--- gvpe/src/protocol.C 2003/03/09 12:48:22 1.7 +++ gvpe/src/protocol.C 2003/03/28 04:27:33 1.22 @@ -18,6 +18,8 @@ #include "config.h" +#include + #include #include #include @@ -58,33 +60,131 @@ #define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic -static const rsachallenge & -challenge_bytes () +static u8 +best_protocol (u8 protset) +{ + if (protset & PROT_IPv4) + return PROT_IPv4; + + return PROT_UDPv4; +} + +struct crypto_ctx + { + EVP_CIPHER_CTX cctx; + HMAC_CTX hctx; + + crypto_ctx (const rsachallenge &challenge, int enc); + ~crypto_ctx (); + }; + +crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc) +{ + EVP_CIPHER_CTX_init (&cctx); + EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); + HMAC_CTX_init (&hctx); + HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0); +} + +crypto_ctx::~crypto_ctx () +{ + EVP_CIPHER_CTX_cleanup (&cctx); + HMAC_CTX_cleanup (&hctx); +} + +static void +rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h) { - static rsachallenge challenge; - static time_t challenge_ttl; // time this challenge needs to be recreated + EVP_MD_CTX ctx; + + EVP_MD_CTX_init (&ctx); + EVP_DigestInit (&ctx, RSA_HASH); + EVP_DigestUpdate(&ctx, &chg, sizeof chg); + EVP_DigestUpdate(&ctx, &id, sizeof id); + EVP_DigestFinal (&ctx, (unsigned char *)&h, 0); + EVP_MD_CTX_cleanup (&ctx); +} + +struct rsa_entry { + tstamp expire; + rsaid id; + rsachallenge chg; +}; - if (now > challenge_ttl) +struct rsa_cache : list +{ + void cleaner_cb (tstamp &ts); time_watcher cleaner; + + bool find (const rsaid &id, rsachallenge &chg) { - RAND_bytes ((unsigned char *)&challenge, sizeof (challenge)); - challenge_ttl = now + CHALLENGE_TTL; + for (iterator i = begin (); i != end (); ++i) + { + if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW) + { + memcpy (&chg, &i->chg, sizeof chg); + + erase (i); + return true; + } + } + + if (cleaner.at < NOW) + cleaner.start (NOW + RSA_TTL); + + return false; + } + + void gen (rsaid &id, rsachallenge &chg) + { + rsa_entry e; + + RAND_bytes ((unsigned char *)&id, sizeof id); + RAND_bytes ((unsigned char *)&chg, sizeof chg); + + e.expire = NOW + RSA_TTL; + e.id = id; + memcpy (&e.chg, &chg, sizeof chg); + + push_back (e); + + if (cleaner.at < NOW) + cleaner.start (NOW + RSA_TTL); } - return challenge; + rsa_cache () + : cleaner (this, &rsa_cache::cleaner_cb) + { } + +} rsa_cache; + +void rsa_cache::cleaner_cb (tstamp &ts) +{ + if (empty ()) + ts = TSTAMP_CANCEL; + else + { + ts = NOW + RSA_TTL; + + for (iterator i = begin (); i != end (); ) + if (i->expire <= NOW) + i = erase (i); + else + ++i; + } } -// run a script. yes, it's a template function. yes, c++ -// is not a functional language. yes, this suxx. -template +typedef callback run_script_cb; + +// run a shell script (or actually an external program). static void -run_script (owner *obj, const char *(owner::*setup)(), bool wait) +run_script (const run_script_cb &cb, bool wait) { int pid; if ((pid = fork ()) == 0) { char *filename; - asprintf (&filename, "%s/%s", confbase, (obj->*setup) ()); + asprintf (&filename, "%s/%s", confbase, cb(0)); execl (filename, filename, (char *) 0); exit (255); } @@ -98,38 +198,112 @@ } } -// xor the socket address into the challenge to ensure different challenges -// per host. we could rely on the OAEP padding, but this doesn't hurt. -void -xor_sa (rsachallenge &k, SOCKADDR *sa) +////////////////////////////////////////////////////////////////////////////// + +void pkt_queue::put (tap_packet *p) { - ((u32 *) k)[(CHG_CIPHER_KEY + 0) / 4] ^= sa->sin_addr.s_addr; - ((u16 *) k)[(CHG_CIPHER_KEY + 4) / 2] ^= sa->sin_port; - ((u32 *) k)[(CHG_HMAC_KEY + 0) / 4] ^= sa->sin_addr.s_addr; - ((u16 *) k)[(CHG_HMAC_KEY + 4) / 2] ^= sa->sin_port; + if (queue[i]) + { + delete queue[i]; + j = (j + 1) % QUEUEDEPTH; + } + + queue[i] = p; + + i = (i + 1) % QUEUEDEPTH; } -struct crypto_ctx - { - EVP_CIPHER_CTX cctx; - HMAC_CTX hctx; +tap_packet *pkt_queue::get () +{ + tap_packet *p = queue[j]; - crypto_ctx (rsachallenge &challenge, int enc); - ~crypto_ctx (); - }; + if (p) + { + queue[j] = 0; + j = (j + 1) % QUEUEDEPTH; + } + + return p; +} -crypto_ctx::crypto_ctx (rsachallenge &challenge, int enc) +pkt_queue::pkt_queue () { - EVP_CIPHER_CTX_init (&cctx); - EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); - HMAC_CTX_init (&hctx); - HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0); + memset (queue, 0, sizeof (queue)); + i = 0; + j = 0; } -crypto_ctx::~crypto_ctx () +pkt_queue::~pkt_queue () { - EVP_CIPHER_CTX_cleanup (&cctx); - HMAC_CTX_cleanup (&hctx); + for (i = QUEUEDEPTH; --i > 0; ) + delete queue[i]; +} + +struct net_rateinfo { + u32 host; + double pcnt, diff; + tstamp last; +}; + +// only do action once every x seconds per host whole allowing bursts. +// this implementation ("splay list" ;) is inefficient, +// but low on resources. +struct net_rate_limiter : list +{ + static const double ALPHA = 1. - 1. / 90.; // allow bursts + static const double CUTOFF = 20.; // one event every CUTOFF seconds + static const double EXPIRE = CUTOFF * 30.; // expire entries after this time + + bool can (const sockinfo &si) { return can((u32)si.host); } + bool can (u32 host); +}; + +net_rate_limiter auth_rate_limiter, reset_rate_limiter; + +bool net_rate_limiter::can (u32 host) +{ + iterator i; + + for (i = begin (); i != end (); ) + if (i->host == host) + break; + else if (i->last < NOW - EXPIRE) + i = erase (i); + else + i++; + + if (i == end ()) + { + net_rateinfo ri; + + ri.host = host; + ri.pcnt = 1.; + ri.diff = CUTOFF * (1. / (1. - ALPHA)); + ri.last = NOW; + + push_front (ri); + + return true; + } + else + { + net_rateinfo ri (*i); + erase (i); + + ri.pcnt = ri.pcnt * ALPHA; + ri.diff = ri.diff * ALPHA + (NOW - ri.last); + + ri.last = NOW; + + bool send = ri.diff / ri.pcnt > CUTOFF; + + if (send) + ri.pcnt++; + + push_front (ri); + + return send; + } } ///////////////////////////////////////////////////////////////////////////// @@ -143,24 +317,24 @@ static unsigned char hmac_digest[EVP_MAX_MD_SIZE]; struct hmac_packet:net_packet - { - u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere +{ + u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere - void hmac_set (crypto_ctx * ctx); - bool hmac_chk (crypto_ctx * ctx); + void hmac_set (crypto_ctx * ctx); + bool hmac_chk (crypto_ctx * ctx); private: - void hmac_gen (crypto_ctx * ctx) - { - unsigned int xlen; - HMAC_CTX *hctx = &ctx->hctx; + void hmac_gen (crypto_ctx * ctx) + { + unsigned int xlen; + HMAC_CTX *hctx = &ctx->hctx; - HMAC_Init_ex (hctx, 0, 0, 0, 0); - HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), - len - sizeof (hmac_packet)); - HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen); - } - }; + HMAC_Init_ex (hctx, 0, 0, 0, 0); + HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), + len - sizeof (hmac_packet)); + HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen); + } +}; void hmac_packet::hmac_set (crypto_ctx * ctx) @@ -186,10 +360,10 @@ PT_DATA_UNCOMPRESSED, PT_DATA_COMPRESSED, PT_PING, PT_PONG, // wasting namespace space? ;) - PT_AUTH, // authentification + PT_AUTH_REQ, // authentification request + PT_AUTH_RES, // authentification response PT_CONNECT_REQ, // want other host to contact me PT_CONNECT_INFO, // request connection to some node - PT_REKEY, // rekeying (not yet implemented) PT_MAX }; @@ -198,15 +372,17 @@ void set_hdr (ptype type, unsigned int dst); - unsigned int src () + unsigned int src () const { return src1 | ((srcdst >> 4) << 8); } - unsigned int dst () + + unsigned int dst () const { return dst1 | ((srcdst & 0xf) << 8); } - ptype typ () + + ptype typ () const { return (ptype) type; } @@ -254,7 +430,6 @@ cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); if (cl) { - //printf ("compressed packet, %d => %d\n", l, cl);//D type = PT_DATA_COMPRESSED; d = cdata; l = cl + 2; @@ -266,25 +441,22 @@ EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); -#if RAND_SIZE struct { +#if RAND_SIZE u8 rnd[RAND_SIZE]; +#endif u32 seqno; } datahdr; - datahdr.seqno = seqno; + datahdr.seqno = ntohl (seqno); +#if RAND_SIZE RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); +#endif EVP_EncryptUpdate (cctx, (unsigned char *) data + outl, &outl2, (unsigned char *) &datahdr, DATAHDR); outl += outl2; -#else - EVP_EncryptUpdate (cctx, - (unsigned char *) data + outl, &outl2, - (unsigned char *) &seqno, DATAHDR); - outl += outl2; -#endif EVP_EncryptUpdate (cctx, (unsigned char *) data + outl, &outl2, @@ -330,7 +502,7 @@ EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); outl += outl2; - seqno = *(u32 *)(d + RAND_SIZE); + seqno = ntohl (*(u32 *)(d + RAND_SIZE)); id2mac (dst () ? dst() : THISNODE->id, p->dst); id2mac (src (), p->src); @@ -339,8 +511,10 @@ if (type == PT_DATA_COMPRESSED) { u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1]; - p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6; - //printf ("decompressxed %d(%d) => %d\n", cl, len - data_hdr_size (), p->len);//D + + p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0, + &(*p)[6 + 6], MAX_MTU) + + 6 + 6; } else p->len = outl + (6 + 6 - DATAHDR); @@ -350,245 +524,230 @@ } struct ping_packet : vpn_packet +{ + void setup (int dst, ptype type) { - void setup (int dst, ptype type) - { - set_hdr (type, dst); - len = sizeof (*this) - sizeof (net_packet); - } - }; + set_hdr (type, dst); + len = sizeof (*this) - sizeof (net_packet); + } +}; struct config_packet : vpn_packet +{ + // actually, hmaclen cannot be checked because the hmac + // field comes before this data, so peers with other + // hmacs simply will not work. + u8 prot_major, prot_minor, randsize, hmaclen; + u8 flags, challengelen, pad2, pad3; + u32 cipher_nid, digest_nid, hmac_nid; + + const u8 curflags () const { - // actually, hmaclen cannot be checked because the hmac - // field comes before this data, so peers with other - // hmacs simply will not work. - u8 prot_major, prot_minor, randsize, hmaclen; - u8 flags, challengelen, pad2, pad3; - u32 cipher_nid; - u32 digest_nid; + return 0x80 + | (ENABLE_COMPRESSION ? 0x01 : 0x00); + } - const u8 curflags () const - { - return 0x80 - | (ENABLE_COMPRESSION ? 0x01 : 0x00) - | (ENABLE_TRUST ? 0x02 : 0x00); - } + void setup (ptype type, int dst); + bool chk_config () const; +}; + +void config_packet::setup (ptype type, int dst) +{ + prot_major = PROTOCOL_MAJOR; + prot_minor = PROTOCOL_MINOR; + randsize = RAND_SIZE; + hmaclen = HMACLENGTH; + flags = curflags (); + challengelen = sizeof (rsachallenge); + + cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); + digest_nid = htonl (EVP_MD_type (RSA_HASH)); + hmac_nid = htonl (EVP_MD_type (DIGEST)); - void setup (ptype type, int dst) - { - prot_major = PROTOCOL_MAJOR; - prot_minor = PROTOCOL_MINOR; - randsize = RAND_SIZE; - hmaclen = HMACLENGTH; - flags = curflags (); - challengelen = sizeof (rsachallenge); + len = sizeof (*this) - sizeof (net_packet); + set_hdr (type, dst); +} - cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); - digest_nid = htonl (EVP_MD_type (DIGEST)); +bool config_packet::chk_config () const +{ + return prot_major == PROTOCOL_MAJOR + && randsize == RAND_SIZE + && hmaclen == HMACLENGTH + && flags == curflags () + && challengelen == sizeof (rsachallenge) + && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) + && digest_nid == htonl (EVP_MD_type (RSA_HASH)) + && hmac_nid == htonl (EVP_MD_type (DIGEST)); +} + +struct auth_req_packet : config_packet +{ + char magic[8]; + u8 initiate, can_recv; // false if this is just an automatic reply + u8 pad2, pad3; + rsaid id; + rsaencrdata encr; - len = sizeof (*this) - sizeof (net_packet); - set_hdr (type, dst); - } + auth_req_packet (int dst, bool initiate_, u8 can_recv_) + { + config_packet::setup (PT_AUTH_REQ, dst); + strncpy (magic, MAGIC, 8); + initiate = !!initiate_; + can_recv = can_recv_; - bool chk_config () - { - return prot_major == PROTOCOL_MAJOR - && randsize == RAND_SIZE - && hmaclen == HMACLENGTH - && flags == curflags () - && challengelen == sizeof (rsachallenge) - && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) - && digest_nid == htonl (EVP_MD_type (DIGEST)); - } - }; + len = sizeof (*this) - sizeof (net_packet); + } +}; -struct auth_packet : config_packet - { - char magic[8]; - u8 subtype; - u8 pad1, pad2; - rsaencrdata challenge; - - auth_packet (int dst, auth_subtype stype) - { - config_packet::setup (PT_AUTH, dst); - subtype = stype; - len = sizeof (*this) - sizeof (net_packet); - strncpy (magic, MAGIC, 8); - } - }; +struct auth_res_packet : config_packet +{ + rsaid id; + u8 pad1, pad2, pad3; + u8 response_len; // encrypted length + rsaresponse response; -struct connect_req_packet : vpn_packet + auth_res_packet (int dst) { - u8 id; - u8 pad1, pad2, pad3; + config_packet::setup (PT_AUTH_RES, dst); - connect_req_packet (int dst, int id) - { - this->id = id; - set_hdr (PT_CONNECT_REQ, dst); - len = sizeof (*this) - sizeof (net_packet); - } - }; + len = sizeof (*this) - sizeof (net_packet); + } +}; -struct connect_info_packet : vpn_packet - { - u8 id; - u8 pad1, pad2, pad3; - sockinfo si; - - connect_info_packet (int dst, int id, sockinfo &si) - { - this->id = id; - this->si = si; - set_hdr (PT_CONNECT_INFO, dst); - len = sizeof (*this) - sizeof (net_packet); - } - }; +struct connect_req_packet : vpn_packet +{ + u8 id; + u8 pad1, pad2, pad3; -///////////////////////////////////////////////////////////////////////////// + connect_req_packet (int dst, int id_) + { + id = id_; + set_hdr (PT_CONNECT_REQ, dst); + len = sizeof (*this) - sizeof (net_packet); + } +}; -void -fill_sa (SOCKADDR *sa, conf_node *conf) +struct connect_info_packet : vpn_packet { - sa->sin_family = AF_INET; - sa->sin_port = htons (conf->port); - sa->sin_addr.s_addr = 0; + u8 id, can_recv; + u8 pad1, pad2; + sockinfo si; - if (conf->hostname) - { - struct hostent *he = gethostbyname (conf->hostname); + connect_info_packet (int dst, int id_, sockinfo &si_, u8 can_recv_) + { + id = id_; + can_recv = can_recv_; + si = si_; + set_hdr (PT_CONNECT_INFO, dst); - if (he - && he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0]) - { - //sa->sin_family = he->h_addrtype; - memcpy (&sa->sin_addr, he->h_addr_list[0], 4); - } - else - slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname); - } -} + len = sizeof (*this) - sizeof (net_packet); + } +}; + +///////////////////////////////////////////////////////////////////////////// void connection::reset_dstaddr () { - fill_sa (&sa, conf); + si.set (conf); } void -connection::send_ping (SOCKADDR *dsa, u8 pong) +connection::send_ping (const sockinfo &si, u8 pong) { ping_packet *pkt = new ping_packet; pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); - vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY); + send_vpn_packet (pkt, si, IPTOS_LOWDELAY); delete pkt; } void -connection::send_reset (SOCKADDR *dsa) +connection::send_reset (const sockinfo &si) { - static net_rate_limiter limiter(1); - - if (limiter.can (dsa)) + if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED) { config_packet *pkt = new config_packet; pkt->setup (vpn_packet::PT_RESET, conf->id); - vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST); + send_vpn_packet (pkt, si, IPTOS_MINCOST); delete pkt; } } -static rsachallenge * -gen_challenge (SOCKADDR *sa) +void +connection::send_auth_request (const sockinfo &si, bool initiate) { - static rsachallenge k; + auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->can_recv); - memcpy (&k, &challenge_bytes (), sizeof (k)); - RAND_bytes ((unsigned char *)&k[CHG_SEQNO], sizeof (u32)); - xor_sa (k, sa); + // the next line is very conservative + prot_send = best_protocol (THISNODE->can_send & THISNODE->can_recv & conf->can_recv); - return &k; -} + rsachallenge chg; -void -connection::send_auth (auth_subtype subtype, SOCKADDR *sa, rsachallenge *k) -{ - static net_rate_limiter limiter(2); + rsa_cache.gen (pkt->id, chg); - if (subtype != AUTH_INIT || limiter.can (sa)) - { - auth_packet *pkt = new auth_packet (conf->id, subtype); + if (0 > RSA_public_encrypt (sizeof chg, + (unsigned char *)&chg, (unsigned char *)&pkt->encr, + conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) + fatal ("RSA_public_encrypt error"); - //printf ("send auth_packet subtype %d\n", subtype);//D + slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); - if (!k) - k = gen_challenge (sa); + send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly -#if ENABLE_TRUST - if (0 > RSA_public_encrypt (sizeof (*k), - (unsigned char *)k, (unsigned char *)&pkt->challenge, - conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) - fatal ("RSA_public_encrypt error"); -#else -# error untrusted mode not yet implemented: programemr does not know how to - rsaencrdata enc; + delete pkt; +} - if (0 > RSA_private_encrypt (sizeof (*k), - (unsigned char *)k, (unsigned char *)&enc, - ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) - fatal ("RSA_private_encrypt error"); +void +connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg) +{ + auth_res_packet *pkt = new auth_res_packet (conf->id); - if (0 > RSA_public_encrypt (sizeof (enc), - (unsigned char *)enc, (unsigned char *)&pkt->challenge, - conf->rsa_key, RSA_NO_PADDING)) - fatal ("RSA_public_encrypt error"); -#endif + pkt->id = id; - slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa)); + rsa_hash (id, chg, pkt->response); - vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); + pkt->hmac_set (octx); - delete pkt; - } + slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); + + send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly + + delete pkt; } void -connection::establish_connection () +connection::establish_connection_cb (tstamp &ts) { - if (!ictx && conf != THISNODE && connectmode != conf_node::C_NEVER) + if (ictx || conf == THISNODE + || connectmode == conf_node::C_NEVER + || connectmode == conf_node::C_DISABLED) + ts = TSTAMP_CANCEL; + else if (ts <= NOW) { - if (now >= next_retry) - { - int retry_int = retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2); + double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; - if (retry_cnt < (17 << 2) | 3) - retry_cnt++; + if (retry_int < 3600 * 8) + retry_cnt++; - if (connectmode == conf_node::C_ONDEMAND - && retry_int > ::conf.keepalive) - retry_int = ::conf.keepalive; + ts = NOW + retry_int; - next_retry = now + retry_int; - next_wakeup (next_retry); - - if (conf->hostname) - { - reset_dstaddr (); - if (sa.sin_addr.s_addr) - if (retry_cnt < 4) - send_auth (AUTH_INIT, &sa); - else - send_ping (&sa, 0); - } - else - vpn->connect_request (conf->id); + if (conf->hostname) + { + reset_dstaddr (); + if (si.host && auth_rate_limiter.can (si)) + { + if (retry_cnt < 4) + send_auth_request (si, true); + else + send_ping (si, 0); + } } + else + vpn->connect_request (conf->id); } } @@ -597,44 +756,46 @@ { if (ictx && octx) { - slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename); + slog (L_INFO, _("%s(%s): connection lost"), + conf->nodename, (const char *)si); if (::conf.script_node_down) - run_script (this, &connection::script_node_down, false); + run_script (run_script_cb (this, &connection::script_node_down), false); } - delete ictx; - ictx = 0; + delete ictx; ictx = 0; + delete octx; octx = 0; - delete octx; - octx = 0; + si.host= 0; - sa.sin_port = 0; - sa.sin_addr.s_addr = 0; - - next_retry = 0; - next_rekey = 0; last_activity = 0; + retry_cnt = 0; + + rekey.reset (); + keepalive.reset (); + establish_connection.reset (); } void connection::shutdown () { if (ictx && octx) - send_reset (&sa); + send_reset (si); reset_connection (); } void -connection::rekey () +connection::rekey_cb (tstamp &ts) { + ts = TSTAMP_CANCEL; + reset_connection (); establish_connection (); } void -connection::send_data_packet (tap_packet * pkt, bool broadcast) +connection::send_data_packet (tap_packet *pkt, bool broadcast) { vpndata_packet *p = new vpndata_packet; int tos = 0; @@ -645,7 +806,7 @@ tos = (*pkt)[15] & IPTOS_TOS_MASK; p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs - vpn->send_vpn_packet (p, &sa, tos); + send_vpn_packet (p, si, tos); delete p; @@ -668,9 +829,9 @@ } void -connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa) +connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) { - last_activity = now; + last_activity = NOW; slog (L_NOISE, "<<%d received packet type %d from %d to %d", conf->id, pkt->typ (), pkt->src (), pkt->dst ()); @@ -678,20 +839,20 @@ switch (pkt->typ ()) { case vpn_packet::PT_PING: - send_ping (ssa, 1); // pong - break; - - case vpn_packet::PT_PONG: // we send pings instead of auth packets after some retries, - // so reset the retry counter and establish a conenction - // when we receive a pong. - if (!ictx && !octx) + // so reset the retry counter and establish a connection + // when we receive a ping. + if (!ictx) { - retry_cnt = 0; - next_retry = 0; - establish_connection (); + if (auth_rate_limiter.can (rsi)) + send_auth_request (rsi, true); } + else + send_ping (rsi, 1); // pong + + break; + case vpn_packet::PT_PONG: break; case vpn_packet::PT_RESET: @@ -699,194 +860,196 @@ reset_connection (); config_packet *p = (config_packet *) pkt; - if (p->chk_config ()) - if (connectmode == conf_node::C_ALWAYS) - establish_connection (); - //D slog the protocol mismatch? + if (!p->chk_config ()) + { + slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"), + conf->nodename, (const char *)rsi); + connectmode = conf_node::C_DISABLED; + } + else if (connectmode == conf_node::C_ALWAYS) + establish_connection (); } break; - case vpn_packet::PT_AUTH: + case vpn_packet::PT_AUTH_REQ: + if (auth_rate_limiter.can (rsi)) + { + auth_req_packet *p = (auth_req_packet *) pkt; + + slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); + + if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) + { + if (p->prot_minor != PROTOCOL_MINOR) + slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), + conf->nodename, (const char *)rsi, + PROTOCOL_MINOR, conf->nodename, p->prot_minor); + + if (p->initiate) + send_auth_request (rsi, false); + + rsachallenge k; + + if (0 > RSA_private_decrypt (sizeof (p->encr), + (unsigned char *)&p->encr, (unsigned char *)&k, + ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) + slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), + conf->nodename, (const char *)rsi); + else + { + retry_cnt = 0; + establish_connection.set (NOW + 8); //? ;) + keepalive.reset (); + rekey.reset (); + + delete ictx; + ictx = 0; + + delete octx; + + octx = new crypto_ctx (k, 1); + oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; + + conf->can_recv = p->can_recv; + send_auth_response (rsi, p->id, k); + + break; + } + } + + send_reset (rsi); + } + + break; + + case vpn_packet::PT_AUTH_RES: { - auth_packet *p = (auth_packet *) pkt; + auth_res_packet *p = (auth_res_packet *) pkt; - slog (L_TRACE, "<<%d PT_AUTH(%d)", conf->id, p->subtype); + slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); - if (p->chk_config () - && !strncmp (p->magic, MAGIC, 8)) + if (p->chk_config ()) { if (p->prot_minor != PROTOCOL_MINOR) - slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."), + slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), + conf->nodename, (const char *)rsi, PROTOCOL_MINOR, conf->nodename, p->prot_minor); - if (p->subtype == AUTH_INIT) - send_auth (AUTH_INITREPLY, ssa); - - rsachallenge k; + rsachallenge chg; -#if ENABLE_TRUST - if (0 > RSA_private_decrypt (sizeof (rsaencrdata), - (unsigned char *)&p->challenge, (unsigned char *)&k, - ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) - // continued below -#else - rsaencrdata j; - - if (0 > RSA_private_decrypt (sizeof (rsaencrdata), - (unsigned char *)&p->challenge, (unsigned char *)&j, - ::conf.rsa_key, RSA_NO_PADDING)) - fatal ("RSA_private_decrypt error"); - - if (0 > RSA_public_decrypt (sizeof (k), - (unsigned char *)&j, (unsigned char *)&k, - conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) - // continued below -#endif - { - slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"), - conf->nodename, (const char *)sockinfo (ssa)); - break; - } - - retry_cnt = 0; - next_retry = now + 8; - - switch (p->subtype) + if (!rsa_cache.find (p->id, chg)) + slog (L_ERR, _("%s(%s): unrequested auth response"), + conf->nodename, (const char *)rsi); + else { - case AUTH_INIT: - case AUTH_INITREPLY: - delete ictx; - ictx = 0; + crypto_ctx *cctx = new crypto_ctx (chg, 0); - delete octx; + if (!p->hmac_chk (cctx)) + slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" + "could be an attack, or just corruption or an synchronization error"), + conf->nodename, (const char *)rsi); + else + { + rsaresponse h; - octx = new crypto_ctx (k, 1); - oseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; + rsa_hash (p->id, chg, h); - send_auth (AUTH_REPLY, ssa, &k); - break; + if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h)) + { + prot_minor = p->prot_minor; - case AUTH_REPLY: + delete ictx; ictx = cctx; - if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32), - sizeof (rsachallenge) - sizeof (u32))) - { - delete ictx; + iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid - ictx = new crypto_ctx (k, 0); - iseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; // at least 2**31 sequence numbers are valid - ismask = 0xffffffff; // initially, all lower sequence numbers are invalid + si = rsi; - sa = *ssa; + rekey.set (NOW + ::conf.rekey); + keepalive.set (NOW + ::conf.keepalive); - next_rekey = now + ::conf.rekey; - next_wakeup (next_rekey); + // send queued packets + while (tap_packet *p = queue.get ()) + { + send_data_packet (p); + delete p; + } - // send queued packets - while (tap_packet *p = queue.get ()) - { - send_data_packet (p); - delete p; - } + connectmode = conf->connectmode; - connectmode = conf->connectmode; + slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), + conf->nodename, (const char *)rsi, + p->prot_major, p->prot_minor); - slog (L_INFO, _("connection to %d (%s %s) established"), - conf->id, conf->nodename, (const char *)sockinfo (ssa)); + if (::conf.script_node_up) + run_script (run_script_cb (this, &connection::script_node_up), false); - if (::conf.script_node_up) - run_script (this, &connection::script_node_up, false); + break; + } + else + slog (L_ERR, _("%s(%s): sent and received challenge do not match"), + conf->nodename, (const char *)rsi); } - else - slog (L_ERR, _("sent and received challenge do not match with (%s %s))"), - conf->nodename, (const char *)sockinfo (ssa)); - break; - default: - slog (L_ERR, _("authentification illegal subtype error (%s %s)"), - conf->nodename, (const char *)sockinfo (ssa)); - break; + delete cctx; } } - else - send_reset (ssa); - - break; } + send_reset (rsi); + break; + case vpn_packet::PT_DATA_COMPRESSED: #if !ENABLE_COMPRESSION - send_reset (ssa); + send_reset (rsi); break; #endif + case vpn_packet::PT_DATA_UNCOMPRESSED: if (ictx && octx) { vpndata_packet *p = (vpndata_packet *)pkt; - if (*ssa == sa) + if (rsi == si) { if (!p->hmac_chk (ictx)) - slog (L_ERR, _("hmac authentication error, received invalid packet\n" - "could be an attack, or just corruption or an synchronization error")); + slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n" + "could be an attack, or just corruption or an synchronization error"), + conf->nodename, (const char *)rsi); else { u32 seqno; tap_packet *d = p->unpack (this, seqno); - if (seqno <= iseqno - 32) - slog (L_ERR, _("received duplicate or outdated packet (received %08lx, expected %08lx)\n" - "possible replay attack, or just massive packet reordering"), seqno, iseqno + 1);//D - else if (seqno > iseqno + 32) - slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n" - "possible replay attack, or just massive packet loss"), seqno, iseqno + 1);//D - else + if (iseqno.recv_ok (seqno)) { - if (seqno > iseqno) - { - ismask <<= seqno - iseqno; - iseqno = seqno; - } - - u32 mask = 1 << (iseqno - seqno); - - //printf ("received seqno %08lx, iseqno %08lx, mask %08lx is %08lx\n", seqno, iseqno, mask, ismask); - if (ismask & mask) - slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n" - "possible replay attack, or just packet duplication"), seqno, iseqno + 1);//D - else - { - ismask |= mask; - - vpn->tap->send (d); - - if (p->dst () == 0) // re-broadcast - for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i) - { - connection *c = *i; - - if (c->conf != THISNODE && c->conf != conf) - c->inject_data_packet (d); - } + vpn->tap->send (d); + + if (p->dst () == 0) // re-broadcast + for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i) + { + connection *c = *i; + + if (c->conf != THISNODE && c->conf != conf) + c->inject_data_packet (d); + } - delete d; + delete d; - break; - } + break; } } } else - slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D + slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi); } - send_reset (ssa); + send_reset (rsi); break; case vpn_packet::PT_CONNECT_REQ: - if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) + if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) { connect_req_packet *p = (connect_req_packet *) pkt; @@ -902,29 +1065,25 @@ // send connect_info packets to both sides, in case one is // behind a nat firewall (or both ;) { - sockinfo si(sa); - slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", c->conf->id, conf->id, (const char *)si); - connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si); + connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si, conf->can_recv); r->hmac_set (c->octx); - vpn->send_vpn_packet (r, &c->sa); + send_vpn_packet (r, c->si); delete r; } { - sockinfo si(c->sa); - slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", - conf->id, c->conf->id, (const char *)si); + conf->id, c->conf->id, (const char *)c->si); - connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si); + connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, c->si, c->conf->can_recv); r->hmac_set (octx); - vpn->send_vpn_packet (r, &sa); + send_vpn_packet (r, si); delete r; } @@ -934,7 +1093,7 @@ break; case vpn_packet::PT_CONNECT_INFO: - if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) + if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) { connect_info_packet *p = (connect_info_packet *) pkt; @@ -945,41 +1104,37 @@ slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); - c->send_auth (AUTH_INIT, p->si.sa ()); + c->conf->can_recv = p->can_recv; + c->send_auth_request (p->si, true); } + break; default: - send_reset (ssa); + send_reset (rsi); break; + } } -void connection::timer () +void connection::keepalive_cb (tstamp &ts) { - if (conf != THISNODE) + if (NOW >= last_activity + ::conf.keepalive + 30) { - if (now >= next_retry && connectmode == conf_node::C_ALWAYS) - establish_connection (); - - if (ictx && octx) - { - if (now >= next_rekey) - rekey (); - else if (now >= last_activity + ::conf.keepalive + 30) - { - reset_connection (); - establish_connection (); - } - else if (now >= last_activity + ::conf.keepalive) - if (conf->connectmode != conf_node::C_ONDEMAND - || THISNODE->connectmode != conf_node::C_ONDEMAND) - send_ping (&sa); - else - reset_connection (); - - } + reset_connection (); + establish_connection (); + } + else if (NOW < last_activity + ::conf.keepalive) + ts = last_activity + ::conf.keepalive; + else if (conf->connectmode != conf_node::C_ONDEMAND + || THISNODE->connectmode != conf_node::C_ONDEMAND) + { + send_ping (si); + ts = NOW + 5; } + else + reset_connection (); + } void connection::connect_request (int id) @@ -988,27 +1143,23 @@ slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id); p->hmac_set (octx); - vpn->send_vpn_packet (p, &sa); + send_vpn_packet (p, si); delete p; } void connection::script_node () { - vpn->script_if_up (); + vpn->script_if_up (0); char *env; - asprintf (&env, "DESTID=%d", conf->id); - putenv (env); - asprintf (&env, "DESTNODE=%s", conf->nodename); - putenv (env); - asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr)); - putenv (env); - asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port)); - putenv (env); + asprintf (&env, "DESTID=%d", conf->id); putenv (env); + asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); + asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); + asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); } -const char *connection::script_node_up () +const char *connection::script_node_up (int) { script_node (); @@ -1017,7 +1168,7 @@ return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; } -const char *connection::script_node_down () +const char *connection::script_node_down (int) { script_node (); @@ -1026,16 +1177,41 @@ return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; } -///////////////////////////////////////////////////////////////////////////// +// send a vpn packet out to other hosts +void +connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos) +{ + if (prot_send & PROT_IPv4) + vpn->send_ipv4_packet (pkt, si, tos); + else + vpn->send_udpv4_packet (pkt, si, tos); +} -vpn::vpn (void) -{} +connection::connection(struct vpn *vpn_) +: vpn(vpn_) +, rekey (this, &connection::rekey_cb) +, keepalive (this, &connection::keepalive_cb) +, establish_connection (this, &connection::establish_connection_cb) +{ + octx = ictx = 0; + retry_cnt = 0; -const char *vpn::script_if_up () + connectmode = conf_node::C_ALWAYS; // initial setting + reset_connection (); +} + +connection::~connection () +{ + shutdown (); +} + +///////////////////////////////////////////////////////////////////////////// + +const char *vpn::script_if_up (int) { // the tunnel device mtu should be the physical mtu - overhead // the tricky part is rounding to the cipher key blocksize - int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - UDP_OVERHEAD; + int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD; mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again @@ -1060,35 +1236,78 @@ } int -vpn::setup (void) +vpn::setup () { - struct sockaddr_in sa; + u8 prots = 0; + + for (configuration::node_vector::iterator i = conf.nodes.begin (); + i != conf.nodes.end (); ++i) + prots |= (*i)->can_send | (*i)->can_recv; + + sockinfo si; - socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP); - if (socket_fd < 0) - return -1; + si.set (THISNODE); - fill_sa (&sa, THISNODE); + udpv4_fd = -1; - if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa))) + if (prots & PROT_UDPv4) { - slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno)); - exit (1); + udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP); + + if (udpv4_fd < 0) + return -1; + + if (bind (udpv4_fd, si.sav4 (), si.salenv4 ())) + { + slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno)); + exit (1); + } + +#ifdef IP_MTU_DISCOVER + // this I really consider a linux bug. I am neither connected + // nor do I fragment myself. Linux still sets DF and doesn't + // fragment for me sometimes. + { + int oval = IP_PMTUDISC_DONT; + setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval); + } +#endif + + // standard daemon practise... + { + int oval = 1; + setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval); + } + + udpv4_ev_watcher.start (udpv4_fd, POLLIN); } + ipv4_fd = -1; + if (prots & PROT_IPv4) + { + ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto); + + if (ipv4_fd < 0) + return -1; + + if (bind (ipv4_fd, si.sav4 (), si.salenv4 ())) + { + slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno)); + exit (1); + } + #ifdef IP_MTU_DISCOVER - // this I really consider a linux bug. I am neither connected - // nor do I fragment myself. Linux still sets DF and doesn't - // fragment for me sometimes. - { - int oval = IP_PMTUDISC_DONT; - setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval); - } + // this I really consider a linux bug. I am neither connected + // nor do I fragment myself. Linux still sets DF and doesn't + // fragment for me sometimes. + { + int oval = IP_PMTUDISC_DONT; + setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval); + } #endif - { - int oval = 1; - setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval); - } + + ipv4_ev_watcher.start (ipv4_fd, POLLIN); + } tap = new tap_device (); if (!tap) //D this, of course, never catches @@ -1096,17 +1315,236 @@ slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname); exit (1); } + + run_script (run_script_cb (this, &vpn::script_if_up), true); - run_script (this, &vpn::script_if_up, true); + tap_ev_watcher.start (tap->fd, POLLIN); + + reconnect_all (); return 0; } void -vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos) +vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos) +{ + setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos); + sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ()); +} + +void +vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos) +{ + setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos); + sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ()); +} + +void +vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) +{ + unsigned int src = pkt->src (); + unsigned int dst = pkt->dst (); + + slog (L_NOISE, _("<typ (), pkt->src (), pkt->dst (), pkt->len); + + if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX) + slog (L_WARN, _("<typ (), pkt->src (), pkt->dst ()); + else if (dst == 0 && !THISNODE->routerprio) + slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst); + else if (dst != 0 && dst != THISNODE->id) + slog (L_WARN, + _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"), + dst, conns[dst - 1]->conf->nodename, + (const char *)rsi, + THISNODE->id, THISNODE->nodename); + else if (src == 0 || src > conns.size ()) + slog (L_WARN, _("received frame from unknown node %d (%s)"), + src, (const char *)rsi); + else + conns[src - 1]->recv_vpn_packet (pkt, rsi); +} + +void +vpn::udpv4_ev (short revents) +{ + if (revents & (POLLIN | POLLERR)) + { + vpn_packet *pkt = new vpn_packet; + struct sockaddr_in sa; + socklen_t sa_len = sizeof (sa); + int len; + + len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len); + + sockinfo si(sa); + + if (len > 0) + { + pkt->len = len; + + recv_vpn_packet (pkt, si); + } + else + { + // probably ECONNRESET or somesuch + slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno)); + } + + delete pkt; + } + else if (revents & POLLHUP) + { + // this cannot ;) happen on udp sockets + slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating.")); + exit (1); + } + else + { + slog (L_ERR, + _("FATAL: unknown revents %08x in socket, terminating\n"), + revents); + exit (1); + } +} + +void +vpn::ipv4_ev (short revents) +{ + if (revents & (POLLIN | POLLERR)) + { + vpn_packet *pkt = new vpn_packet; + struct sockaddr_in sa; + socklen_t sa_len = sizeof (sa); + int len; + + len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len); + + sockinfo si(sa, PROT_IPv4); + + if (len > 0) + { + pkt->len = len; + + // raw sockets deliver the ipv4, but don't expect it on sends + // this is slow, but... + pkt->skip_hdr (IP_OVERHEAD); + + recv_vpn_packet (pkt, si); + } + else + { + // probably ECONNRESET or somesuch + slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno)); + } + + delete pkt; + } + else if (revents & POLLHUP) + { + // this cannot ;) happen on udp sockets + slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating.")); + exit (1); + } + else + { + slog (L_ERR, + _("FATAL: unknown revents %08x in socket, terminating\n"), + revents); + exit (1); + } +} + +void +vpn::tap_ev (short revents) { - setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos); - sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); + if (revents & POLLIN) + { + /* process data */ + tap_packet *pkt; + + pkt = tap->recv (); + + int dst = mac2id (pkt->dst); + int src = mac2id (pkt->src); + + if (src != THISNODE->id) + { + slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating.")); + exit (1); + } + + if (dst == THISNODE->id) + { + slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating.")); + exit (1); + } + + if (dst > conns.size ()) + slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst); + else + { + if (dst) + { + // unicast + if (dst != THISNODE->id) + conns[dst - 1]->inject_data_packet (pkt); + } + else + { + // broadcast, first check router, then self, then english + connection *router = find_router (); + + if (router) + router->inject_data_packet (pkt, true); + else + for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) + if ((*c)->conf != THISNODE) + (*c)->inject_data_packet (pkt); + } + } + + delete pkt; + } + else if (revents & (POLLHUP | POLLERR)) + { + slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating.")); + exit (1); + } + else + abort (); +} + +void +vpn::event_cb (tstamp &ts) +{ + if (events) + { + if (events & EVENT_SHUTDOWN) + { + slog (L_INFO, _("preparing shutdown...")); + + shutdown_all (); + + remove_pid (pidfilename); + + slog (L_INFO, _("terminating")); + + exit (0); + } + + if (events & EVENT_RECONNECT) + { + slog (L_INFO, _("forced reconnect")); + + reconnect_all (); + } + + events = 0; + } + + ts = TSTAMP_CANCEL; } void @@ -1124,6 +1562,9 @@ conns.clear (); + auth_rate_limiter.clear (); + reset_rate_limiter.clear (); + for (configuration::node_vector::iterator i = conf.nodes.begin (); i != conf.nodes.end (); ++i) { @@ -1172,181 +1613,37 @@ } void -vpn::main_loop () +connection::dump_status () { - struct pollfd pollfd[2]; - - pollfd[0].fd = tap->fd; - pollfd[0].events = POLLIN; - pollfd[1].fd = socket_fd; - pollfd[1].events = POLLIN; - - events = 0; - now = time (0); - next_timecheck = now + 1; - - reconnect_all (); - - for (;;) - { - int npoll = poll (pollfd, 2, (next_timecheck - now) * 1000); - - now = time (0); - - if (npoll > 0) - { - if (pollfd[1].revents) - { - if (pollfd[1].revents & (POLLIN | POLLERR)) - { - vpn_packet *pkt = new vpn_packet; - struct sockaddr_in sa; - socklen_t sa_len = sizeof (sa); - int len; - - len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len); - - if (len > 0) - { - pkt->len = len; - - unsigned int src = pkt->src (); - unsigned int dst = pkt->dst (); - - slog (L_NOISE, _("<typ (), pkt->src (), pkt->dst (), pkt->len); - - if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX) - slog (L_WARN, _("<typ (), pkt->src (), pkt->dst ()); - else if (dst == 0 && !THISNODE->routerprio) - slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst); - else if (dst != 0 && dst != THISNODE->id) - slog (L_WARN, - _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"), - dst, conns[dst - 1]->conf->nodename, - (const char *)sockinfo (sa), - THISNODE->id, THISNODE->nodename); - else if (src == 0 || src > conns.size ()) - slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa)); - else - conns[src - 1]->recv_vpn_packet (pkt, &sa); - } - else - { - // probably ECONNRESET or somesuch - slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno)); - } - - delete pkt; - } - else if (pollfd[1].revents & POLLHUP) - { - // this cannot ;) happen on udp sockets - slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating.")); - exit (1); - } - else - { - slog (L_ERR, - _("FATAL: unknown revents %08x in socket, terminating\n"), - pollfd[1].revents); - exit (1); - } - } - - // I use else here to give vpn_packets absolute priority - else if (pollfd[0].revents) - { - if (pollfd[0].revents & POLLIN) - { - /* process data */ - tap_packet *pkt; - - pkt = tap->recv (); - - int dst = mac2id (pkt->dst); - int src = mac2id (pkt->src); - - if (src != THISNODE->id) - { - slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating.")); - exit (1); - } - - if (dst == THISNODE->id) - { - slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating.")); - exit (1); - } - - if (dst > conns.size ()) - slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst); - else - { - if (dst) - { - // unicast - if (dst != THISNODE->id) - conns[dst - 1]->inject_data_packet (pkt); - } - else - { - // broadcast, first check router, then self, then english - connection *router = find_router (); - - if (router) - router->inject_data_packet (pkt, true); - else - for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) - if ((*c)->conf != THISNODE) - (*c)->inject_data_packet (pkt); - } - } - - delete pkt; - } - else if (pollfd[0].revents & (POLLHUP | POLLERR)) - { - slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating.")); - exit (1); - } - else - abort (); - } - } - - if (events) - { - if (events & EVENT_SHUTDOWN) - { - shutdown_all (); - - remove_pid (pidfilename); - - slog (L_INFO, _("vped terminating")); - - exit (0); - } + slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id); + slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"), + connectmode, conf->connectmode, (const char *)si, (int)prot_minor); + slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"), + (long)ictx, (long)octx, (int)oseqno, (int)retry_cnt); + slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"), + (long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at)); +} - if (events & EVENT_RECONNECT) - reconnect_all (); +void +vpn::dump_status () +{ + slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW); - events = 0; - } + for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) + (*c)->dump_status (); - // very very very dumb and crude and inefficient timer handling, or maybe not? - if (now >= next_timecheck) - { - next_timecheck = now + TIMER_GRANULARITY; + slog (L_NOTICE, _("END status dump")); +} - for (conns_vector::iterator c = conns.begin (); - c != conns.end (); ++c) - (*c)->timer (); - } - } +vpn::vpn (void) +: udpv4_ev_watcher(this, &vpn::udpv4_ev) +, ipv4_ev_watcher(this, &vpn::ipv4_ev) +, tap_ev_watcher(this, &vpn::tap_ev) +, event(this, &vpn::event_cb) +{ } vpn::~vpn () -{} +{ +}