ViewVC Help

View File | Revision Log | Show Annotations | Download File

/cvs/gvpe/src/protocol.C

Comparing gvpe/src/protocol.C (file contents):
Revision 1.16 by pcg, Tue Mar 25 18:11:58 2003 UTC vs.
Revision 1.24 by pcg, Fri Mar 28 16:14:40 2003 UTC

…		…
58		58
59	static time_t next_timecheck;	59	static time_t next_timecheck;
60		60
61	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic	61	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
62		62
63	static const rsachallenge &	63	static u8
64	challenge_bytes ()	64	best_protocol (u8 protset)
65	{	65	{
66	static rsachallenge challenge;	66	if (protset & PROT_IPv4)
67	static tstamp challenge_ttl; // time this challenge needs to be recreated	67	return PROT_IPv4;
68		68
69	if (NOW > challenge_ttl)	69	return PROT_UDPv4;
70	{
71	RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));
72	challenge_ttl = NOW + CHALLENGE_TTL;
73	}
74
75	return challenge;
76	}
77
78	// caching of rsa operations really helps slow computers
79	struct rsa_entry {
80	tstamp expire;
81	rsachallenge chg;
82	RSA *key; // which key
83	rsaencrdata encr;
84
85	rsa_entry ()
86	{
87	expire = NOW + CHALLENGE_TTL;
88	}
89	};
90
91	struct rsa_cache : list<rsa_entry>
92	{
93	void cleaner_cb (tstamp &ts); time_watcher cleaner;
94
95	const rsaencrdata *public_encrypt (RSA *key, const rsachallenge &chg)
96	{
97	for (iterator i = begin (); i != end (); ++i)
98	{
99	if (i->key == key && !memcmp (&chg, &i->chg, sizeof chg))
100	return &i->encr;
101	}
102
103	if (cleaner.at < NOW)
104	cleaner.start (NOW + CHALLENGE_TTL);
105
106	resize (size () + 1);
107	rsa_entry *e = &(*rbegin ());
108
109	e->key = key;
110	memcpy (&e->chg, &chg, sizeof chg);
111
112	if (0 > RSA_public_encrypt (sizeof chg,
113	(unsigned char *)&chg, (unsigned char *)&e->encr,
114	key, RSA_PKCS1_OAEP_PADDING))
115	fatal ("RSA_public_encrypt error");
116
117	return &e->encr;
118	}
119
120	const rsachallenge *private_decrypt (RSA *key, const rsaencrdata &encr)
121	{
122	for (iterator i = begin (); i != end (); ++i)
123	if (i->key == key && !memcmp (&encr, &i->encr, sizeof encr))
124	return &i->chg;
125
126	if (cleaner.at < NOW)
127	cleaner.start (NOW + CHALLENGE_TTL);
128
129	resize (size () + 1);
130	rsa_entry *e = &(*rbegin ());
131
132	e->key = key;
133	memcpy (&e->encr, &encr, sizeof encr);
134
135	if (0 > RSA_private_decrypt (sizeof encr,
136	(unsigned char *)&encr, (unsigned char *)&e->chg,
137	key, RSA_PKCS1_OAEP_PADDING))
138	{
139	pop_back ();
140	return 0;
141	}
142
143	return &e->chg;
144	}
145
146	rsa_cache ()
147	: cleaner (this, &rsa_cache::cleaner_cb)
148	{ }
149
150	} rsa_cache;
151
152	void rsa_cache::cleaner_cb (tstamp &ts)
153	{
154	if (empty ())
155	ts = TSTAMP_CANCEL;
156	else
157	{
158	ts = NOW + 3;
159	for (iterator i = begin (); i != end (); )
160	{
161	if (i->expire >= NOW)
162	i = erase (i);
163	else
164	++i;
165	}
166	}
167	}
168
169	// run a script. yes, it's a template function. yes, c++
170	// is not a functional language. yes, this suxx.
171	template<class owner>
172	static void
173	run_script (owner *obj, const char *(owner::*setup)(), bool wait)
174	{
175	int pid;
176
177	if ((pid = fork ()) == 0)
178	{
179	char *filename;
180	asprintf (&filename, "%s/%s", confbase, (obj->*setup) ());
181	execl (filename, filename, (char *) 0);
182	exit (255);
183	}
184	else if (pid > 0)
185	{
186	if (wait)
187	{
188	waitpid (pid, 0, 0);
189	/* TODO: check status */
190	}
191	}
192	}
193
194	// xor the socket address into the challenge to ensure different challenges
195	// per host. we could rely on the OAEP padding, but this doesn't hurt.
196	void
197	xor_sa (rsachallenge &k, SOCKADDR *sa)
198	{
199	((u32 *) k)[(CHG_CIPHER_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
200	((u16 *) k)[(CHG_CIPHER_KEY + 4) / 2] ^= sa->sin_port;
201	((u32 *) k)[(CHG_HMAC_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
202	((u16 *) k)[(CHG_HMAC_KEY + 4) / 2] ^= sa->sin_port;
203	}	70	}
204		71
205	struct crypto_ctx	72	struct crypto_ctx
206	{	73	{
207	EVP_CIPHER_CTX cctx;	74	EVP_CIPHER_CTX cctx;
…		…
221		88
222	crypto_ctx::~crypto_ctx ()	89	crypto_ctx::~crypto_ctx ()
223	{	90	{
224	EVP_CIPHER_CTX_cleanup (&cctx);	91	EVP_CIPHER_CTX_cleanup (&cctx);
225	HMAC_CTX_cleanup (&hctx);	92	HMAC_CTX_cleanup (&hctx);
		93	}
		94
		95	static void
		96	rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
		97	{
		98	EVP_MD_CTX ctx;
		99
		100	EVP_MD_CTX_init (&ctx);
		101	EVP_DigestInit (&ctx, RSA_HASH);
		102	EVP_DigestUpdate(&ctx, &chg, sizeof chg);
		103	EVP_DigestUpdate(&ctx, &id, sizeof id);
		104	EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
		105	EVP_MD_CTX_cleanup (&ctx);
		106	}
		107
		108	struct rsa_entry {
		109	tstamp expire;
		110	rsaid id;
		111	rsachallenge chg;
		112	};
		113
		114	struct rsa_cache : list<rsa_entry>
		115	{
		116	void cleaner_cb (tstamp &ts); time_watcher cleaner;
		117
		118	bool find (const rsaid &id, rsachallenge &chg)
		119	{
		120	for (iterator i = begin (); i != end (); ++i)
		121	{
		122	if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
		123	{
		124	memcpy (&chg, &i->chg, sizeof chg);
		125
		126	erase (i);
		127	return true;
		128	}
		129	}
		130
		131	if (cleaner.at < NOW)
		132	cleaner.start (NOW + RSA_TTL);
		133
		134	return false;
		135	}
		136
		137	void gen (rsaid &id, rsachallenge &chg)
		138	{
		139	rsa_entry e;
		140
		141	RAND_bytes ((unsigned char *)&id, sizeof id);
		142	RAND_bytes ((unsigned char *)&chg, sizeof chg);
		143
		144	e.expire = NOW + RSA_TTL;
		145	e.id = id;
		146	memcpy (&e.chg, &chg, sizeof chg);
		147
		148	push_back (e);
		149
		150	if (cleaner.at < NOW)
		151	cleaner.start (NOW + RSA_TTL);
		152	}
		153
		154	rsa_cache ()
		155	: cleaner (this, &rsa_cache::cleaner_cb)
		156	{ }
		157
		158	} rsa_cache;
		159
		160	void rsa_cache::cleaner_cb (tstamp &ts)
		161	{
		162	if (empty ())
		163	ts = TSTAMP_CANCEL;
		164	else
		165	{
		166	ts = NOW + RSA_TTL;
		167
		168	for (iterator i = begin (); i != end (); )
		169	if (i->expire <= NOW)
		170	i = erase (i);
		171	else
		172	++i;
		173	}
		174	}
		175
		176	typedef callback<const char *, int> run_script_cb;
		177
		178	// run a shell script (or actually an external program).
		179	static void
		180	run_script (const run_script_cb &cb, bool wait)
		181	{
		182	int pid;
		183
		184	if ((pid = fork ()) == 0)
		185	{
		186	char *filename;
		187	asprintf (&filename, "%s/%s", confbase, cb(0));
		188	execl (filename, filename, (char *) 0);
		189	exit (255);
		190	}
		191	else if (pid > 0)
		192	{
		193	if (wait)
		194	{
		195	waitpid (pid, 0, 0);
		196	/* TODO: check status */
		197	}
		198	}
226	}	199	}
227		200
228	//////////////////////////////////////////////////////////////////////////////	201	//////////////////////////////////////////////////////////////////////////////
229		202
230	void pkt_queue::put (tap_packet *p)	203	void pkt_queue::put (tap_packet *p)
…		…
273	};	246	};
274		247
275	// only do action once every x seconds per host whole allowing bursts.	248	// only do action once every x seconds per host whole allowing bursts.
276	// this implementation ("splay list" ;) is inefficient,	249	// this implementation ("splay list" ;) is inefficient,
277	// but low on resources.	250	// but low on resources.
278	struct net_rate_limiter : private list<net_rateinfo>	251	struct net_rate_limiter : list<net_rateinfo>
279	{	252	{
280	static const double ALPHA = 1. - 1. / 90.; // allow bursts	253	static const double ALPHA = 1. - 1. / 90.; // allow bursts
281	static const double CUTOFF = 20.; // one event every CUTOFF seconds	254	static const double CUTOFF = 20.; // one event every CUTOFF seconds
282	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time	255	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
283		256
		257	bool can (const sockinfo &si) { return can((u32)si.host); }
284	bool can (u32 host);	258	bool can (u32 host);
285	bool can (SOCKADDR *sa) { return can((u32)sa->sin_addr.s_addr); }
286	bool can (sockinfo &si) { return can((u32)si.host); }
287	};	259	};
288		260
289	net_rate_limiter auth_rate_limiter, reset_rate_limiter;	261	net_rate_limiter auth_rate_limiter, reset_rate_limiter;
290		262
291	bool net_rate_limiter::can (u32 host)	263	bool net_rate_limiter::can (u32 host)
…		…
326	bool send = ri.diff / ri.pcnt > CUTOFF;	298	bool send = ri.diff / ri.pcnt > CUTOFF;
327		299
328	if (send)	300	if (send)
329	ri.pcnt++;	301	ri.pcnt++;
330		302
331	//printf ("RATE %d %f,%f = %f > %f\n", !!send, ri.pcnt, ri.diff, ri.diff / ri.pcnt, CUTOFF);
332
333	push_front (ri);	303	push_front (ri);
334		304
335	return send;	305	return send;
336	}	306	}
337	}	307	}
…		…
345	}	315	}
346		316
347	static unsigned char hmac_digest[EVP_MAX_MD_SIZE];	317	static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
348		318
349	struct hmac_packet:net_packet	319	struct hmac_packet:net_packet
		320	{
		321	u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
		322
		323	void hmac_set (crypto_ctx * ctx);
		324	bool hmac_chk (crypto_ctx * ctx);
		325
		326	private:
		327	void hmac_gen (crypto_ctx * ctx)
350	{	328	{
351	u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
352
353	void hmac_set (crypto_ctx * ctx);
354	bool hmac_chk (crypto_ctx * ctx);
355
356	private:
357	void hmac_gen (crypto_ctx * ctx)
358	{
359	unsigned int xlen;	329	unsigned int xlen;
360	HMAC_CTX *hctx = &ctx->hctx;	330	HMAC_CTX *hctx = &ctx->hctx;
361		331
362	HMAC_Init_ex (hctx, 0, 0, 0, 0);	332	HMAC_Init_ex (hctx, 0, 0, 0, 0);
363	HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),	333	HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
364	len - sizeof (hmac_packet));	334	len - sizeof (hmac_packet));
365	HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);	335	HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
366	}
367	};	336	}
		337	};
368		338
369	void	339	void
370	hmac_packet::hmac_set (crypto_ctx * ctx)	340	hmac_packet::hmac_set (crypto_ctx * ctx)
371	{	341	{
372	hmac_gen (ctx);	342	hmac_gen (ctx);
…		…
388	{	358	{
389	PT_RESET = 0,	359	PT_RESET = 0,
390	PT_DATA_UNCOMPRESSED,	360	PT_DATA_UNCOMPRESSED,
391	PT_DATA_COMPRESSED,	361	PT_DATA_COMPRESSED,
392	PT_PING, PT_PONG, // wasting namespace space? ;)	362	PT_PING, PT_PONG, // wasting namespace space? ;)
393	PT_AUTH, // authentification	363	PT_AUTH_REQ, // authentification request
		364	PT_AUTH_RES, // authentification response
394	PT_CONNECT_REQ, // want other host to contact me	365	PT_CONNECT_REQ, // want other host to contact me
395	PT_CONNECT_INFO, // request connection to some node	366	PT_CONNECT_INFO, // request connection to some node
396	PT_REKEY, // rekeying (not yet implemented)
397	PT_MAX	367	PT_MAX
398	};	368	};
399		369
400	u8 type;	370	u8 type;
401	u8 srcdst, src1, dst1;	371	u8 srcdst, src1, dst1;
402		372
403	void set_hdr (ptype type, unsigned int dst);	373	void set_hdr (ptype type, unsigned int dst);
404		374
405	unsigned int src ()	375	unsigned int src () const
406	{	376	{
407	return src1 | ((srcdst >> 4) << 8);	377	return src1 | ((srcdst >> 4) << 8);
408	}	378	}
409		379
410	unsigned int dst ()	380	unsigned int dst () const
411	{	381	{
412	return dst1 | ((srcdst & 0xf) << 8);	382	return dst1 | ((srcdst & 0xf) << 8);
413	}	383	}
414		384
415	ptype typ ()	385	ptype typ () const
416	{	386	{
417	return (ptype) type;	387	return (ptype) type;
418	}	388	}
419	};	389	};
420		390
…		…
539		509
540	#if ENABLE_COMPRESSION	510	#if ENABLE_COMPRESSION
541	if (type == PT_DATA_COMPRESSED)	511	if (type == PT_DATA_COMPRESSED)
542	{	512	{
543	u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];	513	u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
		514
544	p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6;	515	p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
		516	&(*p)[6 + 6], MAX_MTU)
		517	+ 6 + 6;
545	}	518	}
546	else	519	else
547	p->len = outl + (6 + 6 - DATAHDR);	520	p->len = outl + (6 + 6 - DATAHDR);
548	#endif	521	#endif
549		522
550	return p;	523	return p;
551	}	524	}
552		525
553	struct ping_packet : vpn_packet	526	struct ping_packet : vpn_packet
		527	{
		528	void setup (int dst, ptype type)
554	{	529	{
555	void setup (int dst, ptype type)
556	{
557	set_hdr (type, dst);	530	set_hdr (type, dst);
558	len = sizeof (*this) - sizeof (net_packet);	531	len = sizeof (*this) - sizeof (net_packet);
559	}
560	};	532	}
		533	};
561		534
562	struct config_packet : vpn_packet	535	struct config_packet : vpn_packet
		536	{
		537	// actually, hmaclen cannot be checked because the hmac
		538	// field comes before this data, so peers with other
		539	// hmacs simply will not work.
		540	u8 prot_major, prot_minor, randsize, hmaclen;
		541	u8 flags, challengelen, pad2, pad3;
		542	u32 cipher_nid, digest_nid, hmac_nid;
		543
		544	const u8 curflags () const
563	{	545	{
564	// actually, hmaclen cannot be checked because the hmac
565	// field comes before this data, so peers with other
566	// hmacs simply will not work.
567	u8 prot_major, prot_minor, randsize, hmaclen;
568	u8 flags, challengelen, pad2, pad3;
569	u32 cipher_nid;
570	u32 digest_nid;
571
572	const u8 curflags () const
573	{
574	return 0x80	546	return 0x80
575	| (ENABLE_COMPRESSION ? 0x01 : 0x00);	547	| (ENABLE_COMPRESSION ? 0x01 : 0x00);
576	}	548	}
577		549
578	void setup (ptype type, int dst)	550	void setup (ptype type, int dst);
579	{	551	bool chk_config () const;
		552	};
		553
		554	void config_packet::setup (ptype type, int dst)
		555	{
580	prot_major = PROTOCOL_MAJOR;	556	prot_major = PROTOCOL_MAJOR;
581	prot_minor = PROTOCOL_MINOR;	557	prot_minor = PROTOCOL_MINOR;
582	randsize = RAND_SIZE;	558	randsize = RAND_SIZE;
583	hmaclen = HMACLENGTH;	559	hmaclen = HMACLENGTH;
584	flags = curflags ();	560	flags = curflags ();
585	challengelen = sizeof (rsachallenge);	561	challengelen = sizeof (rsachallenge);
586		562
587	cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));	563	cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
588	digest_nid = htonl (EVP_MD_type (DIGEST));	564	digest_nid = htonl (EVP_MD_type (RSA_HASH));
		565	hmac_nid = htonl (EVP_MD_type (DIGEST));
589		566
590	len = sizeof (*this) - sizeof (net_packet);	567	len = sizeof (*this) - sizeof (net_packet);
591	set_hdr (type, dst);	568	set_hdr (type, dst);
592	}	569	}
593		570
594	bool chk_config ()	571	bool config_packet::chk_config () const
595	{	572	{
596	return prot_major == PROTOCOL_MAJOR	573	return prot_major == PROTOCOL_MAJOR
597	&& randsize == RAND_SIZE	574	&& randsize == RAND_SIZE
598	&& hmaclen == HMACLENGTH	575	&& hmaclen == HMACLENGTH
599	&& flags == curflags ()	576	&& flags == curflags ()
600	&& challengelen == sizeof (rsachallenge)	577	&& challengelen == sizeof (rsachallenge)
601	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))	578	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
		579	&& digest_nid == htonl (EVP_MD_type (RSA_HASH))
602	&& digest_nid == htonl (EVP_MD_type (DIGEST));	580	&& hmac_nid == htonl (EVP_MD_type (DIGEST));
603	}	581	}
604	};
605		582
606	struct auth_packet : config_packet	583	struct auth_req_packet : config_packet
		584	{
		585	char magic[8];
		586	u8 initiate; // false if this is just an automatic reply
		587	u8 protocols; // supported protocols (will get patches on forward)
		588	u8 pad2, pad3;
		589	rsaid id;
		590	rsaencrdata encr;
		591
		592	auth_req_packet (int dst, bool initiate_, u8 protocols_)
607	{	593	{
608	char magic[8];
609	u8 subtype;
610	u8 pad1, pad2;
611	rsaencrdata challenge;
612
613	auth_packet (int dst, auth_subtype stype)
614	{
615	config_packet::setup (PT_AUTH, dst);	594	config_packet::setup (PT_AUTH_REQ, dst);
616	subtype = stype;	595	strncpy (magic, MAGIC, 8);
		596	initiate = !!initiate_;
		597	protocols = protocols_;
		598
617	len = sizeof (*this) - sizeof (net_packet);	599	len = sizeof (*this) - sizeof (net_packet);
618	strncpy (magic, MAGIC, 8);
619	}
620	};	600	}
		601	};
		602
		603	struct auth_res_packet : config_packet
		604	{
		605	rsaid id;
		606	u8 pad1, pad2, pad3;
		607	u8 response_len; // encrypted length
		608	rsaresponse response;
		609
		610	auth_res_packet (int dst)
		611	{
		612	config_packet::setup (PT_AUTH_RES, dst);
		613
		614	len = sizeof (*this) - sizeof (net_packet);
		615	}
		616	};
621		617
622	struct connect_req_packet : vpn_packet	618	struct connect_req_packet : vpn_packet
		619	{
		620	u8 id, protocols;
		621	u8 pad1, pad2;
		622
		623	connect_req_packet (int dst, int id_, u8 protocols_)
		624	: id(id_)
		625	, protocols(protocols_)
623	{	626	{
624	u8 id;
625	u8 pad1, pad2, pad3;
626
627	connect_req_packet (int dst, int id)
628	{
629	this->id = id;
630	set_hdr (PT_CONNECT_REQ, dst);	627	set_hdr (PT_CONNECT_REQ, dst);
631	len = sizeof (*this) - sizeof (net_packet);	628	len = sizeof (*this) - sizeof (net_packet);
632	}
633	};	629	}
		630	};
634		631
635	struct connect_info_packet : vpn_packet	632	struct connect_info_packet : vpn_packet
		633	{
		634	u8 id, protocols;
		635	u8 pad1, pad2;
		636	sockinfo si;
		637
		638	connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
		639	: id(id_)
		640	, protocols(protocols_)
		641	, si(si_)
636	{	642	{
637	u8 id;
638	u8 pad1, pad2, pad3;
639	sockinfo si;
640
641	connect_info_packet (int dst, int id, sockinfo &si)
642	{
643	this->id = id;
644	this->si = si;
645	set_hdr (PT_CONNECT_INFO, dst);	643	set_hdr (PT_CONNECT_INFO, dst);
		644
646	len = sizeof (*this) - sizeof (net_packet);	645	len = sizeof (*this) - sizeof (net_packet);
647	}
648	};	646	}
		647	};
649		648
650	/////////////////////////////////////////////////////////////////////////////	649	/////////////////////////////////////////////////////////////////////////////
651		650
652	void	651	void
653	fill_sa (SOCKADDR *sa, conf_node *conf)
654	{
655	sa->sin_family = AF_INET;
656	sa->sin_port = htons (conf->port);
657	sa->sin_addr.s_addr = 0;
658
659	if (conf->hostname)
660	{
661	struct hostent *he = gethostbyname (conf->hostname);
662
663	if (he
664	&& he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
665	{
666	//sa->sin_family = he->h_addrtype;
667	memcpy (&sa->sin_addr, he->h_addr_list[0], 4);
668	}
669	else
670	slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
671	}
672	}
673
674	void
675	connection::reset_dstaddr ()	652	connection::reset_dstaddr ()
676	{	653	{
677	fill_sa (&sa, conf);	654	si.set (conf);
678	}	655	}
679		656
680	void	657	void
681	connection::send_ping (SOCKADDR *dsa, u8 pong)	658	connection::send_ping (const sockinfo &si, u8 pong)
682	{	659	{
683	ping_packet *pkt = new ping_packet;	660	ping_packet *pkt = new ping_packet;
684		661
685	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);	662	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
686	vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY);	663	send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
687		664
688	delete pkt;	665	delete pkt;
689	}	666	}
690		667
691	void	668	void
692	connection::send_reset (SOCKADDR *dsa)	669	connection::send_reset (const sockinfo &si)
693	{	670	{
694	if (reset_rate_limiter.can (dsa) && connectmode != conf_node::C_DISABLED)	671	if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
695	{	672	{
696	config_packet *pkt = new config_packet;	673	config_packet *pkt = new config_packet;
697		674
698	pkt->setup (vpn_packet::PT_RESET, conf->id);	675	pkt->setup (vpn_packet::PT_RESET, conf->id);
699	vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST);	676	send_vpn_packet (pkt, si, IPTOS_MINCOST);
700		677
701	delete pkt;	678	delete pkt;
702	}	679	}
703	}	680	}
704		681
705	static rsachallenge *
706	gen_challenge (u32 seqrand, SOCKADDR *sa)
707	{
708	static rsachallenge k;
709
710	memcpy (&k, &challenge_bytes (), sizeof (k));
711	*(u32 *)&k[CHG_SEQNO] ^= seqrand;
712	xor_sa (k, sa);
713
714	return &k;
715	}
716
717	void	682	void
718	connection::send_auth (auth_subtype subtype, SOCKADDR *sa, const rsachallenge *k)	683	connection::send_auth_request (const sockinfo &si, bool initiate)
719	{	684	{
720	if (subtype == AUTH_REPLY || auth_rate_limiter.can (sa))	685	auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
721	{
722	if (!k)
723	k = gen_challenge (seqrand, sa);
724		686
725	auth_packet *pkt = new auth_packet (conf->id, subtype);	687	prot_send = best_protocol (THISNODE->protocols & conf->protocols);
726		688
727	memcpy (pkt->challenge, rsa_cache.public_encrypt (conf->rsa_key, *k), sizeof (rsaencrdata));	689	rsachallenge chg;
728		690
		691	rsa_cache.gen (pkt->id, chg);
		692
		693	if (0 > RSA_public_encrypt (sizeof chg,
		694	(unsigned char *)&chg, (unsigned char *)&pkt->encr,
		695	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
		696	fatal ("RSA_public_encrypt error");
		697
729	slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa));	698	slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
730		699
731	vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY);	700	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
732		701
733	delete pkt;	702	delete pkt;
734	}	703	}
		704
		705	void
		706	connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
		707	{
		708	auth_res_packet *pkt = new auth_res_packet (conf->id);
		709
		710	pkt->id = id;
		711
		712	rsa_hash (id, chg, pkt->response);
		713
		714	pkt->hmac_set (octx);
		715
		716	slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
		717
		718	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
		719
		720	delete pkt;
		721	}
		722
		723	void
		724	connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
		725	{
		726	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
		727	conf->id, rid, (const char *)rsi);
		728
		729	connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
		730
		731	r->hmac_set (octx);
		732	send_vpn_packet (r, si);
		733
		734	delete r;
735	}	735	}
736		736
737	void	737	void
738	connection::establish_connection_cb (tstamp &ts)	738	connection::establish_connection_cb (tstamp &ts)
739	{	739	{
740	if (ictx || conf == THISNODE || connectmode == conf_node::C_NEVER)	740	if (ictx || conf == THISNODE
		741	|| connectmode == conf_node::C_NEVER
		742	|| connectmode == conf_node::C_DISABLED)
741	ts = TSTAMP_CANCEL;	743	ts = TSTAMP_CANCEL;
742	else if (ts <= NOW)	744	else if (ts <= NOW)
743	{	745	{
744	double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.25;	746	double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
745		747
746	if (retry_int < 3600 * 8)	748	if (retry_int < 3600 * 8)
747	retry_cnt++;	749	retry_cnt++;
748		750
749	ts = NOW + retry_int;	751	ts = NOW + retry_int;
750		752
751	if (conf->hostname)	753	if (conf->hostname)
752	{	754	{
753	reset_dstaddr ();	755	reset_dstaddr ();
754	if (sa.sin_addr.s_addr)	756	if (si.host && auth_rate_limiter.can (si))
		757	{
755	if (retry_cnt < 4)	758	if (retry_cnt < 4)
756	send_auth (AUTH_INIT, &sa);	759	send_auth_request (si, true);
757	else if (auth_rate_limiter.can (&sa))	760	else
758	send_ping (&sa, 0);	761	send_ping (si, 0);
		762	}
759	}	763	}
760	else	764	else
761	vpn->connect_request (conf->id);	765	vpn->connect_request (conf->id);
762	}	766	}
763	}	767	}
…		…
765	void	769	void
766	connection::reset_connection ()	770	connection::reset_connection ()
767	{	771	{
768	if (ictx && octx)	772	if (ictx && octx)
769	{	773	{
770	slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename);	774	slog (L_INFO, _("%s(%s): connection lost"),
		775	conf->nodename, (const char *)si);
771		776
772	if (::conf.script_node_down)	777	if (::conf.script_node_down)
773	run_script (this, &connection::script_node_down, false);	778	run_script (run_script_cb (this, &connection::script_node_down), false);
774	}	779	}
775		780
776	delete ictx; ictx = 0;	781	delete ictx; ictx = 0;
777	delete octx; octx = 0;	782	delete octx; octx = 0;
778		783
779	RAND_bytes ((unsigned char *)&seqrand, sizeof (u32));	784	si.host= 0;
780
781	sa.sin_port = 0;
782	sa.sin_addr.s_addr = 0;
783		785
784	last_activity = 0;	786	last_activity = 0;
		787	retry_cnt = 0;
785		788
786	rekey.reset ();	789	rekey.reset ();
787	keepalive.reset ();	790	keepalive.reset ();
788	establish_connection.reset ();	791	establish_connection.reset ();
789	}	792	}
790		793
791	void	794	void
792	connection::shutdown ()	795	connection::shutdown ()
793	{	796	{
794	if (ictx && octx)	797	if (ictx && octx)
795	send_reset (&sa);	798	send_reset (si);
796		799
797	reset_connection ();	800	reset_connection ();
798	}	801	}
799		802
800	void	803	void
…		…
805	reset_connection ();	808	reset_connection ();
806	establish_connection ();	809	establish_connection ();
807	}	810	}
808		811
809	void	812	void
810	connection::send_data_packet (tap_packet * pkt, bool broadcast)	813	connection::send_data_packet (tap_packet *pkt, bool broadcast)
811	{	814	{
812	vpndata_packet *p = new vpndata_packet;	815	vpndata_packet *p = new vpndata_packet;
813	int tos = 0;	816	int tos = 0;
814		817
815	if (conf->inherit_tos	818	if (conf->inherit_tos
816	&& (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP	819	&& (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
817	&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4	820	&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4
818	tos = (*pkt)[15] & IPTOS_TOS_MASK;	821	tos = (*pkt)[15] & IPTOS_TOS_MASK;
819		822
820	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs	823	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
821	vpn->send_vpn_packet (p, &sa, tos);	824	send_vpn_packet (p, si, tos);
822		825
823	delete p;	826	delete p;
824		827
825	if (oseqno > MAX_SEQNO)	828	if (oseqno > MAX_SEQNO)
826	rekey ();	829	rekey ();
…		…
839	establish_connection ();	842	establish_connection ();
840	}	843	}
841	}	844	}
842		845
843	void	846	void
844	connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa)	847	connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
845	{	848	{
846	last_activity = NOW;	849	last_activity = NOW;
847		850
848	slog (L_NOISE, "<<%d received packet type %d from %d to %d",	851	slog (L_NOISE, "<<%d received packet type %d from %d to %d",
849	conf->id, pkt->typ (), pkt->src (), pkt->dst ());	852	conf->id, pkt->typ (), pkt->src (), pkt->dst ());
850		853
851	switch (pkt->typ ())	854	switch (pkt->typ ())
852	{	855	{
853	case vpn_packet::PT_PING:	856	case vpn_packet::PT_PING:
854	// we send pings instead of auth packets after some retries,	857	// we send pings instead of auth packets after some retries,
855	// so reset the retry counter and establish a conenction	858	// so reset the retry counter and establish a connection
856	// when we receive a pong.	859	// when we receive a ping.
857	if (!ictx && !octx)	860	if (!ictx)
858	{	861	{
859	retry_cnt = 0;	862	if (auth_rate_limiter.can (rsi))
860	establish_connection.at = 0;	863	send_auth_request (rsi, true);
861	establish_connection ();
862	}	864	}
863	else	865	else
864	send_ping (ssa, 1); // pong	866	send_ping (rsi, 1); // pong
865		867
866	break;	868	break;
867		869
868	case vpn_packet::PT_PONG:	870	case vpn_packet::PT_PONG:
869	break;	871	break;
…		…
871	case vpn_packet::PT_RESET:	873	case vpn_packet::PT_RESET:
872	{	874	{
873	reset_connection ();	875	reset_connection ();
874		876
875	config_packet *p = (config_packet *) pkt;	877	config_packet *p = (config_packet *) pkt;
		878
876	if (!p->chk_config ())	879	if (!p->chk_config ())
877	{	880	{
878	slog (L_WARN, _("protocol mismatch, disabling node '%s'"), conf->nodename);	881	slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
		882	conf->nodename, (const char *)rsi);
879	connectmode = conf_node::C_DISABLED;	883	connectmode = conf_node::C_DISABLED;
880	}	884	}
881	else if (connectmode == conf_node::C_ALWAYS)	885	else if (connectmode == conf_node::C_ALWAYS)
882	establish_connection ();	886	establish_connection ();
883	}	887	}
884	break;	888	break;
885		889
886	case vpn_packet::PT_AUTH:	890	case vpn_packet::PT_AUTH_REQ:
		891	if (auth_rate_limiter.can (rsi))
		892	{
		893	auth_req_packet *p = (auth_req_packet *) pkt;
		894
		895	slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
		896
		897	if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
		898	{
		899	if (p->prot_minor != PROTOCOL_MINOR)
		900	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
		901	conf->nodename, (const char *)rsi,
		902	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
		903
		904	if (p->initiate)
		905	send_auth_request (rsi, false);
		906
		907	rsachallenge k;
		908
		909	if (0 > RSA_private_decrypt (sizeof (p->encr),
		910	(unsigned char *)&p->encr, (unsigned char *)&k,
		911	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
		912	slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
		913	conf->nodename, (const char *)rsi);
		914	else
		915	{
		916	retry_cnt = 0;
		917	establish_connection.set (NOW + 8); //? ;)
		918	keepalive.reset ();
		919	rekey.reset ();
		920
		921	delete ictx;
		922	ictx = 0;
		923
		924	delete octx;
		925
		926	octx = new crypto_ctx (k, 1);
		927	oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
		928
		929	conf->protocols = p->protocols;
		930	send_auth_response (rsi, p->id, k);
		931
		932	break;
		933	}
		934	}
		935
		936	send_reset (rsi);
		937	}
		938
		939	break;
		940
		941	case vpn_packet::PT_AUTH_RES:
887	{	942	{
888	auth_packet *p = (auth_packet *) pkt;	943	auth_res_packet *p = (auth_res_packet *) pkt;
889		944
890	slog (L_TRACE, "<<%d PT_AUTH(%d)", conf->id, p->subtype);	945	slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
891		946
892	if (p->chk_config ()	947	if (p->chk_config ())
893	&& !strncmp (p->magic, MAGIC, 8))
894	{	948	{
895	if (p->prot_minor != PROTOCOL_MINOR)	949	if (p->prot_minor != PROTOCOL_MINOR)
896	slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."),	950	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
		951	conf->nodename, (const char *)rsi,
897	PROTOCOL_MINOR, conf->nodename, p->prot_minor);	952	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
898		953
899	if (p->subtype == AUTH_INIT)	954	rsachallenge chg;
900	send_auth (AUTH_INITREPLY, ssa);
901		955
902	const rsachallenge *k = rsa_cache.private_decrypt (::conf.rsa_key, p->challenge);	956	if (!rsa_cache.find (p->id, chg))
903		957	slog (L_ERR, _("%s(%s): unrequested auth response"),
904	if (!k)	958	conf->nodename, (const char *)rsi);
		959	else
905	{	960	{
906	slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"),	961	crypto_ctx *cctx = new crypto_ctx (chg, 0);
		962
		963	if (!p->hmac_chk (cctx))
		964	slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
		965	"could be an attack, or just corruption or an synchronization error"),
907	conf->nodename, (const char *)sockinfo (ssa));	966	conf->nodename, (const char *)rsi);
908	send_reset (ssa);
909	break;	967	else
910	}
911
912	retry_cnt = 0;
913	establish_connection.set (NOW + 8); //? ;)
914	keepalive.reset ();
915	rekey.reset ();
916
917	switch (p->subtype)
918	{
919	case AUTH_INIT:
920	case AUTH_INITREPLY:
921	delete ictx;
922	ictx = 0;
923
924	delete octx;
925
926	octx = new crypto_ctx (*k, 1);
927	oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
928
929	send_auth (AUTH_REPLY, ssa, k);
930	break;
931
932	case AUTH_REPLY:
933
934	if (!memcmp ((u8 *)gen_challenge (seqrand, ssa), (u8 *)k, sizeof (rsachallenge)))
935	{	968	{
936	delete ictx;
937
938	ictx = new crypto_ctx (*k, 0);
939	iseqno.reset (ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
940
941	sa = *ssa;	969	rsaresponse h;
942		970
943	rekey.set (NOW + ::conf.rekey);	971	rsa_hash (p->id, chg, h);
944	keepalive.set (NOW + ::conf.keepalive);
945		972
946	// send queued packets	973	if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
947	while (tap_packet *p = queue.get ())
948	{	974	{
		975	prot_minor = p->prot_minor;
		976
		977	delete ictx; ictx = cctx;
		978
		979	iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
		980
		981	si = rsi;
		982
		983	rekey.set (NOW + ::conf.rekey);
		984	keepalive.set (NOW + ::conf.keepalive);
		985
		986	// send queued packets
		987	while (tap_packet *p = queue.get ())
		988	{
949	send_data_packet (p);	989	send_data_packet (p);
950	delete p;	990	delete p;
		991	}
		992
		993	connectmode = conf->connectmode;
		994
		995	slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
		996	conf->nodename, (const char *)rsi,
		997	p->prot_major, p->prot_minor);
		998
		999	if (::conf.script_node_up)
		1000	run_script (run_script_cb (this, &connection::script_node_up), false);
		1001
		1002	break;
951	}	1003	}
952		1004	else
953	connectmode = conf->connectmode;	1005	slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
954
955	slog (L_INFO, _("connection to %d (%s %s) established"),
956	conf->id, conf->nodename, (const char *)sockinfo (ssa));	1006	conf->nodename, (const char *)rsi);
957
958	if (::conf.script_node_up)
959	run_script (this, &connection::script_node_up, false);
960	}	1007	}
		1008
961	else	1009	delete cctx;
962	slog (L_ERR, _("sent and received challenge do not match with (%s %s))"),
963	conf->nodename, (const char *)sockinfo (ssa));
964
965	break;
966	default:
967	slog (L_ERR, _("authentification illegal subtype error (%s %s)"),
968	conf->nodename, (const char *)sockinfo (ssa));
969	break;
970	}	1010	}
971	}	1011	}
972	else
973	send_reset (ssa);
974
975	break;
976	}	1012	}
		1013
		1014	send_reset (rsi);
		1015	break;
977		1016
978	case vpn_packet::PT_DATA_COMPRESSED:	1017	case vpn_packet::PT_DATA_COMPRESSED:
979	#if !ENABLE_COMPRESSION	1018	#if !ENABLE_COMPRESSION
980	send_reset (ssa);	1019	send_reset (rsi);
981	break;	1020	break;
982	#endif	1021	#endif
		1022
983	case vpn_packet::PT_DATA_UNCOMPRESSED:	1023	case vpn_packet::PT_DATA_UNCOMPRESSED:
984		1024
985	if (ictx && octx)	1025	if (ictx && octx)
986	{	1026	{
987	vpndata_packet *p = (vpndata_packet *)pkt;	1027	vpndata_packet *p = (vpndata_packet *)pkt;
988		1028
989	if (*ssa == sa)	1029	if (rsi == si)
990	{	1030	{
991	if (!p->hmac_chk (ictx))	1031	if (!p->hmac_chk (ictx))
992	slog (L_ERR, _("hmac authentication error, received invalid packet\n"	1032	slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
993	"could be an attack, or just corruption or an synchronization error"));	1033	"could be an attack, or just corruption or an synchronization error"),
		1034	conf->nodename, (const char *)rsi);
994	else	1035	else
995	{	1036	{
996	u32 seqno;	1037	u32 seqno;
997	tap_packet *d = p->unpack (this, seqno);	1038	tap_packet *d = p->unpack (this, seqno);
998		1039
…		…
1014	break;	1055	break;
1015	}	1056	}
1016	}	1057	}
1017	}	1058	}
1018	else	1059	else
1019	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D	1060	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
1020	}	1061	}
1021		1062
1022	send_reset (ssa);	1063	send_reset (rsi);
1023	break;	1064	break;
1024		1065
1025	case vpn_packet::PT_CONNECT_REQ:	1066	case vpn_packet::PT_CONNECT_REQ:
1026	if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))	1067	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1027	{	1068	{
1028	connect_req_packet *p = (connect_req_packet *) pkt;	1069	connect_req_packet *p = (connect_req_packet *) pkt;
1029		1070
1030	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything	1071	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1031		1072	conf->protocols = p->protocols;
1032	connection *c = vpn->conns[p->id - 1];	1073	connection *c = vpn->conns[p->id - 1];
1033		1074
1034	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",	1075	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1035	conf->id, p->id, c->ictx && c->octx);	1076	conf->id, p->id, c->ictx && c->octx);
1036		1077
1037	if (c->ictx && c->octx)	1078	if (c->ictx && c->octx)
1038	{	1079	{
1039	// send connect_info packets to both sides, in case one is	1080	// send connect_info packets to both sides, in case one is
1040	// behind a nat firewall (or both ;)	1081	// behind a nat firewall (or both ;)
1041	{	1082	c->send_connect_info (conf->id, si, conf->protocols);
1042	sockinfo si(sa);	1083	send_connect_info (c->conf->id, c->si, c->conf->protocols);
1043
1044	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1045	c->conf->id, conf->id, (const char *)si);
1046
1047	connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si);
1048
1049	r->hmac_set (c->octx);
1050	vpn->send_vpn_packet (r, &c->sa);
1051
1052	delete r;
1053	}
1054
1055	{
1056	sockinfo si(c->sa);
1057
1058	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1059	conf->id, c->conf->id, (const char *)si);
1060
1061	connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si);
1062
1063	r->hmac_set (octx);
1064	vpn->send_vpn_packet (r, &sa);
1065
1066	delete r;
1067	}
1068	}	1084	}
1069	}	1085	}
1070		1086
1071	break;	1087	break;
1072		1088
1073	case vpn_packet::PT_CONNECT_INFO:	1089	case vpn_packet::PT_CONNECT_INFO:
1074	if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))	1090	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1075	{	1091	{
1076	connect_info_packet *p = (connect_info_packet *) pkt;	1092	connect_info_packet *p = (connect_info_packet *) pkt;
1077		1093
1078	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything	1094	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1079		1095	conf->protocols = p->protocols;
1080	connection *c = vpn->conns[p->id - 1];	1096	connection *c = vpn->conns[p->id - 1];
1081		1097
1082	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",	1098	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1083	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);	1099	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1084		1100
1085	c->send_auth (AUTH_INIT, p->si.sa ());	1101	c->send_auth_request (p->si, true);
1086	}	1102	}
		1103
1087	break;	1104	break;
1088		1105
1089	default:	1106	default:
1090	send_reset (ssa);	1107	send_reset (rsi);
1091	break;	1108	break;
		1109
1092	}	1110	}
1093	}	1111	}
1094		1112
1095	void connection::keepalive_cb (tstamp &ts)	1113	void connection::keepalive_cb (tstamp &ts)
1096	{	1114	{
…		…
1100	establish_connection ();	1118	establish_connection ();
1101	}	1119	}
1102	else if (NOW < last_activity + ::conf.keepalive)	1120	else if (NOW < last_activity + ::conf.keepalive)
1103	ts = last_activity + ::conf.keepalive;	1121	ts = last_activity + ::conf.keepalive;
1104	else if (conf->connectmode != conf_node::C_ONDEMAND	1122	else if (conf->connectmode != conf_node::C_ONDEMAND
1105	|| THISNODE->connectmode != conf_node::C_ONDEMAND)	1123	|| THISNODE->connectmode != conf_node::C_ONDEMAND)
1106	{	1124	{
1107	send_ping (&sa);	1125	send_ping (si);
1108	ts = NOW + 5;	1126	ts = NOW + 5;
1109	}	1127	}
1110	else	1128	else
1111	reset_connection ();	1129	reset_connection ();
1112
1113	}	1130	}
1114		1131
1115	void connection::connect_request (int id)	1132	void connection::connect_request (int id)
1116	{	1133	{
1117	connect_req_packet *p = new connect_req_packet (conf->id, id);	1134	connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1118		1135
1119	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);	1136	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1120	p->hmac_set (octx);	1137	p->hmac_set (octx);
1121	vpn->send_vpn_packet (p, &sa);	1138	send_vpn_packet (p, si);
1122		1139
1123	delete p;	1140	delete p;
1124	}	1141	}
1125		1142
1126	void connection::script_node ()	1143	void connection::script_node ()
1127	{	1144	{
1128	vpn->script_if_up ();	1145	vpn->script_if_up (0);
1129		1146
1130	char *env;	1147	char *env;
1131	asprintf (&env, "DESTID=%d", conf->id);	1148	asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1132	putenv (env);
1133	asprintf (&env, "DESTNODE=%s", conf->nodename);	1149	asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1134	putenv (env);	1150	asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1135	asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
1136	putenv (env);
1137	asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port));	1151	asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1138	putenv (env);
1139	}	1152	}
1140		1153
1141	const char *connection::script_node_up ()	1154	const char *connection::script_node_up (int)
1142	{	1155	{
1143	script_node ();	1156	script_node ();
1144		1157
1145	putenv ("STATE=up");	1158	putenv ("STATE=up");
1146		1159
1147	return ::conf.script_node_up ? ::conf.script_node_up : "node-up";	1160	return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1148	}	1161	}
1149		1162
1150	const char *connection::script_node_down ()	1163	const char *connection::script_node_down (int)
1151	{	1164	{
1152	script_node ();	1165	script_node ();
1153		1166
1154	putenv ("STATE=down");	1167	putenv ("STATE=down");
1155		1168
1156	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";	1169	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
		1170	}
		1171
		1172	// send a vpn packet out to other hosts
		1173	void
		1174	connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
		1175	{
		1176	if (prot_send & PROT_IPv4)
		1177	vpn->send_ipv4_packet (pkt, si, tos);
		1178	else
		1179	vpn->send_udpv4_packet (pkt, si, tos);
1157	}	1180	}
1158		1181
1159	connection::connection(struct vpn *vpn_)	1182	connection::connection(struct vpn *vpn_)
1160	: vpn(vpn_)	1183	: vpn(vpn_)
1161	, rekey (this, &connection::rekey_cb)	1184	, rekey (this, &connection::rekey_cb)
…		…
1174	shutdown ();	1197	shutdown ();
1175	}	1198	}
1176		1199
1177	/////////////////////////////////////////////////////////////////////////////	1200	/////////////////////////////////////////////////////////////////////////////
1178		1201
1179	const char *vpn::script_if_up ()	1202	const char *vpn::script_if_up (int)
1180	{	1203	{
1181	// the tunnel device mtu should be the physical mtu - overhead	1204	// the tunnel device mtu should be the physical mtu - overhead
1182	// the tricky part is rounding to the cipher key blocksize	1205	// the tricky part is rounding to the cipher key blocksize
1183	int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - UDP_OVERHEAD;	1206	int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
1184	mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion	1207	mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
1185	mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round	1208	mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
1186	mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again	1209	mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
1187		1210
1188	char *env;	1211	char *env;
…		…
1203		1226
1204	return ::conf.script_if_up ? ::conf.script_if_up : "if-up";	1227	return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1205	}	1228	}
1206		1229
1207	int	1230	int
1208	vpn::setup (void)	1231	vpn::setup ()
1209	{	1232	{
1210	struct sockaddr_in sa;	1233	sockinfo si;
1211		1234
		1235	si.set (THISNODE);
		1236
		1237	udpv4_fd = -1;
		1238
		1239	if (THISNODE->protocols & PROT_UDPv4)
		1240	{
1212	socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);	1241	udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1213	if (socket_fd < 0)	1242
		1243	if (udpv4_fd < 0)
1214	return -1;	1244	return -1;
1215		1245
1216	fill_sa (&sa, THISNODE);	1246	if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1217		1247	{
1218	if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1219	{
1220	slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno));	1248	slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1221	exit (1);	1249	exit (1);
1222	}	1250	}
1223		1251
1224	#ifdef IP_MTU_DISCOVER	1252	#ifdef IP_MTU_DISCOVER
1225	// this I really consider a linux bug. I am neither connected	1253	// this I really consider a linux bug. I am neither connected
1226	// nor do I fragment myself. Linux still sets DF and doesn't	1254	// nor do I fragment myself. Linux still sets DF and doesn't
1227	// fragment for me sometimes.	1255	// fragment for me sometimes.
1228	{	1256	{
1229	int oval = IP_PMTUDISC_DONT;	1257	int oval = IP_PMTUDISC_DONT;
1230	setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);	1258	setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1231	}	1259	}
1232	#endif	1260	#endif
1233	{	1261
		1262	// standard daemon practise...
		1263	{
1234	int oval = 1;	1264	int oval = 1;
1235	setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);	1265	setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1236	}	1266	}
1237		1267
1238	udp_ev_watcher.start (socket_fd, POLLIN);	1268	udpv4_ev_watcher.start (udpv4_fd, POLLIN);
		1269	}
		1270
		1271	ipv4_fd = -1;
		1272	if (THISNODE->protocols & PROT_IPv4)
		1273	{
		1274	ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
		1275
		1276	if (ipv4_fd < 0)
		1277	return -1;
		1278
		1279	if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
		1280	{
		1281	slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
		1282	exit (1);
		1283	}
		1284
		1285	#ifdef IP_MTU_DISCOVER
		1286	// this I really consider a linux bug. I am neither connected
		1287	// nor do I fragment myself. Linux still sets DF and doesn't
		1288	// fragment for me sometimes.
		1289	{
		1290	int oval = IP_PMTUDISC_DONT;
		1291	setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
		1292	}
		1293	#endif
		1294
		1295	ipv4_ev_watcher.start (ipv4_fd, POLLIN);
		1296	}
1239		1297
1240	tap = new tap_device ();	1298	tap = new tap_device ();
1241	if (!tap) //D this, of course, never catches	1299	if (!tap) //D this, of course, never catches
1242	{	1300	{
1243	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);	1301	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1244	exit (1);	1302	exit (1);
1245	}	1303	}
1246		1304
1247	run_script (this, &vpn::script_if_up, true);	1305	run_script (run_script_cb (this, &vpn::script_if_up), true);
1248		1306
1249	vpn_ev_watcher.start (tap->fd, POLLIN);	1307	tap_ev_watcher.start (tap->fd, POLLIN);
1250		1308
1251	reconnect_all ();	1309	reconnect_all ();
1252		1310
1253	return 0;	1311	return 0;
1254	}	1312	}
1255		1313
1256	void	1314	void
1257	vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos)	1315	vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1258	{	1316	{
1259	setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos);	1317	setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1260	sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa));	1318	sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1261	}	1319	}
1262		1320
1263	void	1321	void
1264	vpn::shutdown_all ()	1322	vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1265	{	1323	{
1266	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	1324	setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1267	(*c)->shutdown ();	1325	sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1268	}	1326	}
1269		1327
1270	void	1328	void
1271	vpn::reconnect_all ()	1329	vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1272	{	1330	{
1273	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	1331	unsigned int src = pkt->src ();
1274	delete *c;	1332	unsigned int dst = pkt->dst ();
1275		1333
1276	conns.clear ();	1334	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
		1335	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1277		1336
1278	for (configuration::node_vector::iterator i = conf.nodes.begin ();	1337	if (src == 0 || src > conns.size ()
1279	i != conf.nodes.end (); ++i)	1338	|| dst > conns.size ()
1280	{	1339	|| pkt->typ () >= vpn_packet::PT_MAX)
1281	connection *conn = new connection (this);	1340	slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)"),
1282		1341	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
1283	conn->conf = *i;	1342	else
1284	conns.push_back (conn);
1285
1286	conn->establish_connection ();
1287	}	1343	{
1288	}	1344	connection *c = conns[src - 1];
1289		1345
1290	connection *vpn::find_router ()	1346	if (dst == 0 && !THISNODE->routerprio)
1291	{	1347	slog (L_WARN, _("%s(%s): received broadcast, but we are no router"),
1292	u32 prio = 0;	1348	c->conf->nodename, (const char *)rsi);
1293	connection *router = 0;	1349	else if (dst != 0 && dst != THISNODE->id)
1294		1350	// FORWARDING NEEDED ;)
1295	for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)	1351	slog (L_WARN,
		1352	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
		1353	dst, conns[dst - 1]->conf->nodename,
		1354	(const char *)rsi,
		1355	THISNODE->id, THISNODE->nodename);
		1356	else
		1357	c->recv_vpn_packet (pkt, rsi);
1296	{	1358	}
1297	connection *c = *i;
1298
1299	if (c->conf->routerprio > prio
1300	&& c->connectmode == conf_node::C_ALWAYS
1301	&& c->conf != THISNODE
1302	&& c->ictx && c->octx)
1303	{
1304	prio = c->conf->routerprio;
1305	router = c;
1306	}
1307	}
1308
1309	return router;
1310	}	1359	}
1311		1360
1312	void vpn::connect_request (int id)
1313	{
1314	connection *c = find_router ();
1315
1316	if (c)
1317	c->connect_request (id);
1318	//else // does not work, because all others must connect to the same router
1319	// // no router found, aggressively connect to all routers
1320	// for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1321	// if ((*i)->conf->routerprio)
1322	// (*i)->establish_connection ();
1323	}
1324
1325	void	1361	void
1326	vpn::udp_ev (short revents)	1362	vpn::udpv4_ev (short revents)
1327	{	1363	{
1328	if (revents & (POLLIN | POLLERR))	1364	if (revents & (POLLIN | POLLERR))
1329	{	1365	{
1330	vpn_packet *pkt = new vpn_packet;	1366	vpn_packet *pkt = new vpn_packet;
1331	struct sockaddr_in sa;	1367	struct sockaddr_in sa;
1332	socklen_t sa_len = sizeof (sa);	1368	socklen_t sa_len = sizeof (sa);
1333	int len;	1369	int len;
1334		1370
1335	len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);	1371	len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
		1372
		1373	sockinfo si(sa);
1336		1374
1337	if (len > 0)	1375	if (len > 0)
1338	{	1376	{
1339	pkt->len = len;	1377	pkt->len = len;
1340		1378
1341	unsigned int src = pkt->src ();
1342	unsigned int dst = pkt->dst ();
1343
1344	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1345	(const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1346
1347	if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1348	slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1349	pkt->typ (), pkt->src (), pkt->dst ());
1350	else if (dst == 0 && !THISNODE->routerprio)
1351	slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1352	else if (dst != 0 && dst != THISNODE->id)
1353	slog (L_WARN,
1354	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1355	dst, conns[dst - 1]->conf->nodename,
1356	(const char *)sockinfo (sa),
1357	THISNODE->id, THISNODE->nodename);
1358	else if (src == 0 || src > conns.size ())
1359	slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1360	else
1361	conns[src - 1]->recv_vpn_packet (pkt, &sa);	1379	recv_vpn_packet (pkt, si);
1362	}	1380	}
1363	else	1381	else
1364	{	1382	{
1365	// probably ECONNRESET or somesuch	1383	// probably ECONNRESET or somesuch
1366	slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno));	1384	slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1367	}	1385	}
1368		1386
1369	delete pkt;	1387	delete pkt;
1370	}	1388	}
1371	else if (revents & POLLHUP)	1389	else if (revents & POLLHUP)
1372	{	1390	{
1373	// this cannot ;) happen on udp sockets	1391	// this cannot ;) happen on udp sockets
1374	slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating."));	1392	slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
1375	exit (1);	1393	exit (1);
1376	}	1394	}
1377	else	1395	else
1378	{	1396	{
1379	slog (L_ERR,	1397	slog (L_ERR,
…		…
1382	exit (1);	1400	exit (1);
1383	}	1401	}
1384	}	1402	}
1385		1403
1386	void	1404	void
		1405	vpn::ipv4_ev (short revents)
		1406	{
		1407	if (revents & (POLLIN | POLLERR))
		1408	{
		1409	vpn_packet *pkt = new vpn_packet;
		1410	struct sockaddr_in sa;
		1411	socklen_t sa_len = sizeof (sa);
		1412	int len;
		1413
		1414	len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
		1415
		1416	sockinfo si(sa, PROT_IPv4);
		1417
		1418	if (len > 0)
		1419	{
		1420	pkt->len = len;
		1421
		1422	// raw sockets deliver the ipv4, but don't expect it on sends
		1423	// this is slow, but...
		1424	pkt->skip_hdr (IP_OVERHEAD);
		1425
		1426	recv_vpn_packet (pkt, si);
		1427	}
		1428	else
		1429	{
		1430	// probably ECONNRESET or somesuch
		1431	slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
		1432	}
		1433
		1434	delete pkt;
		1435	}
		1436	else if (revents & POLLHUP)
		1437	{
		1438	// this cannot ;) happen on udp sockets
		1439	slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
		1440	exit (1);
		1441	}
		1442	else
		1443	{
		1444	slog (L_ERR,
		1445	_("FATAL: unknown revents %08x in socket, terminating\n"),
		1446	revents);
		1447	exit (1);
		1448	}
		1449	}
		1450
		1451	void
1387	vpn::vpn_ev (short revents)	1452	vpn::tap_ev (short revents)
1388	{	1453	{
1389	if (revents & POLLIN)	1454	if (revents & POLLIN)
1390	{	1455	{
1391	/* process data */	1456	/* process data */
1392	tap_packet *pkt;	1457	tap_packet *pkt;
…		…
1448	{	1513	{
1449	if (events)	1514	if (events)
1450	{	1515	{
1451	if (events & EVENT_SHUTDOWN)	1516	if (events & EVENT_SHUTDOWN)
1452	{	1517	{
		1518	slog (L_INFO, _("preparing shutdown..."));
		1519
1453	shutdown_all ();	1520	shutdown_all ();
1454		1521
1455	remove_pid (pidfilename);	1522	remove_pid (pidfilename);
1456		1523
1457	slog (L_INFO, _("vped terminating"));	1524	slog (L_INFO, _("terminating"));
1458		1525
1459	exit (0);	1526	exit (0);
1460	}	1527	}
1461		1528
1462	if (events & EVENT_RECONNECT)	1529	if (events & EVENT_RECONNECT)
		1530	{
		1531	slog (L_INFO, _("forced reconnect"));
		1532
1463	reconnect_all ();	1533	reconnect_all ();
		1534	}
1464		1535
1465	events = 0;	1536	events = 0;
1466	}	1537	}
1467		1538
1468	ts = TSTAMP_CANCEL;	1539	ts = TSTAMP_CANCEL;
1469	}	1540	}
1470		1541
1471	#include <sys/time.h>//D	1542	void
		1543	vpn::shutdown_all ()
		1544	{
		1545	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
		1546	(*c)->shutdown ();
		1547	}
		1548
		1549	void
		1550	vpn::reconnect_all ()
		1551	{
		1552	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
		1553	delete *c;
		1554
		1555	conns.clear ();
		1556
		1557	auth_rate_limiter.clear ();
		1558	reset_rate_limiter.clear ();
		1559
		1560	for (configuration::node_vector::iterator i = conf.nodes.begin ();
		1561	i != conf.nodes.end (); ++i)
		1562	{
		1563	connection *conn = new connection (this);
		1564
		1565	conn->conf = *i;
		1566	conns.push_back (conn);
		1567
		1568	conn->establish_connection ();
		1569	}
		1570	}
		1571
		1572	connection *vpn::find_router ()
		1573	{
		1574	u32 prio = 0;
		1575	connection *router = 0;
		1576
		1577	for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
		1578	{
		1579	connection *c = *i;
		1580
		1581	if (c->conf->routerprio > prio
		1582	&& c->connectmode == conf_node::C_ALWAYS
		1583	&& c->conf != THISNODE
		1584	&& c->ictx && c->octx)
		1585	{
		1586	prio = c->conf->routerprio;
		1587	router = c;
		1588	}
		1589	}
		1590
		1591	return router;
		1592	}
		1593
		1594	void vpn::connect_request (int id)
		1595	{
		1596	connection *c = find_router ();
		1597
		1598	if (c)
		1599	c->connect_request (id);
		1600	//else // does not work, because all others must connect to the same router
		1601	// // no router found, aggressively connect to all routers
		1602	// for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
		1603	// if ((*i)->conf->routerprio)
		1604	// (*i)->establish_connection ();
		1605	}
		1606
		1607	void
		1608	connection::dump_status ()
		1609	{
		1610	slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
		1611	slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
		1612	connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
		1613	slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
		1614	(long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
		1615	slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
		1616	(long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
		1617	}
		1618
		1619	void
		1620	vpn::dump_status ()
		1621	{
		1622	slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
		1623
		1624	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
		1625	(*c)->dump_status ();
		1626
		1627	slog (L_NOTICE, _("END status dump"));
		1628	}
		1629
1472	vpn::vpn (void)	1630	vpn::vpn (void)
1473	: udp_ev_watcher (this, &vpn::udp_ev)	1631	: udpv4_ev_watcher(this, &vpn::udpv4_ev)
		1632	, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1474	, vpn_ev_watcher (this, &vpn::vpn_ev)	1633	, tap_ev_watcher(this, &vpn::tap_ev)
1475	, event (this, &vpn::event_cb)	1634	, event(this, &vpn::event_cb)
1476	{	1635	{
1477	}	1636	}
1478		1637
1479	vpn::~vpn ()	1638	vpn::~vpn ()
1480	{	1639	{

Diff Legend

–	Removed lines
+	Added lines
<	Changed lines
>	Changed lines