[ViewVC] Diff of: cvs/gvpe/src/protocol.C

Comparing gvpe/src/protocol.C (file contents):
Revision 1.18 by pcg, Wed Mar 26 02:15:38 2003 UTC vs.
Revision 1.23 by pcg, Fri Mar 28 05:40:54 2003 UTC

…		…
58		58
59	static time_t next_timecheck;	59	static time_t next_timecheck;
60		60
61	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic	61	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
62		62
		63	static u8
		64	best_protocol (u8 protset)
		65	{
		66	if (protset & PROT_IPv4)
		67	return PROT_IPv4;
		68
		69	return PROT_UDPv4;
		70	}
		71
63	struct crypto_ctx	72	struct crypto_ctx
64	{	73	{
65	EVP_CIPHER_CTX cctx;	74	EVP_CIPHER_CTX cctx;
66	HMAC_CTX hctx;	75	HMAC_CTX hctx;
67		76
…		…
82	EVP_CIPHER_CTX_cleanup (&cctx);	91	EVP_CIPHER_CTX_cleanup (&cctx);
83	HMAC_CTX_cleanup (&hctx);	92	HMAC_CTX_cleanup (&hctx);
84	}	93	}
85		94
86	static void	95	static void
87	rsa_hash (const rsachallenge &chg, rsaresponse &h)	96	rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
88	{	97	{
89	EVP_MD_CTX ctx;	98	EVP_MD_CTX ctx;
90		99
91	EVP_MD_CTX_init (&ctx);	100	EVP_MD_CTX_init (&ctx);
92	EVP_DigestInit (&ctx, RSA_HASH);	101	EVP_DigestInit (&ctx, RSA_HASH);
93	EVP_DigestUpdate(&ctx, &chg, sizeof chg);	102	EVP_DigestUpdate(&ctx, &chg, sizeof chg);
		103	EVP_DigestUpdate(&ctx, &id, sizeof id);
94	EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);	104	EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
95	EVP_MD_CTX_cleanup (&ctx);	105	EVP_MD_CTX_cleanup (&ctx);
96	}	106	}
97		107
98	struct rsa_entry {	108	struct rsa_entry {
…		…
236	};	246	};
237		247
238	// only do action once every x seconds per host whole allowing bursts.	248	// only do action once every x seconds per host whole allowing bursts.
239	// this implementation ("splay list" ;) is inefficient,	249	// this implementation ("splay list" ;) is inefficient,
240	// but low on resources.	250	// but low on resources.
241	struct net_rate_limiter : private list<net_rateinfo>	251	struct net_rate_limiter : list<net_rateinfo>
242	{	252	{
243	static const double ALPHA = 1. - 1. / 90.; // allow bursts	253	static const double ALPHA = 1. - 1. / 90.; // allow bursts
244	static const double CUTOFF = 20.; // one event every CUTOFF seconds	254	static const double CUTOFF = 20.; // one event every CUTOFF seconds
245	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time	255	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
246		256
		257	bool can (const sockinfo &si) { return can((u32)si.host); }
247	bool can (u32 host);	258	bool can (u32 host);
248	bool can (SOCKADDR *sa) { return can((u32)sa->sin_addr.s_addr); }
249	bool can (sockinfo &si) { return can((u32)si.host); }
250	};	259	};
251		260
252	net_rate_limiter auth_rate_limiter, reset_rate_limiter;	261	net_rate_limiter auth_rate_limiter, reset_rate_limiter;
253		262
254	bool net_rate_limiter::can (u32 host)	263	bool net_rate_limiter::can (u32 host)
…		…
361	u8 type;	370	u8 type;
362	u8 srcdst, src1, dst1;	371	u8 srcdst, src1, dst1;
363		372
364	void set_hdr (ptype type, unsigned int dst);	373	void set_hdr (ptype type, unsigned int dst);
365		374
366	unsigned int src ()	375	unsigned int src () const
367	{	376	{
368	return src1 \| ((srcdst >> 4) << 8);	377	return src1 \| ((srcdst >> 4) << 8);
369	}	378	}
370		379
371	unsigned int dst ()	380	unsigned int dst () const
372	{	381	{
373	return dst1 \| ((srcdst & 0xf) << 8);	382	return dst1 \| ((srcdst & 0xf) << 8);
374	}	383	}
375		384
376	ptype typ ()	385	ptype typ () const
377	{	386	{
378	return (ptype) type;	387	return (ptype) type;
379	}	388	}
380	};	389	};
381		390
…		…
500		509
501	#if ENABLE_COMPRESSION	510	#if ENABLE_COMPRESSION
502	if (type == PT_DATA_COMPRESSED)	511	if (type == PT_DATA_COMPRESSED)
503	{	512	{
504	u32 cl = (d[DATAHDR] << 8) \| d[DATAHDR + 1];	513	u32 cl = (d[DATAHDR] << 8) \| d[DATAHDR + 1];
		514
505	p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6;	515	p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
		516	&(*p)[6 + 6], MAX_MTU)
		517	+ 6 + 6;
506	}	518	}
507	else	519	else
508	p->len = outl + (6 + 6 - DATAHDR);	520	p->len = outl + (6 + 6 - DATAHDR);
509	#endif	521	#endif
510		522
…		…
533	{	545	{
534	return 0x80	546	return 0x80
535	\| (ENABLE_COMPRESSION ? 0x01 : 0x00);	547	\| (ENABLE_COMPRESSION ? 0x01 : 0x00);
536	}	548	}
537		549
538	void setup (ptype type, int dst)	550	void setup (ptype type, int dst);
539	{
540	prot_major = PROTOCOL_MAJOR;
541	prot_minor = PROTOCOL_MINOR;
542	randsize = RAND_SIZE;
543	hmaclen = HMACLENGTH;
544	flags = curflags ();
545	challengelen = sizeof (rsachallenge);
546
547	cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
548	digest_nid = htonl (EVP_MD_type (RSA_HASH));
549	hmac_nid = htonl (EVP_MD_type (DIGEST));
550
551	len = sizeof (*this) - sizeof (net_packet);
552	set_hdr (type, dst);
553	}
554
555	bool chk_config ()	551	bool chk_config () const;
556	{
557	return prot_major == PROTOCOL_MAJOR
558	&& randsize == RAND_SIZE
559	&& hmaclen == HMACLENGTH
560	&& flags == curflags ()
561	&& challengelen == sizeof (rsachallenge)
562	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
563	&& digest_nid == htonl (EVP_MD_type (RSA_HASH))
564	&& hmac_nid == htonl (EVP_MD_type (DIGEST));
565	}
566	};	552	};
567		553
		554	void config_packet::setup (ptype type, int dst)
		555	{
		556	prot_major = PROTOCOL_MAJOR;
		557	prot_minor = PROTOCOL_MINOR;
		558	randsize = RAND_SIZE;
		559	hmaclen = HMACLENGTH;
		560	flags = curflags ();
		561	challengelen = sizeof (rsachallenge);
		562
		563	cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
		564	digest_nid = htonl (EVP_MD_type (RSA_HASH));
		565	hmac_nid = htonl (EVP_MD_type (DIGEST));
		566
		567	len = sizeof (*this) - sizeof (net_packet);
		568	set_hdr (type, dst);
		569	}
		570
		571	bool config_packet::chk_config () const
		572	{
		573	return prot_major == PROTOCOL_MAJOR
		574	&& randsize == RAND_SIZE
		575	&& hmaclen == HMACLENGTH
		576	&& flags == curflags ()
		577	&& challengelen == sizeof (rsachallenge)
		578	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
		579	&& digest_nid == htonl (EVP_MD_type (RSA_HASH))
		580	&& hmac_nid == htonl (EVP_MD_type (DIGEST));
		581	}
		582
568	struct auth_req_packet : config_packet	583	struct auth_req_packet : config_packet
569	{	584	{
570	char magic[8];	585	char magic[8];
571	u8 initiate; // false if this is just an automatic reply	586	u8 initiate, can_recv; // false if this is just an automatic reply
572	u8 pad1, pad2, pad3;	587	u8 pad2, pad3;
573	rsaid id;	588	rsaid id;
574	rsaencrdata encr;	589	rsaencrdata encr;
575		590
576	auth_req_packet (int dst, bool initiate_)	591	auth_req_packet (int dst, bool initiate_, u8 can_recv_)
577	{	592	{
578	config_packet::setup (PT_AUTH_REQ, dst);	593	config_packet::setup (PT_AUTH_REQ, dst);
		594	strncpy (magic, MAGIC, 8);
579	initiate = !!initiate_;	595	initiate = !!initiate_;
580	strncpy (magic, MAGIC, 8);	596	can_recv = can_recv_;
		597
581	len = sizeof (*this) - sizeof (net_packet);	598	len = sizeof (*this) - sizeof (net_packet);
582	}	599	}
583	};	600	};
584		601
585	struct auth_res_packet : config_packet	602	struct auth_res_packet : config_packet
586	{	603	{
587	rsaid id;	604	rsaid id;
		605	u8 pad1, pad2, pad3;
		606	u8 response_len; // encrypted length
588	rsaresponse response;	607	rsaresponse response;
589		608
590	auth_res_packet (int dst)	609	auth_res_packet (int dst)
591	{	610	{
592	config_packet::setup (PT_AUTH_RES, dst);	611	config_packet::setup (PT_AUTH_RES, dst);
		612
593	len = sizeof (*this) - sizeof (net_packet);	613	len = sizeof (*this) - sizeof (net_packet);
594	}	614	}
595	};	615	};
596		616
597	struct connect_req_packet : vpn_packet	617	struct connect_req_packet : vpn_packet
…		…
607	}	627	}
608	};	628	};
609		629
610	struct connect_info_packet : vpn_packet	630	struct connect_info_packet : vpn_packet
611	{	631	{
612	u8 id;	632	u8 id, can_recv;
613	u8 pad1, pad2, pad3;	633	u8 pad1, pad2;
614	sockinfo si;	634	sockinfo si;
615		635
616	connect_info_packet (int dst, int id_, sockinfo &si_)	636	connect_info_packet (int dst, int id_, sockinfo &si_, u8 can_recv_)
617	{	637	{
618	id = id_;	638	id = id_;
		639	can_recv = can_recv_;
619	si = si_;	640	si = si_;
620	set_hdr (PT_CONNECT_INFO, dst);	641	set_hdr (PT_CONNECT_INFO, dst);
		642
621	len = sizeof (*this) - sizeof (net_packet);	643	len = sizeof (*this) - sizeof (net_packet);
622	}	644	}
623	};	645	};
624		646
625	/////////////////////////////////////////////////////////////////////////////	647	/////////////////////////////////////////////////////////////////////////////
626		648
627	void	649	void
628	fill_sa (SOCKADDR sa, conf_node conf)
629	{
630	sa->sin_family = AF_INET;
631	sa->sin_port = htons (conf->port);
632	sa->sin_addr.s_addr = 0;
633
634	if (conf->hostname)
635	{
636	struct hostent *he = gethostbyname (conf->hostname);
637
638	if (he
639	&& he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
640	{
641	//sa->sin_family = he->h_addrtype;
642	memcpy (&sa->sin_addr, he->h_addr_list[0], 4);
643	}
644	else
645	slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
646	}
647	}
648
649	void
650	connection::reset_dstaddr ()	650	connection::reset_dstaddr ()
651	{	651	{
652	fill_sa (&sa, conf);	652	si.set (conf);
653	}	653	}
654		654
655	void	655	void
656	connection::send_ping (SOCKADDR *dsa, u8 pong)	656	connection::send_ping (const sockinfo &si, u8 pong)
657	{	657	{
658	ping_packet *pkt = new ping_packet;	658	ping_packet *pkt = new ping_packet;
659		659
660	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);	660	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
661	vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY);	661	send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
662		662
663	delete pkt;	663	delete pkt;
664	}	664	}
665		665
666	void	666	void
667	connection::send_reset (SOCKADDR *dsa)	667	connection::send_reset (const sockinfo &si)
668	{	668	{
669	if (reset_rate_limiter.can (dsa) && connectmode != conf_node::C_DISABLED)	669	if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
670	{	670	{
671	config_packet *pkt = new config_packet;	671	config_packet *pkt = new config_packet;
672		672
673	pkt->setup (vpn_packet::PT_RESET, conf->id);	673	pkt->setup (vpn_packet::PT_RESET, conf->id);
674	vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST);	674	send_vpn_packet (pkt, si, IPTOS_MINCOST);
675		675
676	delete pkt;	676	delete pkt;
677	}	677	}
678	}	678	}
679		679
680	void	680	void
681	connection::send_auth_request (SOCKADDR *sa, bool initiate)	681	connection::send_auth_request (const sockinfo &si, bool initiate)
682	{	682	{
683	if (auth_rate_limiter.can (sa))
684	{
685	auth_req_packet *pkt = new auth_req_packet (conf->id, initiate);	683	auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->can_recv);
686		684
		685	// the next line is very conservative
		686	prot_send = best_protocol (THISNODE->can_send & THISNODE->can_recv & conf->can_recv);
		687
687	rsachallenge chg;	688	rsachallenge chg;
688		689
689	rsa_cache.gen (pkt->id, chg);	690	rsa_cache.gen (pkt->id, chg);
690		691
691	if (0 > RSA_public_encrypt (sizeof chg,	692	if (0 > RSA_public_encrypt (sizeof chg,
692	(unsigned char )&chg, (unsigned char )&pkt->encr,	693	(unsigned char )&chg, (unsigned char )&pkt->encr,
693	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))	694	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
694	fatal ("RSA_public_encrypt error");	695	fatal ("RSA_public_encrypt error");
695		696
696	slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)sockinfo (sa));	697	slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
697		698
698	vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); // rsa is very very costly	699	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
699		700
700	delete pkt;	701	delete pkt;
701	}
702	}	702	}
703		703
704	void	704	void
705	connection::send_auth_response (SOCKADDR *sa, const rsaid &id, const rsachallenge &chg)	705	connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
706	{	706	{
707	if (auth_rate_limiter.can (sa))
708	{
709	auth_res_packet *pkt = new auth_res_packet (conf->id);	707	auth_res_packet *pkt = new auth_res_packet (conf->id);
710		708
711	pkt->id = id;	709	pkt->id = id;
		710
712	rsa_hash (chg, pkt->response);	711	rsa_hash (id, chg, pkt->response);
713		712
		713	pkt->hmac_set (octx);
		714
714	slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)sockinfo (sa));	715	slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
715		716
716	vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); // rsa is very very costly	717	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
717		718
718	delete pkt;	719	delete pkt;
719	}
720	}	720	}
721		721
722	void	722	void
723	connection::establish_connection_cb (tstamp &ts)	723	connection::establish_connection_cb (tstamp &ts)
724	{	724	{
…		…
736	ts = NOW + retry_int;	736	ts = NOW + retry_int;
737		737
738	if (conf->hostname)	738	if (conf->hostname)
739	{	739	{
740	reset_dstaddr ();	740	reset_dstaddr ();
741	if (sa.sin_addr.s_addr)	741	if (si.host && auth_rate_limiter.can (si))
		742	{
742	if (retry_cnt < 4)	743	if (retry_cnt < 4)
743	send_auth_request (&sa, true);	744	send_auth_request (si, true);
744	else if (auth_rate_limiter.can (&sa))	745	else
745	send_ping (&sa, 0);	746	send_ping (si, 0);
		747	}
746	}	748	}
747	else	749	else
748	vpn->connect_request (conf->id);	750	vpn->connect_request (conf->id);
749	}	751	}
750	}	752	}
…		…
752	void	754	void
753	connection::reset_connection ()	755	connection::reset_connection ()
754	{	756	{
755	if (ictx && octx)	757	if (ictx && octx)
756	{	758	{
757	slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename);	759	slog (L_INFO, _("%s(%s): connection lost"),
		760	conf->nodename, (const char *)si);
758		761
759	if (::conf.script_node_down)	762	if (::conf.script_node_down)
760	run_script (run_script_cb (this, &connection::script_node_down), false);	763	run_script (run_script_cb (this, &connection::script_node_down), false);
761	}	764	}
762		765
763	delete ictx; ictx = 0;	766	delete ictx; ictx = 0;
764	delete octx; octx = 0;	767	delete octx; octx = 0;
765		768
766	sa.sin_port = 0;	769	si.host= 0;
767	sa.sin_addr.s_addr = 0;
768		770
769	last_activity = 0;	771	last_activity = 0;
		772	retry_cnt = 0;
770		773
771	rekey.reset ();	774	rekey.reset ();
772	keepalive.reset ();	775	keepalive.reset ();
773	establish_connection.reset ();	776	establish_connection.reset ();
774	}	777	}
775		778
776	void	779	void
777	connection::shutdown ()	780	connection::shutdown ()
778	{	781	{
779	if (ictx && octx)	782	if (ictx && octx)
780	send_reset (&sa);	783	send_reset (si);
781		784
782	reset_connection ();	785	reset_connection ();
783	}	786	}
784		787
785	void	788	void
…		…
790	reset_connection ();	793	reset_connection ();
791	establish_connection ();	794	establish_connection ();
792	}	795	}
793		796
794	void	797	void
795	connection::send_data_packet (tap_packet * pkt, bool broadcast)	798	connection::send_data_packet (tap_packet *pkt, bool broadcast)
796	{	799	{
797	vpndata_packet *p = new vpndata_packet;	800	vpndata_packet *p = new vpndata_packet;
798	int tos = 0;	801	int tos = 0;
799		802
800	if (conf->inherit_tos	803	if (conf->inherit_tos
801	&& (pkt)[12] == 0x08 && (pkt)[13] == 0x00 // IP	804	&& (pkt)[12] == 0x08 && (pkt)[13] == 0x00 // IP
802	&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4	805	&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4
803	tos = (*pkt)[15] & IPTOS_TOS_MASK;	806	tos = (*pkt)[15] & IPTOS_TOS_MASK;
804		807
805	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs	808	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
806	vpn->send_vpn_packet (p, &sa, tos);	809	send_vpn_packet (p, si, tos);
807		810
808	delete p;	811	delete p;
809		812
810	if (oseqno > MAX_SEQNO)	813	if (oseqno > MAX_SEQNO)
811	rekey ();	814	rekey ();
…		…
824	establish_connection ();	827	establish_connection ();
825	}	828	}
826	}	829	}
827		830
828	void	831	void
829	connection::recv_vpn_packet (vpn_packet pkt, SOCKADDR ssa)	832	connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
830	{	833	{
831	last_activity = NOW;	834	last_activity = NOW;
832		835
833	slog (L_NOISE, "<<%d received packet type %d from %d to %d",	836	slog (L_NOISE, "<<%d received packet type %d from %d to %d",
834	conf->id, pkt->typ (), pkt->src (), pkt->dst ());	837	conf->id, pkt->typ (), pkt->src (), pkt->dst ());
835		838
836	switch (pkt->typ ())	839	switch (pkt->typ ())
837	{	840	{
838	case vpn_packet::PT_PING:	841	case vpn_packet::PT_PING:
839	// we send pings instead of auth packets after some retries,	842	// we send pings instead of auth packets after some retries,
840	// so reset the retry counter and establish a conenction	843	// so reset the retry counter and establish a connection
841	// when we receive a pong.	844	// when we receive a ping.
842	if (!ictx && !octx)	845	if (!ictx)
843	{	846	{
844	retry_cnt = 0;	847	if (auth_rate_limiter.can (rsi))
845	establish_connection.at = 0;	848	send_auth_request (rsi, true);
846	establish_connection ();
847	}	849	}
848	else	850	else
849	send_ping (ssa, 1); // pong	851	send_ping (rsi, 1); // pong
850		852
851	break;	853	break;
852		854
853	case vpn_packet::PT_PONG:	855	case vpn_packet::PT_PONG:
854	break;	856	break;
…		…
859		861
860	config_packet p = (config_packet ) pkt;	862	config_packet p = (config_packet ) pkt;
861		863
862	if (!p->chk_config ())	864	if (!p->chk_config ())
863	{	865	{
864	slog (L_WARN, _("protocol mismatch, disabling node '%s'"), conf->nodename);	866	slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
		867	conf->nodename, (const char *)rsi);
865	connectmode = conf_node::C_DISABLED;	868	connectmode = conf_node::C_DISABLED;
866	}	869	}
867	else if (connectmode == conf_node::C_ALWAYS)	870	else if (connectmode == conf_node::C_ALWAYS)
868	establish_connection ();	871	establish_connection ();
869	}	872	}
870	break;	873	break;
871		874
872	case vpn_packet::PT_AUTH_REQ:	875	case vpn_packet::PT_AUTH_REQ:
		876	if (auth_rate_limiter.can (rsi))
		877	{
		878	auth_req_packet p = (auth_req_packet ) pkt;
		879
		880	slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
		881
		882	if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
		883	{
		884	if (p->prot_minor != PROTOCOL_MINOR)
		885	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
		886	conf->nodename, (const char *)rsi,
		887	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
		888
		889	if (p->initiate)
		890	send_auth_request (rsi, false);
		891
		892	rsachallenge k;
		893
		894	if (0 > RSA_private_decrypt (sizeof (p->encr),
		895	(unsigned char )&p->encr, (unsigned char )&k,
		896	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
		897	slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
		898	conf->nodename, (const char *)rsi);
		899	else
		900	{
		901	retry_cnt = 0;
		902	establish_connection.set (NOW + 8); //? ;)
		903	keepalive.reset ();
		904	rekey.reset ();
		905
		906	delete ictx;
		907	ictx = 0;
		908
		909	delete octx;
		910
		911	octx = new crypto_ctx (k, 1);
		912	oseqno = ntohl ((u32 )&k[CHG_SEQNO]) & 0x7fffffff;
		913
		914	conf->can_recv = p->can_recv;
		915	send_auth_response (rsi, p->id, k);
		916
		917	break;
		918	}
		919	}
		920
		921	send_reset (rsi);
		922	}
		923
		924	break;
		925
		926	case vpn_packet::PT_AUTH_RES:
873	{	927	{
874	auth_req_packet p = (auth_req_packet ) pkt;	928	auth_res_packet p = (auth_res_packet ) pkt;
875		929
876	slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);	930	slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
877		931
878	if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))	932	if (p->chk_config ())
879	{	933	{
880	if (p->prot_minor != PROTOCOL_MINOR)	934	if (p->prot_minor != PROTOCOL_MINOR)
881	slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."),	935	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
		936	conf->nodename, (const char *)rsi,
882	PROTOCOL_MINOR, conf->nodename, p->prot_minor);	937	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
883		938
884	if (p->initiate)
885	send_auth_request (ssa, false);
886
887	rsachallenge k;	939	rsachallenge chg;
888		940
889	if (0 > RSA_private_decrypt (sizeof (p->encr),	941	if (!rsa_cache.find (p->id, chg))
890	(unsigned char )&p->encr, (unsigned char )&k,	942	slog (L_ERR, _("%s(%s): unrequested auth response"),
891	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
892	slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"),
893	conf->nodename, (const char *)sockinfo (ssa));	943	conf->nodename, (const char *)rsi);
894	else	944	else
895	{	945	{
896	retry_cnt = 0;	946	crypto_ctx *cctx = new crypto_ctx (chg, 0);
897	establish_connection.set (NOW + 8); //? ;)
898	keepalive.reset ();
899	rekey.reset ();
900		947
		948	if (!p->hmac_chk (cctx))
		949	slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
		950	"could be an attack, or just corruption or an synchronization error"),
		951	conf->nodename, (const char *)rsi);
		952	else
		953	{
		954	rsaresponse h;
		955
		956	rsa_hash (p->id, chg, h);
		957
		958	if (!memcmp ((u8 )&h, (u8 )p->response, sizeof h))
		959	{
		960	prot_minor = p->prot_minor;
		961
		962	delete ictx; ictx = cctx;
		963
		964	iseqno.reset (ntohl ((u32 )&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
		965
		966	si = rsi;
		967
		968	rekey.set (NOW + ::conf.rekey);
		969	keepalive.set (NOW + ::conf.keepalive);
		970
		971	// send queued packets
		972	while (tap_packet *p = queue.get ())
		973	{
		974	send_data_packet (p);
		975	delete p;
		976	}
		977
		978	connectmode = conf->connectmode;
		979
		980	slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
		981	conf->nodename, (const char *)rsi,
		982	p->prot_major, p->prot_minor);
		983
		984	if (::conf.script_node_up)
		985	run_script (run_script_cb (this, &connection::script_node_up), false);
		986
		987	break;
		988	}
		989	else
		990	slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
		991	conf->nodename, (const char *)rsi);
		992	}
		993
901	delete ictx;	994	delete cctx;
902	ictx = 0;
903
904	delete octx;
905
906	octx = new crypto_ctx (k, 1);
907	oseqno = ntohl ((u32 )&k[CHG_SEQNO]) & 0x7fffffff;
908
909	send_auth_response (ssa, p->id, k);
910
911	break;
912	}	995	}
913	}	996	}
914	}	997	}
915		998
916	send_reset (ssa);	999	send_reset (rsi);
917	break;
918
919	case vpn_packet::PT_AUTH_RES:
920	{
921	auth_res_packet p = (auth_res_packet ) pkt;
922
923	slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
924
925	if (p->chk_config ())
926	{
927	if (p->prot_minor != PROTOCOL_MINOR)
928	slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."),
929	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
930
931	rsachallenge chg;
932
933	if (!rsa_cache.find (p->id, chg))
934	slog (L_ERR, _("unrequested auth response from %s (%s)"),
935	conf->nodename, (const char *)sockinfo (ssa));
936	else
937	{
938	rsaresponse h;
939
940	rsa_hash (chg, h);
941
942	if (!memcmp ((u8 )&h, (u8 )p->response, sizeof h))
943	{
944	delete ictx;
945
946	ictx = new crypto_ctx (chg, 0);
947	iseqno.reset (ntohl ((u32 )&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
948
949	sa = *ssa;
950
951	rekey.set (NOW + ::conf.rekey);
952	keepalive.set (NOW + ::conf.keepalive);
953
954	// send queued packets
955	while (tap_packet *p = queue.get ())
956	{
957	send_data_packet (p);
958	delete p;
959	}
960
961	connectmode = conf->connectmode;
962
963	slog (L_INFO, _("connection to %d (%s %s) established"),
964	conf->id, conf->nodename, (const char *)sockinfo (ssa));
965
966	if (::conf.script_node_up)
967	run_script (run_script_cb (this, &connection::script_node_up), false);
968
969	break;
970	}
971	else
972	slog (L_ERR, _("sent and received challenge do not match with (%s %s))"),
973	conf->nodename, (const char *)sockinfo (ssa));
974	}
975	}
976	}
977
978	send_reset (ssa);
979	break;	1000	break;
980		1001
981	case vpn_packet::PT_DATA_COMPRESSED:	1002	case vpn_packet::PT_DATA_COMPRESSED:
982	#if !ENABLE_COMPRESSION	1003	#if !ENABLE_COMPRESSION
983	send_reset (ssa);	1004	send_reset (rsi);
984	break;	1005	break;
985	#endif	1006	#endif
986		1007
987	case vpn_packet::PT_DATA_UNCOMPRESSED:	1008	case vpn_packet::PT_DATA_UNCOMPRESSED:
988		1009
989	if (ictx && octx)	1010	if (ictx && octx)
990	{	1011	{
991	vpndata_packet p = (vpndata_packet )pkt;	1012	vpndata_packet p = (vpndata_packet )pkt;
992		1013
993	if (*ssa == sa)	1014	if (rsi == si)
994	{	1015	{
995	if (!p->hmac_chk (ictx))	1016	if (!p->hmac_chk (ictx))
996	slog (L_ERR, _("hmac authentication error, received invalid packet\n"	1017	slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
997	"could be an attack, or just corruption or an synchronization error"));	1018	"could be an attack, or just corruption or an synchronization error"),
		1019	conf->nodename, (const char *)rsi);
998	else	1020	else
999	{	1021	{
1000	u32 seqno;	1022	u32 seqno;
1001	tap_packet *d = p->unpack (this, seqno);	1023	tap_packet *d = p->unpack (this, seqno);
1002		1024
…		…
1018	break;	1040	break;
1019	}	1041	}
1020	}	1042	}
1021	}	1043	}
1022	else	1044	else
1023	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D	1045	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
1024	}	1046	}
1025		1047
1026	send_reset (ssa);	1048	send_reset (rsi);
1027	break;	1049	break;
1028		1050
1029	case vpn_packet::PT_CONNECT_REQ:	1051	case vpn_packet::PT_CONNECT_REQ:
1030	if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))	1052	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1031	{	1053	{
1032	connect_req_packet p = (connect_req_packet ) pkt;	1054	connect_req_packet p = (connect_req_packet ) pkt;
1033		1055
1034	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything	1056	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1035		1057
…		…
1041	if (c->ictx && c->octx)	1063	if (c->ictx && c->octx)
1042	{	1064	{
1043	// send connect_info packets to both sides, in case one is	1065	// send connect_info packets to both sides, in case one is
1044	// behind a nat firewall (or both ;)	1066	// behind a nat firewall (or both ;)
1045	{	1067	{
1046	sockinfo si(sa);
1047
1048	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",	1068	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1049	c->conf->id, conf->id, (const char *)si);	1069	c->conf->id, conf->id, (const char *)si);
1050		1070
1051	connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si);	1071	connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si, conf->can_recv);
1052		1072
1053	r->hmac_set (c->octx);	1073	r->hmac_set (c->octx);
1054	vpn->send_vpn_packet (r, &c->sa);	1074	send_vpn_packet (r, c->si);
1055		1075
1056	delete r;	1076	delete r;
1057	}	1077	}
1058		1078
1059	{	1079	{
1060	sockinfo si(c->sa);
1061
1062	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",	1080	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1063	conf->id, c->conf->id, (const char *)si);	1081	conf->id, c->conf->id, (const char *)c->si);
1064		1082
1065	connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si);	1083	connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, c->si, c->conf->can_recv);
1066		1084
1067	r->hmac_set (octx);	1085	r->hmac_set (octx);
1068	vpn->send_vpn_packet (r, &sa);	1086	send_vpn_packet (r, si);
1069		1087
1070	delete r;	1088	delete r;
1071	}	1089	}
1072	}	1090	}
1073	}	1091	}
1074		1092
1075	break;	1093	break;
1076		1094
1077	case vpn_packet::PT_CONNECT_INFO:	1095	case vpn_packet::PT_CONNECT_INFO:
1078	if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))	1096	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1079	{	1097	{
1080	connect_info_packet p = (connect_info_packet ) pkt;	1098	connect_info_packet p = (connect_info_packet ) pkt;
1081		1099
1082	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything	1100	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1083		1101
1084	connection *c = vpn->conns[p->id - 1];	1102	connection *c = vpn->conns[p->id - 1];
1085		1103
1086	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",	1104	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1087	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);	1105	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1088		1106
		1107	c->conf->can_recv = p->can_recv;
1089	c->send_auth_request (p->si.sa (), true);	1108	c->send_auth_request (p->si, true);
1090	}	1109	}
1091		1110
1092	break;	1111	break;
1093		1112
1094	default:	1113	default:
1095	send_reset (ssa);	1114	send_reset (rsi);
1096	break;	1115	break;
1097		1116
1098	}	1117	}
1099	}	1118	}
1100		1119
…		…
1106	establish_connection ();	1125	establish_connection ();
1107	}	1126	}
1108	else if (NOW < last_activity + ::conf.keepalive)	1127	else if (NOW < last_activity + ::conf.keepalive)
1109	ts = last_activity + ::conf.keepalive;	1128	ts = last_activity + ::conf.keepalive;
1110	else if (conf->connectmode != conf_node::C_ONDEMAND	1129	else if (conf->connectmode != conf_node::C_ONDEMAND
1111	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)	1130	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)
1112	{	1131	{
1113	send_ping (&sa);	1132	send_ping (si);
1114	ts = NOW + 5;	1133	ts = NOW + 5;
1115	}	1134	}
1116	else	1135	else
1117	reset_connection ();	1136	reset_connection ();
1118
1119	}	1137	}
1120		1138
1121	void connection::connect_request (int id)	1139	void connection::connect_request (int id)
1122	{	1140	{
1123	connect_req_packet *p = new connect_req_packet (conf->id, id);	1141	connect_req_packet *p = new connect_req_packet (conf->id, id);
1124		1142
1125	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);	1143	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);
1126	p->hmac_set (octx);	1144	p->hmac_set (octx);
1127	vpn->send_vpn_packet (p, &sa);	1145	send_vpn_packet (p, si);
1128		1146
1129	delete p;	1147	delete p;
1130	}	1148	}
1131		1149
1132	void connection::script_node ()	1150	void connection::script_node ()
1133	{	1151	{
1134	vpn->script_if_up (0);	1152	vpn->script_if_up (0);
1135		1153
1136	char *env;	1154	char *env;
1137	asprintf (&env, "DESTID=%d", conf->id);	1155	asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1138	putenv (env);
1139	asprintf (&env, "DESTNODE=%s", conf->nodename);	1156	asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1140	putenv (env);	1157	asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1141	asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
1142	putenv (env);
1143	asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port));	1158	asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1144	putenv (env);
1145	}	1159	}
1146		1160
1147	const char *connection::script_node_up (int)	1161	const char *connection::script_node_up (int)
1148	{	1162	{
1149	script_node ();	1163	script_node ();
…		…
1158	script_node ();	1172	script_node ();
1159		1173
1160	putenv ("STATE=down");	1174	putenv ("STATE=down");
1161		1175
1162	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";	1176	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
		1177	}
		1178
		1179	// send a vpn packet out to other hosts
		1180	void
		1181	connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
		1182	{
		1183	if (prot_send & PROT_IPv4)
		1184	vpn->send_ipv4_packet (pkt, si, tos);
		1185	else
		1186	vpn->send_udpv4_packet (pkt, si, tos);
1163	}	1187	}
1164		1188
1165	connection::connection(struct vpn *vpn_)	1189	connection::connection(struct vpn *vpn_)
1166	: vpn(vpn_)	1190	: vpn(vpn_)
1167	, rekey (this, &connection::rekey_cb)	1191	, rekey (this, &connection::rekey_cb)
…		…
1209		1233
1210	return ::conf.script_if_up ? ::conf.script_if_up : "if-up";	1234	return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1211	}	1235	}
1212		1236
1213	int	1237	int
1214	vpn::setup (void)	1238	vpn::setup ()
1215	{	1239	{
1216	struct sockaddr_in sa;	1240	u8 prots = 0;
1217		1241
		1242	for (configuration::node_vector::iterator i = conf.nodes.begin ();
		1243	i != conf.nodes.end (); ++i)
		1244	prots \|= (i)->can_send \| (i)->can_recv;
		1245
		1246	sockinfo si;
		1247
		1248	si.set (THISNODE);
		1249
		1250	udpv4_fd = -1;
		1251
		1252	if (prots & PROT_UDPv4)
		1253	{
1218	socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);	1254	udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1219	if (socket_fd < 0)	1255
		1256	if (udpv4_fd < 0)
1220	return -1;	1257	return -1;
1221		1258
1222	fill_sa (&sa, THISNODE);	1259	if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1223		1260	{
1224	if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1225	{
1226	slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno));	1261	slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1227	exit (1);	1262	exit (1);
1228	}	1263	}
1229		1264
1230	#ifdef IP_MTU_DISCOVER	1265	#ifdef IP_MTU_DISCOVER
1231	// this I really consider a linux bug. I am neither connected	1266	// this I really consider a linux bug. I am neither connected
1232	// nor do I fragment myself. Linux still sets DF and doesn't	1267	// nor do I fragment myself. Linux still sets DF and doesn't
1233	// fragment for me sometimes.	1268	// fragment for me sometimes.
1234	{	1269	{
1235	int oval = IP_PMTUDISC_DONT;	1270	int oval = IP_PMTUDISC_DONT;
1236	setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);	1271	setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1237	}	1272	}
1238	#endif	1273	#endif
1239	{	1274
		1275	// standard daemon practise...
		1276	{
1240	int oval = 1;	1277	int oval = 1;
1241	setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);	1278	setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1242	}	1279	}
1243		1280
1244	udp_ev_watcher.start (socket_fd, POLLIN);	1281	udpv4_ev_watcher.start (udpv4_fd, POLLIN);
		1282	}
		1283
		1284	ipv4_fd = -1;
		1285	if (prots & PROT_IPv4)
		1286	{
		1287	ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
		1288
		1289	if (ipv4_fd < 0)
		1290	return -1;
		1291
		1292	if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
		1293	{
		1294	slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
		1295	exit (1);
		1296	}
		1297
		1298	#ifdef IP_MTU_DISCOVER
		1299	// this I really consider a linux bug. I am neither connected
		1300	// nor do I fragment myself. Linux still sets DF and doesn't
		1301	// fragment for me sometimes.
		1302	{
		1303	int oval = IP_PMTUDISC_DONT;
		1304	setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
		1305	}
		1306	#endif
		1307
		1308	ipv4_ev_watcher.start (ipv4_fd, POLLIN);
		1309	}
1245		1310
1246	tap = new tap_device ();	1311	tap = new tap_device ();
1247	if (!tap) //D this, of course, never catches	1312	if (!tap) //D this, of course, never catches
1248	{	1313	{
1249	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);	1314	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1250	exit (1);	1315	exit (1);
1251	}	1316	}
1252		1317
1253	run_script (run_script_cb (this, &vpn::script_if_up), true);	1318	run_script (run_script_cb (this, &vpn::script_if_up), true);
1254		1319
1255	vpn_ev_watcher.start (tap->fd, POLLIN);	1320	tap_ev_watcher.start (tap->fd, POLLIN);
1256		1321
1257	reconnect_all ();	1322	reconnect_all ();
1258		1323
1259	return 0;	1324	return 0;
1260	}	1325	}
1261		1326
1262	void	1327	void
1263	vpn::send_vpn_packet (vpn_packet pkt, SOCKADDR sa, int tos)	1328	vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1264	{	1329	{
1265	setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos);	1330	setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1266	sendto (socket_fd, &((pkt)[0]), pkt->len, 0, (sockaddr )sa, sizeof (*sa));	1331	sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1267	}	1332	}
1268		1333
1269	void	1334	void
1270	vpn::shutdown_all ()	1335	vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1271	{	1336	{
1272	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	1337	setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1273	(*c)->shutdown ();	1338	sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1274	}	1339	}
1275		1340
1276	void	1341	void
1277	vpn::reconnect_all ()	1342	vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1278	{	1343	{
1279	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	1344	unsigned int src = pkt->src ();
1280	delete *c;	1345	unsigned int dst = pkt->dst ();
1281		1346
1282	conns.clear ();	1347	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
		1348	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1283		1349
1284	for (configuration::node_vector::iterator i = conf.nodes.begin ();	1350	if (dst > conns.size () \|\| pkt->typ () >= vpn_packet::PT_MAX)
1285	i != conf.nodes.end (); ++i)	1351	slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1286	{	1352	pkt->typ (), pkt->src (), pkt->dst ());
1287	connection *conn = new connection (this);	1353	else if (dst == 0 && !THISNODE->routerprio)
1288		1354	slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1289	conn->conf = *i;	1355	else if (dst != 0 && dst != THISNODE->id)
1290	conns.push_back (conn);	1356	slog (L_WARN,
1291		1357	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1292	conn->establish_connection ();	1358	dst, conns[dst - 1]->conf->nodename,
1293	}	1359	(const char *)rsi,
		1360	THISNODE->id, THISNODE->nodename);
		1361	else if (src == 0 \|\| src > conns.size ())
		1362	slog (L_WARN, _("received frame from unknown node %d (%s)"),
		1363	src, (const char *)rsi);
		1364	else
		1365	conns[src - 1]->recv_vpn_packet (pkt, rsi);
1294	}	1366	}
1295		1367
1296	connection *vpn::find_router ()
1297	{
1298	u32 prio = 0;
1299	connection *router = 0;
1300
1301	for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1302	{
1303	connection c = i;
1304
1305	if (c->conf->routerprio > prio
1306	&& c->connectmode == conf_node::C_ALWAYS
1307	&& c->conf != THISNODE
1308	&& c->ictx && c->octx)
1309	{
1310	prio = c->conf->routerprio;
1311	router = c;
1312	}
1313	}
1314
1315	return router;
1316	}
1317
1318	void vpn::connect_request (int id)
1319	{
1320	connection *c = find_router ();
1321
1322	if (c)
1323	c->connect_request (id);
1324	//else // does not work, because all others must connect to the same router
1325	// // no router found, aggressively connect to all routers
1326	// for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1327	// if ((*i)->conf->routerprio)
1328	// (*i)->establish_connection ();
1329	}
1330
1331	void	1368	void
1332	vpn::udp_ev (short revents)	1369	vpn::udpv4_ev (short revents)
1333	{	1370	{
1334	if (revents & (POLLIN \| POLLERR))	1371	if (revents & (POLLIN \| POLLERR))
1335	{	1372	{
1336	vpn_packet *pkt = new vpn_packet;	1373	vpn_packet *pkt = new vpn_packet;
1337	struct sockaddr_in sa;	1374	struct sockaddr_in sa;
1338	socklen_t sa_len = sizeof (sa);	1375	socklen_t sa_len = sizeof (sa);
1339	int len;	1376	int len;
1340		1377
1341	len = recvfrom (socket_fd, &((pkt)[0]), MAXSIZE, 0, (sockaddr )&sa, &sa_len);	1378	len = recvfrom (udpv4_fd, &((pkt)[0]), MAXSIZE, 0, (sockaddr )&sa, &sa_len);
		1379
		1380	sockinfo si(sa);
1342		1381
1343	if (len > 0)	1382	if (len > 0)
1344	{	1383	{
1345	pkt->len = len;	1384	pkt->len = len;
1346		1385
1347	unsigned int src = pkt->src ();
1348	unsigned int dst = pkt->dst ();
1349
1350	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1351	(const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1352
1353	if (dst > conns.size () \|\| pkt->typ () >= vpn_packet::PT_MAX)
1354	slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1355	pkt->typ (), pkt->src (), pkt->dst ());
1356	else if (dst == 0 && !THISNODE->routerprio)
1357	slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1358	else if (dst != 0 && dst != THISNODE->id)
1359	slog (L_WARN,
1360	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1361	dst, conns[dst - 1]->conf->nodename,
1362	(const char *)sockinfo (sa),
1363	THISNODE->id, THISNODE->nodename);
1364	else if (src == 0 \|\| src > conns.size ())
1365	slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1366	else
1367	conns[src - 1]->recv_vpn_packet (pkt, &sa);	1386	recv_vpn_packet (pkt, si);
1368	}	1387	}
1369	else	1388	else
1370	{	1389	{
1371	// probably ECONNRESET or somesuch	1390	// probably ECONNRESET or somesuch
1372	slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno));	1391	slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1373	}	1392	}
1374		1393
1375	delete pkt;	1394	delete pkt;
1376	}	1395	}
1377	else if (revents & POLLHUP)	1396	else if (revents & POLLHUP)
1378	{	1397	{
1379	// this cannot ;) happen on udp sockets	1398	// this cannot ;) happen on udp sockets
1380	slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating."));	1399	slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
1381	exit (1);	1400	exit (1);
1382	}	1401	}
1383	else	1402	else
1384	{	1403	{
1385	slog (L_ERR,	1404	slog (L_ERR,
…		…
1388	exit (1);	1407	exit (1);
1389	}	1408	}
1390	}	1409	}
1391		1410
1392	void	1411	void
		1412	vpn::ipv4_ev (short revents)
		1413	{
		1414	if (revents & (POLLIN \| POLLERR))
		1415	{
		1416	vpn_packet *pkt = new vpn_packet;
		1417	struct sockaddr_in sa;
		1418	socklen_t sa_len = sizeof (sa);
		1419	int len;
		1420
		1421	len = recvfrom (ipv4_fd, &((pkt)[0]), MAXSIZE, 0, (sockaddr )&sa, &sa_len);
		1422
		1423	sockinfo si(sa, PROT_IPv4);
		1424
		1425	if (len > 0)
		1426	{
		1427	pkt->len = len;
		1428
		1429	// raw sockets deliver the ipv4, but don't expect it on sends
		1430	// this is slow, but...
		1431	pkt->skip_hdr (IP_OVERHEAD);
		1432
		1433	recv_vpn_packet (pkt, si);
		1434	}
		1435	else
		1436	{
		1437	// probably ECONNRESET or somesuch
		1438	slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
		1439	}
		1440
		1441	delete pkt;
		1442	}
		1443	else if (revents & POLLHUP)
		1444	{
		1445	// this cannot ;) happen on udp sockets
		1446	slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
		1447	exit (1);
		1448	}
		1449	else
		1450	{
		1451	slog (L_ERR,
		1452	_("FATAL: unknown revents %08x in socket, terminating\n"),
		1453	revents);
		1454	exit (1);
		1455	}
		1456	}
		1457
		1458	void
1393	vpn::vpn_ev (short revents)	1459	vpn::tap_ev (short revents)
1394	{	1460	{
1395	if (revents & POLLIN)	1461	if (revents & POLLIN)
1396	{	1462	{
1397	/* process data */	1463	/* process data */
1398	tap_packet *pkt;	1464	tap_packet *pkt;
…		…
1454	{	1520	{
1455	if (events)	1521	if (events)
1456	{	1522	{
1457	if (events & EVENT_SHUTDOWN)	1523	if (events & EVENT_SHUTDOWN)
1458	{	1524	{
		1525	slog (L_INFO, _("preparing shutdown..."));
		1526
1459	shutdown_all ();	1527	shutdown_all ();
1460		1528
1461	remove_pid (pidfilename);	1529	remove_pid (pidfilename);
1462		1530
1463	slog (L_INFO, _("vped terminating"));	1531	slog (L_INFO, _("terminating"));
1464		1532
1465	exit (0);	1533	exit (0);
1466	}	1534	}
1467		1535
1468	if (events & EVENT_RECONNECT)	1536	if (events & EVENT_RECONNECT)
		1537	{
		1538	slog (L_INFO, _("forced reconnect"));
		1539
1469	reconnect_all ();	1540	reconnect_all ();
		1541	}
1470		1542
1471	events = 0;	1543	events = 0;
1472	}	1544	}
1473		1545
1474	ts = TSTAMP_CANCEL;	1546	ts = TSTAMP_CANCEL;
1475	}	1547	}
1476		1548
		1549	void
		1550	vpn::shutdown_all ()
		1551	{
		1552	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
		1553	(*c)->shutdown ();
		1554	}
		1555
		1556	void
		1557	vpn::reconnect_all ()
		1558	{
		1559	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
		1560	delete *c;
		1561
		1562	conns.clear ();
		1563
		1564	auth_rate_limiter.clear ();
		1565	reset_rate_limiter.clear ();
		1566
		1567	for (configuration::node_vector::iterator i = conf.nodes.begin ();
		1568	i != conf.nodes.end (); ++i)
		1569	{
		1570	connection *conn = new connection (this);
		1571
		1572	conn->conf = *i;
		1573	conns.push_back (conn);
		1574
		1575	conn->establish_connection ();
		1576	}
		1577	}
		1578
		1579	connection *vpn::find_router ()
		1580	{
		1581	u32 prio = 0;
		1582	connection *router = 0;
		1583
		1584	for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
		1585	{
		1586	connection c = i;
		1587
		1588	if (c->conf->routerprio > prio
		1589	&& c->connectmode == conf_node::C_ALWAYS
		1590	&& c->conf != THISNODE
		1591	&& c->ictx && c->octx)
		1592	{
		1593	prio = c->conf->routerprio;
		1594	router = c;
		1595	}
		1596	}
		1597
		1598	return router;
		1599	}
		1600
		1601	void vpn::connect_request (int id)
		1602	{
		1603	connection *c = find_router ();
		1604
		1605	if (c)
		1606	c->connect_request (id);
		1607	//else // does not work, because all others must connect to the same router
		1608	// // no router found, aggressively connect to all routers
		1609	// for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
		1610	// if ((*i)->conf->routerprio)
		1611	// (*i)->establish_connection ();
		1612	}
		1613
		1614	void
		1615	connection::dump_status ()
		1616	{
		1617	slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
		1618	slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
		1619	connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
		1620	slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
		1621	(long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
		1622	slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
		1623	(long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
		1624	}
		1625
		1626	void
		1627	vpn::dump_status ()
		1628	{
		1629	slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
		1630
		1631	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
		1632	(*c)->dump_status ();
		1633
		1634	slog (L_NOTICE, _("END status dump"));
		1635	}
		1636
1477	vpn::vpn (void)	1637	vpn::vpn (void)
1478	: udp_ev_watcher (this, &vpn::udp_ev)	1638	: udpv4_ev_watcher(this, &vpn::udpv4_ev)
		1639	, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1479	, vpn_ev_watcher (this, &vpn::vpn_ev)	1640	, tap_ev_watcher(this, &vpn::tap_ev)
1480	, event (this, &vpn::event_cb)	1641	, event(this, &vpn::event_cb)
1481	{	1642	{
1482	}	1643	}
1483		1644
1484	vpn::~vpn ()	1645	vpn::~vpn ()
1485	{	1646	{

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/src/protocol.C (file contents): Revision 1.18 by pcg, Wed Mar 26 02:15:38 2003 UTC vs. Revision 1.23 by pcg, Fri Mar 28 05:40:54 2003 UTC

Diff Legend

Comparing gvpe/src/protocol.C (file contents):
Revision 1.18 by pcg, Wed Mar 26 02:15:38 2003 UTC vs.
Revision 1.23 by pcg, Fri Mar 28 05:40:54 2003 UTC