ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/protocol.C
(Generate patch)

Comparing gvpe/src/protocol.C (file contents):
Revision 1.10 by pcg, Sat Mar 22 02:35:57 2003 UTC vs.
Revision 1.25 by pcg, Fri Mar 28 16:21:09 2003 UTC

58 58
59static time_t next_timecheck; 59static time_t next_timecheck;
60 60
61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
62 62
63static const rsachallenge &
64challenge_bytes ()
65{
66 static rsachallenge challenge;
67 static double challenge_ttl; // time this challenge needs to be recreated
68
69 if (NOW > challenge_ttl)
70 {
71 RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));
72 challenge_ttl = NOW + CHALLENGE_TTL;
73 }
74
75 return challenge;
76}
77
78// caching of rsa operations really helps slow computers
79struct rsa_entry {
80 tstamp expire;
81 rsachallenge chg;
82 RSA *key; // which key
83 rsaencrdata encr;
84
85 rsa_entry ()
86 {
87 expire = NOW + CHALLENGE_TTL;
88 }
89};
90
91struct rsa_cache : list<rsa_entry>
92{
93 void cleaner_cb (tstamp &ts); time_watcher cleaner;
94
95 const rsaencrdata *public_encrypt (RSA *key, const rsachallenge &chg)
96 {
97 for (iterator i = begin (); i != end (); ++i)
98 {
99 if (i->key == key && !memcmp (&chg, &i->chg, sizeof chg))
100 return &i->encr;
101 }
102
103 if (cleaner.at < NOW)
104 cleaner.start (NOW + CHALLENGE_TTL);
105
106 resize (size () + 1);
107 rsa_entry *e = &(*rbegin ());
108
109 e->key = key;
110 memcpy (&e->chg, &chg, sizeof chg);
111
112 if (0 > RSA_public_encrypt (sizeof chg,
113 (unsigned char *)&chg, (unsigned char *)&e->encr,
114 key, RSA_PKCS1_OAEP_PADDING))
115 fatal ("RSA_public_encrypt error");
116
117 return &e->encr;
118 }
119
120 const rsachallenge *private_decrypt (RSA *key, const rsaencrdata &encr)
121 {
122 for (iterator i = begin (); i != end (); ++i)
123 if (i->key == key && !memcmp (&encr, &i->encr, sizeof encr))
124 return &i->chg;
125
126 if (cleaner.at < NOW)
127 cleaner.start (NOW + CHALLENGE_TTL);
128
129 resize (size () + 1);
130 rsa_entry *e = &(*rbegin ());
131
132 e->key = key;
133 memcpy (&e->encr, &encr, sizeof encr);
134
135 if (0 > RSA_private_decrypt (sizeof encr,
136 (unsigned char *)&encr, (unsigned char *)&e->chg,
137 key, RSA_PKCS1_OAEP_PADDING))
138 {
139 pop_back ();
140 return 0;
141 }
142
143 return &e->chg;
144 }
145
146 rsa_cache ()
147 : cleaner (this, &rsa_cache::cleaner_cb)
148 { }
149
150} rsa_cache;
151
152void rsa_cache::cleaner_cb (tstamp &ts)
153{
154 if (empty ())
155 ts = TSTAMP_CANCEL;
156 else
157 {
158 ts = NOW + 3;
159 for (iterator i = begin (); i != end (); )
160 {
161 if (i->expire >= NOW)
162 i = erase (i);
163 else
164 ++i;
165 }
166 }
167}
168
169// run a script. yes, it's a template function. yes, c++
170// is not a functional language. yes, this suxx.
171template<class owner>
172static void
173run_script (owner *obj, const char *(owner::*setup)(), bool wait)
174{
175 int pid;
176
177 if ((pid = fork ()) == 0)
178 {
179 char *filename;
180 asprintf (&filename, "%s/%s", confbase, (obj->*setup) ());
181 execl (filename, filename, (char *) 0);
182 exit (255);
183 }
184 else if (pid > 0)
185 {
186 if (wait)
187 {
188 waitpid (pid, 0, 0);
189 /* TODO: check status */
190 }
191 }
192}
193
194// xor the socket address into the challenge to ensure different challenges
195// per host. we could rely on the OAEP padding, but this doesn't hurt.
196void
197xor_sa (rsachallenge &k, SOCKADDR *sa)
198{
199 ((u32 *) k)[(CHG_CIPHER_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
200 ((u16 *) k)[(CHG_CIPHER_KEY + 4) / 2] ^= sa->sin_port;
201 ((u32 *) k)[(CHG_HMAC_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
202 ((u16 *) k)[(CHG_HMAC_KEY + 4) / 2] ^= sa->sin_port;
203}
204
205struct crypto_ctx 63struct crypto_ctx
206 { 64 {
207 EVP_CIPHER_CTX cctx; 65 EVP_CIPHER_CTX cctx;
208 HMAC_CTX hctx; 66 HMAC_CTX hctx;
209 67
223{ 81{
224 EVP_CIPHER_CTX_cleanup (&cctx); 82 EVP_CIPHER_CTX_cleanup (&cctx);
225 HMAC_CTX_cleanup (&hctx); 83 HMAC_CTX_cleanup (&hctx);
226} 84}
227 85
86static void
87rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
88{
89 EVP_MD_CTX ctx;
90
91 EVP_MD_CTX_init (&ctx);
92 EVP_DigestInit (&ctx, RSA_HASH);
93 EVP_DigestUpdate(&ctx, &chg, sizeof chg);
94 EVP_DigestUpdate(&ctx, &id, sizeof id);
95 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
96 EVP_MD_CTX_cleanup (&ctx);
97}
98
99struct rsa_entry {
100 tstamp expire;
101 rsaid id;
102 rsachallenge chg;
103};
104
105struct rsa_cache : list<rsa_entry>
106{
107 void cleaner_cb (tstamp &ts); time_watcher cleaner;
108
109 bool find (const rsaid &id, rsachallenge &chg)
110 {
111 for (iterator i = begin (); i != end (); ++i)
112 {
113 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
114 {
115 memcpy (&chg, &i->chg, sizeof chg);
116
117 erase (i);
118 return true;
119 }
120 }
121
122 if (cleaner.at < NOW)
123 cleaner.start (NOW + RSA_TTL);
124
125 return false;
126 }
127
128 void gen (rsaid &id, rsachallenge &chg)
129 {
130 rsa_entry e;
131
132 RAND_bytes ((unsigned char *)&id, sizeof id);
133 RAND_bytes ((unsigned char *)&chg, sizeof chg);
134
135 e.expire = NOW + RSA_TTL;
136 e.id = id;
137 memcpy (&e.chg, &chg, sizeof chg);
138
139 push_back (e);
140
141 if (cleaner.at < NOW)
142 cleaner.start (NOW + RSA_TTL);
143 }
144
145 rsa_cache ()
146 : cleaner (this, &rsa_cache::cleaner_cb)
147 { }
148
149} rsa_cache;
150
151void rsa_cache::cleaner_cb (tstamp &ts)
152{
153 if (empty ())
154 ts = TSTAMP_CANCEL;
155 else
156 {
157 ts = NOW + RSA_TTL;
158
159 for (iterator i = begin (); i != end (); )
160 if (i->expire <= NOW)
161 i = erase (i);
162 else
163 ++i;
164 }
165}
166
167typedef callback<const char *, int> run_script_cb;
168
169// run a shell script (or actually an external program).
