ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/protocol.C
(Generate patch)

Comparing gvpe/src/protocol.C (file contents):
Revision 1.8 by pcg, Mon Mar 17 15:20:18 2003 UTC vs.
Revision 1.23 by pcg, Fri Mar 28 05:40:54 2003 UTC

16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17*/ 17*/
18 18
19#include "config.h" 19#include "config.h"
20 20
21#include <list>
22
21#include <cstdlib> 23#include <cstdlib>
22#include <cstring> 24#include <cstring>
23#include <cstdio> 25#include <cstdio>
24 26
25#include <sys/types.h> 27#include <sys/types.h>
56 58
57static time_t next_timecheck; 59static time_t next_timecheck;
58 60
59#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
60 62
61static const rsachallenge & 63static u8
62challenge_bytes () 64best_protocol (u8 protset)
63{ 65{
64 static rsachallenge challenge; 66 if (protset & PROT_IPv4)
65 static time_t challenge_ttl; // time this challenge needs to be recreated 67 return PROT_IPv4;
66 68
67 if (now > challenge_ttl) 69 return PROT_UDPv4;
68 {
69 RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));
70 challenge_ttl = now + CHALLENGE_TTL;
71 }
72
73 return challenge;
74}
75
76// run a script. yes, it's a template function. yes, c++
77// is not a functional language. yes, this suxx.
78template<class owner>
79static void
80run_script (owner *obj, const char *(owner::*setup)(), bool wait)
81{
82 int pid;
83
84 if ((pid = fork ()) == 0)
85 {
86 char *filename;
87 asprintf (&filename, "%s/%s", confbase, (obj->*setup) ());
88 execl (filename, filename, (char *) 0);
89 exit (255);
90 }
91 else if (pid > 0)
92 {
93 if (wait)
94 {
95 waitpid (pid, 0, 0);
96 /* TODO: check status */
97 }
98 }
99}
100
101// xor the socket address into the challenge to ensure different challenges
102// per host. we could rely on the OAEP padding, but this doesn't hurt.
103void
104xor_sa (rsachallenge &k, SOCKADDR *sa)
105{
106 ((u32 *) k)[(CHG_CIPHER_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
107 ((u16 *) k)[(CHG_CIPHER_KEY + 4) / 2] ^= sa->sin_port;
108 ((u32 *) k)[(CHG_HMAC_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
109 ((u16 *) k)[(CHG_HMAC_KEY + 4) / 2] ^= sa->sin_port;
110} 70}
111 71
112struct crypto_ctx 72struct crypto_ctx
113 { 73 {
114 EVP_CIPHER_CTX cctx; 74 EVP_CIPHER_CTX cctx;
115 HMAC_CTX hctx; 75 HMAC_CTX hctx;
116 76
117 crypto_ctx (rsachallenge &challenge, int enc); 77 crypto_ctx (const rsachallenge &challenge, int enc);
118 ~crypto_ctx (); 78 ~crypto_ctx ();
119 }; 79 };
120 80
121crypto_ctx::crypto_ctx (rsachallenge &challenge, int enc) 81crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
122{ 82{
123 EVP_CIPHER_CTX_init (&cctx); 83 EVP_CIPHER_CTX_init (&cctx);
124 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); 84 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
125 HMAC_CTX_init (&hctx); 85 HMAC_CTX_init (&hctx);
126 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0); 86 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
130{ 90{
131 EVP_CIPHER_CTX_cleanup (&cctx); 91 EVP_CIPHER_CTX_cleanup (&cctx);
132 HMAC_CTX_cleanup (&hctx); 92 HMAC_CTX_cleanup (&hctx);
133} 93}
134 94
95static void
96rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
97{
98 EVP_MD_CTX ctx;
99
100 EVP_MD_CTX_init (&ctx);
101 EVP_DigestInit (&ctx, RSA_HASH);
102 EVP_DigestUpdate(&ctx, &chg, sizeof chg);
103 EVP_DigestUpdate(&ctx, &id, sizeof id);
104 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
105 EVP_MD_CTX_cleanup (&ctx);
106}
107
108struct rsa_entry {
109 tstamp expire;
110 rsaid id;
111 rsachallenge chg;
112};
113
114struct rsa_cache : list<rsa_entry>
115{
116 void cleaner_cb (tstamp &ts); time_watcher cleaner;
117
118 bool find (const rsaid &id, rsachallenge &chg)
119 {
120 for (iterator i = begin (); i != end (); ++i)
121 {
122 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
123 {
124 memcpy (&chg, &i->chg, sizeof chg);
125
126 erase (i);
127 return true;
128 }
129 }
130
131 if (cleaner.at < NOW)
132 cleaner.start (NOW + RSA_TTL);
133
134 return false;
135 }
136
137 void gen (rsaid &id, rsachallenge &chg)
138 {
139 rsa_entry e;
140
141 RAND_bytes ((unsigned char *)&id, sizeof id);
142 RAND_bytes ((unsigned char *)&chg, sizeof chg);
143
144 e.expire = NOW + RSA_TTL;
145 e.id = id;
146 memcpy (&e.chg, &chg, sizeof chg);
147
148 push_back (e);
149
150 if (cleaner.at < NOW)
151 cleaner.start (NOW + RSA_TTL);
152 }
153
154 rsa_cache ()
155 : cleaner (this, &rsa_cache::cleaner_cb)
156 { }
157
158} rsa_cache;
159
160void rsa_cache::cleaner_cb (tstamp &ts)
161{
162 if (empty ())
163 ts = TSTAMP_CANCEL;
164 else
165 {
166 ts = NOW + RSA_TTL;
167
168 for (iterator i = begin (); i != end (); )
169 if (i->expire <= NOW)
170 i = erase (i);
171 else
172 ++i;
173 }
174}
175
176typedef callback<const char *, int> run_script_cb;
177
178// run a shell script (or actually an external program).
179static void
180run_script (const run_script_cb &cb, bool wait)
181{
182 int pid;
183
184 if ((pid = fork ()) == 0)
185 {
186 char *filename;
187 asprintf (&filename, "%s/%s", confbase, cb(0));
188 execl (filename, filename, (char *) 0);
189 exit (255);
190 }
191 else if (pid > 0)
192 {
193 if (wait)
194 {
195 waitpid (pid, 0, 0);
196 /* TODO: check status */
197 }
198 }
199}
200
201//////////////////////////////////////////////////////////////////////////////
202
203void pkt_queue::put (tap_packet *p)
204{
205 if (queue[i])
206 {
207 delete queue[i];
208 j = (j + 1) % QUEUEDEPTH;
209 }
210
211 queue[i] = p;
212
213 i = (i + 1) % QUEUEDEPTH;
214}
215
216tap_packet *pkt_queue::get ()
217{
218 tap_packet *p = queue[j];
219
220 if (p)
221 {
222 queue[j] = 0;
223 j = (j + 1) % QUEUEDEPTH;
224 }
225
226 return p;
227}
228
229pkt_queue::pkt_queue ()
230{
231 memset (queue, 0, sizeof (queue));
232 i = 0;
233 j = 0;
234}
235
236pkt_queue::~pkt_queue ()
237{
238 for (i = QUEUEDEPTH; --i > 0; )
239 delete queue[i];
240}
241
242struct net_rateinfo {
243 u32 host;
244 double pcnt, diff;
245 tstamp last;
246};
247
248// only do action once every x seconds per host whole allowing bursts.
249// this implementation ("splay list" ;) is inefficient,
250// but low on resources.
251struct net_rate_limiter : list<net_rateinfo>
252{
253 static const double ALPHA = 1. - 1. / 90.; // allow bursts
254 static const double CUTOFF = 20.; // one event every CUTOFF seconds
255 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
256
257 bool can (const sockinfo &si) { return can((u32)si.host); }
258 bool can (u32 host);
259};
260
261net_rate_limiter auth_rate_limiter, reset_rate_limiter;
262
263bool net_rate_limiter::can (u32 host)
264{
265 iterator i;
266
267 for (i = begin (); i != end (); )
268 if (i->host == host)
269 break;
270 else if (i->last < NOW - EXPIRE)
271 i = erase (i);
272 else
273 i++;
274
275 if (i == end ())
276 {
277 net_rateinfo ri;
278
279 ri.host = host;
280 ri.pcnt = 1.;
281 ri.diff = CUTOFF * (1. / (1. - ALPHA));
282 ri.last = NOW;
283
284 push_front (ri);
285
286 return true;
287 }
288 else
289 {
290 net_rateinfo ri (*i);
291 erase (i);
292
293 ri.pcnt = ri.pcnt * ALPHA;
294 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
295
296 ri.last = NOW;
297
298 bool send = ri.diff / ri.pcnt > CUTOFF;
299
300 if (send)
301 ri.pcnt++;
302
303 push_front (ri);
304
305 return send;
306 }
307}
308
135///////////////////////////////////////////////////////////////////////////// 309/////////////////////////////////////////////////////////////////////////////
136 310
137static void next_wakeup (time_t next) 311static void next_wakeup (time_t next)
138{ 312{
139 if (next_timecheck > next) 313 if (next_timecheck > next)
141} 315}
142 316
143static unsigned char hmac_digest[EVP_MAX_MD_SIZE]; 317static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
144 318
145struct hmac_packet:net_packet 319struct hmac_packet:net_packet
320{
321 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
322
323 void hmac_set (crypto_ctx * ctx);
324 bool hmac_chk (crypto_ctx * ctx);
325
326private:
327 void hmac_gen (crypto_ctx * ctx)
146 { 328 {
147 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
148
149 void hmac_set (crypto_ctx * ctx);
150 bool hmac_chk (crypto_ctx * ctx);
151
152private:
153 void hmac_gen (crypto_ctx * ctx)
154 {
155 unsigned int xlen; 329 unsigned int xlen;
156 HMAC_CTX *hctx = &ctx->hctx; 330 HMAC_CTX *hctx = &ctx->hctx;
157 331
158 HMAC_Init_ex (hctx, 0, 0, 0, 0); 332 HMAC_Init_ex (hctx, 0, 0, 0, 0);
159 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), 333 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
160 len - sizeof (hmac_packet)); 334 len - sizeof (hmac_packet));
161 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen); 335 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
162 }
163 }; 336 }
337};
164 338
165void 339void
166hmac_packet::hmac_set (crypto_ctx * ctx) 340hmac_packet::hmac_set (crypto_ctx * ctx)
167{ 341{
168 hmac_gen (ctx); 342 hmac_gen (ctx);
184 { 358 {
185 PT_RESET = 0, 359 PT_RESET = 0,
186 PT_DATA_UNCOMPRESSED, 360 PT_DATA_UNCOMPRESSED,
187 PT_DATA_COMPRESSED, 361 PT_DATA_COMPRESSED,
188 PT_PING, PT_PONG, // wasting namespace space? ;) 362 PT_PING, PT_PONG, // wasting namespace space? ;)
189 PT_AUTH, // authentification 363 PT_AUTH_REQ, // authentification request
364 PT_AUTH_RES, // authentification response
190 PT_CONNECT_REQ, // want other host to contact me 365 PT_CONNECT_REQ, // want other host to contact me
191 PT_CONNECT_INFO, // request connection to some node 366 PT_CONNECT_INFO, // request connection to some node
192 PT_REKEY, // rekeying (not yet implemented)
193 PT_MAX 367 PT_MAX
194 }; 368 };
195 369
196 u8 type; 370 u8 type;
197 u8 srcdst, src1, dst1; 371 u8 srcdst, src1, dst1;
198 372
199 void set_hdr (ptype type, unsigned int dst); 373 void set_hdr (ptype type, unsigned int dst);
200 374
201 unsigned int src () 375 unsigned int src () const
202 { 376 {
203 return src1 | ((srcdst >> 4) << 8); 377 return src1 | ((srcdst >> 4) << 8);
204 } 378 }
379
205 unsigned int dst () 380 unsigned int dst () const
206 { 381 {
207 return dst1 | ((srcdst & 0xf) << 8); 382 return dst1 | ((srcdst & 0xf) << 8);
208 } 383 }
384
209 ptype typ () 385 ptype typ () const
210 { 386 {
211 return (ptype) type; 387 return (ptype) type;
212 } 388 }
213 }; 389 };
214 390
252 u32 cl; 428 u32 cl;
253 429
254 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 430 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
255 if (cl) 431 if (cl)
256 { 432 {
257 //printf ("compressed packet, %d => %d\n", l, cl);//D
258 type = PT_DATA_COMPRESSED; 433 type = PT_DATA_COMPRESSED;
259 d = cdata; 434 d = cdata;
260 l = cl + 2; 435 l = cl + 2;
261 436
262 d[0] = cl >> 8; 437 d[0] = cl >> 8;
264 } 439 }
265#endif 440#endif
266 441
267 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 442 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
268 443
444 struct {
269#if RAND_SIZE 445#if RAND_SIZE
270 struct {
271 u8 rnd[RAND_SIZE]; 446 u8 rnd[RAND_SIZE];
447#endif
272 u32 seqno; 448 u32 seqno;
273 } datahdr; 449 } datahdr;
274 450
275 datahdr.seqno = seqno; 451 datahdr.seqno = ntohl (seqno);
452#if RAND_SIZE
276 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 453 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
454#endif
277 455
278 EVP_EncryptUpdate (cctx, 456 EVP_EncryptUpdate (cctx,
279 (unsigned char *) data + outl, &outl2, 457 (unsigned char *) data + outl, &outl2,
280 (unsigned char *) &datahdr, DATAHDR); 458 (unsigned char *) &datahdr, DATAHDR);
281 outl += outl2; 459 outl += outl2;
282#else
283 EVP_EncryptUpdate (cctx,
284 (unsigned char *) data + outl, &outl2,
285 (unsigned char *) &seqno, DATAHDR);
286 outl += outl2;
287#endif
288 460
289 EVP_EncryptUpdate (cctx, 461 EVP_EncryptUpdate (cctx,
290 (unsigned char *) data + outl, &outl2, 462 (unsigned char *) data + outl, &outl2,
291 (unsigned char *) d, l); 463 (unsigned char *) d, l);
292 outl += outl2; 464 outl += outl2;
328 outl += outl2; 500 outl += outl2;
329 501
330 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 502 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
331 outl += outl2; 503 outl += outl2;
332 504
333 seqno = *(u32 *)(d + RAND_SIZE); 505 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
334 506
335 id2mac (dst () ? dst() : THISNODE->id, p->dst); 507 id2mac (dst () ? dst() : THISNODE->id, p->dst);
336 id2mac (src (), p->src); 508 id2mac (src (), p->src);
337 509
338#if ENABLE_COMPRESSION 510#if ENABLE_COMPRESSION
339 if (type == PT_DATA_COMPRESSED) 511 if (type == PT_DATA_COMPRESSED)
340 { 512 {
341 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1]; 513 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
514
342 p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6; 515 p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
343 //printf ("decompressxed %d(%d) => %d\n", cl, len - data_hdr_size (), p->len);//D 516 &(*p)[6 + 6], MAX_MTU)
517 + 6 + 6;
344 } 518 }
345 else 519 else
346 p->len = outl + (6 + 6 - DATAHDR); 520 p->len = outl + (6 + 6 - DATAHDR);
347#endif 521#endif
348 522
349 return p; 523 return p;
350} 524}
351 525
352struct ping_packet : vpn_packet 526struct ping_packet : vpn_packet
527{
528 void setup (int dst, ptype type)
353 { 529 {
354 void setup (int dst, ptype type)
355 {
356 set_hdr (type, dst); 530 set_hdr (type, dst);
357 len = sizeof (*this) - sizeof (net_packet); 531 len = sizeof (*this) - sizeof (net_packet);
358 }
359 }; 532 }
533};
360 534
361struct config_packet : vpn_packet 535struct config_packet : vpn_packet
536{
537 // actually, hmaclen cannot be checked because the hmac
538 // field comes before this data, so peers with other
539 // hmacs simply will not work.
540 u8 prot_major, prot_minor, randsize, hmaclen;
541 u8 flags, challengelen, pad2, pad3;
542 u32 cipher_nid, digest_nid, hmac_nid;
543
544 const u8 curflags () const
362 { 545 {
363 // actually, hmaclen cannot be checked because the hmac
364 // field comes before this data, so peers with other
365 // hmacs simply will not work.
366 u8 prot_major, prot_minor, randsize, hmaclen;
367 u8 flags, challengelen, pad2, pad3;
368 u32 cipher_nid;
369 u32 digest_nid;
370
371 const u8 curflags () const
372 {
373 return 0x80 546 return 0x80
374 | (ENABLE_COMPRESSION ? 0x01 : 0x00) 547 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
375 | (ENABLE_TRUST ? 0x02 : 0x00);
376 } 548 }
377 549
378 void setup (ptype type, int dst) 550 void setup (ptype type, int dst);
379 { 551 bool chk_config () const;
552};
553
554void config_packet::setup (ptype type, int dst)
555{
380 prot_major = PROTOCOL_MAJOR; 556 prot_major = PROTOCOL_MAJOR;
381 prot_minor = PROTOCOL_MINOR; 557 prot_minor = PROTOCOL_MINOR;
382 randsize = RAND_SIZE; 558 randsize = RAND_SIZE;
383 hmaclen = HMACLENGTH; 559 hmaclen = HMACLENGTH;
384 flags = curflags (); 560 flags = curflags ();
385 challengelen = sizeof (rsachallenge); 561 challengelen = sizeof (rsachallenge);
386 562
387 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 563 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
388 digest_nid = htonl (EVP_MD_type (DIGEST)); 564 digest_nid = htonl (EVP_MD_type (RSA_HASH));
565 hmac_nid = htonl (EVP_MD_type (DIGEST));
389 566
390 len = sizeof (*this) - sizeof (net_packet); 567 len = sizeof (*this) - sizeof (net_packet);
391 set_hdr (type, dst); 568 set_hdr (type, dst);
392 } 569}
393 570
394 bool chk_config () 571bool config_packet::chk_config () const
395 { 572{
396 return prot_major == PROTOCOL_MAJOR 573 return prot_major == PROTOCOL_MAJOR
397 && randsize == RAND_SIZE 574 && randsize == RAND_SIZE
398 && hmaclen == HMACLENGTH 575 && hmaclen == HMACLENGTH
399 && flags == curflags () 576 && flags == curflags ()
400 && challengelen == sizeof (rsachallenge) 577 && challengelen == sizeof (rsachallenge)
401 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 578 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
579 && digest_nid == htonl (EVP_MD_type (RSA_HASH))
402 && digest_nid == htonl (EVP_MD_type (DIGEST)); 580 && hmac_nid == htonl (EVP_MD_type (DIGEST));
403 } 581}
404 };
405 582
406struct auth_packet : config_packet 583struct auth_req_packet : config_packet
584{
585 char magic[8];
586 u8 initiate, can_recv; // false if this is just an automatic reply
587 u8 pad2, pad3;
588 rsaid id;
589 rsaencrdata encr;
590
591 auth_req_packet (int dst, bool initiate_, u8 can_recv_)
407 { 592 {
408 char magic[8];
409 u8 subtype;
410 u8 pad1, pad2;
411 rsaencrdata challenge;
412
413 auth_packet (int dst, auth_subtype stype)
414 {
415 config_packet::setup (PT_AUTH, dst); 593 config_packet::setup (PT_AUTH_REQ, dst);
416 subtype = stype; 594 strncpy (magic, MAGIC, 8);
595 initiate = !!initiate_;
596 can_recv = can_recv_;
597
417 len = sizeof (*this) - sizeof (net_packet); 598 len = sizeof (*this) - sizeof (net_packet);
418 strncpy (magic, MAGIC, 8);
419 }
420 }; 599 }
600};
601
602struct auth_res_packet : config_packet
603{
604 rsaid id;
605 u8 pad1, pad2, pad3;
606 u8 response_len; // encrypted length
607 rsaresponse response;
608
609 auth_res_packet (int dst)
610 {
611 config_packet::setup (PT_AUTH_RES, dst);
612
613 len = sizeof (*this) - sizeof (net_packet);
614 }
615};
421 616
422struct connect_req_packet : vpn_packet 617struct connect_req_packet : vpn_packet
618{
619 u8 id;
620 u8 pad1, pad2, pad3;
621
622 connect_req_packet (int dst, int id_)
423 { 623 {
424 u8 id; 624 id = id_;
425 u8 pad1, pad2, pad3;
426
427 connect_req_packet (int dst, int id)
428 {
429 this->id = id;
430 set_hdr (PT_CONNECT_REQ, dst); 625 set_hdr (PT_CONNECT_REQ, dst);
431 len = sizeof (*this) - sizeof (net_packet); 626 len = sizeof (*this) - sizeof (net_packet);
432 }
433 }; 627 }
628};
434 629
435struct connect_info_packet : vpn_packet 630struct connect_info_packet : vpn_packet
631{
632 u8 id, can_recv;
633 u8 pad1, pad2;
634 sockinfo si;
635
636 connect_info_packet (int dst, int id_, sockinfo &si_, u8 can_recv_)
436 { 637 {
437 u8 id; 638 id = id_;
438 u8 pad1, pad2, pad3; 639 can_recv = can_recv_;
439 sockinfo si; 640 si = si_;
440
441 connect_info_packet (int dst, int id, sockinfo &si)
442 {
443 this->id = id;
444 this->si = si;
445 set_hdr (PT_CONNECT_INFO, dst); 641 set_hdr (PT_CONNECT_INFO, dst);
642
446 len = sizeof (*this) - sizeof (net_packet); 643 len = sizeof (*this) - sizeof (net_packet);
447 }
448 }; 644 }
645};
449 646
450///////////////////////////////////////////////////////////////////////////// 647/////////////////////////////////////////////////////////////////////////////
451 648
452void 649void
453fill_sa (SOCKADDR *sa, conf_node *conf) 650connection::reset_dstaddr ()
454{ 651{
455 sa->sin_family = AF_INET; 652 si.set (conf);
456 sa->sin_port = htons (conf->port); 653}
457 sa->sin_addr.s_addr = 0;
458 654
655void
656connection::send_ping (const sockinfo &si, u8 pong)
657{
658 ping_packet *pkt = new ping_packet;
659
660 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
661 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
662
663 delete pkt;
664}
665
666void
667connection::send_reset (const sockinfo &si)
668{
669 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
670 {
671 config_packet *pkt = new config_packet;
672
673 pkt->setup (vpn_packet::PT_RESET, conf->id);
674 send_vpn_packet (pkt, si, IPTOS_MINCOST);
675
676 delete pkt;
677 }
678}
679
680void
681connection::send_auth_request (const sockinfo &si, bool initiate)
682{
683 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->can_recv);
684
685 // the next line is very conservative
686 prot_send = best_protocol (THISNODE->can_send & THISNODE->can_recv & conf->can_recv);
687
688 rsachallenge chg;
689
690 rsa_cache.gen (pkt->id, chg);
691
692 if (0 > RSA_public_encrypt (sizeof chg,
693 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
694 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
695 fatal ("RSA_public_encrypt error");
696
697 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
698
699 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
700
701 delete pkt;
702}
703
704void
705connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
706{
707 auth_res_packet *pkt = new auth_res_packet (conf->id);
708
709 pkt->id = id;
710
711 rsa_hash (id, chg, pkt->response);
712
713 pkt->hmac_set (octx);
714
715 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
716
717 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
718
719 delete pkt;
720}
721
722void
723connection::establish_connection_cb (tstamp &ts)
724{
725 if (ictx || conf == THISNODE
726 || connectmode == conf_node::C_NEVER
727 || connectmode == conf_node::C_DISABLED)
728 ts = TSTAMP_CANCEL;
729 else if (ts <= NOW)
730 {
731 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
732
733 if (retry_int < 3600 * 8)
734 retry_cnt++;
735
736 ts = NOW + retry_int;
737
459 if (conf->hostname) 738 if (conf->hostname)
460 { 739 {
461 struct hostent *he = gethostbyname (conf->hostname); 740 reset_dstaddr ();
462 741 if (si.host && auth_rate_limiter.can (si))
463 if (he
464 && he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
465 { 742 {
466 //sa->sin_family = he->h_addrtype; 743 if (retry_cnt < 4)
467 memcpy (&sa->sin_addr, he->h_addr_list[0], 4); 744 send_auth_request (si, true);
745 else
746 send_ping (si, 0);
747 }
468 } 748 }
469 else 749 else
470 slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
471 }
472}
473
474void
475connection::reset_dstaddr ()
476{
477 fill_sa (&sa, conf);
478}
479
480void
481connection::send_ping (SOCKADDR *dsa, u8 pong)
482{
483 ping_packet *pkt = new ping_packet;
484
485 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
486 vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY);
487
488 delete pkt;
489}
490
491void
492connection::send_reset (SOCKADDR *dsa)
493{
494 static net_rate_limiter limiter(1);
495
496 if (limiter.can (dsa))
497 {
498 config_packet *pkt = new config_packet;
499
500 pkt->setup (vpn_packet::PT_RESET, conf->id);
501 vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST);
502
503 delete pkt;
504 }
505}
506
507static rsachallenge *
508gen_challenge (SOCKADDR *sa)
509{
510 static rsachallenge k;
511
512 memcpy (&k, &challenge_bytes (), sizeof (k));
513 RAND_bytes ((unsigned char *)&k[CHG_SEQNO], sizeof (u32));
514 xor_sa (k, sa);
515
516 return &k;
517}
518
519void
520connection::send_auth (auth_subtype subtype, SOCKADDR *sa, rsachallenge *k)
521{
522 static net_rate_limiter limiter(2);
523
524 if (subtype != AUTH_INIT || limiter.can (sa))
525 {
526 auth_packet *pkt = new auth_packet (conf->id, subtype);
527
528 //printf ("send auth_packet subtype %d\n", subtype);//D
529
530 if (!k)
531 k = gen_challenge (sa);
532
533#if ENABLE_TRUST
534 if (0 > RSA_public_encrypt (sizeof (*k),
535 (unsigned char *)k, (unsigned char *)&pkt->challenge,
536 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
537 fatal ("RSA_public_encrypt error");
538#else
539# error untrusted mode not yet implemented: programemr does not know how to
540 rsaencrdata enc;
541
542 if (0 > RSA_private_encrypt (sizeof (*k),
543 (unsigned char *)k, (unsigned char *)&enc,
544 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
545 fatal ("RSA_private_encrypt error");
546
547 if (0 > RSA_public_encrypt (sizeof (enc),
548 (unsigned char *)enc, (unsigned char *)&pkt->challenge,
549 conf->rsa_key, RSA_NO_PADDING))
550 fatal ("RSA_public_encrypt error");
551#endif
552
553 slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa));
554
555 vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY);
556
557 delete pkt;
558 }
559}
560
561void
562connection::establish_connection ()
563{
564 if (!ictx && conf != THISNODE && connectmode != conf_node::C_NEVER)
565 {
566 if (now >= next_retry)
567 {
568 int retry_int = retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2);
569
570 if (retry_cnt < (17 << 2) | 3)
571 retry_cnt++;
572
573 if (connectmode == conf_node::C_ONDEMAND
574 && retry_int > ::conf.keepalive)
575 retry_int = ::conf.keepalive;
576
577 next_retry = now + retry_int;
578 next_wakeup (next_retry);
579
580 if (conf->hostname)
581 {
582 reset_dstaddr ();
583 if (sa.sin_addr.s_addr)
584 if (retry_cnt < 4)
585 send_auth (AUTH_INIT, &sa);
586 else
587 send_ping (&sa, 0);
588 }
589 else
590 vpn->connect_request (conf->id); 750 vpn->connect_request (conf->id);
591 }
592 } 751 }
593} 752}
594 753
595void 754void
596connection::reset_connection () 755connection::reset_connection ()
597{ 756{
598 if (ictx && octx) 757 if (ictx && octx)
599 { 758 {
600 slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename); 759 slog (L_INFO, _("%s(%s): connection lost"),
760 conf->nodename, (const char *)si);
601 761
602 if (::conf.script_node_down) 762 if (::conf.script_node_down)
603 run_script (this, &connection::script_node_down, false); 763 run_script (run_script_cb (this, &connection::script_node_down), false);
604 } 764 }
605 765
606 delete ictx; 766 delete ictx; ictx = 0;
607 ictx = 0; 767 delete octx; octx = 0;
608 768
609 delete octx; 769 si.host= 0;
610 octx = 0;
611 770
612 sa.sin_port = 0;
613 sa.sin_addr.s_addr = 0;
614
615 next_retry = 0;
616 next_rekey = 0;
617 last_activity = 0; 771 last_activity = 0;
772 retry_cnt = 0;
773
774 rekey.reset ();
775 keepalive.reset ();
776 establish_connection.reset ();
618} 777}
619 778
620void 779void
621connection::shutdown () 780connection::shutdown ()
622{ 781{
623 if (ictx && octx) 782 if (ictx && octx)
624 send_reset (&sa); 783 send_reset (si);
625 784
626 reset_connection (); 785 reset_connection ();
627} 786}
628 787
629void 788void
630connection::rekey () 789connection::rekey_cb (tstamp &ts)
631{ 790{
791 ts = TSTAMP_CANCEL;
792
632 reset_connection (); 793 reset_connection ();
633 establish_connection (); 794 establish_connection ();
634} 795}
635 796
636void 797void
637connection::send_data_packet (tap_packet * pkt, bool broadcast) 798connection::send_data_packet (tap_packet *pkt, bool broadcast)
638{ 799{
639 vpndata_packet *p = new vpndata_packet; 800 vpndata_packet *p = new vpndata_packet;
640 int tos = 0; 801 int tos = 0;
641 802
642 if (conf->inherit_tos 803 if (conf->inherit_tos
643 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 804 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
644 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 805 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
645 tos = (*pkt)[15] & IPTOS_TOS_MASK; 806 tos = (*pkt)[15] & IPTOS_TOS_MASK;
646 807
647 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 808 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
648 vpn->send_vpn_packet (p, &sa, tos); 809 send_vpn_packet (p, si, tos);
649 810
650 delete p; 811 delete p;
651 812
652 if (oseqno > MAX_SEQNO) 813 if (oseqno > MAX_SEQNO)
653 rekey (); 814 rekey ();
666 establish_connection (); 827 establish_connection ();
667 } 828 }
668} 829}
669 830
670void 831void
671connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa) 832connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
672{ 833{
673 last_activity = now; 834 last_activity = NOW;
674 835
675 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 836 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
676 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 837 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
677 838
678 switch (pkt->typ ()) 839 switch (pkt->typ ())
679 { 840 {
680 case vpn_packet::PT_PING: 841 case vpn_packet::PT_PING:
842 // we send pings instead of auth packets after some retries,
843 // so reset the retry counter and establish a connection
844 // when we receive a ping.
845 if (!ictx)
846 {
847 if (auth_rate_limiter.can (rsi))
848 send_auth_request (rsi, true);
849 }
850 else
681 send_ping (ssa, 1); // pong 851 send_ping (rsi, 1); // pong
852
682 break; 853 break;
683 854
684 case vpn_packet::PT_PONG: 855 case vpn_packet::PT_PONG:
685 // we send pings instead of auth packets after some retries,
686 // so reset the retry counter and establish a conenction
687 // when we receive a pong.
688 if (!ictx && !octx)
689 {
690 retry_cnt = 0;
691 next_retry = 0;
692 establish_connection ();
693 }
694
695 break; 856 break;
696 857
697 case vpn_packet::PT_RESET: 858 case vpn_packet::PT_RESET:
698 { 859 {
699 reset_connection (); 860 reset_connection ();
700 861
701 config_packet *p = (config_packet *) pkt; 862 config_packet *p = (config_packet *) pkt;
863
702 if (p->chk_config ()) 864 if (!p->chk_config ())
865 {
866 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
867 conf->nodename, (const char *)rsi);
868 connectmode = conf_node::C_DISABLED;
869 }
703 if (connectmode == conf_node::C_ALWAYS) 870 else if (connectmode == conf_node::C_ALWAYS)
704 establish_connection (); 871 establish_connection ();
705
706 //D slog the protocol mismatch?
707 } 872 }
708 break; 873 break;
709 874
710 case vpn_packet::PT_AUTH: 875 case vpn_packet::PT_AUTH_REQ:
876 if (auth_rate_limiter.can (rsi))
877 {
878 auth_req_packet *p = (auth_req_packet *) pkt;
879
880 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
881
882 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
883 {
884 if (p->prot_minor != PROTOCOL_MINOR)
885 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
886 conf->nodename, (const char *)rsi,
887 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
888
889 if (p->initiate)
890 send_auth_request (rsi, false);
891
892 rsachallenge k;
893
894 if (0 > RSA_private_decrypt (sizeof (p->encr),
895 (unsigned char *)&p->encr, (unsigned char *)&k,
896 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
897 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
898 conf->nodename, (const char *)rsi);
899 else
900 {
901 retry_cnt = 0;
902 establish_connection.set (NOW + 8); //? ;)
903 keepalive.reset ();
904 rekey.reset ();
905
906 delete ictx;
907 ictx = 0;
908
909 delete octx;
910
911 octx = new crypto_ctx (k, 1);
912 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
913
914 conf->can_recv = p->can_recv;
915 send_auth_response (rsi, p->id, k);
916
917 break;
918 }
919 }
920
921 send_reset (rsi);
922 }
923
924 break;
925
926 case vpn_packet::PT_AUTH_RES:
711 { 927 {
712 auth_packet *p = (auth_packet *) pkt; 928 auth_res_packet *p = (auth_res_packet *) pkt;
713 929
714 slog (L_TRACE, "<<%d PT_AUTH(%d)", conf->id, p->subtype); 930 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
715 931
716 if (p->chk_config () 932 if (p->chk_config ())
717 && !strncmp (p->magic, MAGIC, 8))
718 { 933 {
719 if (p->prot_minor != PROTOCOL_MINOR) 934 if (p->prot_minor != PROTOCOL_MINOR)
720 slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."), 935 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
936 conf->nodename, (const char *)rsi,
721 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 937 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
722 938
723 if (p->subtype == AUTH_INIT)
724 send_auth (AUTH_INITREPLY, ssa);
725
726 rsachallenge k; 939 rsachallenge chg;
727 940
728#if ENABLE_TRUST 941 if (!rsa_cache.find (p->id, chg))
729 if (0 > RSA_private_decrypt (sizeof (rsaencrdata), 942 slog (L_ERR, _("%s(%s): unrequested auth response"),
730 (unsigned char *)&p->challenge, (unsigned char *)&k, 943 conf->nodename, (const char *)rsi);
731 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
732 // continued below
733#else
734 rsaencrdata j;
735 944 else
736 if (0 > RSA_private_decrypt (sizeof (rsaencrdata),
737 (unsigned char *)&p->challenge, (unsigned char *)&j,
738 ::conf.rsa_key, RSA_NO_PADDING))
739 fatal ("RSA_private_decrypt error");
740
741 if (0 > RSA_public_decrypt (sizeof (k),
742 (unsigned char *)&j, (unsigned char *)&k,
743 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
744 // continued below
745#endif
746 { 945 {
747 slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"), 946 crypto_ctx *cctx = new crypto_ctx (chg, 0);
947
948 if (!p->hmac_chk (cctx))
949 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
950 "could be an attack, or just corruption or an synchronization error"),
748 conf->nodename, (const char *)sockinfo (ssa)); 951 conf->nodename, (const char *)rsi);
749 break; 952 else
750 }
751
752 retry_cnt = 0;
753 next_retry = now + 8;
754
755 switch (p->subtype)
756 {
757 case AUTH_INIT:
758 case AUTH_INITREPLY:
759 delete ictx;
760 ictx = 0;
761
762 delete octx;
763
764 octx = new crypto_ctx (k, 1);
765 oseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff;
766
767 send_auth (AUTH_REPLY, ssa, &k);
768 break;
769
770 case AUTH_REPLY:
771
772 if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32),
773 sizeof (rsachallenge) - sizeof (u32)))
774 { 953 {
775 delete ictx;
776
777 ictx = new crypto_ctx (k, 0);
778 iseqno.reset (*(u32 *)&k[CHG_SEQNO] & 0x7fffffff); // at least 2**31 sequence numbers are valid
779
780 sa = *ssa; 954 rsaresponse h;
781 955
782 next_rekey = now + ::conf.rekey; 956 rsa_hash (p->id, chg, h);
783 next_wakeup (next_rekey);
784 957
785 // send queued packets 958 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
786 while (tap_packet *p = queue.get ())
787 { 959 {
960 prot_minor = p->prot_minor;
961
962 delete ictx; ictx = cctx;
963
964 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
965
966 si = rsi;
967
968 rekey.set (NOW + ::conf.rekey);
969 keepalive.set (NOW + ::conf.keepalive);
970
971 // send queued packets
972 while (tap_packet *p = queue.get ())
973 {
788 send_data_packet (p); 974 send_data_packet (p);
789 delete p; 975 delete p;
976 }
977
978 connectmode = conf->connectmode;
979
980 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
981 conf->nodename, (const char *)rsi,
982 p->prot_major, p->prot_minor);
983
984 if (::conf.script_node_up)
985 run_script (run_script_cb (this, &connection::script_node_up), false);
986
987 break;
790 } 988 }
791 989 else
792 connectmode = conf->connectmode; 990 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
793
794 slog (L_INFO, _("connection to %d (%s %s) established"),
795 conf->id, conf->nodename, (const char *)sockinfo (ssa)); 991 conf->nodename, (const char *)rsi);
796
797 if (::conf.script_node_up)
798 run_script (this, &connection::script_node_up, false);
799 } 992 }
993
800 else 994 delete cctx;
801 slog (L_ERR, _("sent and received challenge do not match with (%s %s))"),
802 conf->nodename, (const char *)sockinfo (ssa));
803
804 break;
805 default:
806 slog (L_ERR, _("authentification illegal subtype error (%s %s)"),
807 conf->nodename, (const char *)sockinfo (ssa));
808 break;
809 } 995 }
810 } 996 }
811 else
812 send_reset (ssa);
813
814 break;
815 } 997 }
998
999 send_reset (rsi);
1000 break;
816 1001
817 case vpn_packet::PT_DATA_COMPRESSED: 1002 case vpn_packet::PT_DATA_COMPRESSED:
818#if !ENABLE_COMPRESSION 1003#if !ENABLE_COMPRESSION
819 send_reset (ssa); 1004 send_reset (rsi);
820 break; 1005 break;
821#endif 1006#endif
1007
822 case vpn_packet::PT_DATA_UNCOMPRESSED: 1008 case vpn_packet::PT_DATA_UNCOMPRESSED:
823 1009
824 if (ictx && octx) 1010 if (ictx && octx)
825 { 1011 {
826 vpndata_packet *p = (vpndata_packet *)pkt; 1012 vpndata_packet *p = (vpndata_packet *)pkt;
827 1013
828 if (*ssa == sa) 1014 if (rsi == si)
829 { 1015 {
830 if (!p->hmac_chk (ictx)) 1016 if (!p->hmac_chk (ictx))
831 slog (L_ERR, _("hmac authentication error, received invalid packet\n" 1017 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
832 "could be an attack, or just corruption or an synchronization error")); 1018 "could be an attack, or just corruption or an synchronization error"),
1019 conf->nodename, (const char *)rsi);
833 else 1020 else
834 { 1021 {
835 u32 seqno; 1022 u32 seqno;
836 tap_packet *d = p->unpack (this, seqno); 1023 tap_packet *d = p->unpack (this, seqno);
837 1024
853 break; 1040 break;
854 } 1041 }
855 } 1042 }
856 } 1043 }
857 else 1044 else
858 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D 1045 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
859 } 1046 }
860 1047
861 send_reset (ssa); 1048 send_reset (rsi);
862 break; 1049 break;
863 1050
864 case vpn_packet::PT_CONNECT_REQ: 1051 case vpn_packet::PT_CONNECT_REQ:
865 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) 1052 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
866 { 1053 {
867 connect_req_packet *p = (connect_req_packet *) pkt; 1054 connect_req_packet *p = (connect_req_packet *) pkt;
868 1055
869 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1056 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
870 1057
876 if (c->ictx && c->octx) 1063 if (c->ictx && c->octx)
877 { 1064 {
878 // send connect_info packets to both sides, in case one is 1065 // send connect_info packets to both sides, in case one is
879 // behind a nat firewall (or both ;) 1066 // behind a nat firewall (or both ;)
880 { 1067 {
881 sockinfo si(sa);
882
883 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 1068 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
884 c->conf->id, conf->id, (const char *)si); 1069 c->conf->id, conf->id, (const char *)si);
885 1070
886 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si); 1071 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si, conf->can_recv);
887 1072
888 r->hmac_set (c->octx); 1073 r->hmac_set (c->octx);
889 vpn->send_vpn_packet (r, &c->sa); 1074 send_vpn_packet (r, c->si);
890 1075
891 delete r; 1076 delete r;
892 } 1077 }
893 1078
894 { 1079 {
895 sockinfo si(c->sa);
896
897 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 1080 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
898 conf->id, c->conf->id, (const char *)si); 1081 conf->id, c->conf->id, (const char *)c->si);
899 1082
900 connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si); 1083 connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, c->si, c->conf->can_recv);
901 1084
902 r->hmac_set (octx); 1085 r->hmac_set (octx);
903 vpn->send_vpn_packet (r, &sa); 1086 send_vpn_packet (r, si);
904 1087
905 delete r; 1088 delete r;
906 } 1089 }
907 } 1090 }
908 } 1091 }
909 1092
910 break; 1093 break;
911 1094
912 case vpn_packet::PT_CONNECT_INFO: 1095 case vpn_packet::PT_CONNECT_INFO:
913 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) 1096 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
914 { 1097 {
915 connect_info_packet *p = (connect_info_packet *) pkt; 1098 connect_info_packet *p = (connect_info_packet *) pkt;
916 1099
917 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1100 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
918 1101
919 connection *c = vpn->conns[p->id - 1]; 1102 connection *c = vpn->conns[p->id - 1];
920 1103
921 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1104 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
922 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1105 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
923 1106
924 c->send_auth (AUTH_INIT, p->si.sa ()); 1107 c->conf->can_recv = p->can_recv;
1108 c->send_auth_request (p->si, true);
925 } 1109 }
1110
926 break; 1111 break;
927 1112
928 default: 1113 default:
929 send_reset (ssa); 1114 send_reset (rsi);
930 break; 1115 break;
931 }
932}
933 1116
934void connection::timer ()
935{
936 if (conf != THISNODE)
937 { 1117 }
938 if (now >= next_retry && connectmode == conf_node::C_ALWAYS) 1118}
1119
1120void connection::keepalive_cb (tstamp &ts)
1121{
1122 if (NOW >= last_activity + ::conf.keepalive + 30)
1123 {
1124 reset_connection ();
939 establish_connection (); 1125 establish_connection ();
940 1126 }
941 if (ictx && octx)
942 {
943 if (now >= next_rekey)
944 rekey ();
945 else if (now >= last_activity + ::conf.keepalive + 30)
946 {
947 reset_connection ();
948 establish_connection ();
949 }
950 else if (now >= last_activity + ::conf.keepalive) 1127 else if (NOW < last_activity + ::conf.keepalive)
1128 ts = last_activity + ::conf.keepalive;
951 if (conf->connectmode != conf_node::C_ONDEMAND 1129 else if (conf->connectmode != conf_node::C_ONDEMAND
952 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1130 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1131 {
953 send_ping (&sa); 1132 send_ping (si);
954 else 1133 ts = NOW + 5;
1134 }
1135 else
955 reset_connection (); 1136 reset_connection ();
956
957 }
958 }
959} 1137}
960 1138
961void connection::connect_request (int id) 1139void connection::connect_request (int id)
962{ 1140{
963 connect_req_packet *p = new connect_req_packet (conf->id, id); 1141 connect_req_packet *p = new connect_req_packet (conf->id, id);
964 1142
965 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id); 1143 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);
966 p->hmac_set (octx); 1144 p->hmac_set (octx);
967 vpn->send_vpn_packet (p, &sa); 1145 send_vpn_packet (p, si);
968 1146
969 delete p; 1147 delete p;
970} 1148}
971 1149
972void connection::script_node () 1150void connection::script_node ()
973{ 1151{
974 vpn->script_if_up (); 1152 vpn->script_if_up (0);
975 1153
976 char *env; 1154 char *env;
977 asprintf (&env, "DESTID=%d", conf->id); 1155 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
978 putenv (env);
979 asprintf (&env, "DESTNODE=%s", conf->nodename); 1156 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
980 putenv (env); 1157 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
981 asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
982 putenv (env);
983 asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port)); 1158 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
984 putenv (env);
985} 1159}
986 1160
987const char *connection::script_node_up () 1161const char *connection::script_node_up (int)
988{ 1162{
989 script_node (); 1163 script_node ();
990 1164
991 putenv ("STATE=up"); 1165 putenv ("STATE=up");
992 1166
993 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1167 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
994} 1168}
995 1169
996const char *connection::script_node_down () 1170const char *connection::script_node_down (int)
997{ 1171{
998 script_node (); 1172 script_node ();
999 1173
1000 putenv ("STATE=down"); 1174 putenv ("STATE=down");
1001 1175
1002 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1176 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1003} 1177}
1004 1178
1179// send a vpn packet out to other hosts
1180void
1181connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1182{
1183 if (prot_send & PROT_IPv4)
1184 vpn->send_ipv4_packet (pkt, si, tos);
1185 else
1186 vpn->send_udpv4_packet (pkt, si, tos);
1187}
1188
1189connection::connection(struct vpn *vpn_)
1190: vpn(vpn_)
1191, rekey (this, &connection::rekey_cb)
1192, keepalive (this, &connection::keepalive_cb)
1193, establish_connection (this, &connection::establish_connection_cb)
1194{
1195 octx = ictx = 0;
1196 retry_cnt = 0;
1197
1198 connectmode = conf_node::C_ALWAYS; // initial setting
1199 reset_connection ();
1200}
1201
1202connection::~connection ()
1203{
1204 shutdown ();
1205}
1206
1005///////////////////////////////////////////////////////////////////////////// 1207/////////////////////////////////////////////////////////////////////////////
1006 1208
1007vpn::vpn (void)
1008{}
1009
1010const char *vpn::script_if_up () 1209const char *vpn::script_if_up (int)
1011{ 1210{
1012 // the tunnel device mtu should be the physical mtu - overhead 1211 // the tunnel device mtu should be the physical mtu - overhead
1013 // the tricky part is rounding to the cipher key blocksize 1212 // the tricky part is rounding to the cipher key blocksize
1014 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - UDP_OVERHEAD; 1213 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
1015 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion 1214 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
1016 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round 1215 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
1017 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again 1216 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
1018 1217
1019 char *env; 1218 char *env;
1034 1233
1035 return ::conf.script_if_up ? ::conf.script_if_up : "if-up"; 1234 return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1036} 1235}
1037 1236
1038int 1237int
1039vpn::setup (void) 1238vpn::setup ()
1040{ 1239{
1041 struct sockaddr_in sa; 1240 u8 prots = 0;
1042 1241
1242 for (configuration::node_vector::iterator i = conf.nodes.begin ();
1243 i != conf.nodes.end (); ++i)
1244 prots |= (*i)->can_send | (*i)->can_recv;
1245
1246 sockinfo si;
1247
1248 si.set (THISNODE);
1249
1250 udpv4_fd = -1;
1251
1252 if (prots & PROT_UDPv4)
1253 {
1043 socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP); 1254 udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1044 if (socket_fd < 0) 1255
1256 if (udpv4_fd < 0)
1045 return -1; 1257 return -1;
1046 1258
1047 fill_sa (&sa, THISNODE); 1259 if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1048 1260 {
1049 if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1050 {
1051 slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno)); 1261 slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1052 exit (1); 1262 exit (1);
1053 } 1263 }
1054 1264
1055#ifdef IP_MTU_DISCOVER 1265#ifdef IP_MTU_DISCOVER
1056 // this I really consider a linux bug. I am neither connected 1266 // this I really consider a linux bug. I am neither connected
1057 // nor do I fragment myself. Linux still sets DF and doesn't 1267 // nor do I fragment myself. Linux still sets DF and doesn't
1058 // fragment for me sometimes. 1268 // fragment for me sometimes.
1059 { 1269 {
1060 int oval = IP_PMTUDISC_DONT; 1270 int oval = IP_PMTUDISC_DONT;
1061 setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval); 1271 setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1062 } 1272 }
1063#endif 1273#endif
1064 { 1274
1275 // standard daemon practise...
1276 {
1065 int oval = 1; 1277 int oval = 1;
1066 setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval); 1278 setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1279 }
1280
1281 udpv4_ev_watcher.start (udpv4_fd, POLLIN);
1067 } 1282 }
1283
1284 ipv4_fd = -1;
1285 if (prots & PROT_IPv4)
1286 {
1287 ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
1288
1289 if (ipv4_fd < 0)
1290 return -1;
1291
1292 if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
1293 {
1294 slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
1295 exit (1);
1296 }
1297
1298#ifdef IP_MTU_DISCOVER
1299 // this I really consider a linux bug. I am neither connected
1300 // nor do I fragment myself. Linux still sets DF and doesn't
1301 // fragment for me sometimes.
1302 {
1303 int oval = IP_PMTUDISC_DONT;
1304 setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1305 }
1306#endif
1307
1308 ipv4_ev_watcher.start (ipv4_fd, POLLIN);
1309 }
1068 1310
1069 tap = new tap_device (); 1311 tap = new tap_device ();
1070 if (!tap) //D this, of course, never catches 1312 if (!tap) //D this, of course, never catches
1071 { 1313 {
1072 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname); 1314 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1073 exit (1); 1315 exit (1);
1074 } 1316 }
1075 1317
1076 run_script (this, &vpn::script_if_up, true); 1318 run_script (run_script_cb (this, &vpn::script_if_up), true);
1319
1320 tap_ev_watcher.start (tap->fd, POLLIN);
1321
1322 reconnect_all ();
1077 1323
1078 return 0; 1324 return 0;
1079} 1325}
1080 1326
1081void 1327void
1082vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos) 1328vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1083{ 1329{
1084 setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos); 1330 setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1085 sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); 1331 sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1332}
1333
1334void
1335vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1336{
1337 setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1338 sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1339}
1340
1341void
1342vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1343{
1344 unsigned int src = pkt->src ();
1345 unsigned int dst = pkt->dst ();
1346
1347 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1348 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1349
1350 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1351 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1352 pkt->typ (), pkt->src (), pkt->dst ());
1353 else if (dst == 0 && !THISNODE->routerprio)
1354 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1355 else if (dst != 0 && dst != THISNODE->id)
1356 slog (L_WARN,
1357 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1358 dst, conns[dst - 1]->conf->nodename,
1359 (const char *)rsi,
1360 THISNODE->id, THISNODE->nodename);
1361 else if (src == 0 || src > conns.size ())
1362 slog (L_WARN, _("received frame from unknown node %d (%s)"),
1363 src, (const char *)rsi);
1364 else
1365 conns[src - 1]->recv_vpn_packet (pkt, rsi);
1366}
1367
1368void
1369vpn::udpv4_ev (short revents)
1370{
1371 if (revents & (POLLIN | POLLERR))
1372 {
1373 vpn_packet *pkt = new vpn_packet;
1374 struct sockaddr_in sa;
1375 socklen_t sa_len = sizeof (sa);
1376 int len;
1377
1378 len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1379
1380 sockinfo si(sa);
1381
1382 if (len > 0)
1383 {
1384 pkt->len = len;
1385
1386 recv_vpn_packet (pkt, si);
1387 }
1388 else
1389 {
1390 // probably ECONNRESET or somesuch
1391 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1392 }
1393
1394 delete pkt;
1395 }
1396 else if (revents & POLLHUP)
1397 {
1398 // this cannot ;) happen on udp sockets
1399 slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
1400 exit (1);
1401 }
1402 else
1403 {
1404 slog (L_ERR,
1405 _("FATAL: unknown revents %08x in socket, terminating\n"),
1406 revents);
1407 exit (1);
1408 }
1409}
1410
1411void
1412vpn::ipv4_ev (short revents)
1413{
1414 if (revents & (POLLIN | POLLERR))
1415 {
1416 vpn_packet *pkt = new vpn_packet;
1417 struct sockaddr_in sa;
1418 socklen_t sa_len = sizeof (sa);
1419 int len;
1420
1421 len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1422
1423 sockinfo si(sa, PROT_IPv4);
1424
1425 if (len > 0)
1426 {
1427 pkt->len = len;
1428
1429 // raw sockets deliver the ipv4, but don't expect it on sends
1430 // this is slow, but...
1431 pkt->skip_hdr (IP_OVERHEAD);
1432
1433 recv_vpn_packet (pkt, si);
1434 }
1435 else
1436 {
1437 // probably ECONNRESET or somesuch
1438 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1439 }
1440
1441 delete pkt;
1442 }
1443 else if (revents & POLLHUP)
1444 {
1445 // this cannot ;) happen on udp sockets
1446 slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
1447 exit (1);
1448 }
1449 else
1450 {
1451 slog (L_ERR,
1452 _("FATAL: unknown revents %08x in socket, terminating\n"),
1453 revents);
1454 exit (1);
1455 }
1456}
1457
1458void
1459vpn::tap_ev (short revents)
1460{
1461 if (revents & POLLIN)
1462 {
1463 /* process data */
1464 tap_packet *pkt;
1465
1466 pkt = tap->recv ();
1467
1468 int dst = mac2id (pkt->dst);
1469 int src = mac2id (pkt->src);
1470
1471 if (src != THISNODE->id)
1472 {
1473 slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1474 exit (1);
1475 }
1476
1477 if (dst == THISNODE->id)
1478 {
1479 slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1480 exit (1);
1481 }
1482
1483 if (dst > conns.size ())
1484 slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1485 else
1486 {
1487 if (dst)
1488 {
1489 // unicast
1490 if (dst != THISNODE->id)
1491 conns[dst - 1]->inject_data_packet (pkt);
1492 }
1493 else
1494 {
1495 // broadcast, first check router, then self, then english
1496 connection *router = find_router ();
1497
1498 if (router)
1499 router->inject_data_packet (pkt, true);
1500 else
1501 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1502 if ((*c)->conf != THISNODE)
1503 (*c)->inject_data_packet (pkt);
1504 }
1505 }
1506
1507 delete pkt;
1508 }
1509 else if (revents & (POLLHUP | POLLERR))
1510 {
1511 slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
1512 exit (1);
1513 }
1514 else
1515 abort ();
1516}
1517
1518void
1519vpn::event_cb (tstamp &ts)
1520{
1521 if (events)
1522 {
1523 if (events & EVENT_SHUTDOWN)
1524 {
1525 slog (L_INFO, _("preparing shutdown..."));
1526
1527 shutdown_all ();
1528
1529 remove_pid (pidfilename);
1530
1531 slog (L_INFO, _("terminating"));
1532
1533 exit (0);
1534 }
1535
1536 if (events & EVENT_RECONNECT)
1537 {
1538 slog (L_INFO, _("forced reconnect"));
1539
1540 reconnect_all ();
1541 }
1542
1543 events = 0;
1544 }
1545
1546 ts = TSTAMP_CANCEL;
1086} 1547}
1087 1548
1088void 1549void
1089vpn::shutdown_all () 1550vpn::shutdown_all ()
1090{ 1551{
1097{ 1558{
1098 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 1559 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1099 delete *c; 1560 delete *c;
1100 1561
1101 conns.clear (); 1562 conns.clear ();
1563
1564 auth_rate_limiter.clear ();
1565 reset_rate_limiter.clear ();
1102 1566
1103 for (configuration::node_vector::iterator i = conf.nodes.begin (); 1567 for (configuration::node_vector::iterator i = conf.nodes.begin ();
1104 i != conf.nodes.end (); ++i) 1568 i != conf.nodes.end (); ++i)
1105 { 1569 {
1106 connection *conn = new connection (this); 1570 connection *conn = new connection (this);
1146 // if ((*i)->conf->routerprio) 1610 // if ((*i)->conf->routerprio)
1147 // (*i)->establish_connection (); 1611 // (*i)->establish_connection ();
1148} 1612}
1149 1613
1150void 1614void
1151vpn::main_loop () 1615connection::dump_status ()
1152{ 1616{
1153 struct pollfd pollfd[2]; 1617 slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
1618 slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
1619 connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
1620 slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
1621 (long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
1622 slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
1623 (long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
1624}
1154 1625
1155 pollfd[0].fd = tap->fd; 1626void
1156 pollfd[0].events = POLLIN; 1627vpn::dump_status ()
1157 pollfd[1].fd = socket_fd; 1628{
1158 pollfd[1].events = POLLIN; 1629 slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
1159 1630
1160 events = 0;
1161 now = time (0);
1162 next_timecheck = now + 1;
1163
1164 reconnect_all ();
1165
1166 for (;;)
1167 {
1168 int npoll = poll (pollfd, 2, (next_timecheck - now) * 1000);
1169
1170 now = time (0);
1171
1172 if (npoll > 0)
1173 {
1174 if (pollfd[1].revents)
1175 {
1176 if (pollfd[1].revents & (POLLIN | POLLERR))
1177 {
1178 vpn_packet *pkt = new vpn_packet;
1179 struct sockaddr_in sa;
1180 socklen_t sa_len = sizeof (sa);
1181 int len;
1182
1183 len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1184
1185 if (len > 0)
1186 {
1187 pkt->len = len;
1188
1189 unsigned int src = pkt->src ();
1190 unsigned int dst = pkt->dst ();
1191
1192 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1193 (const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1194
1195 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1196 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1197 pkt->typ (), pkt->src (), pkt->dst ());
1198 else if (dst == 0 && !THISNODE->routerprio)
1199 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1200 else if (dst != 0 && dst != THISNODE->id)
1201 slog (L_WARN,
1202 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1203 dst, conns[dst - 1]->conf->nodename,
1204 (const char *)sockinfo (sa),
1205 THISNODE->id, THISNODE->nodename);
1206 else if (src == 0 || src > conns.size ())
1207 slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1208 else
1209 conns[src - 1]->recv_vpn_packet (pkt, &sa);
1210 }
1211 else
1212 {
1213 // probably ECONNRESET or somesuch
1214 slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno));
1215 }
1216
1217 delete pkt;
1218 }
1219 else if (pollfd[1].revents & POLLHUP)
1220 {
1221 // this cannot ;) happen on udp sockets
1222 slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating."));
1223 exit (1);
1224 }
1225 else
1226 {
1227 slog (L_ERR,
1228 _("FATAL: unknown revents %08x in socket, terminating\n"),
1229 pollfd[1].revents);
1230 exit (1);
1231 }
1232 }
1233
1234 // I use else here to give vpn_packets absolute priority
1235 else if (pollfd[0].revents)
1236 {
1237 if (pollfd[0].revents & POLLIN)
1238 {
1239 /* process data */
1240 tap_packet *pkt;
1241
1242 pkt = tap->recv ();
1243
1244 int dst = mac2id (pkt->dst);
1245 int src = mac2id (pkt->src);
1246
1247 if (src != THISNODE->id)
1248 {
1249 slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1250 exit (1);
1251 }
1252
1253 if (dst == THISNODE->id)
1254 {
1255 slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1256 exit (1);
1257 }
1258
1259 if (dst > conns.size ())
1260 slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1261 else
1262 {
1263 if (dst)
1264 {
1265 // unicast
1266 if (dst != THISNODE->id)
1267 conns[dst - 1]->inject_data_packet (pkt);
1268 }
1269 else
1270 {
1271 // broadcast, first check router, then self, then english
1272 connection *router = find_router ();
1273
1274 if (router)
1275 router->inject_data_packet (pkt, true);
1276 else
1277 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 1631 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1278 if ((*c)->conf != THISNODE) 1632 (*c)->dump_status ();
1279 (*c)->inject_data_packet (pkt);
1280 }
1281 }
1282 1633
1283 delete pkt; 1634 slog (L_NOTICE, _("END status dump"));
1284 } 1635}
1285 else if (pollfd[0].revents & (POLLHUP | POLLERR))
1286 {
1287 slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
1288 exit (1);
1289 }
1290 else
1291 abort ();
1292 }
1293 }
1294 1636
1295 if (events) 1637vpn::vpn (void)
1296 { 1638: udpv4_ev_watcher(this, &vpn::udpv4_ev)
1297 if (events & EVENT_SHUTDOWN) 1639, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1298 { 1640, tap_ev_watcher(this, &vpn::tap_ev)
1299 shutdown_all (); 1641, event(this, &vpn::event_cb)
1300 1642{
1301 remove_pid (pidfilename);
1302
1303 slog (L_INFO, _("vped terminating"));
1304
1305 exit (0);
1306 }
1307
1308 if (events & EVENT_RECONNECT)
1309 reconnect_all ();
1310
1311 events = 0;
1312 }
1313
1314 // very very very dumb and crude and inefficient timer handling, or maybe not?
1315 if (now >= next_timecheck)
1316 {
1317 next_timecheck = now + TIMER_GRANULARITY;
1318
1319 for (conns_vector::iterator c = conns.begin ();
1320 c != conns.end (); ++c)
1321 (*c)->timer ();
1322 }
1323 }
1324} 1643}
1325 1644
1326vpn::~vpn () 1645vpn::~vpn ()
1327{} 1646{
1647}
1328 1648

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines