ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/protocol.C
(Generate patch)

Comparing gvpe/src/protocol.C (file contents):
Revision 1.11 by pcg, Sat Mar 22 21:35:07 2003 UTC vs.
Revision 1.23 by pcg, Fri Mar 28 05:40:54 2003 UTC

58 58
59static time_t next_timecheck; 59static time_t next_timecheck;
60 60
61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
62 62
63static const rsachallenge & 63static u8
64challenge_bytes () 64best_protocol (u8 protset)
65{ 65{
66 static rsachallenge challenge; 66 if (protset & PROT_IPv4)
67 static double challenge_ttl; // time this challenge needs to be recreated 67 return PROT_IPv4;
68 68
69 if (NOW > challenge_ttl) 69 return PROT_UDPv4;
70 {
71 RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));
72 challenge_ttl = NOW + CHALLENGE_TTL;
73 }
74
75 return challenge;
76}
77
78// caching of rsa operations really helps slow computers
79struct rsa_entry {
80 tstamp expire;
81 rsachallenge chg;
82 RSA *key; // which key
83 rsaencrdata encr;
84
85 rsa_entry ()
86 {
87 expire = NOW + CHALLENGE_TTL;
88 }
89};
90
91struct rsa_cache : list<rsa_entry>
92{
93 void cleaner_cb (tstamp &ts); time_watcher cleaner;
94
95 const rsaencrdata *public_encrypt (RSA *key, const rsachallenge &chg)
96 {
97 for (iterator i = begin (); i != end (); ++i)
98 {
99 if (i->key == key && !memcmp (&chg, &i->chg, sizeof chg))
100 return &i->encr;
101 }
102
103 if (cleaner.at < NOW)
104 cleaner.start (NOW + CHALLENGE_TTL);
105
106 resize (size () + 1);
107 rsa_entry *e = &(*rbegin ());
108
109 e->key = key;
110 memcpy (&e->chg, &chg, sizeof chg);
111
112 if (0 > RSA_public_encrypt (sizeof chg,
113 (unsigned char *)&chg, (unsigned char *)&e->encr,
114 key, RSA_PKCS1_OAEP_PADDING))
115 fatal ("RSA_public_encrypt error");
116
117 return &e->encr;
118 }
119
120 const rsachallenge *private_decrypt (RSA *key, const rsaencrdata &encr)
121 {
122 for (iterator i = begin (); i != end (); ++i)
123 if (i->key == key && !memcmp (&encr, &i->encr, sizeof encr))
124 return &i->chg;
125
126 if (cleaner.at < NOW)
127 cleaner.start (NOW + CHALLENGE_TTL);
128
129 resize (size () + 1);
130 rsa_entry *e = &(*rbegin ());
131
132 e->key = key;
133 memcpy (&e->encr, &encr, sizeof encr);
134
135 if (0 > RSA_private_decrypt (sizeof encr,
136 (unsigned char *)&encr, (unsigned char *)&e->chg,
137 key, RSA_PKCS1_OAEP_PADDING))
138 {
139 pop_back ();
140 return 0;
141 }
142
143 return &e->chg;
144 }
145
146 rsa_cache ()
147 : cleaner (this, &rsa_cache::cleaner_cb)
148 { }
149
150} rsa_cache;
151
152void rsa_cache::cleaner_cb (tstamp &ts)
153{
154 if (empty ())
155 ts = TSTAMP_CANCEL;
156 else
157 {
158 ts = NOW + 3;
159 for (iterator i = begin (); i != end (); )
160 {
161 if (i->expire >= NOW)
162 i = erase (i);
163 else
164 ++i;
165 }
166 }
167}
168
169// run a script. yes, it's a template function. yes, c++
170// is not a functional language. yes, this suxx.
171template<class owner>
172static void
173run_script (owner *obj, const char *(owner::*setup)(), bool wait)
174{
175 int pid;
176
177 if ((pid = fork ()) == 0)
178 {
179 char *filename;
180 asprintf (&filename, "%s/%s", confbase, (obj->*setup) ());
181 execl (filename, filename, (char *) 0);
182 exit (255);
183 }
184 else if (pid > 0)
185 {
186 if (wait)
187 {
188 waitpid (pid, 0, 0);
189 /* TODO: check status */
190 }
191 }
192}
193
194// xor the socket address into the challenge to ensure different challenges
195// per host. we could rely on the OAEP padding, but this doesn't hurt.
196void
197xor_sa (rsachallenge &k, SOCKADDR *sa)
198{
199 ((u32 *) k)[(CHG_CIPHER_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
200 ((u16 *) k)[(CHG_CIPHER_KEY + 4) / 2] ^= sa->sin_port;
201 ((u32 *) k)[(CHG_HMAC_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
202 ((u16 *) k)[(CHG_HMAC_KEY + 4) / 2] ^= sa->sin_port;
203} 70}
204 71
205struct crypto_ctx 72struct crypto_ctx
206 { 73 {
207 EVP_CIPHER_CTX cctx; 74 EVP_CIPHER_CTX cctx;
223{ 90{
224 EVP_CIPHER_CTX_cleanup (&cctx); 91 EVP_CIPHER_CTX_cleanup (&cctx);
225 HMAC_CTX_cleanup (&hctx); 92 HMAC_CTX_cleanup (&hctx);
226} 93}
227 94
95static void
96rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
97{
98 EVP_MD_CTX ctx;
99
100 EVP_MD_CTX_init (&ctx);
101 EVP_DigestInit (&ctx, RSA_HASH);
102 EVP_DigestUpdate(&ctx, &chg, sizeof chg);
103 EVP_DigestUpdate(&ctx, &id, sizeof id);
104 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
105 EVP_MD_CTX_cleanup (&ctx);
106}
107
108struct rsa_entry {
109 tstamp expire;
110 rsaid id;
111 rsachallenge chg;
112};
113
114struct rsa_cache : list<rsa_entry>
115{
116 void cleaner_cb (tstamp &ts); time_watcher cleaner;
117
118 bool find (const rsaid &id, rsachallenge &chg)
119 {
120 for (iterator i = begin (); i != end (); ++i)
121 {
122 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
123 {
124 memcpy (&chg, &i->chg, sizeof chg);
125
126 erase (i);
127 return true;
128 }
129 }
130
131 if (cleaner.at < NOW)
132 cleaner.start (NOW + RSA_TTL);
133
134 return false;
135 }
136
137 void gen (rsaid &id, rsachallenge &chg)
138 {
139 rsa_entry e;
140
141 RAND_bytes ((unsigned char *)&id, sizeof id);
142 RAND_bytes ((unsigned char *)&chg, sizeof chg);
143
144 e.expire = NOW + RSA_TTL;
145 e.id = id;
146 memcpy (&e.chg, &chg, sizeof chg);
147
148 push_back (e);
149
150 if (cleaner.at < NOW)
151 cleaner.start (NOW + RSA_TTL);
152 }
153
154 rsa_cache ()
155 : cleaner (this, &rsa_cache::cleaner_cb)
156 { }
157
158} rsa_cache;
159
160void rsa_cache::cleaner_cb (tstamp &ts)
161{
162 if (empty ())
163 ts = TSTAMP_CANCEL;
164 else
165 {
166 ts = NOW + RSA_TTL;
167
168 for (iterator i = begin (); i != end (); )
169 if (i->expire <= NOW)
170 i = erase (i);
171 else
172 ++i;
173 }
174}
175
176typedef callback<const char *, int> run_script_cb;
177
178// run a shell script (or actually an external program).
179static void
180run_script (const run_script_cb &cb, bool wait)
181{
182 int pid;
183
184 if ((pid = fork ()) == 0)
185 {
186 char *filename;
187 asprintf (&filename, "%s/%s", confbase, cb(0));
188 execl (filename, filename, (char *) 0);
189 exit (255);
190 }
191 else if (pid > 0)
192 {
193 if (wait)
194 {
195 waitpid (pid, 0, 0);
196 /* TODO: check status */
197 }
198 }
199}
200
228////////////////////////////////////////////////////////////////////////////// 201//////////////////////////////////////////////////////////////////////////////
229 202
230void pkt_queue::put (tap_packet *p) 203void pkt_queue::put (tap_packet *p)
231{ 204{
232 if (queue[i]) 205 if (queue[i])
264{ 237{
265 for (i = QUEUEDEPTH; --i > 0; ) 238 for (i = QUEUEDEPTH; --i > 0; )
266 delete queue[i]; 239 delete queue[i];
267} 240}
268 241
242struct net_rateinfo {
243 u32 host;
244 double pcnt, diff;
245 tstamp last;
246};
247
269// only do action once every x seconds per host. 248// only do action once every x seconds per host whole allowing bursts.
270// currently this is quite a slow implementation, 249// this implementation ("splay list" ;) is inefficient,
271// but suffices for normal operation. 250// but low on resources.
272struct u32_rate_limiter : private map<u32, tstamp> 251struct net_rate_limiter : list<net_rateinfo>
273 { 252{
274 tstamp every; 253 static const double ALPHA = 1. - 1. / 90.; // allow bursts
254 static const double CUTOFF = 20.; // one event every CUTOFF seconds
255 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
275 256
257 bool can (const sockinfo &si) { return can((u32)si.host); }
276 bool can (u32 host); 258 bool can (u32 host);
277
278 u32_rate_limiter (tstamp every = 1)
279 {
280 this->every = every;
281 }
282 }; 259};
283 260
284struct net_rate_limiter : u32_rate_limiter 261net_rate_limiter auth_rate_limiter, reset_rate_limiter;
285 {
286 bool can (SOCKADDR *sa) { return u32_rate_limiter::can((u32)sa->sin_addr.s_addr); }
287 bool can (sockinfo &si) { return u32_rate_limiter::can((u32)si.host); }
288 262
289 net_rate_limiter (tstamp every) : u32_rate_limiter (every) {}
290 };
291
292bool u32_rate_limiter::can (u32 host) 263bool net_rate_limiter::can (u32 host)
293{ 264{
294 iterator i; 265 iterator i;
295 266
296 for (i = begin (); i != end (); ) 267 for (i = begin (); i != end (); )
297 if (i->second <= NOW) 268 if (i->host == host)
298 { 269 break;
270 else if (i->last < NOW - EXPIRE)
299 erase (i); 271 i = erase (i);
300 i = begin ();
301 }
302 else 272 else
303 ++i; 273 i++;
304 274
305 i = find (host);
306
307 if (i != end ()) 275 if (i == end ())
308 return false; 276 {
277 net_rateinfo ri;
309 278
310 insert (value_type (host, NOW + every)); 279 ri.host = host;
280 ri.pcnt = 1.;
281 ri.diff = CUTOFF * (1. / (1. - ALPHA));
282 ri.last = NOW;
311 283
284 push_front (ri);
285
312 return true; 286 return true;
287 }
288 else
289 {
290 net_rateinfo ri (*i);
291 erase (i);
292
293 ri.pcnt = ri.pcnt * ALPHA;
294 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
295
296 ri.last = NOW;
297
298 bool send = ri.diff / ri.pcnt > CUTOFF;
299
300 if (send)
301 ri.pcnt++;
302
303 push_front (ri);
304
305 return send;
306 }
313} 307}
314 308
315///////////////////////////////////////////////////////////////////////////// 309/////////////////////////////////////////////////////////////////////////////
316 310
317static void next_wakeup (time_t next) 311static void next_wakeup (time_t next)
321} 315}
322 316
323static unsigned char hmac_digest[EVP_MAX_MD_SIZE]; 317static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
324 318
325struct hmac_packet:net_packet 319struct hmac_packet:net_packet
320{
321 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
322
323 void hmac_set (crypto_ctx * ctx);
324 bool hmac_chk (crypto_ctx * ctx);
325
326private:
327 void hmac_gen (crypto_ctx * ctx)
326 { 328 {
327 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
328
329 void hmac_set (crypto_ctx * ctx);
330 bool hmac_chk (crypto_ctx * ctx);
331
332private:
333 void hmac_gen (crypto_ctx * ctx)
334 {
335 unsigned int xlen; 329 unsigned int xlen;
336 HMAC_CTX *hctx = &ctx->hctx; 330 HMAC_CTX *hctx = &ctx->hctx;
337 331
338 HMAC_Init_ex (hctx, 0, 0, 0, 0); 332 HMAC_Init_ex (hctx, 0, 0, 0, 0);
339 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), 333 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
340 len - sizeof (hmac_packet)); 334 len - sizeof (hmac_packet));
341 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen); 335 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
342 }
343 }; 336 }
337};
344 338
345void 339void
346hmac_packet::hmac_set (crypto_ctx * ctx) 340hmac_packet::hmac_set (crypto_ctx * ctx)
347{ 341{
348 hmac_gen (ctx); 342 hmac_gen (ctx);
364 { 358 {
365 PT_RESET = 0, 359 PT_RESET = 0,
366 PT_DATA_UNCOMPRESSED, 360 PT_DATA_UNCOMPRESSED,
367 PT_DATA_COMPRESSED, 361 PT_DATA_COMPRESSED,
368 PT_PING, PT_PONG, // wasting namespace space? ;) 362 PT_PING, PT_PONG, // wasting namespace space? ;)
369 PT_AUTH, // authentification 363 PT_AUTH_REQ, // authentification request
364 PT_AUTH_RES, // authentification response
370 PT_CONNECT_REQ, // want other host to contact me 365 PT_CONNECT_REQ, // want other host to contact me
371 PT_CONNECT_INFO, // request connection to some node 366 PT_CONNECT_INFO, // request connection to some node
372 PT_REKEY, // rekeying (not yet implemented)
373 PT_MAX 367 PT_MAX
374 }; 368 };
375 369
376 u8 type; 370 u8 type;
377 u8 srcdst, src1, dst1; 371 u8 srcdst, src1, dst1;
378 372
379 void set_hdr (ptype type, unsigned int dst); 373 void set_hdr (ptype type, unsigned int dst);
380 374
381 unsigned int src () 375 unsigned int src () const
382 { 376 {
383 return src1 | ((srcdst >> 4) << 8); 377 return src1 | ((srcdst >> 4) << 8);
384 } 378 }
385 379
386 unsigned int dst () 380 unsigned int dst () const
387 { 381 {
388 return dst1 | ((srcdst & 0xf) << 8); 382 return dst1 | ((srcdst & 0xf) << 8);
389 } 383 }
390 384
391 ptype typ () 385 ptype typ () const
392 { 386 {
393 return (ptype) type; 387 return (ptype) type;
394 } 388 }
395 }; 389 };
396 390
445 } 439 }
446#endif 440#endif
447 441
448 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 442 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
449 443
444 struct {
450#if RAND_SIZE 445#if RAND_SIZE
451 struct {
452 u8 rnd[RAND_SIZE]; 446 u8 rnd[RAND_SIZE];
447#endif
453 u32 seqno; 448 u32 seqno;
454 } datahdr; 449 } datahdr;
455 450
456 datahdr.seqno = seqno; 451 datahdr.seqno = ntohl (seqno);
452#if RAND_SIZE
457 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 453 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
454#endif
458 455
459 EVP_EncryptUpdate (cctx, 456 EVP_EncryptUpdate (cctx,
460 (unsigned char *) data + outl, &outl2, 457 (unsigned char *) data + outl, &outl2,
461 (unsigned char *) &datahdr, DATAHDR); 458 (unsigned char *) &datahdr, DATAHDR);
462 outl += outl2; 459 outl += outl2;
463#else
464 EVP_EncryptUpdate (cctx,
465 (unsigned char *) data + outl, &outl2,
466 (unsigned char *) &seqno, DATAHDR);
467 outl += outl2;
468#endif
469 460
470 EVP_EncryptUpdate (cctx, 461 EVP_EncryptUpdate (cctx,
471 (unsigned char *) data + outl, &outl2, 462 (unsigned char *) data + outl, &outl2,
472 (unsigned char *) d, l); 463 (unsigned char *) d, l);
473 outl += outl2; 464 outl += outl2;
509 outl += outl2; 500 outl += outl2;
510 501
511 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 502 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
512 outl += outl2; 503 outl += outl2;
513 504
514 seqno = *(u32 *)(d + RAND_SIZE); 505 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
515 506
516 id2mac (dst () ? dst() : THISNODE->id, p->dst); 507 id2mac (dst () ? dst() : THISNODE->id, p->dst);
517 id2mac (src (), p->src); 508 id2mac (src (), p->src);
518 509
519#if ENABLE_COMPRESSION 510#if ENABLE_COMPRESSION
520 if (type == PT_DATA_COMPRESSED) 511 if (type == PT_DATA_COMPRESSED)
521 { 512 {
522 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1]; 513 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
514
523 p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6; 515 p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
516 &(*p)[6 + 6], MAX_MTU)
517 + 6 + 6;
524 } 518 }
525 else 519 else
526 p->len = outl + (6 + 6 - DATAHDR); 520 p->len = outl + (6 + 6 - DATAHDR);
527#endif 521#endif
528 522
529 return p; 523 return p;
530} 524}
531 525
532struct ping_packet : vpn_packet 526struct ping_packet : vpn_packet
527{
528 void setup (int dst, ptype type)
533 { 529 {
534 void setup (int dst, ptype type)
535 {
536 set_hdr (type, dst); 530 set_hdr (type, dst);
537 len = sizeof (*this) - sizeof (net_packet); 531 len = sizeof (*this) - sizeof (net_packet);
538 }
539 }; 532 }
533};
540 534
541struct config_packet : vpn_packet 535struct config_packet : vpn_packet
536{
537 // actually, hmaclen cannot be checked because the hmac
538 // field comes before this data, so peers with other
539 // hmacs simply will not work.
540 u8 prot_major, prot_minor, randsize, hmaclen;
541 u8 flags, challengelen, pad2, pad3;
542 u32 cipher_nid, digest_nid, hmac_nid;
543
544 const u8 curflags () const
542 { 545 {
543 // actually, hmaclen cannot be checked because the hmac
544 // field comes before this data, so peers with other
545 // hmacs simply will not work.
546 u8 prot_major, prot_minor, randsize, hmaclen;
547 u8 flags, challengelen, pad2, pad3;
548 u32 cipher_nid;
549 u32 digest_nid;
550
551 const u8 curflags () const
552 {
553 return 0x80 546 return 0x80
554 | 0x02
555#if PROTOCOL_MAJOR != 2
556#error hi
557#endif
558 | (ENABLE_COMPRESSION ? 0x01 : 0x00); 547 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
559 } 548 }
560 549
561 void setup (ptype type, int dst) 550 void setup (ptype type, int dst);
562 { 551 bool chk_config () const;
552};
553
554void config_packet::setup (ptype type, int dst)
555{
563 prot_major = PROTOCOL_MAJOR; 556 prot_major = PROTOCOL_MAJOR;
564 prot_minor = PROTOCOL_MINOR; 557 prot_minor = PROTOCOL_MINOR;
565 randsize = RAND_SIZE; 558 randsize = RAND_SIZE;
566 hmaclen = HMACLENGTH; 559 hmaclen = HMACLENGTH;
567 flags = curflags (); 560 flags = curflags ();
568 challengelen = sizeof (rsachallenge); 561 challengelen = sizeof (rsachallenge);
569 562
570 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 563 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
571 digest_nid = htonl (EVP_MD_type (DIGEST)); 564 digest_nid = htonl (EVP_MD_type (RSA_HASH));
565 hmac_nid = htonl (EVP_MD_type (DIGEST));
572 566
573 len = sizeof (*this) - sizeof (net_packet); 567 len = sizeof (*this) - sizeof (net_packet);
574 set_hdr (type, dst); 568 set_hdr (type, dst);
575 } 569}
576 570
577 bool chk_config () 571bool config_packet::chk_config () const
578 { 572{
579 return prot_major == PROTOCOL_MAJOR 573 return prot_major == PROTOCOL_MAJOR
580 && randsize == RAND_SIZE 574 && randsize == RAND_SIZE
581 && hmaclen == HMACLENGTH 575 && hmaclen == HMACLENGTH
582 && flags == curflags () 576 && flags == curflags ()
583 && challengelen == sizeof (rsachallenge) 577 && challengelen == sizeof (rsachallenge)
584 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 578 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
579 && digest_nid == htonl (EVP_MD_type (RSA_HASH))
585 && digest_nid == htonl (EVP_MD_type (DIGEST)); 580 && hmac_nid == htonl (EVP_MD_type (DIGEST));
586 } 581}
587 };
588 582
589struct auth_packet : config_packet 583struct auth_req_packet : config_packet
584{
585 char magic[8];
586 u8 initiate, can_recv; // false if this is just an automatic reply
587 u8 pad2, pad3;
588 rsaid id;
589 rsaencrdata encr;
590
591 auth_req_packet (int dst, bool initiate_, u8 can_recv_)
590 { 592 {
591 char magic[8];
592 u8 subtype;
593 u8 pad1, pad2;
594 rsaencrdata challenge;
595
596 auth_packet (int dst, auth_subtype stype)
597 {
598 config_packet::setup (PT_AUTH, dst); 593 config_packet::setup (PT_AUTH_REQ, dst);
599 subtype = stype; 594 strncpy (magic, MAGIC, 8);
595 initiate = !!initiate_;
596 can_recv = can_recv_;
597
600 len = sizeof (*this) - sizeof (net_packet); 598 len = sizeof (*this) - sizeof (net_packet);
601 strncpy (magic, MAGIC, 8);
602 }
603 }; 599 }
600};
601
602struct auth_res_packet : config_packet
603{
604 rsaid id;
605 u8 pad1, pad2, pad3;
606 u8 response_len; // encrypted length
607 rsaresponse response;
608
609 auth_res_packet (int dst)
610 {
611 config_packet::setup (PT_AUTH_RES, dst);
612
613 len = sizeof (*this) - sizeof (net_packet);
614 }
615};
604 616
605struct connect_req_packet : vpn_packet 617struct connect_req_packet : vpn_packet
618{
619 u8 id;
620 u8 pad1, pad2, pad3;
621
622 connect_req_packet (int dst, int id_)
606 { 623 {
607 u8 id; 624 id = id_;
608 u8 pad1, pad2, pad3;
609
610 connect_req_packet (int dst, int id)
611 {
612 this->id = id;
613 set_hdr (PT_CONNECT_REQ, dst); 625 set_hdr (PT_CONNECT_REQ, dst);
614 len = sizeof (*this) - sizeof (net_packet); 626 len = sizeof (*this) - sizeof (net_packet);
615 }
616 }; 627 }
628};
617 629
618struct connect_info_packet : vpn_packet 630struct connect_info_packet : vpn_packet
631{
632 u8 id, can_recv;
633 u8 pad1, pad2;
634 sockinfo si;
635
636 connect_info_packet (int dst, int id_, sockinfo &si_, u8 can_recv_)
619 { 637 {
620 u8 id; 638 id = id_;
621 u8 pad1, pad2, pad3; 639 can_recv = can_recv_;
622 sockinfo si; 640 si = si_;
623
624 connect_info_packet (int dst, int id, sockinfo &si)
625 {
626 this->id = id;
627 this->si = si;
628 set_hdr (PT_CONNECT_INFO, dst); 641 set_hdr (PT_CONNECT_INFO, dst);
642
629 len = sizeof (*this) - sizeof (net_packet); 643 len = sizeof (*this) - sizeof (net_packet);
630 }
631 }; 644 }
645};
632 646
633///////////////////////////////////////////////////////////////////////////// 647/////////////////////////////////////////////////////////////////////////////
634 648
635void 649void
636fill_sa (SOCKADDR *sa, conf_node *conf)
637{
638 sa->sin_family = AF_INET;
639 sa->sin_port = htons (conf->port);
640 sa->sin_addr.s_addr = 0;
641
642 if (conf->hostname)
643 {
644 struct hostent *he = gethostbyname (conf->hostname);
645
646 if (he
647 && he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
648 {
649 //sa->sin_family = he->h_addrtype;
650 memcpy (&sa->sin_addr, he->h_addr_list[0], 4);
651 }
652 else
653 slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
654 }
655}
656
657void
658connection::reset_dstaddr () 650connection::reset_dstaddr ()
659{ 651{
660 fill_sa (&sa, conf); 652 si.set (conf);
661} 653}
662 654
663void 655void
664connection::send_ping (SOCKADDR *dsa, u8 pong) 656connection::send_ping (const sockinfo &si, u8 pong)
665{ 657{
666 ping_packet *pkt = new ping_packet; 658 ping_packet *pkt = new ping_packet;
667 659
668 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 660 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
669 vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY); 661 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
670 662
671 delete pkt; 663 delete pkt;
672} 664}
673 665
674void 666void
675connection::send_reset (SOCKADDR *dsa) 667connection::send_reset (const sockinfo &si)
676{ 668{
677 static net_rate_limiter limiter(1);
678
679 if (limiter.can (dsa) && connectmode != conf_node::C_DISABLED) 669 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
680 { 670 {
681 config_packet *pkt = new config_packet; 671 config_packet *pkt = new config_packet;
682 672
683 pkt->setup (vpn_packet::PT_RESET, conf->id); 673 pkt->setup (vpn_packet::PT_RESET, conf->id);
684 vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST); 674 send_vpn_packet (pkt, si, IPTOS_MINCOST);
685 675
686 delete pkt; 676 delete pkt;
687 } 677 }
688} 678}
689 679
690static rsachallenge *
691gen_challenge (u32 seqrand, SOCKADDR *sa)
692{
693 static rsachallenge k;
694
695 memcpy (&k, &challenge_bytes (), sizeof (k));
696 *(u32 *)&k[CHG_SEQNO] ^= seqrand;
697 xor_sa (k, sa);
698
699 return &k;
700}
701
702void 680void
703connection::send_auth (auth_subtype subtype, SOCKADDR *sa, const rsachallenge *k) 681connection::send_auth_request (const sockinfo &si, bool initiate)
704{ 682{
705 static net_rate_limiter limiter(0.2); 683 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->can_recv);
706 684
707 if (subtype != AUTH_INIT || limiter.can (sa)) 685 // the next line is very conservative
708 { 686 prot_send = best_protocol (THISNODE->can_send & THISNODE->can_recv & conf->can_recv);
709 if (!k)
710 k = gen_challenge (seqrand, sa);
711 687
712 auth_packet *pkt = new auth_packet (conf->id, subtype); 688 rsachallenge chg;
713 689
714 memcpy (pkt->challenge, rsa_cache.public_encrypt (conf->rsa_key, *k), sizeof (rsaencrdata)); 690 rsa_cache.gen (pkt->id, chg);
715 691
692 if (0 > RSA_public_encrypt (sizeof chg,
693 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
694 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
695 fatal ("RSA_public_encrypt error");
696
716 slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa)); 697 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
717 698
718 vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); 699 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
719 700
720 delete pkt; 701 delete pkt;
721 } 702}
703
704void
705connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
706{
707 auth_res_packet *pkt = new auth_res_packet (conf->id);
708
709 pkt->id = id;
710
711 rsa_hash (id, chg, pkt->response);
712
713 pkt->hmac_set (octx);
714
715 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
716
717 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
718
719 delete pkt;
722} 720}
723 721
724void 722void
725connection::establish_connection_cb (tstamp &ts) 723connection::establish_connection_cb (tstamp &ts)
726{ 724{
727 if (ictx || conf == THISNODE || connectmode == conf_node::C_NEVER) 725 if (ictx || conf == THISNODE
726 || connectmode == conf_node::C_NEVER
727 || connectmode == conf_node::C_DISABLED)
728 ts = TSTAMP_CANCEL; 728 ts = TSTAMP_CANCEL;
729 else if (ts <= NOW) 729 else if (ts <= NOW)
730 { 730 {
731 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.25; 731 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
732 732
733 if (retry_int < 3600 * 8) 733 if (retry_int < 3600 * 8)
734 retry_cnt++; 734 retry_cnt++;
735 735
736 if (connectmode == conf_node::C_ONDEMAND
737 && retry_int > ::conf.keepalive)
738 retry_int = ::conf.keepalive;
739
740 ts = NOW + retry_int; 736 ts = NOW + retry_int;
741 737
742 if (conf->hostname) 738 if (conf->hostname)
743 { 739 {
744 reset_dstaddr (); 740 reset_dstaddr ();
745 if (sa.sin_addr.s_addr) 741 if (si.host && auth_rate_limiter.can (si))
742 {
746 if (retry_cnt < 4) 743 if (retry_cnt < 4)
747 send_auth (AUTH_INIT, &sa); 744 send_auth_request (si, true);
748 else 745 else
749 send_ping (&sa, 0); 746 send_ping (si, 0);
747 }
750 } 748 }
751 else 749 else
752 vpn->connect_request (conf->id); 750 vpn->connect_request (conf->id);
753 } 751 }
754} 752}
756void 754void
757connection::reset_connection () 755connection::reset_connection ()
758{ 756{
759 if (ictx && octx) 757 if (ictx && octx)
760 { 758 {
761 slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename); 759 slog (L_INFO, _("%s(%s): connection lost"),
760 conf->nodename, (const char *)si);
762 761
763 if (::conf.script_node_down) 762 if (::conf.script_node_down)
764 run_script (this, &connection::script_node_down, false); 763 run_script (run_script_cb (this, &connection::script_node_down), false);
765 } 764 }
766 765
767 delete ictx; ictx = 0; 766 delete ictx; ictx = 0;
768 delete octx; octx = 0; 767 delete octx; octx = 0;
769 768
770 RAND_bytes ((unsigned char *)&seqrand, sizeof (u32)); 769 si.host= 0;
771
772 sa.sin_port = 0;
773 sa.sin_addr.s_addr = 0;
774 770
775 last_activity = 0; 771 last_activity = 0;
772 retry_cnt = 0;
776 773
777 rekey.reset (); 774 rekey.reset ();
778 keepalive.reset (); 775 keepalive.reset ();
779 establish_connection.reset (); 776 establish_connection.reset ();
780} 777}
781 778
782void 779void
783connection::shutdown () 780connection::shutdown ()
784{ 781{
785 if (ictx && octx) 782 if (ictx && octx)
786 send_reset (&sa); 783 send_reset (si);
787 784
788 reset_connection (); 785 reset_connection ();
789} 786}
790 787
791void 788void
796 reset_connection (); 793 reset_connection ();
797 establish_connection (); 794 establish_connection ();
798} 795}
799 796
800void 797void
801connection::send_data_packet (tap_packet * pkt, bool broadcast) 798connection::send_data_packet (tap_packet *pkt, bool broadcast)
802{ 799{
803 vpndata_packet *p = new vpndata_packet; 800 vpndata_packet *p = new vpndata_packet;
804 int tos = 0; 801 int tos = 0;
805 802
806 if (conf->inherit_tos 803 if (conf->inherit_tos
807 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 804 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
808 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 805 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
809 tos = (*pkt)[15] & IPTOS_TOS_MASK; 806 tos = (*pkt)[15] & IPTOS_TOS_MASK;
810 807
811 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 808 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
812 vpn->send_vpn_packet (p, &sa, tos); 809 send_vpn_packet (p, si, tos);
813 810
814 delete p; 811 delete p;
815 812
816 if (oseqno > MAX_SEQNO) 813 if (oseqno > MAX_SEQNO)
817 rekey (); 814 rekey ();
830 establish_connection (); 827 establish_connection ();
831 } 828 }
832} 829}
833 830
834void 831void
835connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa) 832connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
836{ 833{
837 last_activity = NOW; 834 last_activity = NOW;
838 835
839 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 836 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
840 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 837 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
841 838
842 switch (pkt->typ ()) 839 switch (pkt->typ ())
843 { 840 {
844 case vpn_packet::PT_PING: 841 case vpn_packet::PT_PING:
842 // we send pings instead of auth packets after some retries,
843 // so reset the retry counter and establish a connection
844 // when we receive a ping.
845 if (!ictx)
846 {
847 if (auth_rate_limiter.can (rsi))
848 send_auth_request (rsi, true);
849 }
850 else
845 send_ping (ssa, 1); // pong 851 send_ping (rsi, 1); // pong
852
846 break; 853 break;
847 854
848 case vpn_packet::PT_PONG: 855 case vpn_packet::PT_PONG:
849 // we send pings instead of auth packets after some retries,
850 // so reset the retry counter and establish a conenction
851 // when we receive a pong.
852 if (!ictx && !octx)
853 {
854 retry_cnt = 0;
855 establish_connection.at = 0;
856 establish_connection ();
857 }
858
859 break; 856 break;
860 857
861 case vpn_packet::PT_RESET: 858 case vpn_packet::PT_RESET:
862 { 859 {
863 reset_connection (); 860 reset_connection ();
864 861
865 config_packet *p = (config_packet *) pkt; 862 config_packet *p = (config_packet *) pkt;
863
866 if (!p->chk_config ()) 864 if (!p->chk_config ())
867 { 865 {
868 slog (L_WARN, _("protocol mismatch, disabling node '%s'"), conf->nodename); 866 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
867 conf->nodename, (const char *)rsi);
869 connectmode = conf_node::C_DISABLED; 868 connectmode = conf_node::C_DISABLED;
870 } 869 }
871 else if (connectmode == conf_node::C_ALWAYS) 870 else if (connectmode == conf_node::C_ALWAYS)
872 establish_connection (); 871 establish_connection ();
873 } 872 }
874 break; 873 break;
875 874
876 case vpn_packet::PT_AUTH: 875 case vpn_packet::PT_AUTH_REQ:
876 if (auth_rate_limiter.can (rsi))
877 {
878 auth_req_packet *p = (auth_req_packet *) pkt;
879
880 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
881
882 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
883 {
884 if (p->prot_minor != PROTOCOL_MINOR)
885 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
886 conf->nodename, (const char *)rsi,
887 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
888
889 if (p->initiate)
890 send_auth_request (rsi, false);
891
892 rsachallenge k;
893
894 if (0 > RSA_private_decrypt (sizeof (p->encr),
895 (unsigned char *)&p->encr, (unsigned char *)&k,
896 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
897 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
898 conf->nodename, (const char *)rsi);
899 else
900 {
901 retry_cnt = 0;
902 establish_connection.set (NOW + 8); //? ;)
903 keepalive.reset ();
904 rekey.reset ();
905
906 delete ictx;
907 ictx = 0;
908
909 delete octx;
910
911 octx = new crypto_ctx (k, 1);
912 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
913
914 conf->can_recv = p->can_recv;
915 send_auth_response (rsi, p->id, k);
916
917 break;
918 }
919 }
920
921 send_reset (rsi);
922 }
923
924 break;
925
926 case vpn_packet::PT_AUTH_RES:
877 { 927 {
878 auth_packet *p = (auth_packet *) pkt; 928 auth_res_packet *p = (auth_res_packet *) pkt;
879 929
880 slog (L_TRACE, "<<%d PT_AUTH(%d)", conf->id, p->subtype); 930 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
881 931
882 if (p->chk_config () 932 if (p->chk_config ())
883 && !strncmp (p->magic, MAGIC, 8))
884 { 933 {
885 if (p->prot_minor != PROTOCOL_MINOR) 934 if (p->prot_minor != PROTOCOL_MINOR)
886 slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."), 935 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
936 conf->nodename, (const char *)rsi,
887 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 937 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
888 938
889 if (p->subtype == AUTH_INIT) 939 rsachallenge chg;
890 send_auth (AUTH_INITREPLY, ssa);
891 940
892 const rsachallenge *k = rsa_cache.private_decrypt (::conf.rsa_key, p->challenge); 941 if (!rsa_cache.find (p->id, chg))
893 942 slog (L_ERR, _("%s(%s): unrequested auth response"),
894 if (!k) 943 conf->nodename, (const char *)rsi);
944 else
895 { 945 {
896 slog (L_ERR, _("challenge from %s (%s) illegal or corrupted, disabling node"), 946 crypto_ctx *cctx = new crypto_ctx (chg, 0);
947
948 if (!p->hmac_chk (cctx))
949 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
950 "could be an attack, or just corruption or an synchronization error"),
897 conf->nodename, (const char *)sockinfo (ssa)); 951 conf->nodename, (const char *)rsi);
898 connectmode = conf_node::C_DISABLED;
899 break; 952 else
900 }
901
902 retry_cnt = 0;
903 establish_connection.set (NOW + 8); //? ;)
904 keepalive.reset ();
905 rekey.reset ();
906
907 switch (p->subtype)
908 {
909 case AUTH_INIT:
910 case AUTH_INITREPLY:
911 delete ictx;
912 ictx = 0;
913
914 delete octx;
915
916 octx = new crypto_ctx (*k, 1);
917 oseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff;
918
919 send_auth (AUTH_REPLY, ssa, k);
920 break;
921
922 case AUTH_REPLY:
923
924 if (!memcmp ((u8 *)gen_challenge (seqrand, ssa), (u8 *)k, sizeof (rsachallenge)))
925 { 953 {
926 delete ictx;
927
928 ictx = new crypto_ctx (*k, 0);
929 iseqno.reset (*(u32 *)&k[CHG_SEQNO] & 0x7fffffff); // at least 2**31 sequence numbers are valid
930
931 sa = *ssa; 954 rsaresponse h;
932 955
933 rekey.set (NOW + ::conf.rekey); 956 rsa_hash (p->id, chg, h);
934 keepalive.set (NOW + ::conf.keepalive);
935 957
936 // send queued packets 958 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
937 while (tap_packet *p = queue.get ())
938 { 959 {
960 prot_minor = p->prot_minor;
961
962 delete ictx; ictx = cctx;
963
964 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
965
966 si = rsi;
967
968 rekey.set (NOW + ::conf.rekey);
969 keepalive.set (NOW + ::conf.keepalive);
970
971 // send queued packets
972 while (tap_packet *p = queue.get ())
973 {
939 send_data_packet (p); 974 send_data_packet (p);
940 delete p; 975 delete p;
976 }
977
978 connectmode = conf->connectmode;
979
980 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
981 conf->nodename, (const char *)rsi,
982 p->prot_major, p->prot_minor);
983
984 if (::conf.script_node_up)
985 run_script (run_script_cb (this, &connection::script_node_up), false);
986
987 break;
941 } 988 }
942 989 else
943 connectmode = conf->connectmode; 990 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
944
945 slog (L_INFO, _("connection to %d (%s %s) established"),
946 conf->id, conf->nodename, (const char *)sockinfo (ssa)); 991 conf->nodename, (const char *)rsi);
947
948 if (::conf.script_node_up)
949 run_script (this, &connection::script_node_up, false);
950 } 992 }
993
951 else 994 delete cctx;
952 slog (L_ERR, _("sent and received challenge do not match with (%s %s))"),
953 conf->nodename, (const char *)sockinfo (ssa));
954
955 break;
956 default:
957 slog (L_ERR, _("authentification illegal subtype error (%s %s)"),
958 conf->nodename, (const char *)sockinfo (ssa));
959 break;
960 } 995 }
961 } 996 }
962 else
963 send_reset (ssa);
964
965 break;
966 } 997 }
998
999 send_reset (rsi);
1000 break;
967 1001
968 case vpn_packet::PT_DATA_COMPRESSED: 1002 case vpn_packet::PT_DATA_COMPRESSED:
969#if !ENABLE_COMPRESSION 1003#if !ENABLE_COMPRESSION
970 send_reset (ssa); 1004 send_reset (rsi);
971 break; 1005 break;
972#endif 1006#endif
1007
973 case vpn_packet::PT_DATA_UNCOMPRESSED: 1008 case vpn_packet::PT_DATA_UNCOMPRESSED:
974 1009
975 if (ictx && octx) 1010 if (ictx && octx)
976 { 1011 {
977 vpndata_packet *p = (vpndata_packet *)pkt; 1012 vpndata_packet *p = (vpndata_packet *)pkt;
978 1013
979 if (*ssa == sa) 1014 if (rsi == si)
980 { 1015 {
981 if (!p->hmac_chk (ictx)) 1016 if (!p->hmac_chk (ictx))
982 slog (L_ERR, _("hmac authentication error, received invalid packet\n" 1017 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
983 "could be an attack, or just corruption or an synchronization error")); 1018 "could be an attack, or just corruption or an synchronization error"),
1019 conf->nodename, (const char *)rsi);
984 else 1020 else
985 { 1021 {
986 u32 seqno; 1022 u32 seqno;
987 tap_packet *d = p->unpack (this, seqno); 1023 tap_packet *d = p->unpack (this, seqno);
988 1024
1004 break; 1040 break;
1005 } 1041 }
1006 } 1042 }
1007 } 1043 }
1008 else 1044 else
1009 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D 1045 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
1010 } 1046 }
1011 1047
1012 send_reset (ssa); 1048 send_reset (rsi);
1013 break; 1049 break;
1014 1050
1015 case vpn_packet::PT_CONNECT_REQ: 1051 case vpn_packet::PT_CONNECT_REQ:
1016 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) 1052 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1017 { 1053 {
1018 connect_req_packet *p = (connect_req_packet *) pkt; 1054 connect_req_packet *p = (connect_req_packet *) pkt;
1019 1055
1020 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1056 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1021 1057
1027 if (c->ictx && c->octx) 1063 if (c->ictx && c->octx)
1028 { 1064 {
1029 // send connect_info packets to both sides, in case one is 1065 // send connect_info packets to both sides, in case one is
1030 // behind a nat firewall (or both ;) 1066 // behind a nat firewall (or both ;)
1031 { 1067 {
1032 sockinfo si(sa);
1033
1034 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 1068 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1035 c->conf->id, conf->id, (const char *)si); 1069 c->conf->id, conf->id, (const char *)si);
1036 1070
1037 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si); 1071 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si, conf->can_recv);
1038 1072
1039 r->hmac_set (c->octx); 1073 r->hmac_set (c->octx);
1040 vpn->send_vpn_packet (r, &c->sa); 1074 send_vpn_packet (r, c->si);
1041 1075
1042 delete r; 1076 delete r;
1043 } 1077 }
1044 1078
1045 { 1079 {
1046 sockinfo si(c->sa);
1047
1048 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 1080 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1049 conf->id, c->conf->id, (const char *)si); 1081 conf->id, c->conf->id, (const char *)c->si);
1050 1082
1051 connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si); 1083 connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, c->si, c->conf->can_recv);
1052 1084
1053 r->hmac_set (octx); 1085 r->hmac_set (octx);
1054 vpn->send_vpn_packet (r, &sa); 1086 send_vpn_packet (r, si);
1055 1087
1056 delete r; 1088 delete r;
1057 } 1089 }
1058 } 1090 }
1059 } 1091 }
1060 1092
1061 break; 1093 break;
1062 1094
1063 case vpn_packet::PT_CONNECT_INFO: 1095 case vpn_packet::PT_CONNECT_INFO:
1064 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) 1096 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1065 { 1097 {
1066 connect_info_packet *p = (connect_info_packet *) pkt; 1098 connect_info_packet *p = (connect_info_packet *) pkt;
1067 1099
1068 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1100 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1069 1101
1070 connection *c = vpn->conns[p->id - 1]; 1102 connection *c = vpn->conns[p->id - 1];
1071 1103
1072 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1104 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1073 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1105 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1074 1106
1075 c->send_auth (AUTH_INIT, p->si.sa ()); 1107 c->conf->can_recv = p->can_recv;
1108 c->send_auth_request (p->si, true);
1076 } 1109 }
1110
1077 break; 1111 break;
1078 1112
1079 default: 1113 default:
1080 send_reset (ssa); 1114 send_reset (rsi);
1081 break; 1115 break;
1116
1082 } 1117 }
1083} 1118}
1084 1119
1085void connection::keepalive_cb (tstamp &ts) 1120void connection::keepalive_cb (tstamp &ts)
1086{ 1121{
1090 establish_connection (); 1125 establish_connection ();
1091 } 1126 }
1092 else if (NOW < last_activity + ::conf.keepalive) 1127 else if (NOW < last_activity + ::conf.keepalive)
1093 ts = last_activity + ::conf.keepalive; 1128 ts = last_activity + ::conf.keepalive;
1094 else if (conf->connectmode != conf_node::C_ONDEMAND 1129 else if (conf->connectmode != conf_node::C_ONDEMAND
1095 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1130 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1096 { 1131 {
1097 send_ping (&sa); 1132 send_ping (si);
1098 ts = NOW + 5; 1133 ts = NOW + 5;
1099 } 1134 }
1100 else 1135 else
1101 reset_connection (); 1136 reset_connection ();
1102
1103} 1137}
1104 1138
1105void connection::connect_request (int id) 1139void connection::connect_request (int id)
1106{ 1140{
1107 connect_req_packet *p = new connect_req_packet (conf->id, id); 1141 connect_req_packet *p = new connect_req_packet (conf->id, id);
1108 1142
1109 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id); 1143 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);
1110 p->hmac_set (octx); 1144 p->hmac_set (octx);
1111 vpn->send_vpn_packet (p, &sa); 1145 send_vpn_packet (p, si);
1112 1146
1113 delete p; 1147 delete p;
1114} 1148}
1115 1149
1116void connection::script_node () 1150void connection::script_node ()
1117{ 1151{
1118 vpn->script_if_up (); 1152 vpn->script_if_up (0);
1119 1153
1120 char *env; 1154 char *env;
1121 asprintf (&env, "DESTID=%d", conf->id); 1155 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1122 putenv (env);
1123 asprintf (&env, "DESTNODE=%s", conf->nodename); 1156 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1124 putenv (env); 1157 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1125 asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
1126 putenv (env);
1127 asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port)); 1158 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1128 putenv (env);
1129} 1159}
1130 1160
1131const char *connection::script_node_up () 1161const char *connection::script_node_up (int)
1132{ 1162{
1133 script_node (); 1163 script_node ();
1134 1164
1135 putenv ("STATE=up"); 1165 putenv ("STATE=up");
1136 1166
1137 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1167 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1138} 1168}
1139 1169
1140const char *connection::script_node_down () 1170const char *connection::script_node_down (int)
1141{ 1171{
1142 script_node (); 1172 script_node ();
1143 1173
1144 putenv ("STATE=down"); 1174 putenv ("STATE=down");
1145 1175
1146 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1176 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1177}
1178
1179// send a vpn packet out to other hosts
1180void
1181connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1182{
1183 if (prot_send & PROT_IPv4)
1184 vpn->send_ipv4_packet (pkt, si, tos);
1185 else
1186 vpn->send_udpv4_packet (pkt, si, tos);
1147} 1187}
1148 1188
1149connection::connection(struct vpn *vpn_) 1189connection::connection(struct vpn *vpn_)
1150: vpn(vpn_) 1190: vpn(vpn_)
1151, rekey (this, &connection::rekey_cb) 1191, rekey (this, &connection::rekey_cb)
1164 shutdown (); 1204 shutdown ();
1165} 1205}
1166 1206
1167///////////////////////////////////////////////////////////////////////////// 1207/////////////////////////////////////////////////////////////////////////////
1168 1208
1169const char *vpn::script_if_up () 1209const char *vpn::script_if_up (int)
1170{ 1210{
1171 // the tunnel device mtu should be the physical mtu - overhead 1211 // the tunnel device mtu should be the physical mtu - overhead
1172 // the tricky part is rounding to the cipher key blocksize 1212 // the tricky part is rounding to the cipher key blocksize
1173 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - UDP_OVERHEAD; 1213 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
1174 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion 1214 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
1175 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round 1215 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
1176 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again 1216 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
1177 1217
1178 char *env; 1218 char *env;
1193 1233
1194 return ::conf.script_if_up ? ::conf.script_if_up : "if-up"; 1234 return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1195} 1235}
1196 1236
1197int 1237int
1198vpn::setup (void) 1238vpn::setup ()
1199{ 1239{
1200 struct sockaddr_in sa; 1240 u8 prots = 0;
1201 1241
1242 for (configuration::node_vector::iterator i = conf.nodes.begin ();
1243 i != conf.nodes.end (); ++i)
1244 prots |= (*i)->can_send | (*i)->can_recv;
1245
1246 sockinfo si;
1247
1248 si.set (THISNODE);
1249
1250 udpv4_fd = -1;
1251
1252 if (prots & PROT_UDPv4)
1253 {
1202 socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP); 1254 udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1203 if (socket_fd < 0) 1255
1256 if (udpv4_fd < 0)
1204 return -1; 1257 return -1;
1205 1258
1206 fill_sa (&sa, THISNODE); 1259 if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1207 1260 {
1208 if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1209 {
1210 slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno)); 1261 slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1211 exit (1); 1262 exit (1);
1212 } 1263 }
1213 1264
1214#ifdef IP_MTU_DISCOVER 1265#ifdef IP_MTU_DISCOVER
1215 // this I really consider a linux bug. I am neither connected 1266 // this I really consider a linux bug. I am neither connected
1216 // nor do I fragment myself. Linux still sets DF and doesn't 1267 // nor do I fragment myself. Linux still sets DF and doesn't
1217 // fragment for me sometimes. 1268 // fragment for me sometimes.
1218 { 1269 {
1219 int oval = IP_PMTUDISC_DONT; 1270 int oval = IP_PMTUDISC_DONT;
1220 setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval); 1271 setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1221 } 1272 }
1222#endif 1273#endif
1223 { 1274
1275 // standard daemon practise...
1276 {
1224 int oval = 1; 1277 int oval = 1;
1225 setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval); 1278 setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1226 } 1279 }
1227 1280
1228 udp_ev_watcher.start (socket_fd, POLLIN); 1281 udpv4_ev_watcher.start (udpv4_fd, POLLIN);
1282 }
1283
1284 ipv4_fd = -1;
1285 if (prots & PROT_IPv4)
1286 {
1287 ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
1288
1289 if (ipv4_fd < 0)
1290 return -1;
1291
1292 if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
1293 {
1294 slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
1295 exit (1);
1296 }
1297
1298#ifdef IP_MTU_DISCOVER
1299 // this I really consider a linux bug. I am neither connected
1300 // nor do I fragment myself. Linux still sets DF and doesn't
1301 // fragment for me sometimes.
1302 {
1303 int oval = IP_PMTUDISC_DONT;
1304 setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1305 }
1306#endif
1307
1308 ipv4_ev_watcher.start (ipv4_fd, POLLIN);
1309 }
1229 1310
1230 tap = new tap_device (); 1311 tap = new tap_device ();
1231 if (!tap) //D this, of course, never catches 1312 if (!tap) //D this, of course, never catches
1232 { 1313 {
1233 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname); 1314 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1234 exit (1); 1315 exit (1);
1235 } 1316 }
1236 1317
1237 run_script (this, &vpn::script_if_up, true); 1318 run_script (run_script_cb (this, &vpn::script_if_up), true);
1238 1319
1239 vpn_ev_watcher.start (tap->fd, POLLIN); 1320 tap_ev_watcher.start (tap->fd, POLLIN);
1240 1321
1241 reconnect_all (); 1322 reconnect_all ();
1242 1323
1243 return 0; 1324 return 0;
1244} 1325}
1245 1326
1246void 1327void
1247vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos) 1328vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1248{ 1329{
1249 setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos); 1330 setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1250 sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); 1331 sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1251} 1332}
1252 1333
1253void 1334void
1254vpn::shutdown_all () 1335vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1255{ 1336{
1256 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 1337 setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1257 (*c)->shutdown (); 1338 sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1258} 1339}
1259 1340
1260void 1341void
1261vpn::reconnect_all () 1342vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1262{ 1343{
1263 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 1344 unsigned int src = pkt->src ();
1264 delete *c; 1345 unsigned int dst = pkt->dst ();
1265 1346
1266 conns.clear (); 1347 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1348 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1267 1349
1268 for (configuration::node_vector::iterator i = conf.nodes.begin (); 1350 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1269 i != conf.nodes.end (); ++i) 1351 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1270 { 1352 pkt->typ (), pkt->src (), pkt->dst ());
1271 connection *conn = new connection (this); 1353 else if (dst == 0 && !THISNODE->routerprio)
1272 1354 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1273 conn->conf = *i; 1355 else if (dst != 0 && dst != THISNODE->id)
1274 conns.push_back (conn); 1356 slog (L_WARN,
1275 1357 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1276 conn->establish_connection (); 1358 dst, conns[dst - 1]->conf->nodename,
1277 } 1359 (const char *)rsi,
1360 THISNODE->id, THISNODE->nodename);
1361 else if (src == 0 || src > conns.size ())
1362 slog (L_WARN, _("received frame from unknown node %d (%s)"),
1363 src, (const char *)rsi);
1364 else
1365 conns[src - 1]->recv_vpn_packet (pkt, rsi);
1278} 1366}
1279 1367
1280connection *vpn::find_router ()
1281{
1282 u32 prio = 0;
1283 connection *router = 0;
1284
1285 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1286 {
1287 connection *c = *i;
1288
1289 if (c->conf->routerprio > prio
1290 && c->connectmode == conf_node::C_ALWAYS
1291 && c->conf != THISNODE
1292 && c->ictx && c->octx)
1293 {
1294 prio = c->conf->routerprio;
1295 router = c;
1296 }
1297 }
1298
1299 return router;
1300}
1301
1302void vpn::connect_request (int id)
1303{
1304 connection *c = find_router ();
1305
1306 if (c)
1307 c->connect_request (id);
1308 //else // does not work, because all others must connect to the same router
1309 // // no router found, aggressively connect to all routers
1310 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1311 // if ((*i)->conf->routerprio)
1312 // (*i)->establish_connection ();
1313}
1314
1315void 1368void
1316vpn::udp_ev (short revents) 1369vpn::udpv4_ev (short revents)
1317{ 1370{
1318 if (revents & (POLLIN | POLLERR)) 1371 if (revents & (POLLIN | POLLERR))
1319 { 1372 {
1320 vpn_packet *pkt = new vpn_packet; 1373 vpn_packet *pkt = new vpn_packet;
1321 struct sockaddr_in sa; 1374 struct sockaddr_in sa;
1322 socklen_t sa_len = sizeof (sa); 1375 socklen_t sa_len = sizeof (sa);
1323 int len; 1376 int len;
1324 1377
1325 len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len); 1378 len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1379
1380 sockinfo si(sa);
1326 1381
1327 if (len > 0) 1382 if (len > 0)
1328 { 1383 {
1329 pkt->len = len; 1384 pkt->len = len;
1330 1385
1331 unsigned int src = pkt->src ();
1332 unsigned int dst = pkt->dst ();
1333
1334 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1335 (const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1336
1337 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1338 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1339 pkt->typ (), pkt->src (), pkt->dst ());
1340 else if (dst == 0 && !THISNODE->routerprio)
1341 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1342 else if (dst != 0 && dst != THISNODE->id)
1343 slog (L_WARN,
1344 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1345 dst, conns[dst - 1]->conf->nodename,
1346 (const char *)sockinfo (sa),
1347 THISNODE->id, THISNODE->nodename);
1348 else if (src == 0 || src > conns.size ())
1349 slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1350 else
1351 conns[src - 1]->recv_vpn_packet (pkt, &sa); 1386 recv_vpn_packet (pkt, si);
1352 } 1387 }
1353 else 1388 else
1354 { 1389 {
1355 // probably ECONNRESET or somesuch 1390 // probably ECONNRESET or somesuch
1356 slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno)); 1391 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1357 } 1392 }
1358 1393
1359 delete pkt; 1394 delete pkt;
1360 } 1395 }
1361 else if (revents & POLLHUP) 1396 else if (revents & POLLHUP)
1362 { 1397 {
1363 // this cannot ;) happen on udp sockets 1398 // this cannot ;) happen on udp sockets
1364 slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating.")); 1399 slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
1365 exit (1); 1400 exit (1);
1366 } 1401 }
1367 else 1402 else
1368 { 1403 {
1369 slog (L_ERR, 1404 slog (L_ERR,
1372 exit (1); 1407 exit (1);
1373 } 1408 }
1374} 1409}
1375 1410
1376void 1411void
1412vpn::ipv4_ev (short revents)
1413{
1414 if (revents & (POLLIN | POLLERR))
1415 {
1416 vpn_packet *pkt = new vpn_packet;
1417 struct sockaddr_in sa;
1418 socklen_t sa_len = sizeof (sa);
1419 int len;
1420
1421 len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1422
1423 sockinfo si(sa, PROT_IPv4);
1424
1425 if (len > 0)
1426 {
1427 pkt->len = len;
1428
1429 // raw sockets deliver the ipv4, but don't expect it on sends
1430 // this is slow, but...
1431 pkt->skip_hdr (IP_OVERHEAD);
1432
1433 recv_vpn_packet (pkt, si);
1434 }
1435 else
1436 {
1437 // probably ECONNRESET or somesuch
1438 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1439 }
1440
1441 delete pkt;
1442 }
1443 else if (revents & POLLHUP)
1444 {
1445 // this cannot ;) happen on udp sockets
1446 slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
1447 exit (1);
1448 }
1449 else
1450 {
1451 slog (L_ERR,
1452 _("FATAL: unknown revents %08x in socket, terminating\n"),
1453 revents);
1454 exit (1);
1455 }
1456}
1457
1458void
1377vpn::vpn_ev (short revents) 1459vpn::tap_ev (short revents)
1378{ 1460{
1379 if (revents & POLLIN) 1461 if (revents & POLLIN)
1380 { 1462 {
1381 /* process data */ 1463 /* process data */
1382 tap_packet *pkt; 1464 tap_packet *pkt;
1438{ 1520{
1439 if (events) 1521 if (events)
1440 { 1522 {
1441 if (events & EVENT_SHUTDOWN) 1523 if (events & EVENT_SHUTDOWN)
1442 { 1524 {
1525 slog (L_INFO, _("preparing shutdown..."));
1526
1443 shutdown_all (); 1527 shutdown_all ();
1444 1528
1445 remove_pid (pidfilename); 1529 remove_pid (pidfilename);
1446 1530
1447 slog (L_INFO, _("vped terminating")); 1531 slog (L_INFO, _("terminating"));
1448 1532
1449 exit (0); 1533 exit (0);
1450 } 1534 }
1451 1535
1452 if (events & EVENT_RECONNECT) 1536 if (events & EVENT_RECONNECT)
1537 {
1538 slog (L_INFO, _("forced reconnect"));
1539
1453 reconnect_all (); 1540 reconnect_all ();
1541 }
1454 1542
1455 events = 0; 1543 events = 0;
1456 } 1544 }
1457 1545
1458 ts = TSTAMP_CANCEL; 1546 ts = TSTAMP_CANCEL;
1459} 1547}
1460 1548
1549void
1550vpn::shutdown_all ()
1551{
1552 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1553 (*c)->shutdown ();
1554}
1555
1556void
1557vpn::reconnect_all ()
1558{
1559 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1560 delete *c;
1561
1562 conns.clear ();
1563
1564 auth_rate_limiter.clear ();
1565 reset_rate_limiter.clear ();
1566
1567 for (configuration::node_vector::iterator i = conf.nodes.begin ();
1568 i != conf.nodes.end (); ++i)
1569 {
1570 connection *conn = new connection (this);
1571
1572 conn->conf = *i;
1573 conns.push_back (conn);
1574
1575 conn->establish_connection ();
1576 }
1577}
1578
1579connection *vpn::find_router ()
1580{
1581 u32 prio = 0;
1582 connection *router = 0;
1583
1584 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1585 {
1586 connection *c = *i;
1587
1588 if (c->conf->routerprio > prio
1589 && c->connectmode == conf_node::C_ALWAYS
1590 && c->conf != THISNODE
1591 && c->ictx && c->octx)
1592 {
1593 prio = c->conf->routerprio;
1594 router = c;
1595 }
1596 }
1597
1598 return router;
1599}
1600
1601void vpn::connect_request (int id)
1602{
1603 connection *c = find_router ();
1604
1605 if (c)
1606 c->connect_request (id);
1607 //else // does not work, because all others must connect to the same router
1608 // // no router found, aggressively connect to all routers
1609 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1610 // if ((*i)->conf->routerprio)
1611 // (*i)->establish_connection ();
1612}
1613
1614void
1615connection::dump_status ()
1616{
1617 slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
1618 slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
1619 connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
1620 slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
1621 (long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
1622 slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
1623 (long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
1624}
1625
1626void
1627vpn::dump_status ()
1628{
1629 slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
1630
1631 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1632 (*c)->dump_status ();
1633
1634 slog (L_NOTICE, _("END status dump"));
1635}
1636
1461vpn::vpn (void) 1637vpn::vpn (void)
1462: udp_ev_watcher (this, &vpn::udp_ev) 1638: udpv4_ev_watcher(this, &vpn::udpv4_ev)
1639, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1463, vpn_ev_watcher (this, &vpn::vpn_ev) 1640, tap_ev_watcher(this, &vpn::tap_ev)
1464, event (this, &vpn::event_cb) 1641, event(this, &vpn::event_cb)
1465{ 1642{
1466} 1643}
1467 1644
1468vpn::~vpn () 1645vpn::~vpn ()
1469{ 1646{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines