[ViewVC] Diff of: cvs/gvpe/src/protocol.C

Comparing gvpe/src/protocol.C (file contents):
Revision 1.1 by pcg, Sat Mar 1 15:53:03 2003 UTC vs.
Revision 1.24 by pcg, Fri Mar 28 16:14:40 2003 UTC

…		…
16	Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA	16	Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17	*/	17	*/
18		18
19	#include "config.h"	19	#include "config.h"
20		20
		21	#include <list>
		22
21	#include <cstdlib>	23	#include <cstdlib>
22	#include <cstring>	24	#include <cstring>
23	#include <cstdio>	25	#include <cstdio>
24		26
25	#include <sys/types.h>	27	#include <sys/types.h>
…		…
56		58
57	static time_t next_timecheck;	59	static time_t next_timecheck;
58		60
59	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic	61	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
60		62
61	static const rsachallenge &	63	static u8
62	challenge_bytes ()	64	best_protocol (u8 protset)
63	{	65	{
64	static rsachallenge challenge;	66	if (protset & PROT_IPv4)
65	static time_t challenge_ttl; // time this challenge needs to be recreated	67	return PROT_IPv4;
66		68
67	if (now > challenge_ttl)	69	return PROT_UDPv4;
68	{
69	RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));
70	challenge_ttl = now + CHALLENGE_TTL;
71	}
72
73	return challenge;
74	}
75
76	// run a script. yes, it's a template function. yes, c++
77	// is not a functional language. yes, this suxx.
78	template<class owner>
79	static void
80	run_script (owner obj, const char (owner::*setup)(), bool wait)
81	{
82	int pid;
83
84	if ((pid = fork ()) == 0)
85	{
86	char *filename;
87	asprintf (&filename, "%s/%s", confbase, (obj->*setup) ());
88	execl (filename, filename, (char *) 0);
89	exit (255);
90	}
91	else if (pid > 0)
92	{
93	if (wait)
94	{
95	waitpid (pid, 0, 0);
96	/* TODO: check status */
97	}
98	}
99	}
100
101	// xor the socket address into the challenge to ensure different challenges
102	// per host. we could rely on the OAEP padding, but this doesn't hurt.
103	void
104	xor_sa (rsachallenge &k, SOCKADDR *sa)
105	{
106	((u32 *) k)[(CHG_CIPHER_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
107	((u16 *) k)[(CHG_CIPHER_KEY + 4) / 2] ^= sa->sin_port;
108	((u32 *) k)[(CHG_HMAC_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
109	((u16 *) k)[(CHG_HMAC_KEY + 4) / 2] ^= sa->sin_port;
110	}	70	}
111		71
112	struct crypto_ctx	72	struct crypto_ctx
113	{	73	{
114	EVP_CIPHER_CTX cctx;	74	EVP_CIPHER_CTX cctx;
115	HMAC_CTX hctx;	75	HMAC_CTX hctx;
116		76
117	crypto_ctx (rsachallenge &challenge, int enc);	77	crypto_ctx (const rsachallenge &challenge, int enc);
118	~crypto_ctx ();	78	~crypto_ctx ();
119	};	79	};
120		80
121	crypto_ctx::crypto_ctx (rsachallenge &challenge, int enc)	81	crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
122	{	82	{
123	EVP_CIPHER_CTX_init (&cctx);	83	EVP_CIPHER_CTX_init (&cctx);
124	EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);	84	EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
125	HMAC_CTX_init (&hctx);	85	HMAC_CTX_init (&hctx);
126	HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);	86	HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
…		…
130	{	90	{
131	EVP_CIPHER_CTX_cleanup (&cctx);	91	EVP_CIPHER_CTX_cleanup (&cctx);
132	HMAC_CTX_cleanup (&hctx);	92	HMAC_CTX_cleanup (&hctx);
133	}	93	}
134		94
		95	static void
		96	rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
		97	{
		98	EVP_MD_CTX ctx;
		99
		100	EVP_MD_CTX_init (&ctx);
		101	EVP_DigestInit (&ctx, RSA_HASH);
		102	EVP_DigestUpdate(&ctx, &chg, sizeof chg);
		103	EVP_DigestUpdate(&ctx, &id, sizeof id);
		104	EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
		105	EVP_MD_CTX_cleanup (&ctx);
		106	}
		107
		108	struct rsa_entry {
		109	tstamp expire;
		110	rsaid id;
		111	rsachallenge chg;
		112	};
		113
		114	struct rsa_cache : list<rsa_entry>
		115	{
		116	void cleaner_cb (tstamp &ts); time_watcher cleaner;
		117
		118	bool find (const rsaid &id, rsachallenge &chg)
		119	{
		120	for (iterator i = begin (); i != end (); ++i)
		121	{
		122	if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
		123	{
		124	memcpy (&chg, &i->chg, sizeof chg);
		125
		126	erase (i);
		127	return true;
		128	}
		129	}
		130
		131	if (cleaner.at < NOW)
		132	cleaner.start (NOW + RSA_TTL);
		133
		134	return false;
		135	}
		136
		137	void gen (rsaid &id, rsachallenge &chg)
		138	{
		139	rsa_entry e;
		140
		141	RAND_bytes ((unsigned char *)&id, sizeof id);
		142	RAND_bytes ((unsigned char *)&chg, sizeof chg);
		143
		144	e.expire = NOW + RSA_TTL;
		145	e.id = id;
		146	memcpy (&e.chg, &chg, sizeof chg);
		147
		148	push_back (e);
		149
		150	if (cleaner.at < NOW)
		151	cleaner.start (NOW + RSA_TTL);
		152	}
		153
		154	rsa_cache ()
		155	: cleaner (this, &rsa_cache::cleaner_cb)
		156	{ }
		157
		158	} rsa_cache;
		159
		160	void rsa_cache::cleaner_cb (tstamp &ts)
		161	{
		162	if (empty ())
		163	ts = TSTAMP_CANCEL;
		164	else
		165	{
		166	ts = NOW + RSA_TTL;
		167
		168	for (iterator i = begin (); i != end (); )
		169	if (i->expire <= NOW)
		170	i = erase (i);
		171	else
		172	++i;
		173	}
		174	}
		175
		176	typedef callback<const char *, int> run_script_cb;
		177
		178	// run a shell script (or actually an external program).
		179	static void
		180	run_script (const run_script_cb &cb, bool wait)
		181	{
		182	int pid;
		183
		184	if ((pid = fork ()) == 0)
		185	{
		186	char *filename;
		187	asprintf (&filename, "%s/%s", confbase, cb(0));
		188	execl (filename, filename, (char *) 0);
		189	exit (255);
		190	}
		191	else if (pid > 0)
		192	{
		193	if (wait)
		194	{
		195	waitpid (pid, 0, 0);
		196	/* TODO: check status */
		197	}
		198	}
		199	}
		200
		201	//////////////////////////////////////////////////////////////////////////////
		202
		203	void pkt_queue::put (tap_packet *p)
		204	{
		205	if (queue[i])
		206	{
		207	delete queue[i];
		208	j = (j + 1) % QUEUEDEPTH;
		209	}
		210
		211	queue[i] = p;
		212
		213	i = (i + 1) % QUEUEDEPTH;
		214	}
		215
		216	tap_packet *pkt_queue::get ()
		217	{
		218	tap_packet *p = queue[j];
		219
		220	if (p)
		221	{
		222	queue[j] = 0;
		223	j = (j + 1) % QUEUEDEPTH;
		224	}
		225
		226	return p;
		227	}
		228
		229	pkt_queue::pkt_queue ()
		230	{
		231	memset (queue, 0, sizeof (queue));
		232	i = 0;
		233	j = 0;
		234	}
		235
		236	pkt_queue::~pkt_queue ()
		237	{
		238	for (i = QUEUEDEPTH; --i > 0; )
		239	delete queue[i];
		240	}
		241
		242	struct net_rateinfo {
		243	u32 host;
		244	double pcnt, diff;
		245	tstamp last;
		246	};
		247
		248	// only do action once every x seconds per host whole allowing bursts.
		249	// this implementation ("splay list" ;) is inefficient,
		250	// but low on resources.
		251	struct net_rate_limiter : list<net_rateinfo>
		252	{
		253	static const double ALPHA = 1. - 1. / 90.; // allow bursts
		254	static const double CUTOFF = 20.; // one event every CUTOFF seconds
		255	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
		256
		257	bool can (const sockinfo &si) { return can((u32)si.host); }
		258	bool can (u32 host);
		259	};
		260
		261	net_rate_limiter auth_rate_limiter, reset_rate_limiter;
		262
		263	bool net_rate_limiter::can (u32 host)
		264	{
		265	iterator i;
		266
		267	for (i = begin (); i != end (); )
		268	if (i->host == host)
		269	break;
		270	else if (i->last < NOW - EXPIRE)
		271	i = erase (i);
		272	else
		273	i++;
		274
		275	if (i == end ())
		276	{
		277	net_rateinfo ri;
		278
		279	ri.host = host;
		280	ri.pcnt = 1.;
		281	ri.diff = CUTOFF * (1. / (1. - ALPHA));
		282	ri.last = NOW;
		283
		284	push_front (ri);
		285
		286	return true;
		287	}
		288	else
		289	{
		290	net_rateinfo ri (*i);
		291	erase (i);
		292
		293	ri.pcnt = ri.pcnt * ALPHA;
		294	ri.diff = ri.diff * ALPHA + (NOW - ri.last);
		295
		296	ri.last = NOW;
		297
		298	bool send = ri.diff / ri.pcnt > CUTOFF;
		299
		300	if (send)
		301	ri.pcnt++;
		302
		303	push_front (ri);
		304
		305	return send;
		306	}
		307	}
		308
135	/////////////////////////////////////////////////////////////////////////////	309	/////////////////////////////////////////////////////////////////////////////
136		310
137	static void next_wakeup (time_t next)	311	static void next_wakeup (time_t next)
138	{	312	{
139	if (next_timecheck > next)	313	if (next_timecheck > next)
…		…
141	}	315	}
142		316
143	static unsigned char hmac_digest[EVP_MAX_MD_SIZE];	317	static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
144		318
145	struct hmac_packet:net_packet	319	struct hmac_packet:net_packet
		320	{
		321	u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
		322
		323	void hmac_set (crypto_ctx * ctx);
		324	bool hmac_chk (crypto_ctx * ctx);
		325
		326	private:
		327	void hmac_gen (crypto_ctx * ctx)
146	{	328	{
147	u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
148
149	void hmac_set (crypto_ctx * ctx);
150	bool hmac_chk (crypto_ctx * ctx);
151
152	private:
153	void hmac_gen (crypto_ctx * ctx)
154	{
155	unsigned int xlen;	329	unsigned int xlen;
156	HMAC_CTX *hctx = &ctx->hctx;	330	HMAC_CTX *hctx = &ctx->hctx;
157		331
158	HMAC_Init_ex (hctx, 0, 0, 0, 0);	332	HMAC_Init_ex (hctx, 0, 0, 0, 0);
159	HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),	333	HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
160	len - sizeof (hmac_packet));	334	len - sizeof (hmac_packet));
161	HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);	335	HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
162	}
163	};	336	}
		337	};
164		338
165	void	339	void
166	hmac_packet::hmac_set (crypto_ctx * ctx)	340	hmac_packet::hmac_set (crypto_ctx * ctx)
167	{	341	{
168	hmac_gen (ctx);	342	hmac_gen (ctx);
…		…
184	{	358	{
185	PT_RESET = 0,	359	PT_RESET = 0,
186	PT_DATA_UNCOMPRESSED,	360	PT_DATA_UNCOMPRESSED,
187	PT_DATA_COMPRESSED,	361	PT_DATA_COMPRESSED,
188	PT_PING, PT_PONG, // wasting namespace space? ;)	362	PT_PING, PT_PONG, // wasting namespace space? ;)
189	PT_AUTH, // authentification	363	PT_AUTH_REQ, // authentification request
		364	PT_AUTH_RES, // authentification response
190	PT_CONNECT_REQ, // want other host to contact me	365	PT_CONNECT_REQ, // want other host to contact me
191	PT_CONNECT_INFO, // request connection to some node	366	PT_CONNECT_INFO, // request connection to some node
192	PT_REKEY, // rekeying (not yet implemented)
193	PT_MAX	367	PT_MAX
194	};	368	};
195		369
196	u8 type;	370	u8 type;
197	u8 srcdst, src1, dst1;	371	u8 srcdst, src1, dst1;
198		372
199	void set_hdr (ptype type, unsigned int dst);	373	void set_hdr (ptype type, unsigned int dst);
200		374
201	unsigned int src ()	375	unsigned int src () const
202	{	376	{
203	return src1 \| ((srcdst >> 4) << 8);	377	return src1 \| ((srcdst >> 4) << 8);
204	}	378	}
		379
205	unsigned int dst ()	380	unsigned int dst () const
206	{	381	{
207	return dst1 \| ((srcdst & 0xf) << 8);	382	return dst1 \| ((srcdst & 0xf) << 8);
208	}	383	}
		384
209	ptype typ ()	385	ptype typ () const
210	{	386	{
211	return (ptype) type;	387	return (ptype) type;
212	}	388	}
213	};	389	};
214		390
…		…
252	u32 cl;	428	u32 cl;
253		429
254	cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);	430	cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
255	if (cl)	431	if (cl)
256	{	432	{
257	//printf ("compressed packet, %d => %d\n", l, cl);//D
258	type = PT_DATA_COMPRESSED;	433	type = PT_DATA_COMPRESSED;
259	d = cdata;	434	d = cdata;
260	l = cl + 2;	435	l = cl + 2;
261		436
262	d[0] = cl >> 8;	437	d[0] = cl >> 8;
…		…
264	}	439	}
265	#endif	440	#endif
266		441
267	EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);	442	EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
268		443
		444	struct {
269	#if RAND_SIZE	445	#if RAND_SIZE
270	struct {
271	u8 rnd[RAND_SIZE];	446	u8 rnd[RAND_SIZE];
		447	#endif
272	u32 seqno;	448	u32 seqno;
273	} datahdr;	449	} datahdr;
274		450
275	datahdr.seqno = seqno;	451	datahdr.seqno = ntohl (seqno);
		452	#if RAND_SIZE
276	RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);	453	RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
		454	#endif
277		455
278	EVP_EncryptUpdate (cctx,	456	EVP_EncryptUpdate (cctx,
279	(unsigned char *) data + outl, &outl2,	457	(unsigned char *) data + outl, &outl2,
280	(unsigned char *) &datahdr, DATAHDR);	458	(unsigned char *) &datahdr, DATAHDR);
281	outl += outl2;	459	outl += outl2;
282	#else
283	EVP_EncryptUpdate (cctx,
284	(unsigned char *) data + outl, &outl2,
285	(unsigned char *) &seqno, DATAHDR);
286	outl += outl2;
287	#endif
288		460
289	EVP_EncryptUpdate (cctx,	461	EVP_EncryptUpdate (cctx,
290	(unsigned char *) data + outl, &outl2,	462	(unsigned char *) data + outl, &outl2,
291	(unsigned char *) d, l);	463	(unsigned char *) d, l);
292	outl += outl2;	464	outl += outl2;
…		…
328	outl += outl2;	500	outl += outl2;
329		501
330	EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);	502	EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
331	outl += outl2;	503	outl += outl2;
332		504
333	seqno = (u32 )(d + RAND_SIZE);	505	seqno = ntohl ((u32 )(d + RAND_SIZE));
334		506
335	id2mac (dst (), p->dst);	507	id2mac (dst () ? dst() : THISNODE->id, p->dst);
336	id2mac (src (), p->src);	508	id2mac (src (), p->src);
337		509
338	#if ENABLE_COMPRESSION	510	#if ENABLE_COMPRESSION
339	if (type == PT_DATA_COMPRESSED)	511	if (type == PT_DATA_COMPRESSED)
340	{	512	{
341	u32 cl = (d[DATAHDR] << 8) \| d[DATAHDR + 1];	513	u32 cl = (d[DATAHDR] << 8) \| d[DATAHDR + 1];
		514
342	p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6;	515	p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
343	//printf ("decompressxed %d(%d) => %d\n", cl, len - data_hdr_size (), p->len);//D	516	&(*p)[6 + 6], MAX_MTU)
		517	+ 6 + 6;
344	}	518	}
345	else	519	else
346	p->len = outl + (6 + 6 - DATAHDR);	520	p->len = outl + (6 + 6 - DATAHDR);
347	#endif	521	#endif
348		522
349	return p;	523	return p;
350	}	524	}
351		525
352	struct ping_packet : vpn_packet	526	struct ping_packet : vpn_packet
		527	{
		528	void setup (int dst, ptype type)
353	{	529	{
354	void setup (int dst, ptype type)
355	{
356	set_hdr (type, dst);	530	set_hdr (type, dst);
357	len = sizeof (*this) - sizeof (net_packet);	531	len = sizeof (*this) - sizeof (net_packet);
358	}
359	};	532	}
		533	};
360		534
361	struct config_packet : vpn_packet	535	struct config_packet : vpn_packet
		536	{
		537	// actually, hmaclen cannot be checked because the hmac
		538	// field comes before this data, so peers with other
		539	// hmacs simply will not work.
		540	u8 prot_major, prot_minor, randsize, hmaclen;
		541	u8 flags, challengelen, pad2, pad3;
		542	u32 cipher_nid, digest_nid, hmac_nid;
		543
		544	const u8 curflags () const
362	{	545	{
363	// actually, hmaclen cannot be checked because the hmac
364	// field comes before this data, so peers with other
365	// hmacs simply will not work.
366	u8 prot_major, prot_minor, randsize, hmaclen;
367	u8 flags, challengelen, pad2, pad3;
368	u32 cipher_nid;
369	u32 digest_nid;
370
371	const u8 curflags () const
372	{
373	return 0x80	546	return 0x80
374	\| (ENABLE_COMPRESSION ? 0x01 : 0x00)	547	\| (ENABLE_COMPRESSION ? 0x01 : 0x00);
375	\| (ENABLE_TRUST ? 0x02 : 0x00);
376	}	548	}
377		549
378	void setup (ptype type, int dst)	550	void setup (ptype type, int dst);
379	{	551	bool chk_config () const;
		552	};
		553
		554	void config_packet::setup (ptype type, int dst)
		555	{
380	prot_major = PROTOCOL_MAJOR;	556	prot_major = PROTOCOL_MAJOR;
381	prot_minor = PROTOCOL_MINOR;	557	prot_minor = PROTOCOL_MINOR;
382	randsize = RAND_SIZE;	558	randsize = RAND_SIZE;
383	hmaclen = HMACLENGTH;	559	hmaclen = HMACLENGTH;
384	flags = curflags ();	560	flags = curflags ();
385	challengelen = sizeof (rsachallenge);	561	challengelen = sizeof (rsachallenge);
386		562
387	cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));	563	cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
388	digest_nid = htonl (EVP_MD_type (DIGEST));	564	digest_nid = htonl (EVP_MD_type (RSA_HASH));
		565	hmac_nid = htonl (EVP_MD_type (DIGEST));
389		566
390	len = sizeof (*this) - sizeof (net_packet);	567	len = sizeof (*this) - sizeof (net_packet);
391	set_hdr (type, dst);	568	set_hdr (type, dst);
392	}	569	}
393		570
394	bool chk_config ()	571	bool config_packet::chk_config () const
395	{	572	{
396	return prot_major == PROTOCOL_MAJOR	573	return prot_major == PROTOCOL_MAJOR
397	&& randsize == RAND_SIZE	574	&& randsize == RAND_SIZE
398	&& hmaclen == HMACLENGTH	575	&& hmaclen == HMACLENGTH
399	&& flags == curflags ()	576	&& flags == curflags ()
400	&& challengelen == sizeof (rsachallenge)	577	&& challengelen == sizeof (rsachallenge)
401	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))	578	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
		579	&& digest_nid == htonl (EVP_MD_type (RSA_HASH))
402	&& digest_nid == htonl (EVP_MD_type (DIGEST));	580	&& hmac_nid == htonl (EVP_MD_type (DIGEST));
403	}	581	}
404	};
405		582
406	struct auth_packet : config_packet	583	struct auth_req_packet : config_packet
		584	{
		585	char magic[8];
		586	u8 initiate; // false if this is just an automatic reply
		587	u8 protocols; // supported protocols (will get patches on forward)
		588	u8 pad2, pad3;
		589	rsaid id;
		590	rsaencrdata encr;
		591
		592	auth_req_packet (int dst, bool initiate_, u8 protocols_)
407	{	593	{
408	char magic[8];
409	u8 subtype;
410	u8 pad1, pad2;
411	rsaencrdata challenge;
412
413	auth_packet (int dst, auth_subtype stype)
414	{
415	config_packet::setup (PT_AUTH, dst);	594	config_packet::setup (PT_AUTH_REQ, dst);
416	subtype = stype;	595	strncpy (magic, MAGIC, 8);
		596	initiate = !!initiate_;
		597	protocols = protocols_;
		598
417	len = sizeof (*this) - sizeof (net_packet);	599	len = sizeof (*this) - sizeof (net_packet);
418	strncpy (magic, MAGIC, 8);
419	}
420	};	600	}
		601	};
		602
		603	struct auth_res_packet : config_packet
		604	{
		605	rsaid id;
		606	u8 pad1, pad2, pad3;
		607	u8 response_len; // encrypted length
		608	rsaresponse response;
		609
		610	auth_res_packet (int dst)
		611	{
		612	config_packet::setup (PT_AUTH_RES, dst);
		613
		614	len = sizeof (*this) - sizeof (net_packet);
		615	}
		616	};
421		617
422	struct connect_req_packet : vpn_packet	618	struct connect_req_packet : vpn_packet
		619	{
		620	u8 id, protocols;
		621	u8 pad1, pad2;
		622
		623	connect_req_packet (int dst, int id_, u8 protocols_)
		624	: id(id_)
		625	, protocols(protocols_)
423	{	626	{
424	u8 id;
425	u8 pad1, pad2, pad3;
426
427	connect_req_packet (int dst, int id)
428	{
429	this->id = id;
430	set_hdr (PT_CONNECT_REQ, dst);	627	set_hdr (PT_CONNECT_REQ, dst);
431	len = sizeof (*this) - sizeof (net_packet);	628	len = sizeof (*this) - sizeof (net_packet);
432	}
433	};	629	}
		630	};
434		631
435	struct connect_info_packet : vpn_packet	632	struct connect_info_packet : vpn_packet
		633	{
		634	u8 id, protocols;
		635	u8 pad1, pad2;
		636	sockinfo si;
		637
		638	connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
		639	: id(id_)
		640	, protocols(protocols_)
		641	, si(si_)
436	{	642	{
437	u8 id;
438	u8 pad1, pad2, pad3;
439	sockinfo si;
440
441	connect_info_packet (int dst, int id, sockinfo &si)
442	{
443	this->id = id;
444	this->si = si;
445	set_hdr (PT_CONNECT_INFO, dst);	643	set_hdr (PT_CONNECT_INFO, dst);
		644
446	len = sizeof (*this) - sizeof (net_packet);	645	len = sizeof (*this) - sizeof (net_packet);
447	}
448	};	646	}
		647	};
449		648
450	/////////////////////////////////////////////////////////////////////////////	649	/////////////////////////////////////////////////////////////////////////////
451		650
452	void	651	void
453	fill_sa (SOCKADDR sa, conf_node conf)	652	connection::reset_dstaddr ()
454	{	653	{
455	sa->sin_family = AF_INET;	654	si.set (conf);
456	sa->sin_port = htons (conf->port);	655	}
457	sa->sin_addr.s_addr = 0;
458		656
		657	void
		658	connection::send_ping (const sockinfo &si, u8 pong)
		659	{
		660	ping_packet *pkt = new ping_packet;
		661
		662	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
		663	send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
		664
		665	delete pkt;
		666	}
		667
		668	void
		669	connection::send_reset (const sockinfo &si)
		670	{
		671	if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
		672	{
		673	config_packet *pkt = new config_packet;
		674
		675	pkt->setup (vpn_packet::PT_RESET, conf->id);
		676	send_vpn_packet (pkt, si, IPTOS_MINCOST);
		677
		678	delete pkt;
		679	}
		680	}
		681
		682	void
		683	connection::send_auth_request (const sockinfo &si, bool initiate)
		684	{
		685	auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
		686
		687	prot_send = best_protocol (THISNODE->protocols & conf->protocols);
		688
		689	rsachallenge chg;
		690
		691	rsa_cache.gen (pkt->id, chg);
		692
		693	if (0 > RSA_public_encrypt (sizeof chg,
		694	(unsigned char )&chg, (unsigned char )&pkt->encr,
		695	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
		696	fatal ("RSA_public_encrypt error");
		697
		698	slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
		699
		700	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
		701
		702	delete pkt;
		703	}
		704
		705	void
		706	connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
		707	{
		708	auth_res_packet *pkt = new auth_res_packet (conf->id);
		709
		710	pkt->id = id;
		711
		712	rsa_hash (id, chg, pkt->response);
		713
		714	pkt->hmac_set (octx);
		715
		716	slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
		717
		718	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
		719
		720	delete pkt;
		721	}
		722
		723	void
		724	connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
		725	{
		726	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
		727	conf->id, rid, (const char *)rsi);
		728
		729	connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
		730
		731	r->hmac_set (octx);
		732	send_vpn_packet (r, si);
		733
		734	delete r;
		735	}
		736
		737	void
		738	connection::establish_connection_cb (tstamp &ts)
		739	{
		740	if (ictx \|\| conf == THISNODE
		741	\|\| connectmode == conf_node::C_NEVER
		742	\|\| connectmode == conf_node::C_DISABLED)
		743	ts = TSTAMP_CANCEL;
		744	else if (ts <= NOW)
		745	{
		746	double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
		747
		748	if (retry_int < 3600 * 8)
		749	retry_cnt++;
		750
		751	ts = NOW + retry_int;
		752
459	if (conf->hostname)	753	if (conf->hostname)
460	{	754	{
461	struct hostent *he = gethostbyname (conf->hostname);	755	reset_dstaddr ();
462		756	if (si.host && auth_rate_limiter.can (si))
463	if (he
464	&& he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
465	{	757	{
466	//sa->sin_family = he->h_addrtype;	758	if (retry_cnt < 4)
467	memcpy (&sa->sin_addr, he->h_addr_list[0], 4);	759	send_auth_request (si, true);
		760	else
		761	send_ping (si, 0);
		762	}
468	}	763	}
469	else	764	else
470	slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
471	}
472	}
473
474	void
475	connection::reset_dstaddr ()
476	{
477	fill_sa (&sa, conf);
478	}
479
480	void
481	connection::send_ping (SOCKADDR *dsa, u8 pong)
482	{
483	ping_packet *pkt = new ping_packet;
484
485	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
486	vpn->send_vpn_packet (pkt, dsa);
487
488	delete pkt;
489	}
490
491	void
492	connection::send_reset (SOCKADDR *dsa)
493	{
494	static net_rate_limiter limiter(1);
495
496	if (limiter.can (dsa))
497	{
498	config_packet *pkt = new config_packet;
499
500	pkt->setup (vpn_packet::PT_RESET, conf->id);
501	vpn->send_vpn_packet (pkt, dsa);
502
503	delete pkt;
504	}
505	}
506
507	static rsachallenge *
508	gen_challenge (SOCKADDR *sa)
509	{
510	static rsachallenge k;
511
512	memcpy (&k, &challenge_bytes (), sizeof (k));
513	RAND_bytes ((unsigned char *)&k[CHG_SEQNO], sizeof (u32));
514	xor_sa (k, sa);
515
516	return &k;
517	}
518
519	void
520	connection::send_auth (auth_subtype subtype, SOCKADDR sa, rsachallenge k)
521	{
522	static net_rate_limiter limiter(2);
523
524	if (subtype != AUTH_INIT \|\| limiter.can (sa))
525	{
526	auth_packet *pkt = new auth_packet (conf->id, subtype);
527
528	//printf ("send auth_packet subtype %d\n", subtype);//D
529
530	if (!k)
531	k = gen_challenge (sa);
532
533	#if ENABLE_TRUST
534	if (0 > RSA_public_encrypt (sizeof (*k),
535	(unsigned char )k, (unsigned char )&pkt->challenge,
536	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
537	fatal ("RSA_public_encrypt error");
538	#else
539	# error untrusted mode not yet implemented: programemr does not know how to
540	rsaencrdata enc;
541
542	if (0 > RSA_private_encrypt (sizeof (*k),
543	(unsigned char )k, (unsigned char )&enc,
544	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
545	fatal ("RSA_private_encrypt error");
546
547	if (0 > RSA_public_encrypt (sizeof (enc),
548	(unsigned char )enc, (unsigned char )&pkt->challenge,
549	conf->rsa_key, RSA_NO_PADDING))
550	fatal ("RSA_public_encrypt error");
551	#endif
552
553	slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa));
554
555	vpn->send_vpn_packet (pkt, sa);
556
557	delete pkt;
558	}
559	}
560
561	void
562	connection::establish_connection ()
563	{
564	if (!ictx && conf != THISNODE && conf->connectmode != conf_node::C_NEVER)
565	{
566	if (now >= next_retry)
567	{
568	int retry_int = retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2);
569
570	if (retry_cnt < (17 << 2) \| 3)
571	retry_cnt++;
572
573	if (conf->connectmode == conf_node::C_ONDEMAND
574	&& retry_int > ::conf.keepalive)
575	retry_int = ::conf.keepalive;
576
577	next_retry = now + retry_int;
578	next_wakeup (next_retry);
579
580	if (conf->hostname)
581	{
582	reset_dstaddr ();
583	if (sa.sin_addr.s_addr)
584	if (retry_cnt < 4)
585	send_auth (AUTH_INIT, &sa);
586	else
587	send_ping (&sa, 0);
588	}
589	else
590	vpn->connect_request (conf->id);	765	vpn->connect_request (conf->id);
591	}
592	}	766	}
593	}	767	}
594		768
595	void	769	void
596	connection::reset_connection ()	770	connection::reset_connection ()
597	{	771	{
598	if (ictx && octx)	772	if (ictx && octx)
599	{	773	{
600	slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename);	774	slog (L_INFO, _("%s(%s): connection lost"),
		775	conf->nodename, (const char *)si);
601		776
602	if (::conf.script_node_down)	777	if (::conf.script_node_down)
603	run_script (this, &connection::script_node_down, false);	778	run_script (run_script_cb (this, &connection::script_node_down), false);
604	}	779	}
605		780
606	delete ictx;	781	delete ictx; ictx = 0;
607	ictx = 0;	782	delete octx; octx = 0;
608		783
609	delete octx;	784	si.host= 0;
610	octx = 0;
611		785
612	sa.sin_port = 0;
613	sa.sin_addr.s_addr = 0;
614
615	next_retry = 0;
616	next_rekey = 0;
617	last_activity = 0;	786	last_activity = 0;
		787	retry_cnt = 0;
		788
		789	rekey.reset ();
		790	keepalive.reset ();
		791	establish_connection.reset ();
618	}	792	}
619		793
620	void	794	void
621	connection::shutdown ()	795	connection::shutdown ()
622	{	796	{
623	if (ictx && octx)	797	if (ictx && octx)
624	send_reset (&sa);	798	send_reset (si);
625		799
626	reset_connection ();	800	reset_connection ();
627	}	801	}
628		802
629	void	803	void
630	connection::rekey ()	804	connection::rekey_cb (tstamp &ts)
631	{	805	{
		806	ts = TSTAMP_CANCEL;
		807
632	reset_connection ();	808	reset_connection ();
633	establish_connection ();	809	establish_connection ();
634	}	810	}
635		811
636	void	812	void
637	connection::send_data_packet (tap_packet * pkt, bool broadcast)	813	connection::send_data_packet (tap_packet *pkt, bool broadcast)
638	{	814	{
639	vpndata_packet *p = new vpndata_packet;	815	vpndata_packet *p = new vpndata_packet;
		816	int tos = 0;
		817
		818	if (conf->inherit_tos
		819	&& (pkt)[12] == 0x08 && (pkt)[13] == 0x00 // IP
		820	&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4
		821	tos = (*pkt)[15] & IPTOS_TOS_MASK;
640		822
641	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs	823	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
642	vpn->send_vpn_packet (p, &sa);	824	send_vpn_packet (p, si, tos);
643		825
644	delete p;	826	delete p;
645		827
646	if (oseqno > MAX_SEQNO)	828	if (oseqno > MAX_SEQNO)
647	rekey ();	829	rekey ();
…		…
660	establish_connection ();	842	establish_connection ();
661	}	843	}
662	}	844	}
663		845
664	void	846	void
665	connection::recv_vpn_packet (vpn_packet pkt, SOCKADDR ssa)	847	connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
666	{	848	{
667	last_activity = now;	849	last_activity = NOW;
668		850
669	slog (L_NOISE, "<<%d received packet type %d from %d to %d",	851	slog (L_NOISE, "<<%d received packet type %d from %d to %d",
670	conf->id, pkt->typ (), pkt->src (), pkt->dst ());	852	conf->id, pkt->typ (), pkt->src (), pkt->dst ());
671		853
672	switch (pkt->typ ())	854	switch (pkt->typ ())
673	{	855	{
674	case vpn_packet::PT_PING:	856	case vpn_packet::PT_PING:
		857	// we send pings instead of auth packets after some retries,
		858	// so reset the retry counter and establish a connection
		859	// when we receive a ping.
		860	if (!ictx)
		861	{
		862	if (auth_rate_limiter.can (rsi))
		863	send_auth_request (rsi, true);
		864	}
		865	else
675	send_ping (ssa, 1); // pong	866	send_ping (rsi, 1); // pong
		867
676	break;	868	break;
677		869
678	case vpn_packet::PT_PONG:	870	case vpn_packet::PT_PONG:
679	// we send pings instead of auth packets after some retries,
680	// so reset the retry counter and establish a conenction
681	// when we receive a pong.
682	if (!ictx && !octx)
683	{
684	retry_cnt = 0;
685	next_retry = 0;
686	establish_connection ();
687	}
688
689	break;	871	break;
690		872
691	case vpn_packet::PT_RESET:	873	case vpn_packet::PT_RESET:
692	{	874	{
693	reset_connection ();	875	reset_connection ();
694		876
695	config_packet p = (config_packet ) pkt;	877	config_packet p = (config_packet ) pkt;
		878
696	if (p->chk_config ())	879	if (!p->chk_config ())
		880	{
		881	slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
		882	conf->nodename, (const char *)rsi);
		883	connectmode = conf_node::C_DISABLED;
		884	}
697	if (conf->connectmode == conf_node::C_ALWAYS)	885	else if (connectmode == conf_node::C_ALWAYS)
698	establish_connection ();	886	establish_connection ();
699
700	//D slog the protocol mismatch?
701	}	887	}
702	break;	888	break;
703		889
704	case vpn_packet::PT_AUTH:	890	case vpn_packet::PT_AUTH_REQ:
		891	if (auth_rate_limiter.can (rsi))
		892	{
		893	auth_req_packet p = (auth_req_packet ) pkt;
		894
		895	slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
		896
		897	if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
		898	{
		899	if (p->prot_minor != PROTOCOL_MINOR)
		900	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
		901	conf->nodename, (const char *)rsi,
		902	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
		903
		904	if (p->initiate)
		905	send_auth_request (rsi, false);
		906
		907	rsachallenge k;
		908
		909	if (0 > RSA_private_decrypt (sizeof (p->encr),
		910	(unsigned char )&p->encr, (unsigned char )&k,
		911	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
		912	slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
		913	conf->nodename, (const char *)rsi);
		914	else
		915	{
		916	retry_cnt = 0;
		917	establish_connection.set (NOW + 8); //? ;)
		918	keepalive.reset ();
		919	rekey.reset ();
		920
		921	delete ictx;
		922	ictx = 0;
		923
		924	delete octx;
		925
		926	octx = new crypto_ctx (k, 1);
		927	oseqno = ntohl ((u32 )&k[CHG_SEQNO]) & 0x7fffffff;
		928
		929	conf->protocols = p->protocols;
		930	send_auth_response (rsi, p->id, k);
		931
		932	break;
		933	}
		934	}
		935
		936	send_reset (rsi);
		937	}
		938
		939	break;
		940
		941	case vpn_packet::PT_AUTH_RES:
705	{	942	{
706	auth_packet p = (auth_packet ) pkt;	943	auth_res_packet p = (auth_res_packet ) pkt;
707		944
708	slog (L_TRACE, "<<%d PT_AUTH(%d)", conf->id, p->subtype);	945	slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
709		946
710	if (p->chk_config ()	947	if (p->chk_config ())
711	&& !strncmp (p->magic, MAGIC, 8))
712	{	948	{
713	if (p->prot_minor != PROTOCOL_MINOR)	949	if (p->prot_minor != PROTOCOL_MINOR)
714	slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."),	950	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
		951	conf->nodename, (const char *)rsi,
715	PROTOCOL_MINOR, conf->nodename, p->prot_minor);	952	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
716		953
717	if (p->subtype == AUTH_INIT)
718	send_auth (AUTH_INITREPLY, ssa);
719
720	rsachallenge k;	954	rsachallenge chg;
721		955
722	#if ENABLE_TRUST	956	if (!rsa_cache.find (p->id, chg))
723	if (0 > RSA_private_decrypt (sizeof (rsaencrdata),	957	slog (L_ERR, _("%s(%s): unrequested auth response"),
724	(unsigned char )&p->challenge, (unsigned char )&k,	958	conf->nodename, (const char *)rsi);
725	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
726	// continued below
727	#else
728	rsaencrdata j;
729		959	else
730	if (0 > RSA_private_decrypt (sizeof (rsaencrdata),
731	(unsigned char )&p->challenge, (unsigned char )&j,
732	::conf.rsa_key, RSA_NO_PADDING))
733	fatal ("RSA_private_decrypt error");
734
735	if (0 > RSA_public_decrypt (sizeof (k),
736	(unsigned char )&j, (unsigned char )&k,
737	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
738	// continued below
739	#endif
740	{	960	{
741	slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"),	961	crypto_ctx *cctx = new crypto_ctx (chg, 0);
		962
		963	if (!p->hmac_chk (cctx))
		964	slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
		965	"could be an attack, or just corruption or an synchronization error"),
742	conf->nodename, (const char *)sockinfo (ssa));	966	conf->nodename, (const char *)rsi);
743	break;	967	else
744	}
745
746	retry_cnt = 0;
747	next_retry = now + 8;
748
749	switch (p->subtype)
750	{
751	case AUTH_INIT:
752	case AUTH_INITREPLY:
753	delete ictx;
754	ictx = 0;
755
756	delete octx;
757
758	octx = new crypto_ctx (k, 1);
759	oseqno = (u32 )&k[CHG_SEQNO] & 0x7fffffff;
760
761	send_auth (AUTH_REPLY, ssa, &k);
762	break;
763
764	case AUTH_REPLY:
765
766	if (!memcmp ((u8 )gen_challenge (ssa) + sizeof (u32), (u8 )&k + sizeof (u32),
767	sizeof (rsachallenge) - sizeof (u32)))
768	{	968	{
769	delete ictx;
770
771	ictx = new crypto_ctx (k, 0);
772	iseqno = (u32 )&k[CHG_SEQNO] & 0x7fffffff; // at least 2**31 sequence numbers are valid
773	ismask = 0xffffffff; // initially, all lower sequence numbers are invalid
774
775	sa = *ssa;	969	rsaresponse h;
776		970
777	next_rekey = now + ::conf.rekey;	971	rsa_hash (p->id, chg, h);
778	next_wakeup (next_rekey);
779		972
780	// send queued packets	973	if (!memcmp ((u8 )&h, (u8 )p->response, sizeof h))
781	while (tap_packet *p = queue.get ())
782	{	974	{
		975	prot_minor = p->prot_minor;
		976
		977	delete ictx; ictx = cctx;
		978
		979	iseqno.reset (ntohl ((u32 )&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
		980
		981	si = rsi;
		982
		983	rekey.set (NOW + ::conf.rekey);
		984	keepalive.set (NOW + ::conf.keepalive);
		985
		986	// send queued packets
		987	while (tap_packet *p = queue.get ())
		988	{
783	send_data_packet (p);	989	send_data_packet (p);
784	delete p;	990	delete p;
		991	}
		992
		993	connectmode = conf->connectmode;
		994
		995	slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
		996	conf->nodename, (const char *)rsi,
		997	p->prot_major, p->prot_minor);
		998
		999	if (::conf.script_node_up)
		1000	run_script (run_script_cb (this, &connection::script_node_up), false);
		1001
		1002	break;
785	}	1003	}
786		1004	else
787	slog (L_INFO, _("connection to %d (%s %s) established"),	1005	slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
788	conf->id, conf->nodename, (const char *)sockinfo (ssa));	1006	conf->nodename, (const char *)rsi);
789
790	if (::conf.script_node_up)
791	run_script (this, &connection::script_node_up, false);
792	}	1007	}
		1008
793	else	1009	delete cctx;
794	slog (L_ERR, _("sent and received challenge do not match with (%s %s))"),
795	conf->nodename, (const char *)sockinfo (ssa));
796
797	break;
798	default:
799	slog (L_ERR, _("authentification illegal subtype error (%s %s)"),
800	conf->nodename, (const char *)sockinfo (ssa));
801	break;
802	}	1010	}
803	}	1011	}
804	else
805	send_reset (ssa);
806
807	break;
808	}	1012	}
		1013
		1014	send_reset (rsi);
		1015	break;
809		1016
810	case vpn_packet::PT_DATA_COMPRESSED:	1017	case vpn_packet::PT_DATA_COMPRESSED:
811	#if !ENABLE_COMPRESSION	1018	#if !ENABLE_COMPRESSION
812	send_reset (ssa);	1019	send_reset (rsi);
813	break;	1020	break;
814	#endif	1021	#endif
		1022
815	case vpn_packet::PT_DATA_UNCOMPRESSED:	1023	case vpn_packet::PT_DATA_UNCOMPRESSED:
816		1024
817	if (ictx && octx)	1025	if (ictx && octx)
818	{	1026	{
819	vpndata_packet p = (vpndata_packet )pkt;	1027	vpndata_packet p = (vpndata_packet )pkt;
820		1028
821	if (*ssa == sa)	1029	if (rsi == si)
822	{	1030	{
823	if (!p->hmac_chk (ictx))	1031	if (!p->hmac_chk (ictx))
824	slog (L_ERR, _("hmac authentication error, received invalid packet\n"	1032	slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
825	"could be an attack, or just corruption or an synchronization error"));	1033	"could be an attack, or just corruption or an synchronization error"),
		1034	conf->nodename, (const char *)rsi);
826	else	1035	else
827	{	1036	{
828	u32 seqno;	1037	u32 seqno;
829	tap_packet *d = p->unpack (this, seqno);	1038	tap_packet *d = p->unpack (this, seqno);
830		1039
831	if (seqno <= iseqno - 32)	1040	if (iseqno.recv_ok (seqno))
832	slog (L_ERR, _("received duplicate or outdated packet (received %08lx, expected %08lx)\n"
833	"possible replay attack, or just massive packet reordering"), seqno, iseqno + 1);//D
834	else if (seqno > iseqno + 32)
835	slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n"
836	"possible replay attack, or just massive packet loss"), seqno, iseqno + 1);//D
837	else
838	{	1041	{
839	if (seqno > iseqno)
840	{
841	ismask <<= seqno - iseqno;
842	iseqno = seqno;
843	}
844
845	u32 mask = 1 << (iseqno - seqno);
846
847	//printf ("received seqno %08lx, iseqno %08lx, mask %08lx is %08lx\n", seqno, iseqno, mask, ismask);
848	if (ismask & mask)
849	slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n"
850	"possible replay attack, or just packet duplication"), seqno, iseqno + 1);//D
851	else
852	{
853	ismask \|= mask;
854
855	vpn->tap->send (d);	1042	vpn->tap->send (d);
856		1043
857	if (p->dst () == 0) // re-broadcast	1044	if (p->dst () == 0) // re-broadcast
858	for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)	1045	for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
859	{	1046	{
860	connection c = i;	1047	connection c = i;
861		1048
862	if (c->conf != THISNODE && c->conf != conf)	1049	if (c->conf != THISNODE && c->conf != conf)
863	c->inject_data_packet (d);	1050	c->inject_data_packet (d);
864	}
865
866	delete d;
867
868	break;
869	}	1051	}
		1052
		1053	delete d;
		1054
		1055	break;
870	}	1056	}
871	}	1057	}
872	}	1058	}
873	else	1059	else
874	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D	1060	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
875	}	1061	}
876		1062
877	send_reset (ssa);	1063	send_reset (rsi);
878	break;	1064	break;
879		1065
880	case vpn_packet::PT_CONNECT_REQ:	1066	case vpn_packet::PT_CONNECT_REQ:
881	if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))	1067	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
882	{	1068	{
883	connect_req_packet p = (connect_req_packet ) pkt;	1069	connect_req_packet p = (connect_req_packet ) pkt;
884		1070
885	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything	1071	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
886		1072	conf->protocols = p->protocols;
887	connection *c = vpn->conns[p->id - 1];	1073	connection *c = vpn->conns[p->id - 1];
888		1074
889	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",	1075	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
890	conf->id, p->id, c->ictx && c->octx);	1076	conf->id, p->id, c->ictx && c->octx);
891		1077
892	if (c->ictx && c->octx)	1078	if (c->ictx && c->octx)
893	{	1079	{
894	sockinfo si(sa);	1080	// send connect_info packets to both sides, in case one is
895		1081	// behind a nat firewall (or both ;)
896	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",	1082	c->send_connect_info (conf->id, si, conf->protocols);
897	c->conf->id, p->id, (const char *)si);	1083	send_connect_info (c->conf->id, c->si, c->conf->protocols);
898
899	connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si);
900
901	r->hmac_set (c->octx);
902	vpn->send_vpn_packet (r, &c->sa);
903
904	delete r;
905	}	1084	}
906	}	1085	}
907		1086
908	break;	1087	break;
909		1088
910	case vpn_packet::PT_CONNECT_INFO:	1089	case vpn_packet::PT_CONNECT_INFO:
911	if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))	1090	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
912	{	1091	{
913	connect_info_packet p = (connect_info_packet ) pkt;	1092	connect_info_packet p = (connect_info_packet ) pkt;
914		1093
915	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything	1094	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
916		1095	conf->protocols = p->protocols;
917	connection *c = vpn->conns[p->id - 1];	1096	connection *c = vpn->conns[p->id - 1];
918		1097
919	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",	1098	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
920	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);	1099	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
921		1100
922	c->send_auth (AUTH_INIT, p->si.sa ());	1101	c->send_auth_request (p->si, true);
923	}	1102	}
		1103
924	break;	1104	break;
925		1105
926	default:	1106	default:
927	send_reset (ssa);	1107	send_reset (rsi);
928	break;	1108	break;
929	}
930	}
931		1109
932	void connection::timer ()
933	{
934	if (conf != THISNODE)
935	{	1110	}
936	if (now >= next_retry && conf->connectmode == conf_node::C_ALWAYS)	1111	}
		1112
		1113	void connection::keepalive_cb (tstamp &ts)
		1114	{
		1115	if (NOW >= last_activity + ::conf.keepalive + 30)
		1116	{
		1117	reset_connection ();
937	establish_connection ();	1118	establish_connection ();
938		1119	}
939	if (ictx && octx)
940	{
941	if (now >= next_rekey)
942	rekey ();
943	else if (now >= last_activity + ::conf.keepalive + 30)
944	{
945	reset_connection ();
946	establish_connection ();
947	}
948	else if (now >= last_activity + ::conf.keepalive)	1120	else if (NOW < last_activity + ::conf.keepalive)
		1121	ts = last_activity + ::conf.keepalive;
949	if (conf->connectmode != conf_node::C_ONDEMAND	1122	else if (conf->connectmode != conf_node::C_ONDEMAND
950	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)	1123	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)
		1124	{
951	send_ping (&sa);	1125	send_ping (si);
952	else	1126	ts = NOW + 5;
		1127	}
		1128	else
953	reset_connection ();	1129	reset_connection ();
954
955	}
956	}
957	}	1130	}
958		1131
959	void connection::connect_request (int id)	1132	void connection::connect_request (int id)
960	{	1133	{
961	connect_req_packet *p = new connect_req_packet (conf->id, id);	1134	connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
962		1135
963	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);	1136	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
964	p->hmac_set (octx);	1137	p->hmac_set (octx);
965	vpn->send_vpn_packet (p, &sa);	1138	send_vpn_packet (p, si);
966		1139
967	delete p;	1140	delete p;
968	}	1141	}
969		1142
970	void connection::script_node ()	1143	void connection::script_node ()
971	{	1144	{
972	vpn->script_if_up ();	1145	vpn->script_if_up (0);
973		1146
974	char *env;	1147	char *env;
975	asprintf (&env, "DESTID=%d", conf->id);	1148	asprintf (&env, "DESTID=%d", conf->id); putenv (env);
976	putenv (env);
977	asprintf (&env, "DESTNODE=%s", conf->nodename);	1149	asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
978	putenv (env);	1150	asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
979	asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
980	putenv (env);
981	asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port));	1151	asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
982	putenv (env);
983	}	1152	}
984		1153
985	const char *connection::script_node_up ()	1154	const char *connection::script_node_up (int)
986	{	1155	{
987	script_node ();	1156	script_node ();
988		1157
989	putenv ("STATE=up");	1158	putenv ("STATE=up");
990		1159
991	return ::conf.script_node_up ? ::conf.script_node_up : "node-up";	1160	return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
992	}	1161	}
993		1162
994	const char *connection::script_node_down ()	1163	const char *connection::script_node_down (int)
995	{	1164	{
996	script_node ();	1165	script_node ();
997		1166
998	putenv ("STATE=down");	1167	putenv ("STATE=down");
999		1168
1000	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";	1169	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1001	}	1170	}
1002		1171
		1172	// send a vpn packet out to other hosts
		1173	void
		1174	connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
		1175	{
		1176	if (prot_send & PROT_IPv4)
		1177	vpn->send_ipv4_packet (pkt, si, tos);
		1178	else
		1179	vpn->send_udpv4_packet (pkt, si, tos);
		1180	}
		1181
		1182	connection::connection(struct vpn *vpn_)
		1183	: vpn(vpn_)
		1184	, rekey (this, &connection::rekey_cb)
		1185	, keepalive (this, &connection::keepalive_cb)
		1186	, establish_connection (this, &connection::establish_connection_cb)
		1187	{
		1188	octx = ictx = 0;
		1189	retry_cnt = 0;
		1190
		1191	connectmode = conf_node::C_ALWAYS; // initial setting
		1192	reset_connection ();
		1193	}
		1194
		1195	connection::~connection ()
		1196	{
		1197	shutdown ();
		1198	}
		1199
1003	/////////////////////////////////////////////////////////////////////////////	1200	/////////////////////////////////////////////////////////////////////////////
1004		1201
1005	vpn::vpn (void)
1006	{}
1007
1008	const char *vpn::script_if_up ()	1202	const char *vpn::script_if_up (int)
1009	{	1203	{
1010	// the tunnel device mtu should be the physical mtu - overhead	1204	// the tunnel device mtu should be the physical mtu - overhead
1011	// the tricky part is rounding to the cipher key blocksize	1205	// the tricky part is rounding to the cipher key blocksize
1012	int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - UDP_OVERHEAD;	1206	int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
1013	mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion	1207	mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
1014	mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round	1208	mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
1015	mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again	1209	mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
1016		1210
1017	char *env;	1211	char *env;
…		…
1032		1226
1033	return ::conf.script_if_up ? ::conf.script_if_up : "if-up";	1227	return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1034	}	1228	}
1035		1229
1036	int	1230	int
1037	vpn::setup (void)	1231	vpn::setup ()
1038	{	1232	{
1039	struct sockaddr_in sa;	1233	sockinfo si;
1040		1234
		1235	si.set (THISNODE);
		1236
		1237	udpv4_fd = -1;
		1238
		1239	if (THISNODE->protocols & PROT_UDPv4)
		1240	{
1041	socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);	1241	udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1042	if (socket_fd < 0)	1242
		1243	if (udpv4_fd < 0)
1043	return -1;	1244	return -1;
1044		1245
1045	fill_sa (&sa, THISNODE);	1246	if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1046		1247	{
1047	if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1048	{
1049	slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno));	1248	slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1050	exit (1);	1249	exit (1);
1051	}	1250	}
1052		1251
1053	#ifdef IP_MTU_DISCOVER	1252	#ifdef IP_MTU_DISCOVER
1054	// this I really consider a linux bug. I am neither connected	1253	// this I really consider a linux bug. I am neither connected
1055	// nor do I fragment myself. Linux still sets DF and doesn't	1254	// nor do I fragment myself. Linux still sets DF and doesn't
1056	// fragment for me sometimes.	1255	// fragment for me sometimes.
1057	{	1256	{
1058	int oval = IP_PMTUDISC_DONT;	1257	int oval = IP_PMTUDISC_DONT;
1059	setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);	1258	setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1060	}	1259	}
1061	#endif	1260	#endif
1062	{	1261
		1262	// standard daemon practise...
		1263	{
1063	int oval = 1;	1264	int oval = 1;
1064	setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);	1265	setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
		1266	}
		1267
		1268	udpv4_ev_watcher.start (udpv4_fd, POLLIN);
1065	}	1269	}
		1270
		1271	ipv4_fd = -1;
		1272	if (THISNODE->protocols & PROT_IPv4)
		1273	{
		1274	ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
		1275
		1276	if (ipv4_fd < 0)
		1277	return -1;
		1278
		1279	if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
		1280	{
		1281	slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
		1282	exit (1);
		1283	}
		1284
		1285	#ifdef IP_MTU_DISCOVER
		1286	// this I really consider a linux bug. I am neither connected
		1287	// nor do I fragment myself. Linux still sets DF and doesn't
		1288	// fragment for me sometimes.
		1289	{
		1290	int oval = IP_PMTUDISC_DONT;
		1291	setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
		1292	}
		1293	#endif
		1294
		1295	ipv4_ev_watcher.start (ipv4_fd, POLLIN);
		1296	}
1066		1297
1067	tap = new tap_device ();	1298	tap = new tap_device ();
1068	if (!tap) //D this, of course, never catches	1299	if (!tap) //D this, of course, never catches
1069	{	1300	{
1070	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);	1301	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1071	exit (1);	1302	exit (1);
1072	}	1303	}
1073		1304
1074	run_script (this, &vpn::script_if_up, true);	1305	run_script (run_script_cb (this, &vpn::script_if_up), true);
		1306
		1307	tap_ev_watcher.start (tap->fd, POLLIN);
		1308
		1309	reconnect_all ();
1075		1310
1076	return 0;	1311	return 0;
1077	}	1312	}
1078		1313
1079	void	1314	void
1080	vpn::send_vpn_packet (vpn_packet pkt, SOCKADDR sa)	1315	vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1081	{	1316	{
1082	sendto (socket_fd, &((pkt)[0]), pkt->len, 0, (sockaddr )sa, sizeof (*sa));	1317	setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
		1318	sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
		1319	}
		1320
		1321	void
		1322	vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
		1323	{
		1324	setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
		1325	sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
		1326	}
		1327
		1328	void
		1329	vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
		1330	{
		1331	unsigned int src = pkt->src ();
		1332	unsigned int dst = pkt->dst ();
		1333
		1334	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
		1335	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
		1336
		1337	if (src == 0 \|\| src > conns.size ()
		1338	\|\| dst > conns.size ()
		1339	\|\| pkt->typ () >= vpn_packet::PT_MAX)
		1340	slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)"),
		1341	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
		1342	else
		1343	{
		1344	connection *c = conns[src - 1];
		1345
		1346	if (dst == 0 && !THISNODE->routerprio)
		1347	slog (L_WARN, _("%s(%s): received broadcast, but we are no router"),
		1348	c->conf->nodename, (const char *)rsi);
		1349	else if (dst != 0 && dst != THISNODE->id)
		1350	// FORWARDING NEEDED ;)
		1351	slog (L_WARN,
		1352	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
		1353	dst, conns[dst - 1]->conf->nodename,
		1354	(const char *)rsi,
		1355	THISNODE->id, THISNODE->nodename);
		1356	else
		1357	c->recv_vpn_packet (pkt, rsi);
		1358	}
		1359	}
		1360
		1361	void
		1362	vpn::udpv4_ev (short revents)
		1363	{
		1364	if (revents & (POLLIN \| POLLERR))
		1365	{
		1366	vpn_packet *pkt = new vpn_packet;
		1367	struct sockaddr_in sa;
		1368	socklen_t sa_len = sizeof (sa);
		1369	int len;
		1370
		1371	len = recvfrom (udpv4_fd, &((pkt)[0]), MAXSIZE, 0, (sockaddr )&sa, &sa_len);
		1372
		1373	sockinfo si(sa);
		1374
		1375	if (len > 0)
		1376	{
		1377	pkt->len = len;
		1378
		1379	recv_vpn_packet (pkt, si);
		1380	}
		1381	else
		1382	{
		1383	// probably ECONNRESET or somesuch
		1384	slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
		1385	}
		1386
		1387	delete pkt;
		1388	}
		1389	else if (revents & POLLHUP)
		1390	{
		1391	// this cannot ;) happen on udp sockets
		1392	slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
		1393	exit (1);
		1394	}
		1395	else
		1396	{
		1397	slog (L_ERR,
		1398	_("FATAL: unknown revents %08x in socket, terminating\n"),
		1399	revents);
		1400	exit (1);
		1401	}
		1402	}
		1403
		1404	void
		1405	vpn::ipv4_ev (short revents)
		1406	{
		1407	if (revents & (POLLIN \| POLLERR))
		1408	{
		1409	vpn_packet *pkt = new vpn_packet;
		1410	struct sockaddr_in sa;
		1411	socklen_t sa_len = sizeof (sa);
		1412	int len;
		1413
		1414	len = recvfrom (ipv4_fd, &((pkt)[0]), MAXSIZE, 0, (sockaddr )&sa, &sa_len);
		1415
		1416	sockinfo si(sa, PROT_IPv4);
		1417
		1418	if (len > 0)
		1419	{
		1420	pkt->len = len;
		1421
		1422	// raw sockets deliver the ipv4, but don't expect it on sends
		1423	// this is slow, but...
		1424	pkt->skip_hdr (IP_OVERHEAD);
		1425
		1426	recv_vpn_packet (pkt, si);
		1427	}
		1428	else
		1429	{
		1430	// probably ECONNRESET or somesuch
		1431	slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
		1432	}
		1433
		1434	delete pkt;
		1435	}
		1436	else if (revents & POLLHUP)
		1437	{
		1438	// this cannot ;) happen on udp sockets
		1439	slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
		1440	exit (1);
		1441	}
		1442	else
		1443	{
		1444	slog (L_ERR,
		1445	_("FATAL: unknown revents %08x in socket, terminating\n"),
		1446	revents);
		1447	exit (1);
		1448	}
		1449	}
		1450
		1451	void
		1452	vpn::tap_ev (short revents)
		1453	{
		1454	if (revents & POLLIN)
		1455	{
		1456	/* process data */
		1457	tap_packet *pkt;
		1458
		1459	pkt = tap->recv ();
		1460
		1461	int dst = mac2id (pkt->dst);
		1462	int src = mac2id (pkt->src);
		1463
		1464	if (src != THISNODE->id)
		1465	{
		1466	slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
		1467	exit (1);
		1468	}
		1469
		1470	if (dst == THISNODE->id)
		1471	{
		1472	slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
		1473	exit (1);
		1474	}
		1475
		1476	if (dst > conns.size ())
		1477	slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
		1478	else
		1479	{
		1480	if (dst)
		1481	{
		1482	// unicast
		1483	if (dst != THISNODE->id)
		1484	conns[dst - 1]->inject_data_packet (pkt);
		1485	}
		1486	else
		1487	{
		1488	// broadcast, first check router, then self, then english
		1489	connection *router = find_router ();
		1490
		1491	if (router)
		1492	router->inject_data_packet (pkt, true);
		1493	else
		1494	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
		1495	if ((*c)->conf != THISNODE)
		1496	(*c)->inject_data_packet (pkt);
		1497	}
		1498	}
		1499
		1500	delete pkt;
		1501	}
		1502	else if (revents & (POLLHUP \| POLLERR))
		1503	{
		1504	slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
		1505	exit (1);
		1506	}
		1507	else
		1508	abort ();
		1509	}
		1510
		1511	void
		1512	vpn::event_cb (tstamp &ts)
		1513	{
		1514	if (events)
		1515	{
		1516	if (events & EVENT_SHUTDOWN)
		1517	{
		1518	slog (L_INFO, _("preparing shutdown..."));
		1519
		1520	shutdown_all ();
		1521
		1522	remove_pid (pidfilename);
		1523
		1524	slog (L_INFO, _("terminating"));
		1525
		1526	exit (0);
		1527	}
		1528
		1529	if (events & EVENT_RECONNECT)
		1530	{
		1531	slog (L_INFO, _("forced reconnect"));
		1532
		1533	reconnect_all ();
		1534	}
		1535
		1536	events = 0;
		1537	}
		1538
		1539	ts = TSTAMP_CANCEL;
1083	}	1540	}
1084		1541
1085	void	1542	void
1086	vpn::shutdown_all ()	1543	vpn::shutdown_all ()
1087	{	1544	{
…		…
1095	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	1552	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1096	delete *c;	1553	delete *c;
1097		1554
1098	conns.clear ();	1555	conns.clear ();
1099		1556
		1557	auth_rate_limiter.clear ();
		1558	reset_rate_limiter.clear ();
		1559
1100	for (configuration::node_vector::iterator i = conf.nodes.begin ();	1560	for (configuration::node_vector::iterator i = conf.nodes.begin ();
1101	i != conf.nodes.end (); ++i)	1561	i != conf.nodes.end (); ++i)
1102	{	1562	{
1103	connection *conn = new connection (this);	1563	connection *conn = new connection (this);
1104		1564
1105	conn->conf = *i;	1565	conn->conf = *i;
1106	conns.push_back (conn);	1566	conns.push_back (conn);
1107		1567
1108	if (conn->conf->connectmode == conf_node::C_ALWAYS)
1109	conn->establish_connection ();	1568	conn->establish_connection ();
1110	}	1569	}
1111	}	1570	}
1112		1571
1113	connection *vpn::find_router ()	1572	connection *vpn::find_router ()
1114	{	1573	{
…		…
1118	for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)	1577	for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1119	{	1578	{
1120	connection c = i;	1579	connection c = i;
1121		1580
1122	if (c->conf->routerprio > prio	1581	if (c->conf->routerprio > prio
1123	&& c->conf->connectmode == conf_node::C_ALWAYS	1582	&& c->connectmode == conf_node::C_ALWAYS
1124	&& c->conf != THISNODE	1583	&& c->conf != THISNODE
1125	&& c->ictx && c->octx)	1584	&& c->ictx && c->octx)
1126	{	1585	{
1127	prio = c->conf->routerprio;	1586	prio = c->conf->routerprio;
1128	router = c;	1587	router = c;
…		…
1136	{	1595	{
1137	connection *c = find_router ();	1596	connection *c = find_router ();
1138		1597
1139	if (c)	1598	if (c)
1140	c->connect_request (id);	1599	c->connect_request (id);
		1600	//else // does not work, because all others must connect to the same router
		1601	// // no router found, aggressively connect to all routers
		1602	// for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
		1603	// if ((*i)->conf->routerprio)
		1604	// (*i)->establish_connection ();
1141	}	1605	}
1142		1606
1143	void	1607	void
1144	vpn::main_loop ()	1608	connection::dump_status ()
1145	{	1609	{
1146	struct pollfd pollfd[2];	1610	slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
		1611	slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
		1612	connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
		1613	slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
		1614	(long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
		1615	slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
		1616	(long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
		1617	}
1147		1618
1148	pollfd[0].fd = tap->fd;	1619	void
1149	pollfd[0].events = POLLIN;	1620	vpn::dump_status ()
1150	pollfd[1].fd = socket_fd;	1621	{
1151	pollfd[1].events = POLLIN;	1622	slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
1152		1623
1153	events = 0;
1154	now = time (0);
1155	next_timecheck = now + 1;
1156
1157	reconnect_all ();
1158
1159	for (;;)
1160	{
1161	int npoll = poll (pollfd, 2, (next_timecheck - now) * 1000);
1162
1163	now = time (0);
1164
1165	if (npoll > 0)
1166	{
1167	if (pollfd[1].revents)
1168	{
1169	if (pollfd[1].revents & (POLLIN \| POLLERR))
1170	{
1171	vpn_packet *pkt = new vpn_packet;
1172	struct sockaddr_in sa;
1173	socklen_t sa_len = sizeof (sa);
1174	int len;
1175
1176	len = recvfrom (socket_fd, &((pkt)[0]), MAXSIZE, 0, (sockaddr )&sa, &sa_len);
1177
1178	if (len > 0)
1179	{
1180	pkt->len = len;
1181
1182	unsigned int src = pkt->src ();
1183	unsigned int dst = pkt->dst ();
1184
1185	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1186	(const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1187
1188	if (dst > conns.size () \|\| pkt->typ () >= vpn_packet::PT_MAX)
1189	slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1190	pkt->typ (), pkt->src (), pkt->dst ());
1191	else if (dst == 0 && !THISNODE->routerprio)
1192	slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1193	else if (dst != 0 && dst != THISNODE->id)
1194	slog (L_WARN,
1195	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1196	dst, conns[dst - 1]->conf->nodename,
1197	(const char *)sockinfo (sa),
1198	THISNODE->id, THISNODE->nodename);
1199	else if (src == 0 \|\| src > conns.size ())
1200	slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1201	else
1202	conns[src - 1]->recv_vpn_packet (pkt, &sa);
1203	}
1204	else
1205	{
1206	// probably ECONNRESET or somesuch
1207	slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno));
1208	}
1209
1210	delete pkt;
1211	}
1212	else if (pollfd[1].revents & POLLHUP)
1213	{
1214	// this cannot ;) happen on udp sockets
1215	slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating."));
1216	exit (1);
1217	}
1218	else
1219	{
1220	slog (L_ERR,
1221	_("FATAL: unknown revents %08x in socket, terminating\n"),
1222	pollfd[1].revents);
1223	exit (1);
1224	}
1225	}
1226
1227	// I use else here to give vpn_packets absolute priority
1228	else if (pollfd[0].revents)
1229	{
1230	if (pollfd[0].revents & POLLIN)
1231	{
1232	/* process data */
1233	tap_packet *pkt;
1234
1235	pkt = tap->recv ();
1236
1237	int dst = mac2id (pkt->dst);
1238	int src = mac2id (pkt->src);
1239
1240	if (src != THISNODE->id)
1241	{
1242	slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1243	exit (1);
1244	}
1245
1246	if (dst == THISNODE->id)
1247	{
1248	slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1249	exit (1);
1250	}
1251
1252	if (dst > conns.size ())
1253	slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1254	else
1255	{
1256	if (dst)
1257	{
1258	// unicast
1259	if (dst != THISNODE->id)
1260	conns[dst - 1]->inject_data_packet (pkt);
1261	}
1262	else
1263	{
1264	// broadcast, first check router, then self, then english
1265	connection *router = find_router ();
1266
1267	if (router)
1268	router->inject_data_packet (pkt, true);
1269	else
1270	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	1624	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1271	if ((*c)->conf != THISNODE)	1625	(*c)->dump_status ();
1272	(*c)->inject_data_packet (pkt);
1273	}
1274	}
1275		1626
1276	delete pkt;	1627	slog (L_NOTICE, _("END status dump"));
1277	}	1628	}
1278	else if (pollfd[0].revents & (POLLHUP \| POLLERR))
1279	{
1280	slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
1281	exit (1);
1282	}
1283	else
1284	abort ();
1285	}
1286	}
1287		1629
1288	if (events)	1630	vpn::vpn (void)
1289	{	1631	: udpv4_ev_watcher(this, &vpn::udpv4_ev)
1290	if (events & EVENT_SHUTDOWN)	1632	, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1291	{	1633	, tap_ev_watcher(this, &vpn::tap_ev)
1292	shutdown_all ();	1634	, event(this, &vpn::event_cb)
1293		1635	{
1294	remove_pid (pidfilename);
1295
1296	slog (L_INFO, _("vped terminating"));
1297
1298	exit (0);
1299	}
1300
1301	if (events & EVENT_RECONNECT)
1302	reconnect_all ();
1303
1304	events = 0;
1305	}
1306
1307	// very very very dumb and crude and inefficient timer handling, or maybe not?
1308	if (now >= next_timecheck)
1309	{
1310	next_timecheck = now + TIMER_GRANULARITY;
1311
1312	for (conns_vector::iterator c = conns.begin ();
1313	c != conns.end (); ++c)
1314	(*c)->timer ();
1315	}
1316	}
1317	}	1636	}
1318		1637
1319	vpn::~vpn ()	1638	vpn::~vpn ()
1320	{}	1639	{
		1640	}
1321		1641

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/src/protocol.C (file contents): Revision 1.1 by pcg, Sat Mar 1 15:53:03 2003 UTC vs. Revision 1.24 by pcg, Fri Mar 28 16:14:40 2003 UTC

Diff Legend

Comparing gvpe/src/protocol.C (file contents):
Revision 1.1 by pcg, Sat Mar 1 15:53:03 2003 UTC vs.
Revision 1.24 by pcg, Fri Mar 28 16:14:40 2003 UTC