ViewVC Help

View File | Revision Log | Show Annotations | Download File

/cvs/gvpe/src/protocol.C

Comparing gvpe/src/protocol.C (file contents):
Revision 1.2 by pcg, Sun Mar 2 23:04:02 2003 UTC vs.
Revision 1.26 by pcg, Wed Apr 2 03:06:22 2003 UTC

…		…
16	Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA	16	Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17	*/	17	*/
18		18
19	#include "config.h"	19	#include "config.h"
20		20
		21	#include <list>
		22
21	#include <cstdlib>	23	#include <cstdlib>
22	#include <cstring>	24	#include <cstring>
23	#include <cstdio>	25	#include <cstdio>
24		26
25	#include <sys/types.h>	27	#include <sys/types.h>
…		…
30	#include <arpa/inet.h>	32	#include <arpa/inet.h>
31	#include <errno.h>	33	#include <errno.h>
32	#include <time.h>	34	#include <time.h>
33	#include <unistd.h>	35	#include <unistd.h>
34		36
35	#include <openssl/rand.h>
36	#include <openssl/hmac.h>
37	#include <openssl/evp.h>
38	#include <openssl/rsa.h>
39	#include <openssl/err.h>
40
41	extern "C" {
42	# include "lzf/lzf.h"
43	}
44
45	#include "gettext.h"
46	#include "pidfile.h"	37	#include "pidfile.h"
47		38
48	#include "conf.h"	39	#include "connection.h"
49	#include "slog.h"	40	#include "util.h"
50	#include "device.h"
51	#include "protocol.h"	41	#include "protocol.h"
52		42
53	#if !HAVE_RAND_PSEUDO_BYTES
54	# define RAND_pseudo_bytes RAND_bytes
55	#endif
56
57	static time_t next_timecheck;
58
59	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
60
61	static const rsachallenge &
62	challenge_bytes ()
63	{
64	static rsachallenge challenge;
65	static time_t challenge_ttl; // time this challenge needs to be recreated
66
67	if (now > challenge_ttl)
68	{
69	RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));
70	challenge_ttl = now + CHALLENGE_TTL;
71	}
72
73	return challenge;
74	}
75
76	// run a script. yes, it's a template function. yes, c++
77	// is not a functional language. yes, this suxx.
78	template<class owner>
79	static void
80	run_script (owner *obj, const char *(owner::*setup)(), bool wait)
81	{
82	int pid;
83
84	if ((pid = fork ()) == 0)
85	{
86	char *filename;
87	asprintf (&filename, "%s/%s", confbase, (obj->*setup) ());
88	execl (filename, filename, (char *) 0);
89	exit (255);
90	}
91	else if (pid > 0)
92	{
93	if (wait)
94	{
95	waitpid (pid, 0, 0);
96	/* TODO: check status */
97	}
98	}
99	}
100
101	// xor the socket address into the challenge to ensure different challenges
102	// per host. we could rely on the OAEP padding, but this doesn't hurt.
103	void
104	xor_sa (rsachallenge &k, SOCKADDR *sa)
105	{
106	((u32 *) k)[(CHG_CIPHER_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
107	((u16 *) k)[(CHG_CIPHER_KEY + 4) / 2] ^= sa->sin_port;
108	((u32 *) k)[(CHG_HMAC_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
109	((u16 *) k)[(CHG_HMAC_KEY + 4) / 2] ^= sa->sin_port;
110	}
111
112	struct crypto_ctx
113	{
114	EVP_CIPHER_CTX cctx;
115	HMAC_CTX hctx;
116
117	crypto_ctx (rsachallenge &challenge, int enc);
118	~crypto_ctx ();
119	};
120
121	crypto_ctx::crypto_ctx (rsachallenge &challenge, int enc)
122	{
123	EVP_CIPHER_CTX_init (&cctx);
124	EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
125	HMAC_CTX_init (&hctx);
126	HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
127	}
128
129	crypto_ctx::~crypto_ctx ()
130	{
131	EVP_CIPHER_CTX_cleanup (&cctx);
132	HMAC_CTX_cleanup (&hctx);
133	}
134
135	/////////////////////////////////////////////////////////////////////////////	43	/////////////////////////////////////////////////////////////////////////////
136		44
137	static void next_wakeup (time_t next)
138	{
139	if (next_timecheck > next)
140	next_timecheck = next;
141	}
142
143	static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
144
145	struct hmac_packet:net_packet
146	{
147	u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
148
149	void hmac_set (crypto_ctx * ctx);
150	bool hmac_chk (crypto_ctx * ctx);
151
152	private:
153	void hmac_gen (crypto_ctx * ctx)
154	{
155	unsigned int xlen;
156	HMAC_CTX *hctx = &ctx->hctx;
157
158	HMAC_Init_ex (hctx, 0, 0, 0, 0);
159	HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
160	len - sizeof (hmac_packet));
161	HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
162	}
163	};
164
165	void
166	hmac_packet::hmac_set (crypto_ctx * ctx)
167	{
168	hmac_gen (ctx);
169
170	memcpy (hmac, hmac_digest, HMACLENGTH);
171	}
172
173	bool
174	hmac_packet::hmac_chk (crypto_ctx * ctx)
175	{
176	hmac_gen (ctx);
177
178	return !memcmp (hmac, hmac_digest, HMACLENGTH);
179	}
180
181	struct vpn_packet : hmac_packet
182	{
183	enum ptype
184	{
185	PT_RESET = 0,
186	PT_DATA_UNCOMPRESSED,
187	PT_DATA_COMPRESSED,
188	PT_PING, PT_PONG, // wasting namespace space? ;)
189	PT_AUTH, // authentification
190	PT_CONNECT_REQ, // want other host to contact me
191	PT_CONNECT_INFO, // request connection to some node
192	PT_REKEY, // rekeying (not yet implemented)
193	PT_MAX
194	};
195
196	u8 type;
197	u8 srcdst, src1, dst1;
198
199	void set_hdr (ptype type, unsigned int dst);
200
201	unsigned int src ()
202	{
203	return src1 | ((srcdst >> 4) << 8);
204	}
205	unsigned int dst ()
206	{
207	return dst1 | ((srcdst & 0xf) << 8);
208	}
209	ptype typ ()
210	{
211	return (ptype) type;
212	}
213	};
214
215	void vpn_packet::set_hdr (ptype type, unsigned int dst)
216	{
217	this->type = type;
218
219	int src = THISNODE->id;
220
221	src1 = src;
222	srcdst = ((src >> 8) << 4) | (dst >> 8);
223	dst1 = dst;
224	}
225
226	#define MAXVPNDATA (MAX_MTU - 6 - 6)
227	#define DATAHDR (sizeof (u32) + RAND_SIZE)
228
229	struct vpndata_packet:vpn_packet
230	{
231	u8 data[MAXVPNDATA + DATAHDR]; // seqno
232
233	void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
234	tap_packet *unpack (connection *conn, u32 &seqno);
235	private:
236
237	const u32 data_hdr_size () const
238	{
239	return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
240	}
241	};
242
243	void
244	vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
245	{
246	EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
247	int outl = 0, outl2;
248	ptype type = PT_DATA_UNCOMPRESSED;
249
250	#if ENABLE_COMPRESSION
251	u8 cdata[MAX_MTU];
252	u32 cl;
253
254	cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
255	if (cl)
256	{
257	//printf ("compressed packet, %d => %d\n", l, cl);//D
258	type = PT_DATA_COMPRESSED;
259	d = cdata;
260	l = cl + 2;
261
262	d[0] = cl >> 8;
263	d[1] = cl;
264	}
265	#endif
266
267	EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
268
269	#if RAND_SIZE
270	struct {
271	u8 rnd[RAND_SIZE];
272	u32 seqno;
273	} datahdr;
274
275	datahdr.seqno = seqno;
276	RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
277
278	EVP_EncryptUpdate (cctx,
279	(unsigned char *) data + outl, &outl2,
280	(unsigned char *) &datahdr, DATAHDR);
281	outl += outl2;
282	#else
283	EVP_EncryptUpdate (cctx,
284	(unsigned char *) data + outl, &outl2,
285	(unsigned char *) &seqno, DATAHDR);
286	outl += outl2;
287	#endif
288
289	EVP_EncryptUpdate (cctx,
290	(unsigned char *) data + outl, &outl2,
291	(unsigned char *) d, l);
292	outl += outl2;
293
294	EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2);
295	outl += outl2;
296
297	len = outl + data_hdr_size ();
298
299	set_hdr (type, dst);
300
301	hmac_set (conn->octx);
302	}
303
304	tap_packet *
305	vpndata_packet::unpack (connection *conn, u32 &seqno)
306	{
307	EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
308	int outl = 0, outl2;
309	tap_packet *p = new tap_packet;
310	u8 *d;
311	u32 l = len - data_hdr_size ();
312
313	EVP_DecryptInit_ex (cctx, 0, 0, 0, 0);
314
315	#if ENABLE_COMPRESSION
316	u8 cdata[MAX_MTU];
317
318	if (type == PT_DATA_COMPRESSED)
319	d = cdata;
320	else
321	#endif
322	d = &(*p)[6 + 6 - DATAHDR];
323
324	/* this overwrites part of the src mac, but we fix that later */
325	EVP_DecryptUpdate (cctx,
326	d, &outl2,
327	(unsigned char *)&data, len - data_hdr_size ());
328	outl += outl2;
329
330	EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
331	outl += outl2;
332
333	seqno = *(u32 *)(d + RAND_SIZE);
334
335	id2mac (dst () ? dst() : THISNODE->id, p->dst);
336	id2mac (src (), p->src);
337
338	#if ENABLE_COMPRESSION
339	if (type == PT_DATA_COMPRESSED)
340	{
341	u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
342	p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6;
343	//printf ("decompressxed %d(%d) => %d\n", cl, len - data_hdr_size (), p->len);//D
344	}
345	else
346	p->len = outl + (6 + 6 - DATAHDR);
347	#endif
348
349	return p;
350	}
351
352	struct ping_packet : vpn_packet
353	{
354	void setup (int dst, ptype type)
355	{
356	set_hdr (type, dst);
357	len = sizeof (*this) - sizeof (net_packet);
358	}
359	};
360
361	struct config_packet : vpn_packet
362	{
363	// actually, hmaclen cannot be checked because the hmac
364	// field comes before this data, so peers with other
365	// hmacs simply will not work.
366	u8 prot_major, prot_minor, randsize, hmaclen;
367	u8 flags, challengelen, pad2, pad3;
368	u32 cipher_nid;
369	u32 digest_nid;
370
371	const u8 curflags () const
372	{
373	return 0x80
374	| (ENABLE_COMPRESSION ? 0x01 : 0x00)
375	| (ENABLE_TRUST ? 0x02 : 0x00);
376	}
377
378	void setup (ptype type, int dst)
379	{
380	prot_major = PROTOCOL_MAJOR;
381	prot_minor = PROTOCOL_MINOR;
382	randsize = RAND_SIZE;
383	hmaclen = HMACLENGTH;
384	flags = curflags ();
385	challengelen = sizeof (rsachallenge);
386
387	cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
388	digest_nid = htonl (EVP_MD_type (DIGEST));
389
390	len = sizeof (*this) - sizeof (net_packet);
391	set_hdr (type, dst);
392	}
393
394	bool chk_config ()
395	{
396	return prot_major == PROTOCOL_MAJOR
397	&& randsize == RAND_SIZE
398	&& hmaclen == HMACLENGTH
399	&& flags == curflags ()
400	&& challengelen == sizeof (rsachallenge)
401	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
402	&& digest_nid == htonl (EVP_MD_type (DIGEST));
403	}
404	};
405
406	struct auth_packet : config_packet
407	{
408	char magic[8];
409	u8 subtype;
410	u8 pad1, pad2;
411	rsaencrdata challenge;
412
413	auth_packet (int dst, auth_subtype stype)
414	{
415	config_packet::setup (PT_AUTH, dst);
416	subtype = stype;
417	len = sizeof (*this) - sizeof (net_packet);
418	strncpy (magic, MAGIC, 8);
419	}
420	};
421
422	struct connect_req_packet : vpn_packet
423	{
424	u8 id;
425	u8 pad1, pad2, pad3;
426
427	connect_req_packet (int dst, int id)
428	{
429	this->id = id;
430	set_hdr (PT_CONNECT_REQ, dst);
431	len = sizeof (*this) - sizeof (net_packet);
432	}
433	};
434
435	struct connect_info_packet : vpn_packet
436	{
437	u8 id;
438	u8 pad1, pad2, pad3;
439	sockinfo si;
440
441	connect_info_packet (int dst, int id, sockinfo &si)
442	{
443	this->id = id;
444	this->si = si;
445	set_hdr (PT_CONNECT_INFO, dst);
446	len = sizeof (*this) - sizeof (net_packet);
447	}
448	};
449
450	/////////////////////////////////////////////////////////////////////////////
451
452	void
453	fill_sa (SOCKADDR *sa, conf_node *conf)
454	{
455	sa->sin_family = AF_INET;
456	sa->sin_port = htons (conf->port);
457	sa->sin_addr.s_addr = 0;
458
459	if (conf->hostname)
460	{
461	struct hostent *he = gethostbyname (conf->hostname);
462
463	if (he
464	&& he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
465	{
466	//sa->sin_family = he->h_addrtype;
467	memcpy (&sa->sin_addr, he->h_addr_list[0], 4);
468	}
469	else
470	slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
471	}
472	}
473
474	void
475	connection::reset_dstaddr ()
476	{
477	fill_sa (&sa, conf);
478	}
479
480	void
481	connection::send_ping (SOCKADDR *dsa, u8 pong)
482	{
483	ping_packet *pkt = new ping_packet;
484
485	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
486	vpn->send_vpn_packet (pkt, dsa);
487
488	delete pkt;
489	}
490
491	void
492	connection::send_reset (SOCKADDR *dsa)
493	{
494	static net_rate_limiter limiter(1);
495
496	if (limiter.can (dsa))
497	{
498	config_packet *pkt = new config_packet;
499
500	pkt->setup (vpn_packet::PT_RESET, conf->id);
501	vpn->send_vpn_packet (pkt, dsa);
502
503	delete pkt;
504	}
505	}
506
507	static rsachallenge *
508	gen_challenge (SOCKADDR *sa)
509	{
510	static rsachallenge k;
511
512	memcpy (&k, &challenge_bytes (), sizeof (k));
513	RAND_bytes ((unsigned char *)&k[CHG_SEQNO], sizeof (u32));
514	xor_sa (k, sa);
515
516	return &k;
517	}
518
519	void
520	connection::send_auth (auth_subtype subtype, SOCKADDR *sa, rsachallenge *k)
521	{
522	static net_rate_limiter limiter(2);
523
524	if (subtype != AUTH_INIT || limiter.can (sa))
525	{
526	auth_packet *pkt = new auth_packet (conf->id, subtype);
527
528	//printf ("send auth_packet subtype %d\n", subtype);//D
529
530	if (!k)
531	k = gen_challenge (sa);
532
533	#if ENABLE_TRUST
534	if (0 > RSA_public_encrypt (sizeof (*k),
535	(unsigned char *)k, (unsigned char *)&pkt->challenge,
536	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
537	fatal ("RSA_public_encrypt error");
538	#else
539	# error untrusted mode not yet implemented: programemr does not know how to
540	rsaencrdata enc;
541
542	if (0 > RSA_private_encrypt (sizeof (*k),
543	(unsigned char *)k, (unsigned char *)&enc,
544	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
545	fatal ("RSA_private_encrypt error");
546
547	if (0 > RSA_public_encrypt (sizeof (enc),
548	(unsigned char *)enc, (unsigned char *)&pkt->challenge,
549	conf->rsa_key, RSA_NO_PADDING))
550	fatal ("RSA_public_encrypt error");
551	#endif
552
553	slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa));
554
555	vpn->send_vpn_packet (pkt, sa);
556
557	delete pkt;
558	}
559	}
560
561	void
562	connection::establish_connection ()
563	{
564	if (!ictx && conf != THISNODE && conf->connectmode != conf_node::C_NEVER)
565	{
566	if (now >= next_retry)
567	{
568	int retry_int = retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2);
569
570	if (retry_cnt < (17 << 2) | 3)
571	retry_cnt++;
572
573	if (conf->connectmode == conf_node::C_ONDEMAND
574	&& retry_int > ::conf.keepalive)
575	retry_int = ::conf.keepalive;
576
577	next_retry = now + retry_int;
578	next_wakeup (next_retry);
579
580	if (conf->hostname)
581	{
582	reset_dstaddr ();
583	if (sa.sin_addr.s_addr)
584	if (retry_cnt < 4)
585	send_auth (AUTH_INIT, &sa);
586	else
587	send_ping (&sa, 0);
588	}
589	else
590	vpn->connect_request (conf->id);
591	}
592	}
593	}
594
595	void
596	connection::reset_connection ()
597	{
598	if (ictx && octx)
599	{
600	slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename);
601
602	if (::conf.script_node_down)
603	run_script (this, &connection::script_node_down, false);
604	}
605
606	delete ictx;
607	ictx = 0;
608
609	delete octx;
610	octx = 0;
611
612	sa.sin_port = 0;
613	sa.sin_addr.s_addr = 0;
614
615	next_retry = 0;
616	next_rekey = 0;
617	last_activity = 0;
618	}
619
620	void
621	connection::shutdown ()
622	{
623	if (ictx && octx)
624	send_reset (&sa);
625
626	reset_connection ();
627	}
628
629	void
630	connection::rekey ()
631	{
632	reset_connection ();
633	establish_connection ();
634	}
635
636	void
637	connection::send_data_packet (tap_packet * pkt, bool broadcast)
638	{
639	vpndata_packet *p = new vpndata_packet;
640
641	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
642	vpn->send_vpn_packet (p, &sa);
643
644	delete p;
645
646	if (oseqno > MAX_SEQNO)
647	rekey ();
648	}
649
650	void
651	connection::inject_data_packet (tap_packet *pkt, bool broadcast)
652	{
653	if (ictx && octx)
654	send_data_packet (pkt, broadcast);
655	else
656	{
657	if (!broadcast)//DDDD
658	queue.put (new tap_packet (*pkt));
659
660	establish_connection ();
661	}
662	}
663
664	void
665	connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa)
666	{
667	last_activity = now;
668
669	slog (L_NOISE, "<<%d received packet type %d from %d to %d",
670	conf->id, pkt->typ (), pkt->src (), pkt->dst ());
671
672	switch (pkt->typ ())
673	{
674	case vpn_packet::PT_PING:
675	send_ping (ssa, 1); // pong
676	break;
677
678	case vpn_packet::PT_PONG:
679	// we send pings instead of auth packets after some retries,
680	// so reset the retry counter and establish a conenction
681	// when we receive a pong.
682	if (!ictx && !octx)
683	{
684	retry_cnt = 0;
685	next_retry = 0;
686	establish_connection ();
687	}
688
689	break;
690
691	case vpn_packet::PT_RESET:
692	{
693	reset_connection ();
694
695	config_packet *p = (config_packet *) pkt;
696	if (p->chk_config ())
697	if (conf->connectmode == conf_node::C_ALWAYS)
698	establish_connection ();
699
700	//D slog the protocol mismatch?
701	}
702	break;
703
704	case vpn_packet::PT_AUTH:
705	{
706	auth_packet *p = (auth_packet *) pkt;
707
708	slog (L_TRACE, "<<%d PT_AUTH(%d)", conf->id, p->subtype);
709
710	if (p->chk_config ()
711	&& !strncmp (p->magic, MAGIC, 8))
712	{
713	if (p->prot_minor != PROTOCOL_MINOR)
714	slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."),
715	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
716
717	if (p->subtype == AUTH_INIT)
718	send_auth (AUTH_INITREPLY, ssa);
719
720	rsachallenge k;
721
722	#if ENABLE_TRUST
723	if (0 > RSA_private_decrypt (sizeof (rsaencrdata),
724	(unsigned char *)&p->challenge, (unsigned char *)&k,
725	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
726	// continued below
727	#else
728	rsaencrdata j;
729
730	if (0 > RSA_private_decrypt (sizeof (rsaencrdata),
731	(unsigned char *)&p->challenge, (unsigned char *)&j,
732	::conf.rsa_key, RSA_NO_PADDING))
733	fatal ("RSA_private_decrypt error");
734
735	if (0 > RSA_public_decrypt (sizeof (k),
736	(unsigned char *)&j, (unsigned char *)&k,
737	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
738	// continued below
739	#endif
740	{
741	slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"),
742	conf->nodename, (const char *)sockinfo (ssa));
743	break;
744	}
745
746	retry_cnt = 0;
747	next_retry = now + 8;
748
749	switch (p->subtype)
750	{
751	case AUTH_INIT:
752	case AUTH_INITREPLY:
753	delete ictx;
754	ictx = 0;
755
756	delete octx;
757
758	octx = new crypto_ctx (k, 1);
759	oseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff;
760
761	send_auth (AUTH_REPLY, ssa, &k);
762	break;
763
764	case AUTH_REPLY:
765
766	if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32),
767	sizeof (rsachallenge) - sizeof (u32)))
768	{
769	delete ictx;
770
771	ictx = new crypto_ctx (k, 0);
772	iseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; // at least 2**31 sequence numbers are valid
773	ismask = 0xffffffff; // initially, all lower sequence numbers are invalid
774
775	sa = *ssa;
776
777	next_rekey = now + ::conf.rekey;
778	next_wakeup (next_rekey);
779
780	// send queued packets
781	while (tap_packet *p = queue.get ())
782	{
783	send_data_packet (p);
784	delete p;
785	}
786
787	slog (L_INFO, _("connection to %d (%s %s) established"),
788	conf->id, conf->nodename, (const char *)sockinfo (ssa));
789
790	if (::conf.script_node_up)
791	run_script (this, &connection::script_node_up, false);
792	}
793	else
794	slog (L_ERR, _("sent and received challenge do not match with (%s %s))"),
795	conf->nodename, (const char *)sockinfo (ssa));
796
797	break;
798	default:
799	slog (L_ERR, _("authentification illegal subtype error (%s %s)"),
800	conf->nodename, (const char *)sockinfo (ssa));
801	break;
802	}
803	}
804	else
805	send_reset (ssa);
806
807	break;
808	}
809
810	case vpn_packet::PT_DATA_COMPRESSED:
811	#if !ENABLE_COMPRESSION
812	send_reset (ssa);
813	break;
814	#endif
815	case vpn_packet::PT_DATA_UNCOMPRESSED:
816
817	if (ictx && octx)
818	{
819	vpndata_packet *p = (vpndata_packet *)pkt;
820
821	if (*ssa == sa)
822	{
823	if (!p->hmac_chk (ictx))
824	slog (L_ERR, _("hmac authentication error, received invalid packet\n"
825	"could be an attack, or just corruption or an synchronization error"));
826	else
827	{
828	u32 seqno;
829	tap_packet *d = p->unpack (this, seqno);
830
831	if (seqno <= iseqno - 32)
832	slog (L_ERR, _("received duplicate or outdated packet (received %08lx, expected %08lx)\n"
833	"possible replay attack, or just massive packet reordering"), seqno, iseqno + 1);//D
834	else if (seqno > iseqno + 32)
835	slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n"
836	"possible replay attack, or just massive packet loss"), seqno, iseqno + 1);//D
837	else
838	{
839	if (seqno > iseqno)
840	{
841	ismask <<= seqno - iseqno;
842	iseqno = seqno;
843	}
844
845	u32 mask = 1 << (iseqno - seqno);
846
847	//printf ("received seqno %08lx, iseqno %08lx, mask %08lx is %08lx\n", seqno, iseqno, mask, ismask);
848	if (ismask & mask)
849	slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n"
850	"possible replay attack, or just packet duplication"), seqno, iseqno + 1);//D
851	else
852	{
853	ismask |= mask;
854
855	vpn->tap->send (d);
856
857	if (p->dst () == 0) // re-broadcast
858	for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
859	{
860	connection *c = *i;
861
862	if (c->conf != THISNODE && c->conf != conf)
863	c->inject_data_packet (d);
864	}
865
866	delete d;
867
868	break;
869	}
870	}
871	}
872	}
873	else
874	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D
875	}
876
877	send_reset (ssa);
878	break;
879
880	case vpn_packet::PT_CONNECT_REQ:
881	if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))
882	{
883	connect_req_packet *p = (connect_req_packet *) pkt;
884
885	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
886
887	connection *c = vpn->conns[p->id - 1];
888
889	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
890	conf->id, p->id, c->ictx && c->octx);
891
892	if (c->ictx && c->octx)
893	{
894	sockinfo si(sa);
895
896	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
897	c->conf->id, p->id, (const char *)si);
898
899	connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si);
900
901	r->hmac_set (c->octx);
902	vpn->send_vpn_packet (r, &c->sa);
903
904	delete r;
905	}
906	}
907
908	break;
909
910	case vpn_packet::PT_CONNECT_INFO:
911	if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))
912	{
913	connect_info_packet *p = (connect_info_packet *) pkt;
914
915	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
916
917	connection *c = vpn->conns[p->id - 1];
918
919	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
920	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
921
922	c->send_auth (AUTH_INIT, p->si.sa ());
923	}
924	break;
925
926	default:
927	send_reset (ssa);
928	break;
929	}
930	}
931
932	void connection::timer ()
933	{
934	if (conf != THISNODE)
935	{
936	if (now >= next_retry && conf->connectmode == conf_node::C_ALWAYS)
937	establish_connection ();
938
939	if (ictx && octx)
940	{
941	if (now >= next_rekey)
942	rekey ();
943	else if (now >= last_activity + ::conf.keepalive + 30)
944	{
945	reset_connection ();
946	establish_connection ();
947	}
948	else if (now >= last_activity + ::conf.keepalive)
949	if (conf->connectmode != conf_node::C_ONDEMAND
950	|| THISNODE->connectmode != conf_node::C_ONDEMAND)
951	send_ping (&sa);
952	else
953	reset_connection ();
954
955	}
956	}
957	}
958
959	void connection::connect_request (int id)
960	{
961	connect_req_packet *p = new connect_req_packet (conf->id, id);
962
963	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);
964	p->hmac_set (octx);
965	vpn->send_vpn_packet (p, &sa);
966
967	delete p;
968	}
969
970	void connection::script_node ()
971	{
972	vpn->script_if_up ();
973
974	char *env;
975	asprintf (&env, "DESTID=%d", conf->id);
976	putenv (env);
977	asprintf (&env, "DESTNODE=%s", conf->nodename);
978	putenv (env);
979	asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
980	putenv (env);
981	asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port));
982	putenv (env);
983	}
984
985	const char *connection::script_node_up ()
986	{
987	script_node ();
988
989	putenv ("STATE=up");
990
991	return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
992	}
993
994	const char *connection::script_node_down ()
995	{
996	script_node ();
997
998	putenv ("STATE=down");
999
1000	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1001	}
1002
1003	/////////////////////////////////////////////////////////////////////////////
1004
1005	vpn::vpn (void)
1006	{}
1007
1008	const char *vpn::script_if_up ()	45	const char *vpn::script_if_up (int)
1009	{	46	{
1010	// the tunnel device mtu should be the physical mtu - overhead	47	// the tunnel device mtu should be the physical mtu - overhead
1011	// the tricky part is rounding to the cipher key blocksize	48	// the tricky part is rounding to the cipher key blocksize
1012	int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - UDP_OVERHEAD;	49	int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
1013	mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion	50	mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
1014	mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round	51	mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
1015	mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again	52	mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
1016		53
1017	char *env;	54	char *env;
…		…
1032		69
1033	return ::conf.script_if_up ? ::conf.script_if_up : "if-up";	70	return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1034	}	71	}
1035		72
1036	int	73	int
1037	vpn::setup (void)	74	vpn::setup ()
1038	{	75	{
1039	struct sockaddr_in sa;	76	sockinfo si;
1040		77
		78	si.set (THISNODE);
		79
		80	udpv4_fd = -1;
		81
		82	if (THISNODE->protocols & PROT_UDPv4)
		83	{
1041	socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);	84	udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1042	if (socket_fd < 0)	85
		86	if (udpv4_fd < 0)
1043	return -1;	87	return -1;
1044		88
1045	fill_sa (&sa, THISNODE);	89	if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1046		90	{
1047	if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1048	{
1049	slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno));	91	slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1050	exit (1);	92	exit (1);
1051	}	93	}
1052		94
1053	#ifdef IP_MTU_DISCOVER	95	#ifdef IP_MTU_DISCOVER
1054	// this I really consider a linux bug. I am neither connected	96	// this I really consider a linux bug. I am neither connected
1055	// nor do I fragment myself. Linux still sets DF and doesn't	97	// nor do I fragment myself. Linux still sets DF and doesn't
1056	// fragment for me sometimes.	98	// fragment for me sometimes.
1057	{	99	{
1058	int oval = IP_PMTUDISC_DONT;	100	int oval = IP_PMTUDISC_DONT;
1059	setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);	101	setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1060	}	102	}
1061	#endif	103	#endif
1062	{	104
		105	// standard daemon practise...
		106	{
1063	int oval = 1;	107	int oval = 1;
1064	setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);	108	setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
		109	}
		110
		111	udpv4_ev_watcher.start (udpv4_fd, POLLIN);
1065	}	112	}
		113
		114	ipv4_fd = -1;
		115	if (THISNODE->protocols & PROT_IPv4)
		116	{
		117	ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
		118
		119	if (ipv4_fd < 0)
		120	return -1;
		121
		122	if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
		123	{
		124	slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
		125	exit (1);
		126	}
		127
		128	#ifdef IP_MTU_DISCOVER
		129	// this I really consider a linux bug. I am neither connected
		130	// nor do I fragment myself. Linux still sets DF and doesn't
		131	// fragment for me sometimes.
		132	{
		133	int oval = IP_PMTUDISC_DONT;
		134	setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
		135	}
		136	#endif
		137
		138	ipv4_ev_watcher.start (ipv4_fd, POLLIN);
		139	}
1066		140
1067	tap = new tap_device ();	141	tap = new tap_device ();
1068	if (!tap) //D this, of course, never catches	142	if (!tap) //D this, of course, never catches
1069	{	143	{
1070	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);	144	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1071	exit (1);	145	exit (1);
1072	}	146	}
1073		147
1074	run_script (this, &vpn::script_if_up, true);	148	run_script (run_script_cb (this, &vpn::script_if_up), true);
		149
		150	tap_ev_watcher.start (tap->fd, POLLIN);
		151
		152	reconnect_all ();
1075		153
1076	return 0;	154	return 0;
1077	}	155	}
1078		156
1079	void	157	void
1080	vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa)	158	vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1081	{	159	{
1082	sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa));	160	setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
		161	sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
		162	}
		163
		164	void
		165	vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
		166	{
		167	setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
		168	sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
		169	}
		170
		171	void
		172	vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
		173	{
		174	unsigned int src = pkt->src ();
		175	unsigned int dst = pkt->dst ();
		176
		177	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
		178	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
		179
		180	if (src == 0 || src > conns.size ()
		181	|| dst > conns.size ()
		182	|| pkt->typ () >= vpn_packet::PT_MAX)
		183	slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)"),
		184	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
		185	else
		186	{
		187	connection *c = conns[src - 1];
		188
		189	if (dst == 0 && !THISNODE->routerprio)
		190	slog (L_WARN, _("%s(%s): received broadcast, but we are no router"),
		191	c->conf->nodename, (const char *)rsi);
		192	else if (dst != 0 && dst != THISNODE->id)
		193	// FORWARDING NEEDED ;)
		194	slog (L_WARN,
		195	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
		196	dst, conns[dst - 1]->conf->nodename,
		197	(const char *)rsi,
		198	THISNODE->id, THISNODE->nodename);
		199	else
		200	c->recv_vpn_packet (pkt, rsi);
		201	}
		202	}
		203
		204	void
		205	vpn::udpv4_ev (short revents)
		206	{
		207	if (revents & (POLLIN | POLLERR))
		208	{
		209	vpn_packet *pkt = new vpn_packet;
		210	struct sockaddr_in sa;
		211	socklen_t sa_len = sizeof (sa);
		212	int len;
		213
		214	len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
		215
		216	sockinfo si(sa);
		217
		218	if (len > 0)
		219	{
		220	pkt->len = len;
		221
		222	recv_vpn_packet (pkt, si);
		223	}
		224	else
		225	{
		226	// probably ECONNRESET or somesuch
		227	slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
		228	}
		229
		230	delete pkt;
		231	}
		232	else if (revents & POLLHUP)
		233	{
		234	// this cannot ;) happen on udp sockets
		235	slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
		236	exit (1);
		237	}
		238	else
		239	{
		240	slog (L_ERR,
		241	_("FATAL: unknown revents %08x in socket, terminating\n"),
		242	revents);
		243	exit (1);
		244	}
		245	}
		246
		247	void
		248	vpn::ipv4_ev (short revents)
		249	{
		250	if (revents & (POLLIN | POLLERR))
		251	{
		252	vpn_packet *pkt = new vpn_packet;
		253	struct sockaddr_in sa;
		254	socklen_t sa_len = sizeof (sa);
		255	int len;
		256
		257	len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
		258
		259	sockinfo si(sa, PROT_IPv4);
		260
		261	if (len > 0)
		262	{
		263	pkt->len = len;
		264
		265	// raw sockets deliver the ipv4, but don't expect it on sends
		266	// this is slow, but...
		267	pkt->skip_hdr (IP_OVERHEAD);
		268
		269	recv_vpn_packet (pkt, si);
		270	}
		271	else
		272	{
		273	// probably ECONNRESET or somesuch
		274	slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
		275	}
		276
		277	delete pkt;
		278	}
		279	else if (revents & POLLHUP)
		280	{
		281	// this cannot ;) happen on udp sockets
		282	slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
		283	exit (1);
		284	}
		285	else
		286	{
		287	slog (L_ERR,
		288	_("FATAL: unknown revents %08x in socket, terminating\n"),
		289	revents);
		290	exit (1);
		291	}
		292	}
		293
		294	void
		295	vpn::tap_ev (short revents)
		296	{
		297	if (revents & POLLIN)
		298	{
		299	/* process data */
		300	tap_packet *pkt;
		301
		302	pkt = tap->recv ();
		303
		304	int dst = mac2id (pkt->dst);
		305	int src = mac2id (pkt->src);
		306
		307	if (src != THISNODE->id)
		308	{
		309	slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
		310	exit (1);
		311	}
		312
		313	if (dst == THISNODE->id)
		314	{
		315	slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
		316	exit (1);
		317	}
		318
		319	if (dst > conns.size ())
		320	slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
		321	else
		322	{
		323	if (dst)
		324	{
		325	// unicast
		326	if (dst != THISNODE->id)
		327	conns[dst - 1]->inject_data_packet (pkt);
		328	}
		329	else
		330	{
		331	// broadcast, first check router, then self, then english
		332	connection *router = find_router ();
		333
		334	if (router)
		335	router->inject_data_packet (pkt, true);
		336	else
		337	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
		338	if ((*c)->conf != THISNODE)
		339	(*c)->inject_data_packet (pkt);
		340	}
		341	}
		342
		343	delete pkt;
		344	}
		345	else if (revents & (POLLHUP | POLLERR))
		346	{
		347	slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
		348	exit (1);
		349	}
		350	else
		351	abort ();
		352	}
		353
		354	void
		355	vpn::event_cb (tstamp &ts)
		356	{
		357	if (events)
		358	{
		359	if (events & EVENT_SHUTDOWN)
		360	{
		361	slog (L_INFO, _("preparing shutdown..."));
		362
		363	shutdown_all ();
		364
		365	remove_pid (pidfilename);
		366
		367	slog (L_INFO, _("terminating"));
		368
		369	exit (0);
		370	}
		371
		372	if (events & EVENT_RECONNECT)
		373	{
		374	slog (L_INFO, _("forced reconnect"));
		375
		376	reconnect_all ();
		377	}
		378
		379	events = 0;
		380	}
		381
		382	ts = TSTAMP_CANCEL;
1083	}	383	}
1084		384
1085	void	385	void
1086	vpn::shutdown_all ()	386	vpn::shutdown_all ()
1087	{	387	{
…		…
1095	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	395	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1096	delete *c;	396	delete *c;
1097		397
1098	conns.clear ();	398	conns.clear ();
1099		399
		400	connection_init ();
		401
1100	for (configuration::node_vector::iterator i = conf.nodes.begin ();	402	for (configuration::node_vector::iterator i = conf.nodes.begin ();
1101	i != conf.nodes.end (); ++i)	403	i != conf.nodes.end (); ++i)
1102	{	404	{
1103	connection *conn = new connection (this);	405	connection *conn = new connection (this);
1104		406
1105	conn->conf = *i;	407	conn->conf = *i;
1106	conns.push_back (conn);	408	conns.push_back (conn);
1107		409
1108	if (conn->conf->connectmode == conf_node::C_ALWAYS)
1109	conn->establish_connection ();	410	conn->establish_connection ();
1110	}	411	}
1111	}	412	}
1112		413
1113	connection *vpn::find_router ()	414	connection *vpn::find_router ()
1114	{	415	{
…		…
1118	for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)	419	for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1119	{	420	{
1120	connection *c = *i;	421	connection *c = *i;
1121		422
1122	if (c->conf->routerprio > prio	423	if (c->conf->routerprio > prio
1123	&& c->conf->connectmode == conf_node::C_ALWAYS	424	&& c->connectmode == conf_node::C_ALWAYS
1124	&& c->conf != THISNODE	425	&& c->conf != THISNODE
1125	&& c->ictx && c->octx)	426	&& c->ictx && c->octx)
1126	{	427	{
1127	prio = c->conf->routerprio;	428	prio = c->conf->routerprio;
1128	router = c;	429	router = c;
…		…
1136	{	437	{
1137	connection *c = find_router ();	438	connection *c = find_router ();
1138		439
1139	if (c)	440	if (c)
1140	c->connect_request (id);	441	c->connect_request (id);
		442	//else // does not work, because all others must connect to the same router
		443	// // no router found, aggressively connect to all routers
		444	// for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
		445	// if ((*i)->conf->routerprio)
		446	// (*i)->establish_connection ();
1141	}	447	}
1142		448
1143	void	449	void
1144	vpn::main_loop ()	450	connection::dump_status ()
1145	{	451	{
1146	struct pollfd pollfd[2];	452	slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
		453	slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
		454	connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
		455	slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
		456	(long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
		457	slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
		458	(long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
		459	}
1147		460
1148	pollfd[0].fd = tap->fd;	461	void
1149	pollfd[0].events = POLLIN;	462	vpn::dump_status ()
1150	pollfd[1].fd = socket_fd;	463	{
1151	pollfd[1].events = POLLIN;	464	slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
1152		465
1153	events = 0;
1154	now = time (0);
1155	next_timecheck = now + 1;
1156
1157	reconnect_all ();
1158
1159	for (;;)
1160	{
1161	int npoll = poll (pollfd, 2, (next_timecheck - now) * 1000);
1162
1163	now = time (0);
1164
1165	if (npoll > 0)
1166	{
1167	if (pollfd[1].revents)
1168	{
1169	if (pollfd[1].revents & (POLLIN | POLLERR))
1170	{
1171	vpn_packet *pkt = new vpn_packet;
1172	struct sockaddr_in sa;
1173	socklen_t sa_len = sizeof (sa);
1174	int len;
1175
1176	len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1177
1178	if (len > 0)
1179	{
1180	pkt->len = len;
1181
1182	unsigned int src = pkt->src ();
1183	unsigned int dst = pkt->dst ();
1184
1185	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1186	(const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1187
1188	if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1189	slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1190	pkt->typ (), pkt->src (), pkt->dst ());
1191	else if (dst == 0 && !THISNODE->routerprio)
1192	slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1193	else if (dst != 0 && dst != THISNODE->id)
1194	slog (L_WARN,
1195	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1196	dst, conns[dst - 1]->conf->nodename,
1197	(const char *)sockinfo (sa),
1198	THISNODE->id, THISNODE->nodename);
1199	else if (src == 0 || src > conns.size ())
1200	slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1201	else
1202	conns[src - 1]->recv_vpn_packet (pkt, &sa);
1203	}
1204	else
1205	{
1206	// probably ECONNRESET or somesuch
1207	slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno));
1208	}
1209
1210	delete pkt;
1211	}
1212	else if (pollfd[1].revents & POLLHUP)
1213	{
1214	// this cannot ;) happen on udp sockets
1215	slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating."));
1216	exit (1);
1217	}
1218	else
1219	{
1220	slog (L_ERR,
1221	_("FATAL: unknown revents %08x in socket, terminating\n"),
1222	pollfd[1].revents);
1223	exit (1);
1224	}
1225	}
1226
1227	// I use else here to give vpn_packets absolute priority
1228	else if (pollfd[0].revents)
1229	{
1230	if (pollfd[0].revents & POLLIN)
1231	{
1232	/* process data */
1233	tap_packet *pkt;
1234
1235	pkt = tap->recv ();
1236
1237	int dst = mac2id (pkt->dst);
1238	int src = mac2id (pkt->src);
1239
1240	if (src != THISNODE->id)
1241	{
1242	slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1243	exit (1);
1244	}
1245
1246	if (dst == THISNODE->id)
1247	{
1248	slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1249	exit (1);
1250	}
1251
1252	if (dst > conns.size ())
1253	slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1254	else
1255	{
1256	if (dst)
1257	{
1258	// unicast
1259	if (dst != THISNODE->id)
1260	conns[dst - 1]->inject_data_packet (pkt);
1261	}
1262	else
1263	{
1264	// broadcast, first check router, then self, then english
1265	connection *router = find_router ();
1266
1267	if (router)
1268	router->inject_data_packet (pkt, true);
1269	else
1270	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	466	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1271	if ((*c)->conf != THISNODE)	467	(*c)->dump_status ();
1272	(*c)->inject_data_packet (pkt);
1273	}
1274	}
1275		468
1276	delete pkt;	469	slog (L_NOTICE, _("END status dump"));
1277	}	470	}
1278	else if (pollfd[0].revents & (POLLHUP | POLLERR))
1279	{
1280	slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
1281	exit (1);
1282	}
1283	else
1284	abort ();
1285	}
1286	}
1287		471
1288	if (events)	472	vpn::vpn (void)
1289	{	473	: udpv4_ev_watcher(this, &vpn::udpv4_ev)
1290	if (events & EVENT_SHUTDOWN)	474	, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1291	{	475	, tap_ev_watcher(this, &vpn::tap_ev)
1292	shutdown_all ();	476	, event(this, &vpn::event_cb)
1293		477	{
1294	remove_pid (pidfilename);
1295
1296	slog (L_INFO, _("vped terminating"));
1297
1298	exit (0);
1299	}
1300
1301	if (events & EVENT_RECONNECT)
1302	reconnect_all ();
1303
1304	events = 0;
1305	}
1306
1307	// very very very dumb and crude and inefficient timer handling, or maybe not?
1308	if (now >= next_timecheck)
1309	{
1310	next_timecheck = now + TIMER_GRANULARITY;
1311
1312	for (conns_vector::iterator c = conns.begin ();
1313	c != conns.end (); ++c)
1314	(*c)->timer ();
1315	}
1316	}
1317	}	478	}
1318		479
1319	vpn::~vpn ()	480	vpn::~vpn ()
1320	{}	481	{
		482	}
1321		483

Diff Legend

–	Removed lines
+	Added lines
<	Changed lines
>	Changed lines