ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/protocol.C
(Generate patch)

Comparing gvpe/src/protocol.C (file contents):
Revision 1.9 by pcg, Fri Mar 21 23:17:01 2003 UTC vs.
Revision 1.21 by pcg, Fri Mar 28 04:05:10 2003 UTC

16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17*/ 17*/
18 18
19#include "config.h" 19#include "config.h"
20 20
21#include <list>
22
21#include <cstdlib> 23#include <cstdlib>
22#include <cstring> 24#include <cstring>
23#include <cstdio> 25#include <cstdio>
24 26
25#include <sys/types.h> 27#include <sys/types.h>
56 58
57static time_t next_timecheck; 59static time_t next_timecheck;
58 60
59#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
60 62
61static const rsachallenge & 63static u8
62challenge_bytes () 64best_protocol (u8 protset)
63{ 65{
64 static rsachallenge challenge; 66 if (protset & PROT_IPv4)
65 static double challenge_ttl; // time this challenge needs to be recreated 67 return PROT_IPv4;
66 68
67 if (NOW > challenge_ttl) 69 return PROT_UDPv4;
68 {
69 RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));
70 challenge_ttl = NOW + CHALLENGE_TTL;
71 }
72
73 return challenge;
74}
75
76// run a script. yes, it's a template function. yes, c++
77// is not a functional language. yes, this suxx.
78template<class owner>
79static void
80run_script (owner *obj, const char *(owner::*setup)(), bool wait)
81{
82 int pid;
83
84 if ((pid = fork ()) == 0)
85 {
86 char *filename;
87 asprintf (&filename, "%s/%s", confbase, (obj->*setup) ());
88 execl (filename, filename, (char *) 0);
89 exit (255);
90 }
91 else if (pid > 0)
92 {
93 if (wait)
94 {
95 waitpid (pid, 0, 0);
96 /* TODO: check status */
97 }
98 }
99}
100
101// xor the socket address into the challenge to ensure different challenges
102// per host. we could rely on the OAEP padding, but this doesn't hurt.
103void
104xor_sa (rsachallenge &k, SOCKADDR *sa)
105{
106 ((u32 *) k)[(CHG_CIPHER_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
107 ((u16 *) k)[(CHG_CIPHER_KEY + 4) / 2] ^= sa->sin_port;
108 ((u32 *) k)[(CHG_HMAC_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
109 ((u16 *) k)[(CHG_HMAC_KEY + 4) / 2] ^= sa->sin_port;
110} 70}
111 71
112struct crypto_ctx 72struct crypto_ctx
113 { 73 {
114 EVP_CIPHER_CTX cctx; 74 EVP_CIPHER_CTX cctx;
115 HMAC_CTX hctx; 75 HMAC_CTX hctx;
116 76
117 crypto_ctx (rsachallenge &challenge, int enc); 77 crypto_ctx (const rsachallenge &challenge, int enc);
118 ~crypto_ctx (); 78 ~crypto_ctx ();
119 }; 79 };
120 80
121crypto_ctx::crypto_ctx (rsachallenge &challenge, int enc) 81crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
122{ 82{
123 EVP_CIPHER_CTX_init (&cctx); 83 EVP_CIPHER_CTX_init (&cctx);
124 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); 84 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
125 HMAC_CTX_init (&hctx); 85 HMAC_CTX_init (&hctx);
126 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0); 86 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
130{ 90{
131 EVP_CIPHER_CTX_cleanup (&cctx); 91 EVP_CIPHER_CTX_cleanup (&cctx);
132 HMAC_CTX_cleanup (&hctx); 92 HMAC_CTX_cleanup (&hctx);
133} 93}
134 94
95static void
96rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
97{
98 EVP_MD_CTX ctx;
99
100 EVP_MD_CTX_init (&ctx);
101 EVP_DigestInit (&ctx, RSA_HASH);
102 EVP_DigestUpdate(&ctx, &chg, sizeof chg);
103 EVP_DigestUpdate(&ctx, &id, sizeof id);
104 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
105 EVP_MD_CTX_cleanup (&ctx);
106}
107
108struct rsa_entry {
109 tstamp expire;
110 rsaid id;
111 rsachallenge chg;
112};
113
114struct rsa_cache : list<rsa_entry>
115{
116 void cleaner_cb (tstamp &ts); time_watcher cleaner;
117
118 bool find (const rsaid &id, rsachallenge &chg)
119 {
120 for (iterator i = begin (); i != end (); ++i)
121 {
122 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
123 {
124 memcpy (&chg, &i->chg, sizeof chg);
125
126 erase (i);
127 return true;
128 }
129 }
130
131 if (cleaner.at < NOW)
132 cleaner.start (NOW + RSA_TTL);
133
134 return false;
135 }
136
137 void gen (rsaid &id, rsachallenge &chg)
138 {
139 rsa_entry e;
140
141 RAND_bytes ((unsigned char *)&id, sizeof id);
142 RAND_bytes ((unsigned char *)&chg, sizeof chg);
143
144 e.expire = NOW + RSA_TTL;
145 e.id = id;
146 memcpy (&e.chg, &chg, sizeof chg);
147
148 push_back (e);
149
150 if (cleaner.at < NOW)
151 cleaner.start (NOW + RSA_TTL);
152 }
153
154 rsa_cache ()
155 : cleaner (this, &rsa_cache::cleaner_cb)
156 { }
157
158} rsa_cache;
159
160void rsa_cache::cleaner_cb (tstamp &ts)
161{
162 if (empty ())
163 ts = TSTAMP_CANCEL;
164 else
165 {
166 ts = NOW + RSA_TTL;
167
168 for (iterator i = begin (); i != end (); )
169 if (i->expire <= NOW)
170 i = erase (i);
171 else
172 ++i;
173 }
174}
175
176typedef callback<const char *, int> run_script_cb;
177
178// run a shell script (or actually an external program).
179static void
180run_script (const run_script_cb &cb, bool wait)
181{
182 int pid;
183
184 if ((pid = fork ()) == 0)
185 {
186 char *filename;
187 asprintf (&filename, "%s/%s", confbase, cb(0));
188 execl (filename, filename, (char *) 0);
189 exit (255);
190 }
191 else if (pid > 0)
192 {
193 if (wait)
194 {
195 waitpid (pid, 0, 0);
196 /* TODO: check status */
197 }
198 }
199}
200
135////////////////////////////////////////////////////////////////////////////// 201//////////////////////////////////////////////////////////////////////////////
136 202
137void pkt_queue::put (tap_packet *p) 203void pkt_queue::put (tap_packet *p)
138{ 204{
139 if (queue[i]) 205 if (queue[i])
171{ 237{
172 for (i = QUEUEDEPTH; --i > 0; ) 238 for (i = QUEUEDEPTH; --i > 0; )
173 delete queue[i]; 239 delete queue[i];
174} 240}
175 241
242struct net_rateinfo {
243 u32 host;
244 double pcnt, diff;
245 tstamp last;
246};
247
176// only do action once every x seconds per host. 248// only do action once every x seconds per host whole allowing bursts.
177// currently this is quite a slow implementation, 249// this implementation ("splay list" ;) is inefficient,
178// but suffices for normal operation. 250// but low on resources.
179struct u32_rate_limiter : private map<u32, tstamp> 251struct net_rate_limiter : list<net_rateinfo>
180 { 252{
181 tstamp every; 253 static const double ALPHA = 1. - 1. / 90.; // allow bursts
254 static const double CUTOFF = 20.; // one event every CUTOFF seconds
255 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
182 256
257 bool can (const sockinfo &si) { return can((u32)si.host); }
183 bool can (u32 host); 258 bool can (u32 host);
184
185 u32_rate_limiter (tstamp every = 1)
186 {
187 this->every = every;
188 }
189 }; 259};
190 260
191struct net_rate_limiter : u32_rate_limiter 261net_rate_limiter auth_rate_limiter, reset_rate_limiter;
192 {
193 bool can (SOCKADDR *sa) { return u32_rate_limiter::can((u32)sa->sin_addr.s_addr); }
194 bool can (sockinfo &si) { return u32_rate_limiter::can((u32)si.host); }
195 262
196 net_rate_limiter (tstamp every) : u32_rate_limiter (every) {}
197 };
198
199bool u32_rate_limiter::can (u32 host) 263bool net_rate_limiter::can (u32 host)
200{ 264{
201 iterator i; 265 iterator i;
202 266
203 for (i = begin (); i != end (); ) 267 for (i = begin (); i != end (); )
204 if (i->second <= NOW) 268 if (i->host == host)
205 { 269 break;
270 else if (i->last < NOW - EXPIRE)
206 erase (i); 271 i = erase (i);
207 i = begin ();
208 }
209 else 272 else
210 ++i; 273 i++;
211 274
212 i = find (host);
213
214 if (i != end ()) 275 if (i == end ())
215 return false; 276 {
277 net_rateinfo ri;
216 278
217 insert (value_type (host, NOW + every)); 279 ri.host = host;
280 ri.pcnt = 1.;
281 ri.diff = CUTOFF * (1. / (1. - ALPHA));
282 ri.last = NOW;
218 283
284 push_front (ri);
285
219 return true; 286 return true;
287 }
288 else
289 {
290 net_rateinfo ri (*i);
291 erase (i);
292
293 ri.pcnt = ri.pcnt * ALPHA;
294 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
295
296 ri.last = NOW;
297
298 bool send = ri.diff / ri.pcnt > CUTOFF;
299
300 if (send)
301 ri.pcnt++;
302
303 push_front (ri);
304
305 return send;
306 }
220} 307}
221 308
222///////////////////////////////////////////////////////////////////////////// 309/////////////////////////////////////////////////////////////////////////////
223 310
224static void next_wakeup (time_t next) 311static void next_wakeup (time_t next)
228} 315}
229 316
230static unsigned char hmac_digest[EVP_MAX_MD_SIZE]; 317static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
231 318
232struct hmac_packet:net_packet 319struct hmac_packet:net_packet
320{
321 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
322
323 void hmac_set (crypto_ctx * ctx);
324 bool hmac_chk (crypto_ctx * ctx);
325
326private:
327 void hmac_gen (crypto_ctx * ctx)
233 { 328 {
234 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
235
236 void hmac_set (crypto_ctx * ctx);
237 bool hmac_chk (crypto_ctx * ctx);
238
239private:
240 void hmac_gen (crypto_ctx * ctx)
241 {
242 unsigned int xlen; 329 unsigned int xlen;
243 HMAC_CTX *hctx = &ctx->hctx; 330 HMAC_CTX *hctx = &ctx->hctx;
244 331
245 HMAC_Init_ex (hctx, 0, 0, 0, 0); 332 HMAC_Init_ex (hctx, 0, 0, 0, 0);
246 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), 333 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
247 len - sizeof (hmac_packet)); 334 len - sizeof (hmac_packet));
248 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen); 335 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
249 }
250 }; 336 }
337};
251 338
252void 339void
253hmac_packet::hmac_set (crypto_ctx * ctx) 340hmac_packet::hmac_set (crypto_ctx * ctx)
254{ 341{
255 hmac_gen (ctx); 342 hmac_gen (ctx);
271 { 358 {
272 PT_RESET = 0, 359 PT_RESET = 0,
273 PT_DATA_UNCOMPRESSED, 360 PT_DATA_UNCOMPRESSED,
274 PT_DATA_COMPRESSED, 361 PT_DATA_COMPRESSED,
275 PT_PING, PT_PONG, // wasting namespace space? ;) 362 PT_PING, PT_PONG, // wasting namespace space? ;)
276 PT_AUTH, // authentification 363 PT_AUTH_REQ, // authentification request
364 PT_AUTH_RES, // authentification response
277 PT_CONNECT_REQ, // want other host to contact me 365 PT_CONNECT_REQ, // want other host to contact me
278 PT_CONNECT_INFO, // request connection to some node 366 PT_CONNECT_INFO, // request connection to some node
279 PT_REKEY, // rekeying (not yet implemented)
280 PT_MAX 367 PT_MAX
281 }; 368 };
282 369
283 u8 type; 370 u8 type;
284 u8 srcdst, src1, dst1; 371 u8 srcdst, src1, dst1;
285 372
286 void set_hdr (ptype type, unsigned int dst); 373 void set_hdr (ptype type, unsigned int dst);
287 374
288 unsigned int src () 375 unsigned int src () const
289 { 376 {
290 return src1 | ((srcdst >> 4) << 8); 377 return src1 | ((srcdst >> 4) << 8);
291 } 378 }
292 379
293 unsigned int dst () 380 unsigned int dst () const
294 { 381 {
295 return dst1 | ((srcdst & 0xf) << 8); 382 return dst1 | ((srcdst & 0xf) << 8);
296 } 383 }
297 384
298 ptype typ () 385 ptype typ () const
299 { 386 {
300 return (ptype) type; 387 return (ptype) type;
301 } 388 }
302 }; 389 };
303 390
352 } 439 }
353#endif 440#endif
354 441
355 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 442 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
356 443
444 struct {
357#if RAND_SIZE 445#if RAND_SIZE
358 struct {
359 u8 rnd[RAND_SIZE]; 446 u8 rnd[RAND_SIZE];
447#endif
360 u32 seqno; 448 u32 seqno;
361 } datahdr; 449 } datahdr;
362 450
363 datahdr.seqno = seqno; 451 datahdr.seqno = ntohl (seqno);
452#if RAND_SIZE
364 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 453 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
454#endif
365 455
366 EVP_EncryptUpdate (cctx, 456 EVP_EncryptUpdate (cctx,
367 (unsigned char *) data + outl, &outl2, 457 (unsigned char *) data + outl, &outl2,
368 (unsigned char *) &datahdr, DATAHDR); 458 (unsigned char *) &datahdr, DATAHDR);
369 outl += outl2; 459 outl += outl2;
370#else
371 EVP_EncryptUpdate (cctx,
372 (unsigned char *) data + outl, &outl2,
373 (unsigned char *) &seqno, DATAHDR);
374 outl += outl2;
375#endif
376 460
377 EVP_EncryptUpdate (cctx, 461 EVP_EncryptUpdate (cctx,
378 (unsigned char *) data + outl, &outl2, 462 (unsigned char *) data + outl, &outl2,
379 (unsigned char *) d, l); 463 (unsigned char *) d, l);
380 outl += outl2; 464 outl += outl2;
416 outl += outl2; 500 outl += outl2;
417 501
418 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 502 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
419 outl += outl2; 503 outl += outl2;
420 504
421 seqno = *(u32 *)(d + RAND_SIZE); 505 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
422 506
423 id2mac (dst () ? dst() : THISNODE->id, p->dst); 507 id2mac (dst () ? dst() : THISNODE->id, p->dst);
424 id2mac (src (), p->src); 508 id2mac (src (), p->src);
425 509
426#if ENABLE_COMPRESSION 510#if ENABLE_COMPRESSION
427 if (type == PT_DATA_COMPRESSED) 511 if (type == PT_DATA_COMPRESSED)
428 { 512 {
429 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1]; 513 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
514
430 p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6; 515 p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
516 &(*p)[6 + 6], MAX_MTU)
517 + 6 + 6;
431 } 518 }
432 else 519 else
433 p->len = outl + (6 + 6 - DATAHDR); 520 p->len = outl + (6 + 6 - DATAHDR);
434#endif 521#endif
435 522
436 return p; 523 return p;
437} 524}
438 525
439struct ping_packet : vpn_packet 526struct ping_packet : vpn_packet
527{
528 void setup (int dst, ptype type)
440 { 529 {
441 void setup (int dst, ptype type)
442 {
443 set_hdr (type, dst); 530 set_hdr (type, dst);
444 len = sizeof (*this) - sizeof (net_packet); 531 len = sizeof (*this) - sizeof (net_packet);
445 }
446 }; 532 }
533};
447 534
448struct config_packet : vpn_packet 535struct config_packet : vpn_packet
536{
537 // actually, hmaclen cannot be checked because the hmac
538 // field comes before this data, so peers with other
539 // hmacs simply will not work.
540 u8 prot_major, prot_minor, randsize, hmaclen;
541 u8 flags, challengelen, pad2, pad3;
542 u32 cipher_nid, digest_nid, hmac_nid;
543
544 const u8 curflags () const
449 { 545 {
450 // actually, hmaclen cannot be checked because the hmac
451 // field comes before this data, so peers with other
452 // hmacs simply will not work.
453 u8 prot_major, prot_minor, randsize, hmaclen;
454 u8 flags, challengelen, pad2, pad3;
455 u32 cipher_nid;
456 u32 digest_nid;
457
458 const u8 curflags () const
459 {
460 return 0x80 546 return 0x80
461 | 0x02
462#if PROTOCOL_MAJOR != 2
463#error hi
464#endif
465 | (ENABLE_COMPRESSION ? 0x01 : 0x00); 547 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
466 } 548 }
467 549
468 void setup (ptype type, int dst) 550 void setup (ptype type, int dst);
469 { 551 bool chk_config () const;
552};
553
554void config_packet::setup (ptype type, int dst)
555{
470 prot_major = PROTOCOL_MAJOR; 556 prot_major = PROTOCOL_MAJOR;
471 prot_minor = PROTOCOL_MINOR; 557 prot_minor = PROTOCOL_MINOR;
472 randsize = RAND_SIZE; 558 randsize = RAND_SIZE;
473 hmaclen = HMACLENGTH; 559 hmaclen = HMACLENGTH;
474 flags = curflags (); 560 flags = curflags ();
475 challengelen = sizeof (rsachallenge); 561 challengelen = sizeof (rsachallenge);
476 562
477 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 563 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
478 digest_nid = htonl (EVP_MD_type (DIGEST)); 564 digest_nid = htonl (EVP_MD_type (RSA_HASH));
565 hmac_nid = htonl (EVP_MD_type (DIGEST));
479 566
480 len = sizeof (*this) - sizeof (net_packet); 567 len = sizeof (*this) - sizeof (net_packet);
481 set_hdr (type, dst); 568 set_hdr (type, dst);
482 } 569}
483 570
484 bool chk_config () 571bool config_packet::chk_config () const
485 { 572{
486 return prot_major == PROTOCOL_MAJOR 573 return prot_major == PROTOCOL_MAJOR
487 && randsize == RAND_SIZE 574 && randsize == RAND_SIZE
488 && hmaclen == HMACLENGTH 575 && hmaclen == HMACLENGTH
489 && flags == curflags () 576 && flags == curflags ()
490 && challengelen == sizeof (rsachallenge) 577 && challengelen == sizeof (rsachallenge)
491 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 578 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
579 && digest_nid == htonl (EVP_MD_type (RSA_HASH))
492 && digest_nid == htonl (EVP_MD_type (DIGEST)); 580 && hmac_nid == htonl (EVP_MD_type (DIGEST));
493 } 581}
494 };
495 582
496struct auth_packet : config_packet 583struct auth_req_packet : config_packet
584{
585 char magic[8];
586 u8 initiate, can_recv; // false if this is just an automatic reply
587 u8 pad2, pad3;
588 rsaid id;
589 rsaencrdata encr;
590
591 auth_req_packet (int dst, bool initiate_, u8 can_recv_)
497 { 592 {
498 char magic[8];
499 u8 subtype;
500 u8 pad1, pad2;
501 rsaencrdata challenge;
502
503 auth_packet (int dst, auth_subtype stype)
504 {
505 config_packet::setup (PT_AUTH, dst); 593 config_packet::setup (PT_AUTH_REQ, dst);
506 subtype = stype; 594 strncpy (magic, MAGIC, 8);
595 initiate = !!initiate_;
596 can_recv = can_recv_;
597
507 len = sizeof (*this) - sizeof (net_packet); 598 len = sizeof (*this) - sizeof (net_packet);
508 strncpy (magic, MAGIC, 8);
509 }
510 }; 599 }
600};
601
602struct auth_res_packet : config_packet
603{
604 rsaid id;
605 u8 pad1, pad2, pad3;
606 u8 response_len; // encrypted length
607 rsaresponse response;
608
609 auth_res_packet (int dst)
610 {
611 config_packet::setup (PT_AUTH_RES, dst);
612
613 len = sizeof (*this) - sizeof (net_packet);
614 }
615};
511 616
512struct connect_req_packet : vpn_packet 617struct connect_req_packet : vpn_packet
618{
619 u8 id;
620 u8 pad1, pad2, pad3;
621
622 connect_req_packet (int dst, int id_)
513 { 623 {
514 u8 id; 624 id = id_;
515 u8 pad1, pad2, pad3;
516
517 connect_req_packet (int dst, int id)
518 {
519 this->id = id;
520 set_hdr (PT_CONNECT_REQ, dst); 625 set_hdr (PT_CONNECT_REQ, dst);
521 len = sizeof (*this) - sizeof (net_packet); 626 len = sizeof (*this) - sizeof (net_packet);
522 }
523 }; 627 }
628};
524 629
525struct connect_info_packet : vpn_packet 630struct connect_info_packet : vpn_packet
631{
632 u8 id, can_recv;
633 u8 pad1, pad2;
634 sockinfo si;
635
636 connect_info_packet (int dst, int id_, sockinfo &si_, u8 can_recv_)
526 { 637 {
527 u8 id; 638 id = id_;
528 u8 pad1, pad2, pad3; 639 can_recv = can_recv_;
529 sockinfo si; 640 si = si_;
530
531 connect_info_packet (int dst, int id, sockinfo &si)
532 {
533 this->id = id;
534 this->si = si;
535 set_hdr (PT_CONNECT_INFO, dst); 641 set_hdr (PT_CONNECT_INFO, dst);
642
536 len = sizeof (*this) - sizeof (net_packet); 643 len = sizeof (*this) - sizeof (net_packet);
537 }
538 }; 644 }
645};
539 646
540///////////////////////////////////////////////////////////////////////////// 647/////////////////////////////////////////////////////////////////////////////
541 648
542void 649void
543fill_sa (SOCKADDR *sa, conf_node *conf)
544{
545 sa->sin_family = AF_INET;
546 sa->sin_port = htons (conf->port);
547 sa->sin_addr.s_addr = 0;
548
549 if (conf->hostname)
550 {
551 struct hostent *he = gethostbyname (conf->hostname);
552
553 if (he
554 && he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
555 {
556 //sa->sin_family = he->h_addrtype;
557 memcpy (&sa->sin_addr, he->h_addr_list[0], 4);
558 }
559 else
560 slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
561 }
562}
563
564void
565connection::reset_dstaddr () 650connection::reset_dstaddr ()
566{ 651{
567 fill_sa (&sa, conf); 652 si.set (conf);
568} 653}
569 654
570void 655void
571connection::send_ping (SOCKADDR *dsa, u8 pong) 656connection::send_ping (const sockinfo &si, u8 pong)
572{ 657{
573 ping_packet *pkt = new ping_packet; 658 ping_packet *pkt = new ping_packet;
574 659
575 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 660 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
576 vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY); 661 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
577 662
578 delete pkt; 663 delete pkt;
579} 664}
580 665
581void 666void
582connection::send_reset (SOCKADDR *dsa) 667connection::send_reset (const sockinfo &si)
583{ 668{
584 static net_rate_limiter limiter(1); 669 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
585
586 if (limiter.can (dsa))
587 { 670 {
588 config_packet *pkt = new config_packet; 671 config_packet *pkt = new config_packet;
589 672
590 pkt->setup (vpn_packet::PT_RESET, conf->id); 673 pkt->setup (vpn_packet::PT_RESET, conf->id);
591 vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST); 674 send_vpn_packet (pkt, si, IPTOS_MINCOST);
592 675
593 delete pkt; 676 delete pkt;
594 } 677 }
595} 678}
596 679
597static rsachallenge *
598gen_challenge (SOCKADDR *sa)
599{
600 static rsachallenge k;
601
602 memcpy (&k, &challenge_bytes (), sizeof (k));
603 RAND_bytes ((unsigned char *)&k[CHG_SEQNO], sizeof (u32));
604 xor_sa (k, sa);
605
606 return &k;
607}
608
609void 680void
610connection::send_auth (auth_subtype subtype, SOCKADDR *sa, rsachallenge *k) 681connection::send_auth_request (const sockinfo &si, bool initiate)
611{ 682{
612 static net_rate_limiter limiter(2); 683 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->can_recv);
613 684
614 if (subtype != AUTH_INIT || limiter.can (sa)) 685 // the next line is very conservative
615 { 686 prot_send = best_protocol (THISNODE->can_send & THISNODE->can_recv & conf->can_recv);
616 auth_packet *pkt = new auth_packet (conf->id, subtype);
617 687
618 if (!k) 688 rsachallenge chg;
619 k = gen_challenge (sa);
620 689
690 rsa_cache.gen (pkt->id, chg);
691
621 if (0 > RSA_public_encrypt (sizeof (*k), 692 if (0 > RSA_public_encrypt (sizeof chg,
622 (unsigned char *)k, (unsigned char *)&pkt->challenge, 693 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
623 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 694 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
624 fatal ("RSA_public_encrypt error"); 695 fatal ("RSA_public_encrypt error");
625 696
626 slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa)); 697 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
627 698
628 vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); 699 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
629 700
630 delete pkt; 701 delete pkt;
631 } 702}
703
704void
705connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
706{
707 auth_res_packet *pkt = new auth_res_packet (conf->id);
708
709 pkt->id = id;
710
711 rsa_hash (id, chg, pkt->response);
712
713 pkt->hmac_set (octx);
714
715 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
716
717 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
718
719 delete pkt;
632} 720}
633 721
634void 722void
635connection::establish_connection_cb (tstamp &ts) 723connection::establish_connection_cb (tstamp &ts)
636{ 724{
637 if (ictx || conf == THISNODE || connectmode == conf_node::C_NEVER) 725 if (ictx || conf == THISNODE
726 || connectmode == conf_node::C_NEVER
727 || connectmode == conf_node::C_DISABLED)
638 ts = TSTAMP_CANCEL; 728 ts = TSTAMP_CANCEL;
639 else if (ts <= NOW) 729 else if (ts <= NOW)
640 { 730 {
641 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.25; 731 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
642 732
643 if (retry_int < 3600 * 8) 733 if (retry_int < 3600 * 8)
644 retry_cnt++; 734 retry_cnt++;
645 735
646 if (connectmode == conf_node::C_ONDEMAND
647 && retry_int > ::conf.keepalive)
648 retry_int = ::conf.keepalive;
649
650 ts = NOW + retry_int; 736 ts = NOW + retry_int;
651 737
652 if (conf->hostname) 738 if (conf->hostname)
653 { 739 {
654 reset_dstaddr (); 740 reset_dstaddr ();
655 if (sa.sin_addr.s_addr) 741 if (si.host && auth_rate_limiter.can (si))
742 {
656 if (retry_cnt < 4) 743 if (retry_cnt < 4)
657 send_auth (AUTH_INIT, &sa); 744 send_auth_request (si, true);
658 else 745 else
659 send_ping (&sa, 0); 746 send_ping (si, 0);
747 }
660 } 748 }
661 else 749 else
662 vpn->connect_request (conf->id); 750 vpn->connect_request (conf->id);
663 } 751 }
664} 752}
666void 754void
667connection::reset_connection () 755connection::reset_connection ()
668{ 756{
669 if (ictx && octx) 757 if (ictx && octx)
670 { 758 {
671 slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename); 759 slog (L_INFO, _("%s(%s): connection lost"),
760 conf->nodename, (const char *)si);
672 761
673 if (::conf.script_node_down) 762 if (::conf.script_node_down)
674 run_script (this, &connection::script_node_down, false); 763 run_script (run_script_cb (this, &connection::script_node_down), false);
675 } 764 }
676 765
677 delete ictx; 766 delete ictx; ictx = 0;
678 ictx = 0; 767 delete octx; octx = 0;
679 768
680 delete octx; 769 si.host= 0;
681 octx = 0;
682
683 sa.sin_port = 0;
684 sa.sin_addr.s_addr = 0;
685 770
686 last_activity = 0; 771 last_activity = 0;
772 retry_cnt = 0;
687 773
688 rekey.reset (); 774 rekey.reset ();
689 keepalive.reset (); 775 keepalive.reset ();
690 establish_connection.reset (); 776 establish_connection.reset ();
691} 777}
692 778
693void 779void
694connection::shutdown () 780connection::shutdown ()
695{ 781{
696 if (ictx && octx) 782 if (ictx && octx)
697 send_reset (&sa); 783 send_reset (si);
698 784
699 reset_connection (); 785 reset_connection ();
700} 786}
701 787
702void 788void
707 reset_connection (); 793 reset_connection ();
708 establish_connection (); 794 establish_connection ();
709} 795}
710 796
711void 797void
712connection::send_data_packet (tap_packet * pkt, bool broadcast) 798connection::send_data_packet (tap_packet *pkt, bool broadcast)
713{ 799{
714 vpndata_packet *p = new vpndata_packet; 800 vpndata_packet *p = new vpndata_packet;
715 int tos = 0; 801 int tos = 0;
716 802
717 if (conf->inherit_tos 803 if (conf->inherit_tos
718 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 804 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
719 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 805 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
720 tos = (*pkt)[15] & IPTOS_TOS_MASK; 806 tos = (*pkt)[15] & IPTOS_TOS_MASK;
721 807
722 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 808 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
723 vpn->send_vpn_packet (p, &sa, tos); 809 send_vpn_packet (p, si, tos);
724 810
725 delete p; 811 delete p;
726 812
727 if (oseqno > MAX_SEQNO) 813 if (oseqno > MAX_SEQNO)
728 rekey (); 814 rekey ();
741 establish_connection (); 827 establish_connection ();
742 } 828 }
743} 829}
744 830
745void 831void
746connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa) 832connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
747{ 833{
748 last_activity = NOW; 834 last_activity = NOW;
749 835
750 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 836 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
751 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 837 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
752 838
753 switch (pkt->typ ()) 839 switch (pkt->typ ())
754 { 840 {
755 case vpn_packet::PT_PING: 841 case vpn_packet::PT_PING:
842 // we send pings instead of auth packets after some retries,
843 // so reset the retry counter and establish a connection
844 // when we receive a ping.
845 if (!ictx && !octx)
846 {
847 if (auth_rate_limiter.can (rsi))
848 send_auth_request (rsi, true);
849 }
850 else
756 send_ping (ssa, 1); // pong 851 send_ping (rsi, 1); // pong
852
757 break; 853 break;
758 854
759 case vpn_packet::PT_PONG: 855 case vpn_packet::PT_PONG:
760 // we send pings instead of auth packets after some retries,
761 // so reset the retry counter and establish a conenction
762 // when we receive a pong.
763 if (!ictx && !octx)
764 {
765 retry_cnt = 0;
766 establish_connection.at = 0;
767 establish_connection ();
768 }
769
770 break; 856 break;
771 857
772 case vpn_packet::PT_RESET: 858 case vpn_packet::PT_RESET:
773 { 859 {
774 reset_connection (); 860 reset_connection ();
775 861
776 config_packet *p = (config_packet *) pkt; 862 config_packet *p = (config_packet *) pkt;
863
777 if (!p->chk_config ()) 864 if (!p->chk_config ())
778 { 865 {
779 slog (L_WARN, _("disabling node '%s' because of differing protocol"), conf->nodename); 866 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
867 conf->nodename, (const char *)rsi);
780 connectmode = conf_node::C_NEVER; 868 connectmode = conf_node::C_DISABLED;
781 } 869 }
782 else if (connectmode == conf_node::C_ALWAYS) 870 else if (connectmode == conf_node::C_ALWAYS)
783 establish_connection (); 871 establish_connection ();
784 } 872 }
785 break; 873 break;
786 874
787 case vpn_packet::PT_AUTH: 875 case vpn_packet::PT_AUTH_REQ:
876 if (auth_rate_limiter.can (rsi))
877 {
878 auth_req_packet *p = (auth_req_packet *) pkt;
879
880 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
881
882 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
883 {
884 if (p->prot_minor != PROTOCOL_MINOR)
885 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
886 conf->nodename, (const char *)rsi,
887 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
888
889 if (p->initiate)
890 send_auth_request (rsi, false);
891
892 rsachallenge k;
893
894 if (0 > RSA_private_decrypt (sizeof (p->encr),
895 (unsigned char *)&p->encr, (unsigned char *)&k,
896 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
897 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
898 conf->nodename, (const char *)rsi);
899 else
900 {
901 retry_cnt = 0;
902 establish_connection.set (NOW + 8); //? ;)
903 keepalive.reset ();
904 rekey.reset ();
905
906 delete ictx;
907 ictx = 0;
908
909 delete octx;
910
911 octx = new crypto_ctx (k, 1);
912 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
913
914 conf->can_recv = p->can_recv;
915 send_auth_response (rsi, p->id, k);
916
917 break;
918 }
919 }
920
921 send_reset (rsi);
922 }
923
924 break;
925
926 case vpn_packet::PT_AUTH_RES:
788 { 927 {
789 auth_packet *p = (auth_packet *) pkt; 928 auth_res_packet *p = (auth_res_packet *) pkt;
790 929
791 slog (L_TRACE, "<<%d PT_AUTH(%d)", conf->id, p->subtype); 930 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
792 931
793 if (p->chk_config () 932 if (p->chk_config ())
794 && !strncmp (p->magic, MAGIC, 8))
795 { 933 {
796 if (p->prot_minor != PROTOCOL_MINOR) 934 if (p->prot_minor != PROTOCOL_MINOR)
797 slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."), 935 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
936 conf->nodename, (const char *)rsi,
798 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 937 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
799 938
800 if (p->subtype == AUTH_INIT)
801 send_auth (AUTH_INITREPLY, ssa);
802
803 rsachallenge k; 939 rsachallenge chg;
804 940
805 if (0 > RSA_private_decrypt (sizeof (rsaencrdata), 941 if (!rsa_cache.find (p->id, chg))
806 (unsigned char *)&p->challenge, (unsigned char *)&k, 942 slog (L_ERR, _("%s(%s): unrequested auth response"),
807 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 943 conf->nodename, (const char *)rsi);
944 else
808 { 945 {
809 slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"), 946 crypto_ctx *cctx = new crypto_ctx (chg, 0);
947
948 if (!p->hmac_chk (cctx))
949 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
950 "could be an attack, or just corruption or an synchronization error"),
810 conf->nodename, (const char *)sockinfo (ssa)); 951 conf->nodename, (const char *)rsi);
811 break; 952 else
812 }
813
814 retry_cnt = 0;
815 establish_connection.set (NOW + 8); //? ;)
816 keepalive.reset ();
817 rekey.reset ();
818
819 switch (p->subtype)
820 {
821 case AUTH_INIT:
822 case AUTH_INITREPLY:
823 delete ictx;
824 ictx = 0;
825
826 delete octx;
827
828 octx = new crypto_ctx (k, 1);
829 oseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff;
830
831 send_auth (AUTH_REPLY, ssa, &k);
832 break;
833
834 case AUTH_REPLY:
835
836 if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32),
837 sizeof (rsachallenge) - sizeof (u32)))
838 { 953 {
839 delete ictx;
840
841 ictx = new crypto_ctx (k, 0);
842 iseqno.reset (*(u32 *)&k[CHG_SEQNO] & 0x7fffffff); // at least 2**31 sequence numbers are valid
843
844 sa = *ssa; 954 rsaresponse h;
845 955
846 rekey.set (NOW + ::conf.rekey); 956 rsa_hash (p->id, chg, h);
847 keepalive.set (NOW + ::conf.keepalive);
848 957
849 // send queued packets 958 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
850 while (tap_packet *p = queue.get ())
851 { 959 {
960 prot_minor = p->prot_minor;
961
962 delete ictx; ictx = cctx;
963
964 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
965
966 si = rsi;
967
968 rekey.set (NOW + ::conf.rekey);
969 keepalive.set (NOW + ::conf.keepalive);
970
971 // send queued packets
972 while (tap_packet *p = queue.get ())
973 {
852 send_data_packet (p); 974 send_data_packet (p);
853 delete p; 975 delete p;
976 }
977
978 connectmode = conf->connectmode;
979
980 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
981 conf->nodename, (const char *)rsi,
982 p->prot_major, p->prot_minor);
983
984 if (::conf.script_node_up)
985 run_script (run_script_cb (this, &connection::script_node_up), false);
986
987 break;
854 } 988 }
855 989 else
856 connectmode = conf->connectmode; 990 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
857
858 slog (L_INFO, _("connection to %d (%s %s) established"),
859 conf->id, conf->nodename, (const char *)sockinfo (ssa)); 991 conf->nodename, (const char *)rsi);
860
861 if (::conf.script_node_up)
862 run_script (this, &connection::script_node_up, false);
863 } 992 }
993
864 else 994 delete cctx;
865 slog (L_ERR, _("sent and received challenge do not match with (%s %s))"),
866 conf->nodename, (const char *)sockinfo (ssa));
867
868 break;
869 default:
870 slog (L_ERR, _("authentification illegal subtype error (%s %s)"),
871 conf->nodename, (const char *)sockinfo (ssa));
872 break;
873 } 995 }
874 } 996 }
875 else
876 send_reset (ssa);
877
878 break;
879 } 997 }
998
999 send_reset (rsi);
1000 break;
880 1001
881 case vpn_packet::PT_DATA_COMPRESSED: 1002 case vpn_packet::PT_DATA_COMPRESSED:
882#if !ENABLE_COMPRESSION 1003#if !ENABLE_COMPRESSION
883 send_reset (ssa); 1004 send_reset (rsi);
884 break; 1005 break;
885#endif 1006#endif
1007
886 case vpn_packet::PT_DATA_UNCOMPRESSED: 1008 case vpn_packet::PT_DATA_UNCOMPRESSED:
887 1009
888 if (ictx && octx) 1010 if (ictx && octx)
889 { 1011 {
890 vpndata_packet *p = (vpndata_packet *)pkt; 1012 vpndata_packet *p = (vpndata_packet *)pkt;
891 1013
892 if (*ssa == sa) 1014 if (rsi == si)
893 { 1015 {
894 if (!p->hmac_chk (ictx)) 1016 if (!p->hmac_chk (ictx))
895 slog (L_ERR, _("hmac authentication error, received invalid packet\n" 1017 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
896 "could be an attack, or just corruption or an synchronization error")); 1018 "could be an attack, or just corruption or an synchronization error"),
1019 conf->nodename, (const char *)rsi);
897 else 1020 else
898 { 1021 {
899 u32 seqno; 1022 u32 seqno;
900 tap_packet *d = p->unpack (this, seqno); 1023 tap_packet *d = p->unpack (this, seqno);
901 1024
917 break; 1040 break;
918 } 1041 }
919 } 1042 }
920 } 1043 }
921 else 1044 else
922 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D 1045 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
923 } 1046 }
924 1047
925 send_reset (ssa); 1048 send_reset (rsi);
926 break; 1049 break;
927 1050
928 case vpn_packet::PT_CONNECT_REQ: 1051 case vpn_packet::PT_CONNECT_REQ:
929 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) 1052 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
930 { 1053 {
931 connect_req_packet *p = (connect_req_packet *) pkt; 1054 connect_req_packet *p = (connect_req_packet *) pkt;
932 1055
933 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1056 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
934 1057
940 if (c->ictx && c->octx) 1063 if (c->ictx && c->octx)
941 { 1064 {
942 // send connect_info packets to both sides, in case one is 1065 // send connect_info packets to both sides, in case one is
943 // behind a nat firewall (or both ;) 1066 // behind a nat firewall (or both ;)
944 { 1067 {
945 sockinfo si(sa);
946
947 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 1068 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
948 c->conf->id, conf->id, (const char *)si); 1069 c->conf->id, conf->id, (const char *)si);
949 1070
950 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si); 1071 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si, conf->can_recv);
951 1072
952 r->hmac_set (c->octx); 1073 r->hmac_set (c->octx);
953 vpn->send_vpn_packet (r, &c->sa); 1074 send_vpn_packet (r, c->si);
954 1075
955 delete r; 1076 delete r;
956 } 1077 }
957 1078
958 { 1079 {
959 sockinfo si(c->sa);
960
961 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 1080 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
962 conf->id, c->conf->id, (const char *)si); 1081 conf->id, c->conf->id, (const char *)c->si);
963 1082
964 connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si); 1083 connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, c->si, c->conf->can_recv);
965 1084
966 r->hmac_set (octx); 1085 r->hmac_set (octx);
967 vpn->send_vpn_packet (r, &sa); 1086 send_vpn_packet (r, si);
968 1087
969 delete r; 1088 delete r;
970 } 1089 }
971 } 1090 }
972 } 1091 }
973 1092
974 break; 1093 break;
975 1094
976 case vpn_packet::PT_CONNECT_INFO: 1095 case vpn_packet::PT_CONNECT_INFO:
977 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) 1096 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
978 { 1097 {
979 connect_info_packet *p = (connect_info_packet *) pkt; 1098 connect_info_packet *p = (connect_info_packet *) pkt;
980 1099
981 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1100 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
982 1101
983 connection *c = vpn->conns[p->id - 1]; 1102 connection *c = vpn->conns[p->id - 1];
984 1103
985 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1104 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
986 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1105 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
987 1106
988 c->send_auth (AUTH_INIT, p->si.sa ()); 1107 c->conf->can_recv = p->can_recv;
1108 c->send_auth_request (p->si, true);
989 } 1109 }
1110
990 break; 1111 break;
991 1112
992 default: 1113 default:
993 send_reset (ssa); 1114 send_reset (rsi);
994 break; 1115 break;
1116
995 } 1117 }
996} 1118}
997 1119
998void connection::keepalive_cb (tstamp &ts) 1120void connection::keepalive_cb (tstamp &ts)
999{ 1121{
1005 else if (NOW < last_activity + ::conf.keepalive) 1127 else if (NOW < last_activity + ::conf.keepalive)
1006 ts = last_activity + ::conf.keepalive; 1128 ts = last_activity + ::conf.keepalive;
1007 else if (conf->connectmode != conf_node::C_ONDEMAND 1129 else if (conf->connectmode != conf_node::C_ONDEMAND
1008 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1130 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1009 { 1131 {
1010 send_ping (&sa); 1132 send_ping (si);
1011 ts = NOW + 5; 1133 ts = NOW + 5;
1012 } 1134 }
1013 else 1135 else
1014 reset_connection (); 1136 reset_connection ();
1015 1137
1019{ 1141{
1020 connect_req_packet *p = new connect_req_packet (conf->id, id); 1142 connect_req_packet *p = new connect_req_packet (conf->id, id);
1021 1143
1022 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id); 1144 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);
1023 p->hmac_set (octx); 1145 p->hmac_set (octx);
1024 vpn->send_vpn_packet (p, &sa); 1146 send_vpn_packet (p, si);
1025 1147
1026 delete p; 1148 delete p;
1027} 1149}
1028 1150
1029void connection::script_node () 1151void connection::script_node ()
1030{ 1152{
1031 vpn->script_if_up (); 1153 vpn->script_if_up (0);
1032 1154
1033 char *env; 1155 char *env;
1034 asprintf (&env, "DESTID=%d", conf->id); 1156 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1035 putenv (env);
1036 asprintf (&env, "DESTNODE=%s", conf->nodename); 1157 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1037 putenv (env); 1158 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1038 asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
1039 putenv (env);
1040 asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port)); 1159 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1041 putenv (env);
1042} 1160}
1043 1161
1044const char *connection::script_node_up () 1162const char *connection::script_node_up (int)
1045{ 1163{
1046 script_node (); 1164 script_node ();
1047 1165
1048 putenv ("STATE=up"); 1166 putenv ("STATE=up");
1049 1167
1050 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1168 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1051} 1169}
1052 1170
1053const char *connection::script_node_down () 1171const char *connection::script_node_down (int)
1054{ 1172{
1055 script_node (); 1173 script_node ();
1056 1174
1057 putenv ("STATE=down"); 1175 putenv ("STATE=down");
1058 1176
1059 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1177 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1178}
1179
1180// send a vpn packet out to other hosts
1181void
1182connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1183{
1184 if (prot_send & PROT_IPv4)
1185 vpn->send_ipv4_packet (pkt, si, tos);
1186 else
1187 vpn->send_udpv4_packet (pkt, si, tos);
1060} 1188}
1061 1189
1062connection::connection(struct vpn *vpn_) 1190connection::connection(struct vpn *vpn_)
1063: vpn(vpn_) 1191: vpn(vpn_)
1064, rekey (this, &connection::rekey_cb) 1192, rekey (this, &connection::rekey_cb)
1077 shutdown (); 1205 shutdown ();
1078} 1206}
1079 1207
1080///////////////////////////////////////////////////////////////////////////// 1208/////////////////////////////////////////////////////////////////////////////
1081 1209
1082const char *vpn::script_if_up () 1210const char *vpn::script_if_up (int)
1083{ 1211{
1084 // the tunnel device mtu should be the physical mtu - overhead 1212 // the tunnel device mtu should be the physical mtu - overhead
1085 // the tricky part is rounding to the cipher key blocksize 1213 // the tricky part is rounding to the cipher key blocksize
1086 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - UDP_OVERHEAD; 1214 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
1087 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion 1215 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
1088 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round 1216 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
1089 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again 1217 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
1090 1218
1091 char *env; 1219 char *env;
1106 1234
1107 return ::conf.script_if_up ? ::conf.script_if_up : "if-up"; 1235 return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1108} 1236}
1109 1237
1110int 1238int
1111vpn::setup (void) 1239vpn::setup ()
1112{ 1240{
1113 struct sockaddr_in sa; 1241 u8 prots = 0;
1114 1242
1243 for (configuration::node_vector::iterator i = conf.nodes.begin ();
1244 i != conf.nodes.end (); ++i)
1245 prots |= (*i)->can_send | (*i)->can_recv;
1246
1247 sockinfo si;
1248
1249 si.set (THISNODE);
1250
1251 udpv4_fd = -1;
1252
1253 if (prots & PROT_UDPv4)
1254 {
1115 socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP); 1255 udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1116 if (socket_fd < 0) 1256
1257 if (udpv4_fd < 0)
1117 return -1; 1258 return -1;
1118 1259
1119 fill_sa (&sa, THISNODE); 1260 if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1120 1261 {
1121 if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1122 {
1123 slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno)); 1262 slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1124 exit (1); 1263 exit (1);
1125 } 1264 }
1126 1265
1127#ifdef IP_MTU_DISCOVER 1266#ifdef IP_MTU_DISCOVER
1128 // this I really consider a linux bug. I am neither connected 1267 // this I really consider a linux bug. I am neither connected
1129 // nor do I fragment myself. Linux still sets DF and doesn't 1268 // nor do I fragment myself. Linux still sets DF and doesn't
1130 // fragment for me sometimes. 1269 // fragment for me sometimes.
1131 { 1270 {
1132 int oval = IP_PMTUDISC_DONT; 1271 int oval = IP_PMTUDISC_DONT;
1133 setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval); 1272 setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1134 } 1273 }
1135#endif 1274#endif
1136 { 1275
1276 // standard daemon practise...
1277 {
1137 int oval = 1; 1278 int oval = 1;
1138 setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval); 1279 setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1139 } 1280 }
1140 1281
1141 udp_ev_watcher.start (socket_fd, POLLIN); 1282 udpv4_ev_watcher.start (udpv4_fd, POLLIN);
1283 }
1284
1285 ipv4_fd = -1;
1286 if (prots & PROT_IPv4)
1287 {
1288 ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
1289
1290 if (ipv4_fd < 0)
1291 return -1;
1292
1293 if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
1294 {
1295 slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
1296 exit (1);
1297 }
1298
1299#ifdef IP_MTU_DISCOVER
1300 // this I really consider a linux bug. I am neither connected
1301 // nor do I fragment myself. Linux still sets DF and doesn't
1302 // fragment for me sometimes.
1303 {
1304 int oval = IP_PMTUDISC_DONT;
1305 setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1306 }
1307#endif
1308
1309 ipv4_ev_watcher.start (ipv4_fd, POLLIN);
1310 }
1142 1311
1143 tap = new tap_device (); 1312 tap = new tap_device ();
1144 if (!tap) //D this, of course, never catches 1313 if (!tap) //D this, of course, never catches
1145 { 1314 {
1146 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname); 1315 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1147 exit (1); 1316 exit (1);
1148 } 1317 }
1149 1318
1150 run_script (this, &vpn::script_if_up, true); 1319 run_script (run_script_cb (this, &vpn::script_if_up), true);
1151 1320
1152 vpn_ev_watcher.start (tap->fd, POLLIN); 1321 tap_ev_watcher.start (tap->fd, POLLIN);
1153 1322
1154 reconnect_all (); 1323 reconnect_all ();
1155 1324
1156 return 0; 1325 return 0;
1157} 1326}
1158 1327
1159void 1328void
1160vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos) 1329vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1161{ 1330{
1162 setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos); 1331 setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1163 sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); 1332 sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1164} 1333}
1165 1334
1166void 1335void
1167vpn::shutdown_all () 1336vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1168{ 1337{
1169 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 1338 setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1170 (*c)->shutdown (); 1339 sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1171} 1340}
1172 1341
1173void 1342void
1174vpn::reconnect_all () 1343vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1175{ 1344{
1176 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 1345 unsigned int src = pkt->src ();
1177 delete *c; 1346 unsigned int dst = pkt->dst ();
1178 1347
1179 conns.clear (); 1348 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1349 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1180 1350
1181 for (configuration::node_vector::iterator i = conf.nodes.begin (); 1351 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1182 i != conf.nodes.end (); ++i) 1352 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1183 { 1353 pkt->typ (), pkt->src (), pkt->dst ());
1184 connection *conn = new connection (this); 1354 else if (dst == 0 && !THISNODE->routerprio)
1185 1355 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1186 conn->conf = *i; 1356 else if (dst != 0 && dst != THISNODE->id)
1187 conns.push_back (conn); 1357 slog (L_WARN,
1188 1358 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1189 conn->establish_connection (); 1359 dst, conns[dst - 1]->conf->nodename,
1190 } 1360 (const char *)rsi,
1361 THISNODE->id, THISNODE->nodename);
1362 else if (src == 0 || src > conns.size ())
1363 slog (L_WARN, _("received frame from unknown node %d (%s)"),
1364 src, (const char *)rsi);
1365 else
1366 conns[src - 1]->recv_vpn_packet (pkt, rsi);
1191} 1367}
1192 1368
1193connection *vpn::find_router ()
1194{
1195 u32 prio = 0;
1196 connection *router = 0;
1197
1198 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1199 {
1200 connection *c = *i;
1201
1202 if (c->conf->routerprio > prio
1203 && c->connectmode == conf_node::C_ALWAYS
1204 && c->conf != THISNODE
1205 && c->ictx && c->octx)
1206 {
1207 prio = c->conf->routerprio;
1208 router = c;
1209 }
1210 }
1211
1212 return router;
1213}
1214
1215void vpn::connect_request (int id)
1216{
1217 connection *c = find_router ();
1218
1219 if (c)
1220 c->connect_request (id);
1221 //else // does not work, because all others must connect to the same router
1222 // // no router found, aggressively connect to all routers
1223 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1224 // if ((*i)->conf->routerprio)
1225 // (*i)->establish_connection ();
1226}
1227
1228void 1369void
1229vpn::udp_ev (short revents) 1370vpn::udpv4_ev (short revents)
1230{ 1371{
1231 if (revents & (POLLIN | POLLERR)) 1372 if (revents & (POLLIN | POLLERR))
1232 { 1373 {
1233 vpn_packet *pkt = new vpn_packet; 1374 vpn_packet *pkt = new vpn_packet;
1234 struct sockaddr_in sa; 1375 struct sockaddr_in sa;
1235 socklen_t sa_len = sizeof (sa); 1376 socklen_t sa_len = sizeof (sa);
1236 int len; 1377 int len;
1237 1378
1238 len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len); 1379 len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1380
1381 sockinfo si(sa);
1239 1382
1240 if (len > 0) 1383 if (len > 0)
1241 { 1384 {
1242 pkt->len = len; 1385 pkt->len = len;
1243 1386
1244 unsigned int src = pkt->src ();
1245 unsigned int dst = pkt->dst ();
1246
1247 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1248 (const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1249
1250 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1251 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1252 pkt->typ (), pkt->src (), pkt->dst ());
1253 else if (dst == 0 && !THISNODE->routerprio)
1254 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1255 else if (dst != 0 && dst != THISNODE->id)
1256 slog (L_WARN,
1257 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1258 dst, conns[dst - 1]->conf->nodename,
1259 (const char *)sockinfo (sa),
1260 THISNODE->id, THISNODE->nodename);
1261 else if (src == 0 || src > conns.size ())
1262 slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1263 else
1264 conns[src - 1]->recv_vpn_packet (pkt, &sa); 1387 recv_vpn_packet (pkt, si);
1265 } 1388 }
1266 else 1389 else
1267 { 1390 {
1268 // probably ECONNRESET or somesuch 1391 // probably ECONNRESET or somesuch
1269 slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno)); 1392 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1270 } 1393 }
1271 1394
1272 delete pkt; 1395 delete pkt;
1273 } 1396 }
1274 else if (revents & POLLHUP) 1397 else if (revents & POLLHUP)
1275 { 1398 {
1276 // this cannot ;) happen on udp sockets 1399 // this cannot ;) happen on udp sockets
1277 slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating.")); 1400 slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
1278 exit (1); 1401 exit (1);
1279 } 1402 }
1280 else 1403 else
1281 { 1404 {
1282 slog (L_ERR, 1405 slog (L_ERR,
1285 exit (1); 1408 exit (1);
1286 } 1409 }
1287} 1410}
1288 1411
1289void 1412void
1413vpn::ipv4_ev (short revents)
1414{
1415 if (revents & (POLLIN | POLLERR))
1416 {
1417 vpn_packet *pkt = new vpn_packet;
1418 struct sockaddr_in sa;
1419 socklen_t sa_len = sizeof (sa);
1420 int len;
1421
1422 len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1423
1424 sockinfo si(sa, PROT_IPv4);
1425
1426 if (len > 0)
1427 {
1428 pkt->len = len;
1429
1430 // raw sockets deliver the ipv4, but don't expect it on sends
1431 // this is slow, but...
1432 pkt->skip_hdr (IP_OVERHEAD);
1433
1434 recv_vpn_packet (pkt, si);
1435 }
1436 else
1437 {
1438 // probably ECONNRESET or somesuch
1439 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1440 }
1441
1442 delete pkt;
1443 }
1444 else if (revents & POLLHUP)
1445 {
1446 // this cannot ;) happen on udp sockets
1447 slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
1448 exit (1);
1449 }
1450 else
1451 {
1452 slog (L_ERR,
1453 _("FATAL: unknown revents %08x in socket, terminating\n"),
1454 revents);
1455 exit (1);
1456 }
1457}
1458
1459void
1290vpn::vpn_ev (short revents) 1460vpn::tap_ev (short revents)
1291{ 1461{
1292 if (revents & POLLIN) 1462 if (revents & POLLIN)
1293 { 1463 {
1294 /* process data */ 1464 /* process data */
1295 tap_packet *pkt; 1465 tap_packet *pkt;
1351{ 1521{
1352 if (events) 1522 if (events)
1353 { 1523 {
1354 if (events & EVENT_SHUTDOWN) 1524 if (events & EVENT_SHUTDOWN)
1355 { 1525 {
1526 slog (L_INFO, _("preparing shutdown..."));
1527
1356 shutdown_all (); 1528 shutdown_all ();
1357 1529
1358 remove_pid (pidfilename); 1530 remove_pid (pidfilename);
1359 1531
1360 slog (L_INFO, _("vped terminating")); 1532 slog (L_INFO, _("terminating"));
1361 1533
1362 exit (0); 1534 exit (0);
1363 } 1535 }
1364 1536
1365 if (events & EVENT_RECONNECT) 1537 if (events & EVENT_RECONNECT)
1538 {
1539 slog (L_INFO, _("forced reconnect"));
1540
1366 reconnect_all (); 1541 reconnect_all ();
1542 }
1367 1543
1368 events = 0; 1544 events = 0;
1369 } 1545 }
1370 1546
1371 ts = TSTAMP_CANCEL; 1547 ts = TSTAMP_CANCEL;
1372} 1548}
1373 1549
1550void
1551vpn::shutdown_all ()
1552{
1553 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1554 (*c)->shutdown ();
1555}
1556
1557void
1558vpn::reconnect_all ()
1559{
1560 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1561 delete *c;
1562
1563 conns.clear ();
1564
1565 auth_rate_limiter.clear ();
1566 reset_rate_limiter.clear ();
1567
1568 for (configuration::node_vector::iterator i = conf.nodes.begin ();
1569 i != conf.nodes.end (); ++i)
1570 {
1571 connection *conn = new connection (this);
1572
1573 conn->conf = *i;
1574 conns.push_back (conn);
1575
1576 conn->establish_connection ();
1577 }
1578}
1579
1580connection *vpn::find_router ()
1581{
1582 u32 prio = 0;
1583 connection *router = 0;
1584
1585 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1586 {
1587 connection *c = *i;
1588
1589 if (c->conf->routerprio > prio
1590 && c->connectmode == conf_node::C_ALWAYS
1591 && c->conf != THISNODE
1592 && c->ictx && c->octx)
1593 {
1594 prio = c->conf->routerprio;
1595 router = c;
1596 }
1597 }
1598
1599 return router;
1600}
1601
1602void vpn::connect_request (int id)
1603{
1604 connection *c = find_router ();
1605
1606 if (c)
1607 c->connect_request (id);
1608 //else // does not work, because all others must connect to the same router
1609 // // no router found, aggressively connect to all routers
1610 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1611 // if ((*i)->conf->routerprio)
1612 // (*i)->establish_connection ();
1613}
1614
1615void
1616connection::dump_status ()
1617{
1618 slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
1619 slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
1620 connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
1621 slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
1622 (long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
1623 slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
1624 (long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
1625}
1626
1627void
1628vpn::dump_status ()
1629{
1630 slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
1631
1632 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1633 (*c)->dump_status ();
1634
1635 slog (L_NOTICE, _("END status dump"));
1636}
1637
1374vpn::vpn (void) 1638vpn::vpn (void)
1375: udp_ev_watcher (this, &vpn::udp_ev) 1639: udpv4_ev_watcher(this, &vpn::udpv4_ev)
1640, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1376, vpn_ev_watcher (this, &vpn::vpn_ev) 1641, tap_ev_watcher(this, &vpn::tap_ev)
1377, event (this, &vpn::event_cb) 1642, event(this, &vpn::event_cb)
1378{ 1643{
1379} 1644}
1380 1645
1381vpn::~vpn () 1646vpn::~vpn ()
1382{ 1647{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines