ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/protocol.C
(Generate patch)

Comparing gvpe/src/protocol.C (file contents):
Revision 1.14 by pcg, Sat Mar 22 22:39:11 2003 UTC vs.
Revision 1.24 by pcg, Fri Mar 28 16:14:40 2003 UTC

58 58
59static time_t next_timecheck; 59static time_t next_timecheck;
60 60
61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
62 62
63static const rsachallenge & 63static u8
64challenge_bytes () 64best_protocol (u8 protset)
65{ 65{
66 static rsachallenge challenge; 66 if (protset & PROT_IPv4)
67 static double challenge_ttl; // time this challenge needs to be recreated 67 return PROT_IPv4;
68 68
69 if (NOW > challenge_ttl) 69 return PROT_UDPv4;
70 {
71 RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));
72 challenge_ttl = NOW + CHALLENGE_TTL;
73 }
74
75 return challenge;
76}
77
78// caching of rsa operations really helps slow computers
79struct rsa_entry {
80 tstamp expire;
81 rsachallenge chg;
82 RSA *key; // which key
83 rsaencrdata encr;
84
85 rsa_entry ()
86 {
87 expire = NOW + CHALLENGE_TTL;
88 }
89};
90
91struct rsa_cache : list<rsa_entry>
92{
93 void cleaner_cb (tstamp &ts); time_watcher cleaner;
94
95 const rsaencrdata *public_encrypt (RSA *key, const rsachallenge &chg)
96 {
97 for (iterator i = begin (); i != end (); ++i)
98 {
99 if (i->key == key && !memcmp (&chg, &i->chg, sizeof chg))
100 return &i->encr;
101 }
102
103 if (cleaner.at < NOW)
104 cleaner.start (NOW + CHALLENGE_TTL);
105
106 resize (size () + 1);
107 rsa_entry *e = &(*rbegin ());
108
109 e->key = key;
110 memcpy (&e->chg, &chg, sizeof chg);
111
112 if (0 > RSA_public_encrypt (sizeof chg,
113 (unsigned char *)&chg, (unsigned char *)&e->encr,
114 key, RSA_PKCS1_OAEP_PADDING))
115 fatal ("RSA_public_encrypt error");
116
117 return &e->encr;
118 }
119
120 const rsachallenge *private_decrypt (RSA *key, const rsaencrdata &encr)
121 {
122 for (iterator i = begin (); i != end (); ++i)
123 if (i->key == key && !memcmp (&encr, &i->encr, sizeof encr))
124 return &i->chg;
125
126 if (cleaner.at < NOW)
127 cleaner.start (NOW + CHALLENGE_TTL);
128
129 resize (size () + 1);
130 rsa_entry *e = &(*rbegin ());
131
132 e->key = key;
133 memcpy (&e->encr, &encr, sizeof encr);
134
135 if (0 > RSA_private_decrypt (sizeof encr,
136 (unsigned char *)&encr, (unsigned char *)&e->chg,
137 key, RSA_PKCS1_OAEP_PADDING))
138 {
139 pop_back ();
140 return 0;
141 }
142
143 return &e->chg;
144 }
145
146 rsa_cache ()
147 : cleaner (this, &rsa_cache::cleaner_cb)
148 { }
149
150} rsa_cache;
151
152void rsa_cache::cleaner_cb (tstamp &ts)
153{
154 if (empty ())
155 ts = TSTAMP_CANCEL;
156 else
157 {
158 ts = NOW + 3;
159 for (iterator i = begin (); i != end (); )
160 {
161 if (i->expire >= NOW)
162 i = erase (i);
163 else
164 ++i;
165 }
166 }
167}
168
169// run a script. yes, it's a template function. yes, c++
170// is not a functional language. yes, this suxx.
171template<class owner>
172static void
173run_script (owner *obj, const char *(owner::*setup)(), bool wait)
174{
175 int pid;
176
177 if ((pid = fork ()) == 0)
178 {
179 char *filename;
180 asprintf (&filename, "%s/%s", confbase, (obj->*setup) ());
181 execl (filename, filename, (char *) 0);
182 exit (255);
183 }
184 else if (pid > 0)
185 {
186 if (wait)
187 {
188 waitpid (pid, 0, 0);
189 /* TODO: check status */
190 }
191 }
192}
193
194// xor the socket address into the challenge to ensure different challenges
195// per host. we could rely on the OAEP padding, but this doesn't hurt.
196void
197xor_sa (rsachallenge &k, SOCKADDR *sa)
198{
199 ((u32 *) k)[(CHG_CIPHER_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
200 ((u16 *) k)[(CHG_CIPHER_KEY + 4) / 2] ^= sa->sin_port;
201 ((u32 *) k)[(CHG_HMAC_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
202 ((u16 *) k)[(CHG_HMAC_KEY + 4) / 2] ^= sa->sin_port;
203} 70}
204 71
205struct crypto_ctx 72struct crypto_ctx
206 { 73 {
207 EVP_CIPHER_CTX cctx; 74 EVP_CIPHER_CTX cctx;
223{ 90{
224 EVP_CIPHER_CTX_cleanup (&cctx); 91 EVP_CIPHER_CTX_cleanup (&cctx);
225 HMAC_CTX_cleanup (&hctx); 92 HMAC_CTX_cleanup (&hctx);
226} 93}
227 94
95static void
96rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
97{
98 EVP_MD_CTX ctx;
99
100 EVP_MD_CTX_init (&ctx);
101 EVP_DigestInit (&ctx, RSA_HASH);
102 EVP_DigestUpdate(&ctx, &chg, sizeof chg);
103 EVP_DigestUpdate(&ctx, &id, sizeof id);
104 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
105 EVP_MD_CTX_cleanup (&ctx);
106}
107
108struct rsa_entry {
109 tstamp expire;
110 rsaid id;
111 rsachallenge chg;
112};
113
114struct rsa_cache : list<rsa_entry>
115{
116 void cleaner_cb (tstamp &ts); time_watcher cleaner;
117
118 bool find (const rsaid &id, rsachallenge &chg)
119 {
120 for (iterator i = begin (); i != end (); ++i)
121 {
122 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
123 {
124 memcpy (&chg, &i->chg, sizeof chg);
125
126 erase (i);
127 return true;
128 }
129 }
130
131 if (cleaner.at < NOW)
132 cleaner.start (NOW + RSA_TTL);
133
134 return false;
135 }
136
137 void gen (rsaid &id, rsachallenge &chg)
138 {
139 rsa_entry e;
140
141 RAND_bytes ((unsigned char *)&id, sizeof id);
142 RAND_bytes ((unsigned char *)&chg, sizeof chg);
143
144 e.expire = NOW + RSA_TTL;
145 e.id = id;
146 memcpy (&e.chg, &chg, sizeof chg);
147
148 push_back (e);
149
150 if (cleaner.at < NOW)
151 cleaner.start (NOW + RSA_TTL);
152 }
153
154 rsa_cache ()
155 : cleaner (this, &rsa_cache::cleaner_cb)
156 { }
157
158} rsa_cache;
159
160void rsa_cache::cleaner_cb (tstamp &ts)
161{
162 if (empty ())
163 ts = TSTAMP_CANCEL;
164 else
165 {
166 ts = NOW + RSA_TTL;
167
168 for (iterator i = begin (); i != end (); )
169 if (i->expire <= NOW)
170 i = erase (i);
171 else
172 ++i;
173 }
174}
175
176typedef callback<const char *, int> run_script_cb;
177
178// run a shell script (or actually an external program).
179static void
180run_script (const run_script_cb &cb, bool wait)
181{
182 int pid;
183
184 if ((pid = fork ()) == 0)
185 {
186 char *filename;
187 asprintf (&filename, "%s/%s", confbase, cb(0));
188 execl (filename, filename, (char *) 0);
189 exit (255);
190 }
191 else if (pid > 0)
192 {
193 if (wait)
194 {
195 waitpid (pid, 0, 0);
196 /* TODO: check status */
197 }
198 }
199}
200
228////////////////////////////////////////////////////////////////////////////// 201//////////////////////////////////////////////////////////////////////////////
229 202
230void pkt_queue::put (tap_packet *p) 203void pkt_queue::put (tap_packet *p)
231{ 204{
232 if (queue[i]) 205 if (queue[i])
264{ 237{
265 for (i = QUEUEDEPTH; --i > 0; ) 238 for (i = QUEUEDEPTH; --i > 0; )
266 delete queue[i]; 239 delete queue[i];
267} 240}
268 241
242struct net_rateinfo {
243 u32 host;
244 double pcnt, diff;
245 tstamp last;
246};
247
269// only do action once every x seconds per host. 248// only do action once every x seconds per host whole allowing bursts.
270// currently this is quite a slow implementation, 249// this implementation ("splay list" ;) is inefficient,
271// but suffices for normal operation. 250// but low on resources.
272struct u32_rate_limiter : private map<u32, tstamp> 251struct net_rate_limiter : list<net_rateinfo>
273 { 252{
274 tstamp every; 253 static const double ALPHA = 1. - 1. / 90.; // allow bursts
254 static const double CUTOFF = 20.; // one event every CUTOFF seconds
255 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
275 256
257 bool can (const sockinfo &si) { return can((u32)si.host); }
276 bool can (u32 host); 258 bool can (u32 host);
277
278 u32_rate_limiter (tstamp every = 1)
279 {
280 this->every = every;
281 }
282 }; 259};
283 260
284struct net_rate_limiter : u32_rate_limiter 261net_rate_limiter auth_rate_limiter, reset_rate_limiter;
285 {
286 bool can (SOCKADDR *sa) { return u32_rate_limiter::can((u32)sa->sin_addr.s_addr); }
287 bool can (sockinfo &si) { return u32_rate_limiter::can((u32)si.host); }
288 262
289 net_rate_limiter (tstamp every) : u32_rate_limiter (every) {}
290 };
291
292bool u32_rate_limiter::can (u32 host) 263bool net_rate_limiter::can (u32 host)
293{ 264{
294 iterator i; 265 iterator i;
295 266
296 for (i = begin (); i != end (); ) 267 for (i = begin (); i != end (); )
297 if (i->second <= NOW) 268 if (i->host == host)
298 { 269 break;
270 else if (i->last < NOW - EXPIRE)
299 erase (i); 271 i = erase (i);
300 i = begin ();
301 }
302 else 272 else
303 ++i; 273 i++;
304 274
305 i = find (host);
306
307 if (i != end ()) 275 if (i == end ())
308 return false; 276 {
277 net_rateinfo ri;
309 278
310 insert (value_type (host, NOW + every)); 279 ri.host = host;
280 ri.pcnt = 1.;
281 ri.diff = CUTOFF * (1. / (1. - ALPHA));
282 ri.last = NOW;
311 283
284 push_front (ri);
285
312 return true; 286 return true;
287 }
288 else
289 {
290 net_rateinfo ri (*i);
291 erase (i);
292
293 ri.pcnt = ri.pcnt * ALPHA;
294 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
295
296 ri.last = NOW;
297
298 bool send = ri.diff / ri.pcnt > CUTOFF;
299
300 if (send)
301 ri.pcnt++;
302
303 push_front (ri);
304
305 return send;
306 }
313} 307}
314 308
315///////////////////////////////////////////////////////////////////////////// 309/////////////////////////////////////////////////////////////////////////////
316 310
317static void next_wakeup (time_t next) 311static void next_wakeup (time_t next)
321} 315}
322 316
323static unsigned char hmac_digest[EVP_MAX_MD_SIZE]; 317static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
324 318
325struct hmac_packet:net_packet 319struct hmac_packet:net_packet
320{
321 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
322
323 void hmac_set (crypto_ctx * ctx);
324 bool hmac_chk (crypto_ctx * ctx);
325
326private:
327 void hmac_gen (crypto_ctx * ctx)
326 { 328 {
327 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
328
329 void hmac_set (crypto_ctx * ctx);
330 bool hmac_chk (crypto_ctx * ctx);
331
332private:
333 void hmac_gen (crypto_ctx * ctx)
334 {
335 unsigned int xlen; 329 unsigned int xlen;
336 HMAC_CTX *hctx = &ctx->hctx; 330 HMAC_CTX *hctx = &ctx->hctx;
337 331
338 HMAC_Init_ex (hctx, 0, 0, 0, 0); 332 HMAC_Init_ex (hctx, 0, 0, 0, 0);
339 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), 333 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
340 len - sizeof (hmac_packet)); 334 len - sizeof (hmac_packet));
341 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen); 335 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
342 }
343 }; 336 }
337};
344 338
345void 339void
346hmac_packet::hmac_set (crypto_ctx * ctx) 340hmac_packet::hmac_set (crypto_ctx * ctx)
347{ 341{
348 hmac_gen (ctx); 342 hmac_gen (ctx);
364 { 358 {
365 PT_RESET = 0, 359 PT_RESET = 0,
366 PT_DATA_UNCOMPRESSED, 360 PT_DATA_UNCOMPRESSED,
367 PT_DATA_COMPRESSED, 361 PT_DATA_COMPRESSED,
368 PT_PING, PT_PONG, // wasting namespace space? ;) 362 PT_PING, PT_PONG, // wasting namespace space? ;)
369 PT_AUTH, // authentification 363 PT_AUTH_REQ, // authentification request
364 PT_AUTH_RES, // authentification response
370 PT_CONNECT_REQ, // want other host to contact me 365 PT_CONNECT_REQ, // want other host to contact me
371 PT_CONNECT_INFO, // request connection to some node 366 PT_CONNECT_INFO, // request connection to some node
372 PT_REKEY, // rekeying (not yet implemented)
373 PT_MAX 367 PT_MAX
374 }; 368 };
375 369
376 u8 type; 370 u8 type;
377 u8 srcdst, src1, dst1; 371 u8 srcdst, src1, dst1;
378 372
379 void set_hdr (ptype type, unsigned int dst); 373 void set_hdr (ptype type, unsigned int dst);
380 374
381 unsigned int src () 375 unsigned int src () const
382 { 376 {
383 return src1 | ((srcdst >> 4) << 8); 377 return src1 | ((srcdst >> 4) << 8);
384 } 378 }
385 379
386 unsigned int dst () 380 unsigned int dst () const
387 { 381 {
388 return dst1 | ((srcdst & 0xf) << 8); 382 return dst1 | ((srcdst & 0xf) << 8);
389 } 383 }
390 384
391 ptype typ () 385 ptype typ () const
392 { 386 {
393 return (ptype) type; 387 return (ptype) type;
394 } 388 }
395 }; 389 };
396 390
515 509
516#if ENABLE_COMPRESSION 510#if ENABLE_COMPRESSION
517 if (type == PT_DATA_COMPRESSED) 511 if (type == PT_DATA_COMPRESSED)
518 { 512 {
519 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1]; 513 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
514
520 p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6; 515 p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
516 &(*p)[6 + 6], MAX_MTU)
517 + 6 + 6;
521 } 518 }
522 else 519 else
523 p->len = outl + (6 + 6 - DATAHDR); 520 p->len = outl + (6 + 6 - DATAHDR);
524#endif 521#endif
525 522
526 return p; 523 return p;
527} 524}
528 525
529struct ping_packet : vpn_packet 526struct ping_packet : vpn_packet
527{
528 void setup (int dst, ptype type)
530 { 529 {
531 void setup (int dst, ptype type)
532 {
533 set_hdr (type, dst); 530 set_hdr (type, dst);
534 len = sizeof (*this) - sizeof (net_packet); 531 len = sizeof (*this) - sizeof (net_packet);
535 }
536 }; 532 }
533};
537 534
538struct config_packet : vpn_packet 535struct config_packet : vpn_packet
536{
537 // actually, hmaclen cannot be checked because the hmac
538 // field comes before this data, so peers with other
539 // hmacs simply will not work.
540 u8 prot_major, prot_minor, randsize, hmaclen;
541 u8 flags, challengelen, pad2, pad3;
542 u32 cipher_nid, digest_nid, hmac_nid;
543
544 const u8 curflags () const
539 { 545 {
540 // actually, hmaclen cannot be checked because the hmac
541 // field comes before this data, so peers with other
542 // hmacs simply will not work.
543 u8 prot_major, prot_minor, randsize, hmaclen;
544 u8 flags, challengelen, pad2, pad3;
545 u32 cipher_nid;
546 u32 digest_nid;
547
548 const u8 curflags () const
549 {
550 return 0x80 546 return 0x80
551 | (ENABLE_COMPRESSION ? 0x01 : 0x00); 547 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
552 } 548 }
553 549
554 void setup (ptype type, int dst) 550 void setup (ptype type, int dst);
555 { 551 bool chk_config () const;
552};
553
554void config_packet::setup (ptype type, int dst)
555{
556 prot_major = PROTOCOL_MAJOR; 556 prot_major = PROTOCOL_MAJOR;
557 prot_minor = PROTOCOL_MINOR; 557 prot_minor = PROTOCOL_MINOR;
558 randsize = RAND_SIZE; 558 randsize = RAND_SIZE;
559 hmaclen = HMACLENGTH; 559 hmaclen = HMACLENGTH;
560 flags = curflags (); 560 flags = curflags ();
561 challengelen = sizeof (rsachallenge); 561 challengelen = sizeof (rsachallenge);
562 562
563 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 563 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
564 digest_nid = htonl (EVP_MD_type (DIGEST)); 564 digest_nid = htonl (EVP_MD_type (RSA_HASH));
565 hmac_nid = htonl (EVP_MD_type (DIGEST));
565 566
566 len = sizeof (*this) - sizeof (net_packet); 567 len = sizeof (*this) - sizeof (net_packet);
567 set_hdr (type, dst); 568 set_hdr (type, dst);
568 } 569}
569 570
570 bool chk_config () 571bool config_packet::chk_config () const
571 { 572{
572 return prot_major == PROTOCOL_MAJOR 573 return prot_major == PROTOCOL_MAJOR
573 && randsize == RAND_SIZE 574 && randsize == RAND_SIZE
574 && hmaclen == HMACLENGTH 575 && hmaclen == HMACLENGTH
575 && flags == curflags () 576 && flags == curflags ()
576 && challengelen == sizeof (rsachallenge) 577 && challengelen == sizeof (rsachallenge)
577 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 578 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
579 && digest_nid == htonl (EVP_MD_type (RSA_HASH))
578 && digest_nid == htonl (EVP_MD_type (DIGEST)); 580 && hmac_nid == htonl (EVP_MD_type (DIGEST));
579 } 581}
580 };
581 582
582struct auth_packet : config_packet 583struct auth_req_packet : config_packet
584{
585 char magic[8];
586 u8 initiate; // false if this is just an automatic reply
587 u8 protocols; // supported protocols (will get patches on forward)
588 u8 pad2, pad3;
589 rsaid id;
590 rsaencrdata encr;
591
592 auth_req_packet (int dst, bool initiate_, u8 protocols_)
583 { 593 {
584 char magic[8];
585 u8 subtype;
586 u8 pad1, pad2;
587 rsaencrdata challenge;
588
589 auth_packet (int dst, auth_subtype stype)
590 {
591 config_packet::setup (PT_AUTH, dst); 594 config_packet::setup (PT_AUTH_REQ, dst);
592 subtype = stype; 595 strncpy (magic, MAGIC, 8);
596 initiate = !!initiate_;
597 protocols = protocols_;
598
593 len = sizeof (*this) - sizeof (net_packet); 599 len = sizeof (*this) - sizeof (net_packet);
594 strncpy (magic, MAGIC, 8);
595 }
596 }; 600 }
601};
602
603struct auth_res_packet : config_packet
604{
605 rsaid id;
606 u8 pad1, pad2, pad3;
607 u8 response_len; // encrypted length
608 rsaresponse response;
609
610 auth_res_packet (int dst)
611 {
612 config_packet::setup (PT_AUTH_RES, dst);
613
614 len = sizeof (*this) - sizeof (net_packet);
615 }
616};
597 617
598struct connect_req_packet : vpn_packet 618struct connect_req_packet : vpn_packet
619{
620 u8 id, protocols;
621 u8 pad1, pad2;
622
623 connect_req_packet (int dst, int id_, u8 protocols_)
624 : id(id_)
625 , protocols(protocols_)
599 { 626 {
600 u8 id;
601 u8 pad1, pad2, pad3;
602
603 connect_req_packet (int dst, int id)
604 {
605 this->id = id;
606 set_hdr (PT_CONNECT_REQ, dst); 627 set_hdr (PT_CONNECT_REQ, dst);
607 len = sizeof (*this) - sizeof (net_packet); 628 len = sizeof (*this) - sizeof (net_packet);
608 }
609 }; 629 }
630};
610 631
611struct connect_info_packet : vpn_packet 632struct connect_info_packet : vpn_packet
633{
634 u8 id, protocols;
635 u8 pad1, pad2;
636 sockinfo si;
637
638 connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
639 : id(id_)
640 , protocols(protocols_)
641 , si(si_)
612 { 642 {
613 u8 id;
614 u8 pad1, pad2, pad3;
615 sockinfo si;
616
617 connect_info_packet (int dst, int id, sockinfo &si)
618 {
619 this->id = id;
620 this->si = si;
621 set_hdr (PT_CONNECT_INFO, dst); 643 set_hdr (PT_CONNECT_INFO, dst);
644
622 len = sizeof (*this) - sizeof (net_packet); 645 len = sizeof (*this) - sizeof (net_packet);
623 }
624 }; 646 }
647};
625 648
626///////////////////////////////////////////////////////////////////////////// 649/////////////////////////////////////////////////////////////////////////////
627 650
628void 651void
629fill_sa (SOCKADDR *sa, conf_node *conf)
630{
631 sa->sin_family = AF_INET;
632 sa->sin_port = htons (conf->port);
633 sa->sin_addr.s_addr = 0;
634
635 if (conf->hostname)
636 {
637 struct hostent *he = gethostbyname (conf->hostname);
638
639 if (he
640 && he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
641 {
642 //sa->sin_family = he->h_addrtype;
643 memcpy (&sa->sin_addr, he->h_addr_list[0], 4);
644 }
645 else
646 slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
647 }
648}
649
650void
651connection::reset_dstaddr () 652connection::reset_dstaddr ()
652{ 653{
653 fill_sa (&sa, conf); 654 si.set (conf);
654} 655}
655 656
656void 657void
657connection::send_ping (SOCKADDR *dsa, u8 pong) 658connection::send_ping (const sockinfo &si, u8 pong)
658{ 659{
659 ping_packet *pkt = new ping_packet; 660 ping_packet *pkt = new ping_packet;
660 661
661 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 662 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
662 vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY); 663 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
663 664
664 delete pkt; 665 delete pkt;
665} 666}
666 667
667void 668void
668connection::send_reset (SOCKADDR *dsa) 669connection::send_reset (const sockinfo &si)
669{ 670{
670 static net_rate_limiter limiter(1);
671
672 if (limiter.can (dsa) && connectmode != conf_node::C_DISABLED) 671 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
673 { 672 {
674 config_packet *pkt = new config_packet; 673 config_packet *pkt = new config_packet;
675 674
676 pkt->setup (vpn_packet::PT_RESET, conf->id); 675 pkt->setup (vpn_packet::PT_RESET, conf->id);
677 vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST); 676 send_vpn_packet (pkt, si, IPTOS_MINCOST);
678 677
679 delete pkt; 678 delete pkt;
680 } 679 }
681} 680}
682 681
683static rsachallenge *
684gen_challenge (u32 seqrand, SOCKADDR *sa)
685{
686 static rsachallenge k;
687
688 memcpy (&k, &challenge_bytes (), sizeof (k));
689 *(u32 *)&k[CHG_SEQNO] ^= seqrand;
690 xor_sa (k, sa);
691
692 return &k;
693}
694
695void 682void
696connection::send_auth (auth_subtype subtype, SOCKADDR *sa, const rsachallenge *k) 683connection::send_auth_request (const sockinfo &si, bool initiate)
697{ 684{
698 static net_rate_limiter limiter(0.2); 685 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
699 686
700 if (subtype != AUTH_INIT || limiter.can (sa)) 687 prot_send = best_protocol (THISNODE->protocols & conf->protocols);
701 {
702 if (!k)
703 k = gen_challenge (seqrand, sa);
704 688
705 auth_packet *pkt = new auth_packet (conf->id, subtype); 689 rsachallenge chg;
706 690
707 memcpy (pkt->challenge, rsa_cache.public_encrypt (conf->rsa_key, *k), sizeof (rsaencrdata)); 691 rsa_cache.gen (pkt->id, chg);
708 692
693 if (0 > RSA_public_encrypt (sizeof chg,
694 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
695 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
696 fatal ("RSA_public_encrypt error");
697
709 slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa)); 698 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
710 699
711 vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); 700 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
712 701
713 delete pkt; 702 delete pkt;
714 } 703}
704
705void
706connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
707{
708 auth_res_packet *pkt = new auth_res_packet (conf->id);
709
710 pkt->id = id;
711
712 rsa_hash (id, chg, pkt->response);
713
714 pkt->hmac_set (octx);
715
716 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
717
718 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
719
720 delete pkt;
721}
722
723void
724connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
725{
726 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
727 conf->id, rid, (const char *)rsi);
728
729 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
730
731 r->hmac_set (octx);
732 send_vpn_packet (r, si);
733
734 delete r;
715} 735}
716 736
717void 737void
718connection::establish_connection_cb (tstamp &ts) 738connection::establish_connection_cb (tstamp &ts)
719{ 739{
720 if (ictx || conf == THISNODE || connectmode == conf_node::C_NEVER) 740 if (ictx || conf == THISNODE
741 || connectmode == conf_node::C_NEVER
742 || connectmode == conf_node::C_DISABLED)
721 ts = TSTAMP_CANCEL; 743 ts = TSTAMP_CANCEL;
722 else if (ts <= NOW) 744 else if (ts <= NOW)
723 { 745 {
724 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.25; 746 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
725 747
726 if (retry_int < 3600 * 8) 748 if (retry_int < 3600 * 8)
727 retry_cnt++; 749 retry_cnt++;
728 750
729 if (connectmode == conf_node::C_ONDEMAND
730 && retry_int > ::conf.keepalive)
731 retry_int = ::conf.keepalive;
732
733 ts = NOW + retry_int; 751 ts = NOW + retry_int;
734 752
735 if (conf->hostname) 753 if (conf->hostname)
736 { 754 {
737 reset_dstaddr (); 755 reset_dstaddr ();
738 if (sa.sin_addr.s_addr) 756 if (si.host && auth_rate_limiter.can (si))
757 {
739 if (retry_cnt < 4) 758 if (retry_cnt < 4)
740 send_auth (AUTH_INIT, &sa); 759 send_auth_request (si, true);
741 else 760 else
742 send_ping (&sa, 0); 761 send_ping (si, 0);
762 }
743 } 763 }
744 else 764 else
745 vpn->connect_request (conf->id); 765 vpn->connect_request (conf->id);
746 } 766 }
747} 767}
749void 769void
750connection::reset_connection () 770connection::reset_connection ()
751{ 771{
752 if (ictx && octx) 772 if (ictx && octx)
753 { 773 {
754 slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename); 774 slog (L_INFO, _("%s(%s): connection lost"),
775 conf->nodename, (const char *)si);
755 776
756 if (::conf.script_node_down) 777 if (::conf.script_node_down)
757 run_script (this, &connection::script_node_down, false); 778 run_script (run_script_cb (this, &connection::script_node_down), false);
758 } 779 }
759 780
760 delete ictx; ictx = 0; 781 delete ictx; ictx = 0;
761 delete octx; octx = 0; 782 delete octx; octx = 0;
762 783
763 RAND_bytes ((unsigned char *)&seqrand, sizeof (u32)); 784 si.host= 0;
764
765 sa.sin_port = 0;
766 sa.sin_addr.s_addr = 0;
767 785
768 last_activity = 0; 786 last_activity = 0;
787 retry_cnt = 0;
769 788
770 rekey.reset (); 789 rekey.reset ();
771 keepalive.reset (); 790 keepalive.reset ();
772 establish_connection.reset (); 791 establish_connection.reset ();
773} 792}
774 793
775void 794void
776connection::shutdown () 795connection::shutdown ()
777{ 796{
778 if (ictx && octx) 797 if (ictx && octx)
779 send_reset (&sa); 798 send_reset (si);
780 799
781 reset_connection (); 800 reset_connection ();
782} 801}
783 802
784void 803void
789 reset_connection (); 808 reset_connection ();
790 establish_connection (); 809 establish_connection ();
791} 810}
792 811
793void 812void
794connection::send_data_packet (tap_packet * pkt, bool broadcast) 813connection::send_data_packet (tap_packet *pkt, bool broadcast)
795{ 814{
796 vpndata_packet *p = new vpndata_packet; 815 vpndata_packet *p = new vpndata_packet;
797 int tos = 0; 816 int tos = 0;
798 817
799 if (conf->inherit_tos 818 if (conf->inherit_tos
800 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 819 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
801 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 820 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
802 tos = (*pkt)[15] & IPTOS_TOS_MASK; 821 tos = (*pkt)[15] & IPTOS_TOS_MASK;
803 822
804 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 823 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
805 vpn->send_vpn_packet (p, &sa, tos); 824 send_vpn_packet (p, si, tos);
806 825
807 delete p; 826 delete p;
808 827
809 if (oseqno > MAX_SEQNO) 828 if (oseqno > MAX_SEQNO)
810 rekey (); 829 rekey ();
823 establish_connection (); 842 establish_connection ();
824 } 843 }
825} 844}
826 845
827void 846void
828connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa) 847connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
829{ 848{
830 last_activity = NOW; 849 last_activity = NOW;
831 850
832 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 851 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
833 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 852 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
834 853
835 switch (pkt->typ ()) 854 switch (pkt->typ ())
836 { 855 {
837 case vpn_packet::PT_PING: 856 case vpn_packet::PT_PING:
857 // we send pings instead of auth packets after some retries,
858 // so reset the retry counter and establish a connection
859 // when we receive a ping.
860 if (!ictx)
861 {
862 if (auth_rate_limiter.can (rsi))
863 send_auth_request (rsi, true);
864 }
865 else
838 send_ping (ssa, 1); // pong 866 send_ping (rsi, 1); // pong
867
839 break; 868 break;
840 869
841 case vpn_packet::PT_PONG: 870 case vpn_packet::PT_PONG:
842 // we send pings instead of auth packets after some retries,
843 // so reset the retry counter and establish a conenction
844 // when we receive a pong.
845 if (!ictx && !octx)
846 {
847 retry_cnt = 0;
848 establish_connection.at = 0;
849 establish_connection ();
850 }
851
852 break; 871 break;
853 872
854 case vpn_packet::PT_RESET: 873 case vpn_packet::PT_RESET:
855 { 874 {
856 reset_connection (); 875 reset_connection ();
857 876
858 config_packet *p = (config_packet *) pkt; 877 config_packet *p = (config_packet *) pkt;
878
859 if (!p->chk_config ()) 879 if (!p->chk_config ())
860 { 880 {
861 slog (L_WARN, _("protocol mismatch, disabling node '%s'"), conf->nodename); 881 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
882 conf->nodename, (const char *)rsi);
862 connectmode = conf_node::C_DISABLED; 883 connectmode = conf_node::C_DISABLED;
863 } 884 }
864 else if (connectmode == conf_node::C_ALWAYS) 885 else if (connectmode == conf_node::C_ALWAYS)
865 establish_connection (); 886 establish_connection ();
866 } 887 }
867 break; 888 break;
868 889
869 case vpn_packet::PT_AUTH: 890 case vpn_packet::PT_AUTH_REQ:
891 if (auth_rate_limiter.can (rsi))
892 {
893 auth_req_packet *p = (auth_req_packet *) pkt;
894
895 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
896
897 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
898 {
899 if (p->prot_minor != PROTOCOL_MINOR)
900 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
901 conf->nodename, (const char *)rsi,
902 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
903
904 if (p->initiate)
905 send_auth_request (rsi, false);
906
907 rsachallenge k;
908
909 if (0 > RSA_private_decrypt (sizeof (p->encr),
910 (unsigned char *)&p->encr, (unsigned char *)&k,
911 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
912 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
913 conf->nodename, (const char *)rsi);
914 else
915 {
916 retry_cnt = 0;
917 establish_connection.set (NOW + 8); //? ;)
918 keepalive.reset ();
919 rekey.reset ();
920
921 delete ictx;
922 ictx = 0;
923
924 delete octx;
925
926 octx = new crypto_ctx (k, 1);
927 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
928
929 conf->protocols = p->protocols;
930 send_auth_response (rsi, p->id, k);
931
932 break;
933 }
934 }
935
936 send_reset (rsi);
937 }
938
939 break;
940
941 case vpn_packet::PT_AUTH_RES:
870 { 942 {
871 auth_packet *p = (auth_packet *) pkt; 943 auth_res_packet *p = (auth_res_packet *) pkt;
872 944
873 slog (L_TRACE, "<<%d PT_AUTH(%d)", conf->id, p->subtype); 945 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
874 946
875 if (p->chk_config () 947 if (p->chk_config ())
876 && !strncmp (p->magic, MAGIC, 8))
877 { 948 {
878 if (p->prot_minor != PROTOCOL_MINOR) 949 if (p->prot_minor != PROTOCOL_MINOR)
879 slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."), 950 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
951 conf->nodename, (const char *)rsi,
880 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 952 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
881 953
882 if (p->subtype == AUTH_INIT) 954 rsachallenge chg;
883 send_auth (AUTH_INITREPLY, ssa);
884 955
885 const rsachallenge *k = rsa_cache.private_decrypt (::conf.rsa_key, p->challenge); 956 if (!rsa_cache.find (p->id, chg))
886 957 slog (L_ERR, _("%s(%s): unrequested auth response"),
887 if (!k) 958 conf->nodename, (const char *)rsi);
959 else
888 { 960 {
889 slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"), 961 crypto_ctx *cctx = new crypto_ctx (chg, 0);
962
963 if (!p->hmac_chk (cctx))
964 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
965 "could be an attack, or just corruption or an synchronization error"),
890 conf->nodename, (const char *)sockinfo (ssa)); 966 conf->nodename, (const char *)rsi);
891 break; 967 else
892 }
893
894 retry_cnt = 0;
895 establish_connection.set (NOW + 8); //? ;)
896 keepalive.reset ();
897 rekey.reset ();
898
899 switch (p->subtype)
900 {
901 case AUTH_INIT:
902 case AUTH_INITREPLY:
903 delete ictx;
904 ictx = 0;
905
906 delete octx;
907
908 octx = new crypto_ctx (*k, 1);
909 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
910
911 send_auth (AUTH_REPLY, ssa, k);
912 break;
913
914 case AUTH_REPLY:
915
916 if (!memcmp ((u8 *)gen_challenge (seqrand, ssa), (u8 *)k, sizeof (rsachallenge)))
917 { 968 {
918 delete ictx;
919
920 ictx = new crypto_ctx (*k, 0);
921 iseqno.reset (ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
922
923 sa = *ssa; 969 rsaresponse h;
924 970
925 rekey.set (NOW + ::conf.rekey); 971 rsa_hash (p->id, chg, h);
926 keepalive.set (NOW + ::conf.keepalive);
927 972
928 // send queued packets 973 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
929 while (tap_packet *p = queue.get ())
930 { 974 {
975 prot_minor = p->prot_minor;
976
977 delete ictx; ictx = cctx;
978
979 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
980
981 si = rsi;
982
983 rekey.set (NOW + ::conf.rekey);
984 keepalive.set (NOW + ::conf.keepalive);
985
986 // send queued packets
987 while (tap_packet *p = queue.get ())
988 {
931 send_data_packet (p); 989 send_data_packet (p);
932 delete p; 990 delete p;
991 }
992
993 connectmode = conf->connectmode;
994
995 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
996 conf->nodename, (const char *)rsi,
997 p->prot_major, p->prot_minor);
998
999 if (::conf.script_node_up)
1000 run_script (run_script_cb (this, &connection::script_node_up), false);
1001
1002 break;
933 } 1003 }
934 1004 else
935 connectmode = conf->connectmode; 1005 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
936
937 slog (L_INFO, _("connection to %d (%s %s) established"),
938 conf->id, conf->nodename, (const char *)sockinfo (ssa)); 1006 conf->nodename, (const char *)rsi);
939
940 if (::conf.script_node_up)
941 run_script (this, &connection::script_node_up, false);
942 } 1007 }
1008
943 else 1009 delete cctx;
944 slog (L_ERR, _("sent and received challenge do not match with (%s %s))"),
945 conf->nodename, (const char *)sockinfo (ssa));
946
947 break;
948 default:
949 slog (L_ERR, _("authentification illegal subtype error (%s %s)"),
950 conf->nodename, (const char *)sockinfo (ssa));
951 break;
952 } 1010 }
953 } 1011 }
954 else
955 send_reset (ssa);
956
957 break;
958 } 1012 }
1013
1014 send_reset (rsi);
1015 break;
959 1016
960 case vpn_packet::PT_DATA_COMPRESSED: 1017 case vpn_packet::PT_DATA_COMPRESSED:
961#if !ENABLE_COMPRESSION 1018#if !ENABLE_COMPRESSION
962 send_reset (ssa); 1019 send_reset (rsi);
963 break; 1020 break;
964#endif 1021#endif
1022
965 case vpn_packet::PT_DATA_UNCOMPRESSED: 1023 case vpn_packet::PT_DATA_UNCOMPRESSED:
966 1024
967 if (ictx && octx) 1025 if (ictx && octx)
968 { 1026 {
969 vpndata_packet *p = (vpndata_packet *)pkt; 1027 vpndata_packet *p = (vpndata_packet *)pkt;
970 1028
971 if (*ssa == sa) 1029 if (rsi == si)
972 { 1030 {
973 if (!p->hmac_chk (ictx)) 1031 if (!p->hmac_chk (ictx))
974 slog (L_ERR, _("hmac authentication error, received invalid packet\n" 1032 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
975 "could be an attack, or just corruption or an synchronization error")); 1033 "could be an attack, or just corruption or an synchronization error"),
1034 conf->nodename, (const char *)rsi);
976 else 1035 else
977 { 1036 {
978 u32 seqno; 1037 u32 seqno;
979 tap_packet *d = p->unpack (this, seqno); 1038 tap_packet *d = p->unpack (this, seqno);
980 1039
996 break; 1055 break;
997 } 1056 }
998 } 1057 }
999 } 1058 }
1000 else 1059 else
1001 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D 1060 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
1002 } 1061 }
1003 1062
1004 send_reset (ssa); 1063 send_reset (rsi);
1005 break; 1064 break;
1006 1065
1007 case vpn_packet::PT_CONNECT_REQ: 1066 case vpn_packet::PT_CONNECT_REQ:
1008 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) 1067 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1009 { 1068 {
1010 connect_req_packet *p = (connect_req_packet *) pkt; 1069 connect_req_packet *p = (connect_req_packet *) pkt;
1011 1070
1012 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1071 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1013 1072 conf->protocols = p->protocols;
1014 connection *c = vpn->conns[p->id - 1]; 1073 connection *c = vpn->conns[p->id - 1];
1015 1074
1016 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 1075 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1017 conf->id, p->id, c->ictx && c->octx); 1076 conf->id, p->id, c->ictx && c->octx);
1018 1077
1019 if (c->ictx && c->octx) 1078 if (c->ictx && c->octx)
1020 { 1079 {
1021 // send connect_info packets to both sides, in case one is 1080 // send connect_info packets to both sides, in case one is
1022 // behind a nat firewall (or both ;) 1081 // behind a nat firewall (or both ;)
1023 { 1082 c->send_connect_info (conf->id, si, conf->protocols);
1024 sockinfo si(sa); 1083 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1025
1026 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1027 c->conf->id, conf->id, (const char *)si);
1028
1029 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si);
1030
1031 r->hmac_set (c->octx);
1032 vpn->send_vpn_packet (r, &c->sa);
1033
1034 delete r;
1035 }
1036
1037 {
1038 sockinfo si(c->sa);
1039
1040 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1041 conf->id, c->conf->id, (const char *)si);
1042
1043 connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si);
1044
1045 r->hmac_set (octx);
1046 vpn->send_vpn_packet (r, &sa);
1047
1048 delete r;
1049 }
1050 } 1084 }
1051 } 1085 }
1052 1086
1053 break; 1087 break;
1054 1088
1055 case vpn_packet::PT_CONNECT_INFO: 1089 case vpn_packet::PT_CONNECT_INFO:
1056 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) 1090 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1057 { 1091 {
1058 connect_info_packet *p = (connect_info_packet *) pkt; 1092 connect_info_packet *p = (connect_info_packet *) pkt;
1059 1093
1060 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1094 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1061 1095 conf->protocols = p->protocols;
1062 connection *c = vpn->conns[p->id - 1]; 1096 connection *c = vpn->conns[p->id - 1];
1063 1097
1064 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1098 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1065 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1099 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1066 1100
1067 c->send_auth (AUTH_INIT, p->si.sa ()); 1101 c->send_auth_request (p->si, true);
1068 } 1102 }
1103
1069 break; 1104 break;
1070 1105
1071 default: 1106 default:
1072 send_reset (ssa); 1107 send_reset (rsi);
1073 break; 1108 break;
1109
1074 } 1110 }
1075} 1111}
1076 1112
1077void connection::keepalive_cb (tstamp &ts) 1113void connection::keepalive_cb (tstamp &ts)
1078{ 1114{
1082 establish_connection (); 1118 establish_connection ();
1083 } 1119 }
1084 else if (NOW < last_activity + ::conf.keepalive) 1120 else if (NOW < last_activity + ::conf.keepalive)
1085 ts = last_activity + ::conf.keepalive; 1121 ts = last_activity + ::conf.keepalive;
1086 else if (conf->connectmode != conf_node::C_ONDEMAND 1122 else if (conf->connectmode != conf_node::C_ONDEMAND
1087 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1123 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1088 { 1124 {
1089 send_ping (&sa); 1125 send_ping (si);
1090 ts = NOW + 5; 1126 ts = NOW + 5;
1091 } 1127 }
1092 else 1128 else
1093 reset_connection (); 1129 reset_connection ();
1094
1095} 1130}
1096 1131
1097void connection::connect_request (int id) 1132void connection::connect_request (int id)
1098{ 1133{
1099 connect_req_packet *p = new connect_req_packet (conf->id, id); 1134 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1100 1135
1101 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id); 1136 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1102 p->hmac_set (octx); 1137 p->hmac_set (octx);
1103 vpn->send_vpn_packet (p, &sa); 1138 send_vpn_packet (p, si);
1104 1139
1105 delete p; 1140 delete p;
1106} 1141}
1107 1142
1108void connection::script_node () 1143void connection::script_node ()
1109{ 1144{
1110 vpn->script_if_up (); 1145 vpn->script_if_up (0);
1111 1146
1112 char *env; 1147 char *env;
1113 asprintf (&env, "DESTID=%d", conf->id); 1148 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1114 putenv (env);
1115 asprintf (&env, "DESTNODE=%s", conf->nodename); 1149 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1116 putenv (env); 1150 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1117 asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
1118 putenv (env);
1119 asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port)); 1151 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1120 putenv (env);
1121} 1152}
1122 1153
1123const char *connection::script_node_up () 1154const char *connection::script_node_up (int)
1124{ 1155{
1125 script_node (); 1156 script_node ();
1126 1157
1127 putenv ("STATE=up"); 1158 putenv ("STATE=up");
1128 1159
1129 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1160 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1130} 1161}
1131 1162
1132const char *connection::script_node_down () 1163const char *connection::script_node_down (int)
1133{ 1164{
1134 script_node (); 1165 script_node ();
1135 1166
1136 putenv ("STATE=down"); 1167 putenv ("STATE=down");
1137 1168
1138 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1169 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1170}
1171
1172// send a vpn packet out to other hosts
1173void
1174connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1175{
1176 if (prot_send & PROT_IPv4)
1177 vpn->send_ipv4_packet (pkt, si, tos);
1178 else
1179 vpn->send_udpv4_packet (pkt, si, tos);
1139} 1180}
1140 1181
1141connection::connection(struct vpn *vpn_) 1182connection::connection(struct vpn *vpn_)
1142: vpn(vpn_) 1183: vpn(vpn_)
1143, rekey (this, &connection::rekey_cb) 1184, rekey (this, &connection::rekey_cb)
1156 shutdown (); 1197 shutdown ();
1157} 1198}
1158 1199
1159///////////////////////////////////////////////////////////////////////////// 1200/////////////////////////////////////////////////////////////////////////////
1160 1201
1161const char *vpn::script_if_up () 1202const char *vpn::script_if_up (int)
1162{ 1203{
1163 // the tunnel device mtu should be the physical mtu - overhead 1204 // the tunnel device mtu should be the physical mtu - overhead
1164 // the tricky part is rounding to the cipher key blocksize 1205 // the tricky part is rounding to the cipher key blocksize
1165 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - UDP_OVERHEAD; 1206 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
1166 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion 1207 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
1167 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round 1208 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
1168 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again 1209 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
1169 1210
1170 char *env; 1211 char *env;
1185 1226
1186 return ::conf.script_if_up ? ::conf.script_if_up : "if-up"; 1227 return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1187} 1228}
1188 1229
1189int 1230int
1190vpn::setup (void) 1231vpn::setup ()
1191{ 1232{
1192 struct sockaddr_in sa; 1233 sockinfo si;
1193 1234
1235 si.set (THISNODE);
1236
1237 udpv4_fd = -1;
1238
1239 if (THISNODE->protocols & PROT_UDPv4)
1240 {
1194 socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP); 1241 udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1195 if (socket_fd < 0) 1242
1243 if (udpv4_fd < 0)
1196 return -1; 1244 return -1;
1197 1245
1198 fill_sa (&sa, THISNODE); 1246 if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1199 1247 {
1200 if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1201 {
1202 slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno)); 1248 slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1203 exit (1); 1249 exit (1);
1204 } 1250 }
1205 1251
1206#ifdef IP_MTU_DISCOVER 1252#ifdef IP_MTU_DISCOVER
1207 // this I really consider a linux bug. I am neither connected 1253 // this I really consider a linux bug. I am neither connected
1208 // nor do I fragment myself. Linux still sets DF and doesn't 1254 // nor do I fragment myself. Linux still sets DF and doesn't
1209 // fragment for me sometimes. 1255 // fragment for me sometimes.
1210 { 1256 {
1211 int oval = IP_PMTUDISC_DONT; 1257 int oval = IP_PMTUDISC_DONT;
1212 setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval); 1258 setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1213 } 1259 }
1214#endif 1260#endif
1215 { 1261
1262 // standard daemon practise...
1263 {
1216 int oval = 1; 1264 int oval = 1;
1217 setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval); 1265 setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1218 } 1266 }
1219 1267
1220 udp_ev_watcher.start (socket_fd, POLLIN); 1268 udpv4_ev_watcher.start (udpv4_fd, POLLIN);
1269 }
1270
1271 ipv4_fd = -1;
1272 if (THISNODE->protocols & PROT_IPv4)
1273 {
1274 ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
1275
1276 if (ipv4_fd < 0)
1277 return -1;
1278
1279 if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
1280 {
1281 slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
1282 exit (1);
1283 }
1284
1285#ifdef IP_MTU_DISCOVER
1286 // this I really consider a linux bug. I am neither connected
1287 // nor do I fragment myself. Linux still sets DF and doesn't
1288 // fragment for me sometimes.
1289 {
1290 int oval = IP_PMTUDISC_DONT;
1291 setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1292 }
1293#endif
1294
1295 ipv4_ev_watcher.start (ipv4_fd, POLLIN);
1296 }
1221 1297
1222 tap = new tap_device (); 1298 tap = new tap_device ();
1223 if (!tap) //D this, of course, never catches 1299 if (!tap) //D this, of course, never catches
1224 { 1300 {
1225 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname); 1301 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1226 exit (1); 1302 exit (1);
1227 } 1303 }
1228 1304
1229 run_script (this, &vpn::script_if_up, true); 1305 run_script (run_script_cb (this, &vpn::script_if_up), true);
1230 1306
1231 vpn_ev_watcher.start (tap->fd, POLLIN); 1307 tap_ev_watcher.start (tap->fd, POLLIN);
1232 1308
1233 reconnect_all (); 1309 reconnect_all ();
1234 1310
1235 return 0; 1311 return 0;
1236} 1312}
1237 1313
1238void 1314void
1239vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos) 1315vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1240{ 1316{
1241 setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos); 1317 setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1242 sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); 1318 sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1243} 1319}
1244 1320
1245void 1321void
1246vpn::shutdown_all () 1322vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1247{ 1323{
1248 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 1324 setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1249 (*c)->shutdown (); 1325 sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1250} 1326}
1251 1327
1252void 1328void
1253vpn::reconnect_all () 1329vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1254{ 1330{
1255 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 1331 unsigned int src = pkt->src ();
1256 delete *c; 1332 unsigned int dst = pkt->dst ();
1257 1333
1258 conns.clear (); 1334 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1335 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1259 1336
1260 for (configuration::node_vector::iterator i = conf.nodes.begin (); 1337 if (src == 0 || src > conns.size ()
1261 i != conf.nodes.end (); ++i) 1338 || dst > conns.size ()
1262 { 1339 || pkt->typ () >= vpn_packet::PT_MAX)
1263 connection *conn = new connection (this); 1340 slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)"),
1264 1341 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
1265 conn->conf = *i; 1342 else
1266 conns.push_back (conn);
1267
1268 conn->establish_connection ();
1269 } 1343 {
1270} 1344 connection *c = conns[src - 1];
1271 1345
1272connection *vpn::find_router () 1346 if (dst == 0 && !THISNODE->routerprio)
1273{ 1347 slog (L_WARN, _("%s(%s): received broadcast, but we are no router"),
1274 u32 prio = 0; 1348 c->conf->nodename, (const char *)rsi);
1275 connection *router = 0; 1349 else if (dst != 0 && dst != THISNODE->id)
1276 1350 // FORWARDING NEEDED ;)
1277 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i) 1351 slog (L_WARN,
1352 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1353 dst, conns[dst - 1]->conf->nodename,
1354 (const char *)rsi,
1355 THISNODE->id, THISNODE->nodename);
1356 else
1357 c->recv_vpn_packet (pkt, rsi);
1278 { 1358 }
1279 connection *c = *i;
1280
1281 if (c->conf->routerprio > prio
1282 && c->connectmode == conf_node::C_ALWAYS
1283 && c->conf != THISNODE
1284 && c->ictx && c->octx)
1285 {
1286 prio = c->conf->routerprio;
1287 router = c;
1288 }
1289 }
1290
1291 return router;
1292} 1359}
1293 1360
1294void vpn::connect_request (int id)
1295{
1296 connection *c = find_router ();
1297
1298 if (c)
1299 c->connect_request (id);
1300 //else // does not work, because all others must connect to the same router
1301 // // no router found, aggressively connect to all routers
1302 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1303 // if ((*i)->conf->routerprio)
1304 // (*i)->establish_connection ();
1305}
1306
1307void 1361void
1308vpn::udp_ev (short revents) 1362vpn::udpv4_ev (short revents)
1309{ 1363{
1310 if (revents & (POLLIN | POLLERR)) 1364 if (revents & (POLLIN | POLLERR))
1311 { 1365 {
1312 vpn_packet *pkt = new vpn_packet; 1366 vpn_packet *pkt = new vpn_packet;
1313 struct sockaddr_in sa; 1367 struct sockaddr_in sa;
1314 socklen_t sa_len = sizeof (sa); 1368 socklen_t sa_len = sizeof (sa);
1315 int len; 1369 int len;
1316 1370
1317 len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len); 1371 len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1372
1373 sockinfo si(sa);
1318 1374
1319 if (len > 0) 1375 if (len > 0)
1320 { 1376 {
1321 pkt->len = len; 1377 pkt->len = len;
1322 1378
1323 unsigned int src = pkt->src ();
1324 unsigned int dst = pkt->dst ();
1325
1326 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1327 (const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1328
1329 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1330 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1331 pkt->typ (), pkt->src (), pkt->dst ());
1332 else if (dst == 0 && !THISNODE->routerprio)
1333 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1334 else if (dst != 0 && dst != THISNODE->id)
1335 slog (L_WARN,
1336 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1337 dst, conns[dst - 1]->conf->nodename,
1338 (const char *)sockinfo (sa),
1339 THISNODE->id, THISNODE->nodename);
1340 else if (src == 0 || src > conns.size ())
1341 slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1342 else
1343 conns[src - 1]->recv_vpn_packet (pkt, &sa); 1379 recv_vpn_packet (pkt, si);
1344 } 1380 }
1345 else 1381 else
1346 { 1382 {
1347 // probably ECONNRESET or somesuch 1383 // probably ECONNRESET or somesuch
1348 slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno)); 1384 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1349 } 1385 }
1350 1386
1351 delete pkt; 1387 delete pkt;
1352 } 1388 }
1353 else if (revents & POLLHUP) 1389 else if (revents & POLLHUP)
1354 { 1390 {
1355 // this cannot ;) happen on udp sockets 1391 // this cannot ;) happen on udp sockets
1356 slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating.")); 1392 slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
1357 exit (1); 1393 exit (1);
1358 } 1394 }
1359 else 1395 else
1360 { 1396 {
1361 slog (L_ERR, 1397 slog (L_ERR,
1364 exit (1); 1400 exit (1);
1365 } 1401 }
1366} 1402}
1367 1403
1368void 1404void
1405vpn::ipv4_ev (short revents)
1406{
1407 if (revents & (POLLIN | POLLERR))
1408 {
1409 vpn_packet *pkt = new vpn_packet;
1410 struct sockaddr_in sa;
1411 socklen_t sa_len = sizeof (sa);
1412 int len;
1413
1414 len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1415
1416 sockinfo si(sa, PROT_IPv4);
1417
1418 if (len > 0)
1419 {
1420 pkt->len = len;
1421
1422 // raw sockets deliver the ipv4, but don't expect it on sends
1423 // this is slow, but...
1424 pkt->skip_hdr (IP_OVERHEAD);
1425
1426 recv_vpn_packet (pkt, si);
1427 }
1428 else
1429 {
1430 // probably ECONNRESET or somesuch
1431 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1432 }
1433
1434 delete pkt;
1435 }
1436 else if (revents & POLLHUP)
1437 {
1438 // this cannot ;) happen on udp sockets
1439 slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
1440 exit (1);
1441 }
1442 else
1443 {
1444 slog (L_ERR,
1445 _("FATAL: unknown revents %08x in socket, terminating\n"),
1446 revents);
1447 exit (1);
1448 }
1449}
1450
1451void
1369vpn::vpn_ev (short revents) 1452vpn::tap_ev (short revents)
1370{ 1453{
1371 if (revents & POLLIN) 1454 if (revents & POLLIN)
1372 { 1455 {
1373 /* process data */ 1456 /* process data */
1374 tap_packet *pkt; 1457 tap_packet *pkt;
1430{ 1513{
1431 if (events) 1514 if (events)
1432 { 1515 {
1433 if (events & EVENT_SHUTDOWN) 1516 if (events & EVENT_SHUTDOWN)
1434 { 1517 {
1518 slog (L_INFO, _("preparing shutdown..."));
1519
1435 shutdown_all (); 1520 shutdown_all ();
1436 1521
1437 remove_pid (pidfilename); 1522 remove_pid (pidfilename);
1438 1523
1439 slog (L_INFO, _("vped terminating")); 1524 slog (L_INFO, _("terminating"));
1440 1525
1441 exit (0); 1526 exit (0);
1442 } 1527 }
1443 1528
1444 if (events & EVENT_RECONNECT) 1529 if (events & EVENT_RECONNECT)
1530 {
1531 slog (L_INFO, _("forced reconnect"));
1532
1445 reconnect_all (); 1533 reconnect_all ();
1534 }
1446 1535
1447 events = 0; 1536 events = 0;
1448 } 1537 }
1449 1538
1450 ts = TSTAMP_CANCEL; 1539 ts = TSTAMP_CANCEL;
1451} 1540}
1452 1541
1542void
1543vpn::shutdown_all ()
1544{
1545 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1546 (*c)->shutdown ();
1547}
1548
1549void
1550vpn::reconnect_all ()
1551{
1552 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1553 delete *c;
1554
1555 conns.clear ();
1556
1557 auth_rate_limiter.clear ();
1558 reset_rate_limiter.clear ();
1559
1560 for (configuration::node_vector::iterator i = conf.nodes.begin ();
1561 i != conf.nodes.end (); ++i)
1562 {
1563 connection *conn = new connection (this);
1564
1565 conn->conf = *i;
1566 conns.push_back (conn);
1567
1568 conn->establish_connection ();
1569 }
1570}
1571
1572connection *vpn::find_router ()
1573{
1574 u32 prio = 0;
1575 connection *router = 0;
1576
1577 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1578 {
1579 connection *c = *i;
1580
1581 if (c->conf->routerprio > prio
1582 && c->connectmode == conf_node::C_ALWAYS
1583 && c->conf != THISNODE
1584 && c->ictx && c->octx)
1585 {
1586 prio = c->conf->routerprio;
1587 router = c;
1588 }
1589 }
1590
1591 return router;
1592}
1593
1594void vpn::connect_request (int id)
1595{
1596 connection *c = find_router ();
1597
1598 if (c)
1599 c->connect_request (id);
1600 //else // does not work, because all others must connect to the same router
1601 // // no router found, aggressively connect to all routers
1602 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1603 // if ((*i)->conf->routerprio)
1604 // (*i)->establish_connection ();
1605}
1606
1607void
1608connection::dump_status ()
1609{
1610 slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
1611 slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
1612 connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
1613 slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
1614 (long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
1615 slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
1616 (long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
1617}
1618
1619void
1620vpn::dump_status ()
1621{
1622 slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
1623
1624 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1625 (*c)->dump_status ();
1626
1627 slog (L_NOTICE, _("END status dump"));
1628}
1629
1453vpn::vpn (void) 1630vpn::vpn (void)
1454: udp_ev_watcher (this, &vpn::udp_ev) 1631: udpv4_ev_watcher(this, &vpn::udpv4_ev)
1632, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1455, vpn_ev_watcher (this, &vpn::vpn_ev) 1633, tap_ev_watcher(this, &vpn::tap_ev)
1456, event (this, &vpn::event_cb) 1634, event(this, &vpn::event_cb)
1457{ 1635{
1458} 1636}
1459 1637
1460vpn::~vpn () 1638vpn::~vpn ()
1461{ 1639{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines