ev_watcher.start (udpv4_fd, POLLIN);
		1261	}
		1262
		1263	ipv4_fd = -1;
		1264	if (THISNODE->protocols & PROT_IPv4)
		1265	{
		1266	ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
		1267
		1268	if (ipv4_fd < 0)
		1269	return -1;
		1270
		1271	if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
		1272	{
		1273	slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
		1274	exit (1);
		1275	}
		1276
		1277	#ifdef IP_MTU_DISCOVER
		1278	// this I really consider a linux bug. I am neither connected
		1279	// nor do I fragment myself. Linux still sets DF and doesn't
		1280	// fragment for me sometimes.
		1281	{
		1282	int oval = IP_PMTUDISC_DONT;
		1283	setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
		1284	}
		1285	#endif
		1286
		1287	ipv4_ev_watcher.start (ipv4_fd, POLLIN);
		1288	}
1239		1289
1240	tap = new tap_device ();	1290	tap = new tap_device ();
1241	if (!tap) //D this, of course, never catches	1291	if (!tap) //D this, of course, never catches
1242	{	1292	{
1243	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);	1293	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1244	exit (1);	1294	exit (1);
1245	}	1295	}
1246		1296
1247	run_script (this, &vpn::script_if_up, true);	1297	run_script (run_script_cb (this, &vpn::script_if_up), true);
1248		1298
1249	vpn_ev_watcher.start (tap->fd, POLLIN);	1299	tap_ev_watcher.start (tap->fd, POLLIN);
1250		1300
1251	reconnect_all ();	1301	reconnect_all ();
1252		1302
1253	return 0;	1303	return 0;
1254	}	1304	}
1255		1305
1256	void	1306	void
1257	vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos)	1307	vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1258	{	1308	{
1259	setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos);	1309	setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1260	sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa));	1310	sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1261	}	1311	}
1262		1312
1263	void	1313	void
1264	vpn::shutdown_all ()	1314	vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1265	{	1315	{
1266	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	1316	setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1267	(*c)->shutdown ();	1317	sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1268	}	1318	}
1269		1319
1270	void	1320	void
1271	vpn::reconnect_all ()	1321	vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1272	{	1322	{
1273	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	1323	unsigned int src = pkt->src ();
1274	delete *c;	1324	unsigned int dst = pkt->dst ();
1275		1325
1276	conns.clear ();	1326	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
		1327	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1277		1328
1278	for (configuration::node_vector::iterator i = conf.nodes.begin ();	1329	if (src == 0 || src > conns.size ()
1279	i != conf.nodes.end (); ++i)	1330	|| dst > conns.size ()
1280	{	1331	|| pkt->typ () >= vpn_packet::PT_MAX)
1281	connection *conn = new connection (this);	1332	slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)"),
1282		1333	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
1283	conn->conf = *i;	1334	else
1284	conns.push_back (conn);
1285
1286	conn->establish_connection ();
1287	}	1335	{
1288	}	1336	connection *c = conns[src - 1];
1289		1337
1290	connection *vpn::find_router ()	1338	if (dst == 0 && !THISNODE->routerprio)
1291	{	1339	slog (L_WARN, _("%s(%s): received broadcast, but we are no router"),
1292	u32 prio = 0;	1340	c->conf->nodename, (const char *)rsi);
1293	connection *router = 0;	1341	else if (dst != 0 && dst != THISNODE->id)
1294		1342	// FORWARDING NEEDED ;)
1295	for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)	1343	slog (L_WARN,
		1344	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
		1345	dst, conns[dst - 1]->conf->nodename,
		1346	(const char *)rsi,
		1347	THISNODE->id, THISNODE->nodename);
		1348	else
		1349	c->recv_vpn_packet (pkt, rsi);
1296	{	1350	}
1297	connection *c = *i;
1298
1299	if (c->conf->routerprio > prio
1300	&& c->connectmode == conf_node::C_ALWAYS
1301	&& c->conf != THISNODE
1302	&& c->ictx && c->octx)
1303	{
1304	prio = c->conf->routerprio;
1305	router = c;
1306	}
1307	}
1308
1309	return router;
1310	}	1351	}
1311		1352
1312	void vpn::connect_request (int id)
1313	{
1314	connection *c = find_router ();
1315
1316	if (c)
1317	c->connect_request (id);
1318	//else // does not work, because all others must connect to the same router
1319	// // no router found, aggressively connect to all routers
1320	// for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1321	// if ((*i)->conf->routerprio)
1322	// (*i)->establish_connection ();
1323	}
1324
1325	void	1353	void
1326	vpn::udp_ev (short revents)	1354	vpn::udpv4_ev (short revents)
1327	{	1355	{
1328	if (revents & (POLLIN | POLLERR))	1356	if (revents & (POLLIN | POLLERR))
1329	{	1357	{
1330	vpn_packet *pkt = new vpn_packet;	1358	vpn_packet *pkt = new vpn_packet;
1331	struct sockaddr_in sa;	1359	struct sockaddr_in sa;
1332	socklen_t sa_len = sizeof (sa);	1360	socklen_t sa_len = sizeof (sa);
1333	int len;	1361	int len;
1334		1362
1335	len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);	1363	len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
		1364
		1365	sockinfo si(sa);
1336		1366
1337	if (len > 0)	1367	if (len > 0)
1338	{	1368	{
1339	pkt->len = len;	1369	pkt->len = len;
1340		1370
1341	unsigned int src = pkt->src ();
1342	unsigned int dst = pkt->dst ();
1343
1344	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1345	(const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1346
1347	if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1348	slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1349	pkt->typ (), pkt->src (), pkt->dst ());
1350	else if (dst == 0 && !THISNODE->routerprio)
1351	slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1352	else if (dst != 0 && dst != THISNODE->id)
1353	slog (L_WARN,
1354	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1355	dst, conns[dst - 1]->conf->nodename,
1356	(const char *)sockinfo (sa),
1357	THISNODE->id, THISNODE->nodename);
1358	else if (src == 0 || src > conns.size ())
1359	slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1360	else
1361	conns[src - 1]->recv_vpn_packet (pkt, &sa);	1371	recv_vpn_packet (pkt, si);
1362	}	1372	}
1363	else	1373	else
1364	{	1374	{
1365	// probably ECONNRESET or somesuch	1375	// probably ECONNRESET or somesuch
1366	slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno));	1376	slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1367	}	1377	}
1368		1378
1369	delete pkt;	1379	delete pkt;
1370	}	1380	}
1371	else if (revents & POLLHUP)	1381	else if (revents & POLLHUP)
1372	{	1382	{
1373	// this cannot ;) happen on udp sockets	1383	// this cannot ;) happen on udp sockets
1374	slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating."));	1384	slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
1375	exit (1);	1385	exit (1);
1376	}	1386	}
1377	else	1387	else
1378	{	1388	{
1379	slog (L_ERR,	1389	slog (L_ERR,
…		…
1382	exit (1);	1392	exit (1);
1383	}	1393	}
1384	}	1394	}
1385		1395
1386	void	1396	void
		1397	vpn::ipv4_ev (short revents)
		1398	{
		1399	if (revents & (POLLIN | POLLERR))
		1400	{
		1401	vpn_packet *pkt = new vpn_packet;
		1402	struct sockaddr_in sa;
		1403	socklen_t sa_len = sizeof (sa);
		1404	int len;
		1405
		1406	len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
		1407
		1408	sockinfo si(sa, PROT_IPv4);
		1409
		1410	if (len > 0)
		1411	{
		1412	pkt->len = len;
		1413
		1414	// raw sockets deliver the ipv4, but don't expect it on sends
		1415	// this is slow, but...
		1416	pkt->skip_hdr (IP_OVERHEAD);
		1417
		1418	recv_vpn_packet (pkt, si);
		1419	}
		1420	else
		1421	{
		1422	// probably ECONNRESET or somesuch
		1423	slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
		1424	}
		1425
		1426	delete pkt;
		1427	}
		1428	else if (revents & POLLHUP)
		1429	{
		1430	// this cannot ;) happen on udp sockets
		1431	slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
		1432	exit (1);
		1433	}
		1434	else
		1435	{
		1436	slog (L_ERR,
		1437	_("FATAL: unknown revents %08x in socket, terminating\n"),
		1438	revents);
		1439	exit (1);
		1440	}
		1441	}
		1442
		1443	void
1387	vpn::vpn_ev (short revents)	1444	vpn::tap_ev (short revents)
1388	{	1445	{
1389	if (revents & POLLIN)	1446	if (revents & POLLIN)
1390	{	1447	{
1391	/* process data */	1448	/* process data */
1392	tap_packet *pkt;	1449	tap_packet *pkt;
…		…
1448	{	1505	{
1449	if (events)	1506	if (events)
1450	{	1507	{
1451	if (events & EVENT_SHUTDOWN)	1508	if (events & EVENT_SHUTDOWN)
1452	{	1509	{
		1510	slog (L_INFO, _("preparing shutdown..."));
		1511
1453	shutdown_all ();	1512	shutdown_all ();
1454		1513
1455	remove_pid (pidfilename);	1514	remove_pid (pidfilename);
1456		1515
1457	slog (L_INFO, _("vped terminating"));	1516	slog (L_INFO, _("terminating"));
1458		1517
1459	exit (0);	1518	exit (0);
1460	}	1519	}
1461		1520
1462	if (events & EVENT_RECONNECT)	1521	if (events & EVENT_RECONNECT)
		1522	{
		1523	slog (L_INFO, _("forced reconnect"));
		1524
1463	reconnect_all ();	1525	reconnect_all ();
		1526	}
1464		1527
1465	events = 0;	1528	events = 0;
1466	}	1529	}
1467		1530
1468	ts = TSTAMP_CANCEL;	1531	ts = TSTAMP_CANCEL;
1469	}	1532	}
1470		1533
1471	#include <sys/time.h>//D	1534	void
		1535	vpn::shutdown_all ()
		1536	{
		1537	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
		1538	(*c)->shutdown ();
		1539	}
		1540
		1541	void
		1542	vpn::reconnect_all ()
		1543	{
		1544	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
		1545	delete *c;
		1546
		1547	conns.clear ();
		1548
		1549	auth_rate_limiter.clear ();
		1550	reset_rate_limiter.clear ();
		1551
		1552	for (configuration::node_vector::iterator i = conf.nodes.begin ();
		1553	i != conf.nodes.end (); ++i)
		1554	{
		1555	connection *conn = new connection (this);
		1556
		1557	conn->conf = *i;
		1558	conns.push_back (conn);
		1559
		1560	conn->establish_connection ();
		1561	}
		1562	}
		1563
		1564	connection *vpn::find_router ()
		1565	{
		1566	u32 prio = 0;
		1567	connection *router = 0;
		1568
		1569	for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
		1570	{
		1571	connection *c = *i;
		1572
		1573	if (c->conf->routerprio > prio
		1574	&& c->connectmode == conf_node::C_ALWAYS
		1575	&& c->conf != THISNODE
		1576	&& c->ictx && c->octx)
		1577	{
		1578	prio = c->conf->routerprio;
		1579	router = c;
		1580	}
		1581	}
		1582
		1583	return router;
		1584	}
		1585
		1586	void vpn::connect_request (int id)
		1587	{
		1588	connection *c = find_router ();
		1589
		1590	if (c)
		1591	c->connect_request (id);
		1592	//else // does not work, because all others must connect to the same router
		1593	// // no router found, aggressively connect to all routers
		1594	// for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
		1595	// if ((*i)->conf->routerprio)
		1596	// (*i)->establish_connection ();
		1597	}
		1598
		1599	void
		1600	connection::dump_status ()
		1601	{
		1602	slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
		1603	slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
		1604	connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
		1605	slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
		1606	(long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
		1607	slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
		1608	(long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
		1609	}
		1610
		1611	void
		1612	vpn::dump_status ()
		1613	{
		1614	slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
		1615
		1616	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
		1617	(*c)->dump_status ();
		1618
		1619	slog (L_NOTICE, _("END status dump"));
		1620	}
		1621
1472	vpn::vpn (void)	1622	vpn::vpn (void)
1473	: udp_ev_watcher (this, &vpn::udp_ev)	1623	: udpv4_ev_watcher(this, &vpn::udpv4_ev)
		1624	, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1474	, vpn_ev_watcher (this, &vpn::vpn_ev)	1625	, tap_ev_watcher(this, &vpn::tap_ev)
1475	, event (this, &vpn::event_cb)	1626	, event(this, &vpn::event_cb)
1476	{	1627	{
1477	}	1628	}
1478		1629
1479	vpn::~vpn ()	1630	vpn::~vpn ()
1480	{	1631	{

Diff Legend

–	Removed lines
+	Added lines
<	Changed lines
>	Changed lines