170static void
171run_script (const run_script_cb &cb, bool wait)
172{
173 int pid;
174
175 if ((pid = fork ()) == 0)
176 {
177 char *filename;
178 asprintf (&filename, "%s/%s", confbase, cb(0));
179 execl (filename, filename, (char *) 0);
180 exit (255);
181 }
182 else if (pid > 0)
183 {
184 if (wait)
185 {
186 waitpid (pid, 0, 0);
187 /* TODO: check status */
188 }
189 }
190}
191
228////////////////////////////////////////////////////////////////////////////// 192//////////////////////////////////////////////////////////////////////////////
229 193
230void pkt_queue::put (tap_packet *p) 194void pkt_queue::put (tap_packet *p)
231{ 195{
232 if (queue[i]) 196 if (queue[i])
264{ 228{
265 for (i = QUEUEDEPTH; --i > 0; ) 229 for (i = QUEUEDEPTH; --i > 0; )
266 delete queue[i]; 230 delete queue[i];
267} 231}
268 232
233struct net_rateinfo {
234 u32 host;
235 double pcnt, diff;
236 tstamp last;
237};
238
269// only do action once every x seconds per host. 239// only do action once every x seconds per host whole allowing bursts.
270// currently this is quite a slow implementation, 240// this implementation ("splay list" ;) is inefficient,
271// but suffices for normal operation. 241// but low on resources.
272struct u32_rate_limiter : private map<u32, tstamp> 242struct net_rate_limiter : list<net_rateinfo>
273 { 243{
274 tstamp every; 244 static const double ALPHA = 1. - 1. / 90.; // allow bursts
245 static const double CUTOFF = 20.; // one event every CUTOFF seconds
246 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
275 247
248 bool can (const sockinfo &si) { return can((u32)si.host); }
276 bool can (u32 host); 249 bool can (u32 host);
277
278 u32_rate_limiter (tstamp every = 1)
279 {
280 this->every = every;
281 }
282 }; 250};
283 251
284struct net_rate_limiter : u32_rate_limiter 252net_rate_limiter auth_rate_limiter, reset_rate_limiter;
285 {
286 bool can (SOCKADDR *sa) { return u32_rate_limiter::can((u32)sa->sin_addr.s_addr); }
287 bool can (sockinfo &si) { return u32_rate_limiter::can((u32)si.host); }
288 253
289 net_rate_limiter (tstamp every) : u32_rate_limiter (every) {}
290 };
291
292bool u32_rate_limiter::can (u32 host) 254bool net_rate_limiter::can (u32 host)
293{ 255{
294 iterator i; 256 iterator i;
295 257
296 for (i = begin (); i != end (); ) 258 for (i = begin (); i != end (); )
297 if (i->second <= NOW) 259 if (i->host == host)
298 { 260 break;
261 else if (i->last < NOW - EXPIRE)
299 erase (i); 262 i = erase (i);
300 i = begin ();
301 }
302 else 263 else
303 ++i; 264 i++;
304 265
305 i = find (host);
306
307 if (i != end ()) 266 if (i == end ())
308 return false; 267 {
268 net_rateinfo ri;
309 269
310 insert (value_type (host, NOW + every)); 270 ri.host = host;
271 ri.pcnt = 1.;
272 ri.diff = CUTOFF * (1. / (1. - ALPHA));
273 ri.last = NOW;
311 274
275 push_front (ri);
276
312 return true; 277 return true;
278 }
279 else
280 {
281 net_rateinfo ri (*i);
282 erase (i);
283
284 ri.pcnt = ri.pcnt * ALPHA;
285 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
286
287 ri.last = NOW;
288
289 bool send = ri.diff / ri.pcnt > CUTOFF;
290
291 if (send)
292 ri.pcnt++;
293
294 push_front (ri);
295
296 return send;
297 }
313} 298}
314 299
315///////////////////////////////////////////////////////////////////////////// 300/////////////////////////////////////////////////////////////////////////////
316 301
317static void next_wakeup (time_t next) 302static void next_wakeup (time_t next)
321} 306}
322 307
323static unsigned char hmac_digest[EVP_MAX_MD_SIZE]; 308static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
324 309
325struct hmac_packet:net_packet 310struct hmac_packet:net_packet
311{
312 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
313
314 void hmac_set (crypto_ctx * ctx);
315 bool hmac_chk (crypto_ctx * ctx);
316
317private:
318 void hmac_gen (crypto_ctx * ctx)
326 { 319 {
327 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
328
329 void hmac_set (crypto_ctx * ctx);
330 bool hmac_chk (crypto_ctx * ctx);
331
332private:
333 void hmac_gen (crypto_ctx * ctx)
334 {
335 unsigned int xlen; 320 unsigned int xlen;
336 HMAC_CTX *hctx = &ctx->hctx; 321 HMAC_CTX *hctx = &ctx->hctx;
337 322
338 HMAC_Init_ex (hctx, 0, 0, 0, 0); 323 HMAC_Init_ex (hctx, 0, 0, 0, 0);
339 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), 324 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
340 len - sizeof (hmac_packet)); 325 len - sizeof (hmac_packet));
341 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen); 326 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
342 }
343 }; 327 }
328};
344 329
345void 330void
346hmac_packet::hmac_set (crypto_ctx * ctx) 331hmac_packet::hmac_set (crypto_ctx * ctx)
347{ 332{
348 hmac_gen (ctx); 333 hmac_gen (ctx);
364 { 349 {
365 PT_RESET = 0, 350 PT_RESET = 0,
366 PT_DATA_UNCOMPRESSED, 351 PT_DATA_UNCOMPRESSED,
367 PT_DATA_COMPRESSED, 352 PT_DATA_COMPRESSED,
368 PT_PING, PT_PONG, // wasting namespace space? ;) 353 PT_PING, PT_PONG, // wasting namespace space? ;)
369 PT_AUTH, // authentification 354 PT_AUTH_REQ, // authentification request
355 PT_AUTH_RES, // authentification response
370 PT_CONNECT_REQ, // want other host to contact me 356 PT_CONNECT_REQ, // want other host to contact me
371 PT_CONNECT_INFO, // request connection to some node 357 PT_CONNECT_INFO, // request connection to some node
372 PT_REKEY, // rekeying (not yet implemented)
373 PT_MAX 358 PT_MAX
374 }; 359 };
375 360
376 u8 type; 361 u8 type;
377 u8 srcdst, src1, dst1; 362 u8 srcdst, src1, dst1;
378 363
379 void set_hdr (ptype type, unsigned int dst); 364 void set_hdr (ptype type, unsigned int dst);
380 365
381 unsigned int src () 366 unsigned int src () const
382 { 367 {
383 return src1 | ((srcdst >> 4) << 8); 368 return src1 | ((srcdst >> 4) << 8);
384 } 369 }
385 370
386 unsigned int dst () 371 unsigned int dst () const
387 { 372 {
388 return dst1 | ((srcdst & 0xf) << 8); 373 return dst1 | ((srcdst & 0xf) << 8);
389 } 374 }
390 375
391 ptype typ () 376 ptype typ () const
392 { 377 {
393 return (ptype) type; 378 return (ptype) type;
394 } 379 }
395 }; 380 };
396 381
445 } 430 }
446#endif 431#endif
447 432
448 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 433 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
449 434
435 struct {
450#if RAND_SIZE 436#if RAND_SIZE
451 struct {
452 u8 rnd[RAND_SIZE]; 437 u8 rnd[RAND_SIZE];
438#endif
453 u32 seqno; 439 u32 seqno;
454 } datahdr; 440 } datahdr;
455 441
456 datahdr.seqno = seqno; 442 datahdr.seqno = ntohl (seqno);
443#if RAND_SIZE
457 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 444 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
445#endif
458 446
459 EVP_EncryptUpdate (cctx, 447 EVP_EncryptUpdate (cctx,
460 (unsigned char *) data + outl, &outl2, 448 (unsigned char *) data + outl, &outl2,
461 (unsigned char *) &datahdr, DATAHDR); 449 (unsigned char *) &datahdr, DATAHDR);
462 outl += outl2; 450 outl += outl2;
463#else
464 EVP_EncryptUpdate (cctx,
465 (unsigned char *) data + outl, &outl2,
466 (unsigned char *) &seqno, DATAHDR);
467 outl += outl2;
468#endif
469 451
470 EVP_EncryptUpdate (cctx, 452 EVP_EncryptUpdate (cctx,
471 (unsigned char *) data + outl, &outl2, 453 (unsigned char *) data + outl, &outl2,
472 (unsigned char *) d, l); 454 (unsigned char *) d, l);
473 outl += outl2; 455 outl += outl2;
509 outl += outl2; 491 outl += outl2;
510 492
511 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 493 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
512 outl += outl2; 494 outl += outl2;
513 495
514 seqno = *(u32 *)(d + RAND_SIZE); 496 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
515 497
516 id2mac (dst () ? dst() : THISNODE->id, p->dst); 498 id2mac (dst () ? dst() : THISNODE->id, p->dst);
517 id2mac (src (), p->src); 499 id2mac (src (), p->src);
518 500
519#if ENABLE_COMPRESSION 501#if ENABLE_COMPRESSION
520 if (type == PT_DATA_COMPRESSED) 502 if (type == PT_DATA_COMPRESSED)
521 { 503 {
522 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1]; 504 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
505
523 p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6; 506 p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
507 &(*p)[6 + 6], MAX_MTU)
508 + 6 + 6;
524 } 509 }
525 else 510 else
526 p->len = outl + (6 + 6 - DATAHDR); 511 p->len = outl + (6 + 6 - DATAHDR);
527#endif 512#endif
528 513
529 return p; 514 return p;
530} 515}
531 516
532struct ping_packet : vpn_packet 517struct ping_packet : vpn_packet
518{
519 void setup (int dst, ptype type)
533 { 520 {
534 void setup (int dst, ptype type)
535 {
536 set_hdr (type, dst); 521 set_hdr (type, dst);
537 len = sizeof (*this) - sizeof (net_packet); 522 len = sizeof (*this) - sizeof (net_packet);
538 }
539 }; 523 }
524};
540 525
541struct config_packet : vpn_packet 526struct config_packet : vpn_packet
527{
528 // actually, hmaclen cannot be checked because the hmac
529 // field comes before this data, so peers with other
530 // hmacs simply will not work.
531 u8 prot_major, prot_minor, randsize, hmaclen;
532 u8 flags, challengelen, pad2, pad3;
533 u32 cipher_nid, digest_nid, hmac_nid;
534
535 const u8 curflags () const
542 { 536 {
543 // actually, hmaclen cannot be checked because the hmac
544 // field comes before this data, so peers with other
545 // hmacs simply will not work.
546 u8 prot_major, prot_minor, randsize, hmaclen;
547 u8 flags, challengelen, pad2, pad3;
548 u32 cipher_nid;
549 u32 digest_nid;
550
551 const u8 curflags () const
552 {
553 return 0x80 537 return 0x80
554 | 0x02
555#if PROTOCOL_MAJOR != 2
556#error hi
557#endif
558 | (ENABLE_COMPRESSION ? 0x01 : 0x00); 538 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
559 } 539 }
560 540
561 void setup (ptype type, int dst) 541 void setup (ptype type, int dst);
562 { 542 bool chk_config () const;
543};
544
545void config_packet::setup (ptype type, int dst)
546{
563 prot_major = PROTOCOL_MAJOR; 547 prot_major = PROTOCOL_MAJOR;
564 prot_minor = PROTOCOL_MINOR; 548 prot_minor = PROTOCOL_MINOR;
565 randsize = RAND_SIZE; 549 randsize = RAND_SIZE;
566 hmaclen = HMACLENGTH; 550 hmaclen = HMACLENGTH;
567 flags = curflags (); 551 flags = curflags ();
568 challengelen = sizeof (rsachallenge); 552 challengelen = sizeof (rsachallenge);
569 553
570 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 554 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
571 digest_nid = htonl (EVP_MD_type (DIGEST)); 555 digest_nid = htonl (EVP_MD_type (RSA_HASH));
556 hmac_nid = htonl (EVP_MD_type (DIGEST));
572 557
573 len = sizeof (*this) - sizeof (net_packet); 558 len = sizeof (*this) - sizeof (net_packet);
574 set_hdr (type, dst); 559 set_hdr (type, dst);
575 } 560}
576 561
577 bool chk_config () 562bool config_packet::chk_config () const
578 { 563{
579 return prot_major == PROTOCOL_MAJOR 564 return prot_major == PROTOCOL_MAJOR
580 && randsize == RAND_SIZE 565 && randsize == RAND_SIZE
581 && hmaclen == HMACLENGTH 566 && hmaclen == HMACLENGTH
582 && flags == curflags () 567 && flags == curflags ()
583 && challengelen == sizeof (rsachallenge) 568 && challengelen == sizeof (rsachallenge)
584 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 569 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
570 && digest_nid == htonl (EVP_MD_type (RSA_HASH))
585 && digest_nid == htonl (EVP_MD_type (DIGEST)); 571 && hmac_nid == htonl (EVP_MD_type (DIGEST));
586 } 572}
587 };
588 573
589struct auth_packet : config_packet 574struct auth_req_packet : config_packet
575{
576 char magic[8];
577 u8 initiate; // false if this is just an automatic reply
578 u8 protocols; // supported protocols (will get patches on forward)
579 u8 pad2, pad3;
580 rsaid id;
581 rsaencrdata encr;
582
583 auth_req_packet (int dst, bool initiate_, u8 protocols_)
590 { 584 {
591 char magic[8];
592 u8 subtype;
593 u8 pad1, pad2;
594 rsaencrdata challenge;
595
596 auth_packet (int dst, auth_subtype stype)
597 {
598 config_packet::setup (PT_AUTH, dst); 585 config_packet::setup (PT_AUTH_REQ, dst);
599 subtype = stype; 586 strncpy (magic, MAGIC, 8);
587 initiate = !!initiate_;
588 protocols = protocols_;
589
600 len = sizeof (*this) - sizeof (net_packet); 590 len = sizeof (*this) - sizeof (net_packet);
601 strncpy (magic, MAGIC, 8);
602 }
603 }; 591 }
592};
593
594struct auth_res_packet : config_packet
595{
596 rsaid id;
597 u8 pad1, pad2, pad3;
598 u8 response_len; // encrypted length
599 rsaresponse response;
600
601 auth_res_packet (int dst)
602 {
603 config_packet::setup (PT_AUTH_RES, dst);
604
605 len = sizeof (*this) - sizeof (net_packet);
606 }
607};
604 608
605struct connect_req_packet : vpn_packet 609struct connect_req_packet : vpn_packet
610{
611 u8 id, protocols;
612 u8 pad1, pad2;
613
614 connect_req_packet (int dst, int id_, u8 protocols_)
615 : id(id_)
616 , protocols(protocols_)
606 { 617 {
607 u8 id;
608 u8 pad1, pad2, pad3;
609
610 connect_req_packet (int dst, int id)
611 {
612 this->id = id;
613 set_hdr (PT_CONNECT_REQ, dst); 618 set_hdr (PT_CONNECT_REQ, dst);
614 len = sizeof (*this) - sizeof (net_packet); 619 len = sizeof (*this) - sizeof (net_packet);
615 }
616 }; 620 }
621};
617 622
618struct connect_info_packet : vpn_packet 623struct connect_info_packet : vpn_packet
624{
625 u8 id, protocols;
626 u8 pad1, pad2;
627 sockinfo si;
628
629 connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
630 : id(id_)
631 , protocols(protocols_)
632 , si(si_)
619 { 633 {
620 u8 id;
621 u8 pad1, pad2, pad3;
622 sockinfo si;
623
624 connect_info_packet (int dst, int id, sockinfo &si)
625 {
626 this->id = id;
627 this->si = si;
628 set_hdr (PT_CONNECT_INFO, dst); 634 set_hdr (PT_CONNECT_INFO, dst);
635
629 len = sizeof (*this) - sizeof (net_packet); 636 len = sizeof (*this) - sizeof (net_packet);
630 }
631 }; 637 }
638};
632 639
633///////////////////////////////////////////////////////////////////////////// 640/////////////////////////////////////////////////////////////////////////////
634 641
635void 642void
636fill_sa (SOCKADDR *sa, conf_node *conf)
637{
638 sa->sin_family = AF_INET;
639 sa->sin_port = htons (conf->port);
640 sa->sin_addr.s_addr = 0;
641
642 if (conf->hostname)
643 {
644 struct hostent *he = gethostbyname (conf->hostname);
645
646 if (he
647 && he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
648 {
649 //sa->sin_family = he->h_addrtype;
650 memcpy (&sa->sin_addr, he->h_addr_list[0], 4);
651 }
652 else
653 slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
654 }
655}
656
657void
658connection::reset_dstaddr () 643connection::reset_dstaddr ()
659{ 644{
660 fill_sa (&sa, conf); 645 si.set (conf);
661} 646}
662 647
663void 648void
664connection::send_ping (SOCKADDR *dsa, u8 pong) 649connection::send_ping (const sockinfo &si, u8 pong)
665{ 650{
666 ping_packet *pkt = new ping_packet; 651 ping_packet *pkt = new ping_packet;
667 652
668 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 653 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
669 vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY); 654 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
670 655
671 delete pkt; 656 delete pkt;
672} 657}
673 658
674void 659void
675connection::send_reset (SOCKADDR *dsa) 660connection::send_reset (const sockinfo &si)
676{ 661{
677 static net_rate_limiter limiter(1);
678
679 if (limiter.can (dsa) && connectmode != conf_node::C_DISABLED) 662 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
680 { 663 {
681 config_packet *pkt = new config_packet; 664 config_packet *pkt = new config_packet;
682 665
683 pkt->setup (vpn_packet::PT_RESET, conf->id); 666 pkt->setup (vpn_packet::PT_RESET, conf->id);
684 vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST); 667 send_vpn_packet (pkt, si, IPTOS_MINCOST);
685 668
686 delete pkt; 669 delete pkt;
687 } 670 }
688} 671}
689 672
690static rsachallenge *
691gen_challenge (u32 seqrand, SOCKADDR *sa)
692{
693 static rsachallenge k;
694
695 memcpy (&k, &challenge_bytes (), sizeof (k));
696 *(u32 *)&k[CHG_SEQNO] ^= seqrand;
697 xor_sa (k, sa);
698
699 return &k;
700}
701
702void 673void
703connection::send_auth (auth_subtype subtype, SOCKADDR *sa, const rsachallenge *k) 674connection::send_auth_request (const sockinfo &si, bool initiate)
704{ 675{
705 static net_rate_limiter limiter(0.2); 676 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
706 677
707 if (subtype != AUTH_INIT || limiter.can (sa)) 678 protocol = best_protocol (THISNODE->protocols & conf->protocols);
708 {
709 if (!k)
710 k = gen_challenge (seqrand, sa);
711 679
712 auth_packet *pkt = new auth_packet (conf->id, subtype); 680 rsachallenge chg;
713 681
714 memcpy (pkt->challenge, rsa_cache.public_encrypt (conf->rsa_key, *k), sizeof (rsaencrdata)); 682 rsa_cache.gen (pkt->id, chg);
715 683
684 if (0 > RSA_public_encrypt (sizeof chg,
685 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
686 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
687 fatal ("RSA_public_encrypt error");
688
716 slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa)); 689 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
717 690
718 vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); 691 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
719 692
720 delete pkt; 693 delete pkt;
721 } 694}
695
696void
697connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
698{
699 auth_res_packet *pkt = new auth_res_packet (conf->id);
700
701 pkt->id = id;
702
703 rsa_hash (id, chg, pkt->response);
704
705 pkt->hmac_set (octx);
706
707 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
708
709 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
710
711 delete pkt;
712}
713
714void
715connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
716{
717 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
718 conf->id, rid, (const char *)rsi);
719
720 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
721
722 r->hmac_set (octx);
723 send_vpn_packet (r, si);
724
725 delete r;
722} 726}
723 727
724void 728void
725connection::establish_connection_cb (tstamp &ts) 729connection::establish_connection_cb (tstamp &ts)
726{ 730{
727 if (ictx || conf == THISNODE || connectmode == conf_node::C_NEVER) 731 if (ictx || conf == THISNODE
732 || connectmode == conf_node::C_NEVER
733 || connectmode == conf_node::C_DISABLED)
728 ts = TSTAMP_CANCEL; 734 ts = TSTAMP_CANCEL;
729 else if (ts <= NOW) 735 else if (ts <= NOW)
730 { 736 {
731 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.25; 737 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
732 738
733 if (retry_int < 3600 * 8) 739 if (retry_int < 3600 * 8)
734 retry_cnt++; 740 retry_cnt++;
735 741
736 if (connectmode == conf_node::C_ONDEMAND
737 && retry_int > ::conf.keepalive)
738 retry_int = ::conf.keepalive;
739
740 ts = NOW + retry_int; 742 ts = NOW + retry_int;
741 743
742 if (conf->hostname) 744 if (conf->hostname)
743 { 745 {
744 reset_dstaddr (); 746 reset_dstaddr ();
745 if (sa.sin_addr.s_addr) 747 if (si.host && auth_rate_limiter.can (si))
748 {
746 if (retry_cnt < 4) 749 if (retry_cnt < 4)
747 send_auth (AUTH_INIT, &sa); 750 send_auth_request (si, true);
748 else 751 else
749 send_ping (&sa, 0); 752 send_ping (si, 0);
753 }
750 } 754 }
751 else 755 else
752 vpn->connect_request (conf->id); 756 vpn->connect_request (conf->id);
753 } 757 }
754} 758}
756void 760void
757connection::reset_connection () 761connection::reset_connection ()
758{ 762{
759 if (ictx && octx) 763 if (ictx && octx)
760 { 764 {
761 slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename); 765 slog (L_INFO, _("%s(%s): connection lost"),
766 conf->nodename, (const char *)si);
762 767
763 if (::conf.script_node_down) 768 if (::conf.script_node_down)
764 run_script (this, &connection::script_node_down, false); 769 run_script (run_script_cb (this, &connection::script_node_down), false);
765 } 770 }
766 771
767 delete ictx; ictx = 0; 772 delete ictx; ictx = 0;
768 delete octx; octx = 0; 773 delete octx; octx = 0;
769 774
770 RAND_bytes ((unsigned char *)&seqrand, sizeof (u32)); 775 si.host= 0;
771
772 sa.sin_port = 0;
773 sa.sin_addr.s_addr = 0;
774 776
775 last_activity = 0; 777 last_activity = 0;
778 retry_cnt = 0;
776 779
777 rekey.reset (); 780 rekey.reset ();
778 keepalive.reset (); 781 keepalive.reset ();
779 establish_connection.reset (); 782 establish_connection.reset ();
780} 783}
781 784
782void 785void
783connection::shutdown () 786connection::shutdown ()
784{ 787{
785 if (ictx && octx) 788 if (ictx && octx)
786 send_reset (&sa); 789 send_reset (si);
787 790
788 reset_connection (); 791 reset_connection ();
789} 792}
790 793
791void 794void
796 reset_connection (); 799 reset_connection ();
797 establish_connection (); 800 establish_connection ();
798} 801}
799 802
800void 803void
801connection::send_data_packet (tap_packet * pkt, bool broadcast) 804connection::send_data_packet (tap_packet *pkt, bool broadcast)
802{ 805{
803 vpndata_packet *p = new vpndata_packet; 806 vpndata_packet *p = new vpndata_packet;
804 int tos = 0; 807 int tos = 0;
805 808
806 if (conf->inherit_tos 809 if (conf->inherit_tos
807 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 810 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
808 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 811 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
809 tos = (*pkt)[15] & IPTOS_TOS_MASK; 812 tos = (*pkt)[15] & IPTOS_TOS_MASK;
810 813
811 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 814 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
812 vpn->send_vpn_packet (p, &sa, tos); 815 send_vpn_packet (p, si, tos);
813 816
814 delete p; 817 delete p;
815 818
816 if (oseqno > MAX_SEQNO) 819 if (oseqno > MAX_SEQNO)
817 rekey (); 820 rekey ();
830 establish_connection (); 833 establish_connection ();
831 } 834 }
832} 835}
833 836
834void 837void
835connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa) 838connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
836{ 839{
837 last_activity = NOW; 840 last_activity = NOW;
838 841
839 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 842 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
840 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 843 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
841 844
842 switch (pkt->typ ()) 845 switch (pkt->typ ())
843 { 846 {
844 case vpn_packet::PT_PING: 847 case vpn_packet::PT_PING:
848 // we send pings instead of auth packets after some retries,
849 // so reset the retry counter and establish a connection
850 // when we receive a ping.
851 if (!ictx)
852 {
853 if (auth_rate_limiter.can (rsi))
854 send_auth_request (rsi, true);
855 }
856 else
845 send_ping (ssa, 1); // pong 857 send_ping (rsi, 1); // pong
858
846 break; 859 break;
847 860
848 case vpn_packet::PT_PONG: 861 case vpn_packet::PT_PONG:
849 // we send pings instead of auth packets after some retries,
850 // so reset the retry counter and establish a conenction
851 // when we receive a pong.
852 if (!ictx && !octx)
853 {
854 retry_cnt = 0;
855 establish_connection.at = 0;
856 establish_connection ();
857 }
858
859 break; 862 break;
860 863
861 case vpn_packet::PT_RESET: 864 case vpn_packet::PT_RESET:
862 { 865 {
863 reset_connection (); 866 reset_connection ();
864 867
865 config_packet *p = (config_packet *) pkt; 868 config_packet *p = (config_packet *) pkt;
869
866 if (!p->chk_config ()) 870 if (!p->chk_config ())
867 { 871 {
868 slog (L_WARN, _("protocol mismatch, disabling node '%s'"), conf->nodename); 872 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
873 conf->nodename, (const char *)rsi);
869 connectmode = conf_node::C_DISABLED; 874 connectmode = conf_node::C_DISABLED;
870 } 875 }
871 else if (connectmode == conf_node::C_ALWAYS) 876 else if (connectmode == conf_node::C_ALWAYS)
872 establish_connection (); 877 establish_connection ();
873 } 878 }
874 break; 879 break;
875 880
876 case vpn_packet::PT_AUTH: 881 case vpn_packet::PT_AUTH_REQ:
882 if (auth_rate_limiter.can (rsi))
883 {
884 auth_req_packet *p = (auth_req_packet *) pkt;
885
886 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
887
888 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
889 {
890 if (p->prot_minor != PROTOCOL_MINOR)
891 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
892 conf->nodename, (const char *)rsi,
893 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
894
895 if (p->initiate)
896 send_auth_request (rsi, false);
897
898 rsachallenge k;
899
900 if (0 > RSA_private_decrypt (sizeof (p->encr),
901 (unsigned char *)&p->encr, (unsigned char *)&k,
902 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
903 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
904 conf->nodename, (const char *)rsi);
905 else
906 {
907 retry_cnt = 0;
908 establish_connection.set (NOW + 8); //? ;)
909 keepalive.reset ();
910 rekey.reset ();
911
912 delete ictx;
913 ictx = 0;
914
915 delete octx;
916
917 octx = new crypto_ctx (k, 1);
918 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
919
920 conf->protocols = p->protocols;
921 send_auth_response (rsi, p->id, k);
922
923 break;
924 }
925 }
926
927 send_reset (rsi);
928 }
929
930 break;
931
932 case vpn_packet::PT_AUTH_RES:
877 { 933 {
878 auth_packet *p = (auth_packet *) pkt; 934 auth_res_packet *p = (auth_res_packet *) pkt;
879 935
880 slog (L_TRACE, "<<%d PT_AUTH(%d)", conf->id, p->subtype); 936 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
881 937
882 if (p->chk_config () 938 if (p->chk_config ())
883 && !strncmp (p->magic, MAGIC, 8))
884 { 939 {
885 if (p->prot_minor != PROTOCOL_MINOR) 940 if (p->prot_minor != PROTOCOL_MINOR)
886 slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."), 941 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
942 conf->nodename, (const char *)rsi,
887 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 943 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
888 944
889 if (p->subtype == AUTH_INIT) 945 rsachallenge chg;
890 send_auth (AUTH_INITREPLY, ssa);
891 946
892 const rsachallenge *k = rsa_cache.private_decrypt (::conf.rsa_key, p->challenge); 947 if (!rsa_cache.find (p->id, chg))
893 948 slog (L_ERR, _("%s(%s): unrequested auth response"),
894 if (!k) 949 conf->nodename, (const char *)rsi);
950 else
895 { 951 {
896 slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"), 952 crypto_ctx *cctx = new crypto_ctx (chg, 0);
953
954 if (!p->hmac_chk (cctx))
955 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
956 "could be an attack, or just corruption or an synchronization error"),
897 conf->nodename, (const char *)sockinfo (ssa)); 957 conf->nodename, (const char *)rsi);
898 break; 958 else
899 }
900
901 retry_cnt = 0;
902 establish_connection.set (NOW + 8); //? ;)
903 keepalive.reset ();
904 rekey.reset ();
905
906 switch (p->subtype)
907 {
908 case AUTH_INIT:
909 case AUTH_INITREPLY:
910 delete ictx;
911 ictx = 0;
912
913 delete octx;
914
915 octx = new crypto_ctx (*k, 1);
916 oseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff;
917
918 send_auth (AUTH_REPLY, ssa, k);
919 break;
920
921 case AUTH_REPLY:
922
923 if (!memcmp ((u8 *)gen_challenge (seqrand, ssa), (u8 *)k, sizeof (rsachallenge)))
924 { 959 {
925 delete ictx;
926
927 ictx = new crypto_ctx (*k, 0);
928 iseqno.reset (*(u32 *)&k[CHG_SEQNO] & 0x7fffffff); // at least 2**31 sequence numbers are valid
929
930 sa = *ssa; 960 rsaresponse h;
931 961
932 rekey.set (NOW + ::conf.rekey); 962 rsa_hash (p->id, chg, h);
933 keepalive.set (NOW + ::conf.keepalive);
934 963
935 // send queued packets 964 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
936 while (tap_packet *p = queue.get ())
937 { 965 {
966 prot_minor = p->prot_minor;
967
968 delete ictx; ictx = cctx;
969
970 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
971
972 si = rsi;
973
974 rekey.set (NOW + ::conf.rekey);
975 keepalive.set (NOW + ::conf.keepalive);
976
977 // send queued packets
978 while (tap_packet *p = queue.get ())
979 {
938 send_data_packet (p); 980 send_data_packet (p);
939 delete p; 981 delete p;
982 }
983
984 connectmode = conf->connectmode;
985
986 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
987 conf->nodename, (const char *)rsi,
988 strprotocol (protocol),
989 p->prot_major, p->prot_minor);
990
991 if (::conf.script_node_up)
992 run_script (run_script_cb (this, &connection::script_node_up), false);
993
994 break;
940 } 995 }
941 996 else
942 connectmode = conf->connectmode; 997 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
943
944 slog (L_INFO, _("connection to %d (%s %s) established"),
945 conf->id, conf->nodename, (const char *)sockinfo (ssa)); 998 conf->nodename, (const char *)rsi);
946
947 if (::conf.script_node_up)
948 run_script (this, &connection::script_node_up, false);
949 } 999 }
1000
950 else 1001 delete cctx;
951 slog (L_ERR, _("sent and received challenge do not match with (%s %s))"),
952 conf->nodename, (const char *)sockinfo (ssa));
953
954 break;
955 default:
956 slog (L_ERR, _("authentification illegal subtype error (%s %s)"),
957 conf->nodename, (const char *)sockinfo (ssa));
958 break;
959 } 1002 }
960 } 1003 }
961 else
962 send_reset (ssa);
963
964 break;
965 } 1004 }
1005
1006 send_reset (rsi);
1007 break;
966 1008
967 case vpn_packet::PT_DATA_COMPRESSED: 1009 case vpn_packet::PT_DATA_COMPRESSED:
968#if !ENABLE_COMPRESSION 1010#if !ENABLE_COMPRESSION
969 send_reset (ssa); 1011 send_reset (rsi);
970 break; 1012 break;
971#endif 1013#endif
1014
972 case vpn_packet::PT_DATA_UNCOMPRESSED: 1015 case vpn_packet::PT_DATA_UNCOMPRESSED:
973 1016
974 if (ictx && octx) 1017 if (ictx && octx)
975 { 1018 {
976 vpndata_packet *p = (vpndata_packet *)pkt; 1019 vpndata_packet *p = (vpndata_packet *)pkt;
977 1020
978 if (*ssa == sa) 1021 if (rsi == si)
979 { 1022 {
980 if (!p->hmac_chk (ictx)) 1023 if (!p->hmac_chk (ictx))
981 slog (L_ERR, _("hmac authentication error, received invalid packet\n" 1024 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
982 "could be an attack, or just corruption or an synchronization error")); 1025 "could be an attack, or just corruption or an synchronization error"),
1026 conf->nodename, (const char *)rsi);
983 else 1027 else
984 { 1028 {
985 u32 seqno; 1029 u32 seqno;
986 tap_packet *d = p->unpack (this, seqno); 1030 tap_packet *d = p->unpack (this, seqno);
987 1031
1003 break; 1047 break;
1004 } 1048 }
1005 } 1049 }
1006 } 1050 }
1007 else 1051 else
1008 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D 1052 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
1009 } 1053 }
1010 1054
1011 send_reset (ssa); 1055 send_reset (rsi);
1012 break; 1056 break;
1013 1057
1014 case vpn_packet::PT_CONNECT_REQ: 1058 case vpn_packet::PT_CONNECT_REQ:
1015 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) 1059 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1016 { 1060 {
1017 connect_req_packet *p = (connect_req_packet *) pkt; 1061 connect_req_packet *p = (connect_req_packet *) pkt;
1018 1062
1019 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1063 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1020 1064 conf->protocols = p->protocols;
1021 connection *c = vpn->conns[p->id - 1]; 1065 connection *c = vpn->conns[p->id - 1];
1022 1066
1023 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 1067 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1024 conf->id, p->id, c->ictx && c->octx); 1068 conf->id, p->id, c->ictx && c->octx);
1025 1069
1026 if (c->ictx && c->octx) 1070 if (c->ictx && c->octx)
1027 { 1071 {
1028 // send connect_info packets to both sides, in case one is 1072 // send connect_info packets to both sides, in case one is
1029 // behind a nat firewall (or both ;) 1073 // behind a nat firewall (or both ;)
1030 { 1074 c->send_connect_info (conf->id, si, conf->protocols);
1031 sockinfo si(sa); 1075 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1032
1033 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1034 c->conf->id, conf->id, (const char *)si);
1035
1036 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si);
1037
1038 r->hmac_set (c->octx);
1039 vpn->send_vpn_packet (r, &c->sa);
1040
1041 delete r;
1042 }
1043
1044 {
1045 sockinfo si(c->sa);
1046
1047 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1048 conf->id, c->conf->id, (const char *)si);
1049
1050 connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si);
1051
1052 r->hmac_set (octx);
1053 vpn->send_vpn_packet (r, &sa);
1054
1055 delete r;
1056 }
1057 } 1076 }
1058 } 1077 }
1059 1078
1060 break; 1079 break;
1061 1080
1062 case vpn_packet::PT_CONNECT_INFO: 1081 case vpn_packet::PT_CONNECT_INFO:
1063 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) 1082 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1064 { 1083 {
1065 connect_info_packet *p = (connect_info_packet *) pkt; 1084 connect_info_packet *p = (connect_info_packet *) pkt;
1066 1085
1067 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1086 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1068 1087 conf->protocols = p->protocols;
1069 connection *c = vpn->conns[p->id - 1]; 1088 connection *c = vpn->conns[p->id - 1];
1070 1089
1071 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1090 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1072 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1091 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1073 1092
1074 c->send_auth (AUTH_INIT, p->si.sa ()); 1093 c->send_auth_request (p->si, true);
1075 } 1094 }
1095
1076 break; 1096 break;
1077 1097
1078 default: 1098 default:
1079 send_reset (ssa); 1099 send_reset (rsi);
1080 break; 1100 break;
1101
1081 } 1102 }
1082} 1103}
1083 1104
1084void connection::keepalive_cb (tstamp &ts) 1105void connection::keepalive_cb (tstamp &ts)
1085{ 1106{
1089 establish_connection (); 1110 establish_connection ();
1090 } 1111 }
1091 else if (NOW < last_activity + ::conf.keepalive) 1112 else if (NOW < last_activity + ::conf.keepalive)
1092 ts = last_activity + ::conf.keepalive; 1113 ts = last_activity + ::conf.keepalive;
1093 else if (conf->connectmode != conf_node::C_ONDEMAND 1114 else if (conf->connectmode != conf_node::C_ONDEMAND
1094 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1115 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1095 { 1116 {
1096 send_ping (&sa); 1117 send_ping (si);
1097 ts = NOW + 5; 1118 ts = NOW + 5;
1098 } 1119 }
1099 else 1120 else
1100 reset_connection (); 1121 reset_connection ();
1101
1102} 1122}
1103 1123
1104void connection::connect_request (int id) 1124void connection::connect_request (int id)
1105{ 1125{
1106 connect_req_packet *p = new connect_req_packet (conf->id, id); 1126 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1107 1127
1108 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id); 1128 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1109 p->hmac_set (octx); 1129 p->hmac_set (octx);
1110 vpn->send_vpn_packet (p, &sa); 1130 send_vpn_packet (p, si);
1111 1131
1112 delete p; 1132 delete p;
1113} 1133}
1114 1134
1115void connection::script_node () 1135void connection::script_node ()
1116{ 1136{
1117 vpn->script_if_up (); 1137 vpn->script_if_up (0);
1118 1138
1119 char *env; 1139 char *env;
1120 asprintf (&env, "DESTID=%d", conf->id); 1140 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1121 putenv (env);
1122 asprintf (&env, "DESTNODE=%s", conf->nodename); 1141 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1123 putenv (env); 1142 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1124 asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
1125 putenv (env);
1126 asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port)); 1143 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1127 putenv (env);
1128} 1144}
1129 1145
1130const char *connection::script_node_up () 1146const char *connection::script_node_up (int)
1131{ 1147{
1132 script_node (); 1148 script_node ();
1133 1149
1134 putenv ("STATE=up"); 1150 putenv ("STATE=up");
1135 1151
1136 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1152 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1137} 1153}
1138 1154
1139const char *connection::script_node_down () 1155const char *connection::script_node_down (int)
1140{ 1156{
1141 script_node (); 1157 script_node ();
1142 1158
1143 putenv ("STATE=down"); 1159 putenv ("STATE=down");
1144 1160
1145 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1161 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1162}
1163
1164// send a vpn packet out to other hosts
1165void
1166connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1167{
1168 if (protocol & PROT_IPv4)
1169 vpn->send_ipv4_packet (pkt, si, tos);
1170 else
1171 vpn->send_udpv4_packet (pkt, si, tos);
1146} 1172}
1147 1173
1148connection::connection(struct vpn *vpn_) 1174connection::connection(struct vpn *vpn_)
1149: vpn(vpn_) 1175: vpn(vpn_)
1150, rekey (this, &connection::rekey_cb) 1176, rekey (this, &connection::rekey_cb)
1163 shutdown (); 1189 shutdown ();
1164} 1190}
1165 1191
1166///////////////////////////////////////////////////////////////////////////// 1192/////////////////////////////////////////////////////////////////////////////
1167 1193
1168const char *vpn::script_if_up () 1194const char *vpn::script_if_up (int)
1169{ 1195{
1170 // the tunnel device mtu should be the physical mtu - overhead 1196 // the tunnel device mtu should be the physical mtu - overhead
1171 // the tricky part is rounding to the cipher key blocksize 1197 // the tricky part is rounding to the cipher key blocksize
1172 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - UDP_OVERHEAD; 1198 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
1173 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion 1199 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
1174 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round 1200 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
1175 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again 1201 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
1176 1202
1177 char *env; 1203 char *env;
1192 1218
1193 return ::conf.script_if_up ? ::conf.script_if_up : "if-up"; 1219 return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1194} 1220}
1195 1221
1196int 1222int
1197vpn::setup (void) 1223vpn::setup ()
1198{ 1224{
1199 struct sockaddr_in sa; 1225 sockinfo si;
1200 1226
1227 si.set (THISNODE);
1228
1229 udpv4_fd = -1;
1230
1231 if (THISNODE->protocols & PROT_UDPv4)
1232 {
1201 socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP); 1233 udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1202 if (socket_fd < 0) 1234
1235 if (udpv4_fd < 0)
1203 return -1; 1236 return -1;
1204 1237
1205 fill_sa (&sa, THISNODE); 1238 if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1206 1239 {
1207 if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1208 {
1209 slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno)); 1240 slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1210 exit (1); 1241 exit (1);
1211 } 1242 }
1212 1243
1213#ifdef IP_MTU_DISCOVER 1244#ifdef IP_MTU_DISCOVER
1214 // this I really consider a linux bug. I am neither connected 1245 // this I really consider a linux bug. I am neither connected
1215 // nor do I fragment myself. Linux still sets DF and doesn't 1246 // nor do I fragment myself. Linux still sets DF and doesn't
1216 // fragment for me sometimes. 1247 // fragment for me sometimes.
1217 { 1248 {
1218 int oval = IP_PMTUDISC_DONT; 1249 int oval = IP_PMTUDISC_DONT;
1219 setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval); 1250 setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1220 } 1251 }
1221#endif 1252#endif
1222 { 1253
1254 // standard daemon practise...
1255 {
1223 int oval = 1; 1256 int oval = 1;
1224 setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval); 1257 setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1225 } 1258 }
1226 1259
1227 udp_ev_watcher.start (socket_fd, POLLIN); 1260 udpv4_ev_watcher.start (udpv4_fd, POLLIN);
1261 }
1262
1263 ipv4_fd = -1;
1264 if (THISNODE->protocols & PROT_IPv4)
1265 {
1266 ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
1267
1268 if (ipv4_fd < 0)
1269 return -1;
1270
1271 if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
1272 {
1273 slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
1274 exit (1);
1275 }
1276
1277#ifdef IP_MTU_DISCOVER
1278 // this I really consider a linux bug. I am neither connected
1279 // nor do I fragment myself. Linux still sets DF and doesn't
1280 // fragment for me sometimes.
1281 {
1282 int oval = IP_PMTUDISC_DONT;
1283 setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1284 }
1285#endif
1286
1287 ipv4_ev_watcher.start (ipv4_fd, POLLIN);
1288 }
1228 1289
1229 tap = new tap_device (); 1290 tap = new tap_device ();
1230 if (!tap) //D this, of course, never catches 1291 if (!tap) //D this, of course, never catches
1231 { 1292 {
1232 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname); 1293 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1233 exit (1); 1294 exit (1);
1234 } 1295 }
1235 1296
1236 run_script (this, &vpn::script_if_up, true); 1297 run_script (run_script_cb (this, &vpn::script_if_up), true);
1237 1298
1238 vpn_ev_watcher.start (tap->fd, POLLIN); 1299 tap_ev_watcher.start (tap->fd, POLLIN);
1239 1300
1240 reconnect_all (); 1301 reconnect_all ();
1241 1302
1242 return 0; 1303 return 0;
1243} 1304}
1244 1305
1245void 1306void
1246vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos) 1307vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1247{ 1308{
1248 setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos); 1309 setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1249 sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); 1310 sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1250} 1311}
1251 1312
1252void 1313void
1253vpn::shutdown_all () 1314vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1254{ 1315{
1255 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 1316 setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1256 (*c)->shutdown (); 1317 sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1257} 1318}
1258 1319
1259void 1320void
1260vpn::reconnect_all () 1321vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1261{ 1322{
1262 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 1323 unsigned int src = pkt->src ();
1263 delete *c; 1324 unsigned int dst = pkt->dst ();
1264 1325
1265 conns.clear (); 1326 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1327 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1266 1328
1267 for (configuration::node_vector::iterator i = conf.nodes.begin (); 1329 if (src == 0 || src > conns.size ()
1268 i != conf.nodes.end (); ++i) 1330 || dst > conns.size ()
1269 { 1331 || pkt->typ () >= vpn_packet::PT_MAX)
1270 connection *conn = new connection (this); 1332 slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)"),
1271 1333 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
1272 conn->conf = *i; 1334 else
1273 conns.push_back (conn);
1274
1275 conn->establish_connection ();
1276 } 1335 {
1277} 1336 connection *c = conns[src - 1];
1278 1337
1279connection *vpn::find_router () 1338 if (dst == 0 && !THISNODE->routerprio)
1280{ 1339 slog (L_WARN, _("%s(%s): received broadcast, but we are no router"),
1281 u32 prio = 0; 1340 c->conf->nodename, (const char *)rsi);
1282 connection *router = 0; 1341 else if (dst != 0 && dst != THISNODE->id)
1283 1342 // FORWARDING NEEDED ;)
1284 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i) 1343 slog (L_WARN,
1344 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1345 dst, conns[dst - 1]->conf->nodename,
1346 (const char *)rsi,
1347 THISNODE->id, THISNODE->nodename);
1348 else
1349 c->recv_vpn_packet (pkt, rsi);
1285 { 1350 }
1286 connection *c = *i;
1287
1288 if (c->conf->routerprio > prio
1289 && c->connectmode == conf_node::C_ALWAYS
1290 && c->conf != THISNODE
1291 && c->ictx && c->octx)
1292 {
1293 prio = c->conf->routerprio;
1294 router = c;
1295 }
1296 }
1297
1298 return router;
1299} 1351}
1300 1352
1301void vpn::connect_request (int id)
1302{
1303 connection *c = find_router ();
1304
1305 if (c)
1306 c->connect_request (id);
1307 //else // does not work, because all others must connect to the same router
1308 // // no router found, aggressively connect to all routers
1309 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1310 // if ((*i)->conf->routerprio)
1311 // (*i)->establish_connection ();
1312}
1313
1314void 1353void
1315vpn::udp_ev (short revents) 1354vpn::udpv4_ev (short revents)
1316{ 1355{
1317 if (revents & (POLLIN | POLLERR)) 1356 if (revents & (POLLIN | POLLERR))
1318 { 1357 {
1319 vpn_packet *pkt = new vpn_packet; 1358 vpn_packet *pkt = new vpn_packet;
1320 struct sockaddr_in sa; 1359 struct sockaddr_in sa;
1321 socklen_t sa_len = sizeof (sa); 1360 socklen_t sa_len = sizeof (sa);
1322 int len; 1361 int len;
1323 1362
1324 len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len); 1363 len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1364
1365 sockinfo si(sa);
1325 1366
1326 if (len > 0) 1367 if (len > 0)
1327 { 1368 {
1328 pkt->len = len; 1369 pkt->len = len;
1329 1370
1330 unsigned int src = pkt->src ();
1331 unsigned int dst = pkt->dst ();
1332
1333 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1334 (const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1335
1336 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1337 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1338 pkt->typ (), pkt->src (), pkt->dst ());
1339 else if (dst == 0 && !THISNODE->routerprio)
1340 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1341 else if (dst != 0 && dst != THISNODE->id)
1342 slog (L_WARN,
1343 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1344 dst, conns[dst - 1]->conf->nodename,
1345 (const char *)sockinfo (sa),
1346 THISNODE->id, THISNODE->nodename);
1347 else if (src == 0 || src > conns.size ())
1348 slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1349 else
1350 conns[src - 1]->recv_vpn_packet (pkt, &sa); 1371 recv_vpn_packet (pkt, si);
1351 } 1372 }
1352 else 1373 else
1353 { 1374 {
1354 // probably ECONNRESET or somesuch 1375 // probably ECONNRESET or somesuch
1355 slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno)); 1376 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1356 } 1377 }
1357 1378
1358 delete pkt; 1379 delete pkt;
1359 } 1380 }
1360 else if (revents & POLLHUP) 1381 else if (revents & POLLHUP)
1361 { 1382 {
1362 // this cannot ;) happen on udp sockets 1383 // this cannot ;) happen on udp sockets
1363 slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating.")); 1384 slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
1364 exit (1); 1385 exit (1);
1365 } 1386 }
1366 else 1387 else
1367 { 1388 {
1368 slog (L_ERR, 1389 slog (L_ERR,
1371 exit (1); 1392 exit (1);
1372 } 1393 }
1373} 1394}
1374 1395
1375void 1396void
1397vpn::ipv4_ev (short revents)
1398{
1399 if (revents & (POLLIN | POLLERR))
1400 {
1401 vpn_packet *pkt = new vpn_packet;
1402 struct sockaddr_in sa;
1403 socklen_t sa_len = sizeof (sa);
1404 int len;
1405
1406 len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1407
1408 sockinfo si(sa, PROT_IPv4);
1409
1410 if (len > 0)
1411 {
1412 pkt->len = len;
1413
1414 // raw sockets deliver the ipv4, but don't expect it on sends
1415 // this is slow, but...
1416 pkt->skip_hdr (IP_OVERHEAD);
1417
1418 recv_vpn_packet (pkt, si);
1419 }
1420 else
1421 {
1422 // probably ECONNRESET or somesuch
1423 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1424 }
1425
1426 delete pkt;
1427 }
1428 else if (revents & POLLHUP)
1429 {
1430 // this cannot ;) happen on udp sockets
1431 slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
1432 exit (1);
1433 }
1434 else
1435 {
1436 slog (L_ERR,
1437 _("FATAL: unknown revents %08x in socket, terminating\n"),
1438 revents);
1439 exit (1);
1440 }
1441}
1442
1443void
1376vpn::vpn_ev (short revents) 1444vpn::tap_ev (short revents)
1377{ 1445{
1378 if (revents & POLLIN) 1446 if (revents & POLLIN)
1379 { 1447 {
1380 /* process data */ 1448 /* process data */
1381 tap_packet *pkt; 1449 tap_packet *pkt;
1437{ 1505{
1438 if (events) 1506 if (events)
1439 { 1507 {
1440 if (events & EVENT_SHUTDOWN) 1508 if (events & EVENT_SHUTDOWN)
1441 { 1509 {
1510 slog (L_INFO, _("preparing shutdown..."));
1511
1442 shutdown_all (); 1512 shutdown_all ();
1443 1513
1444 remove_pid (pidfilename); 1514 remove_pid (pidfilename);
1445 1515
1446 slog (L_INFO, _("vped terminating")); 1516 slog (L_INFO, _("terminating"));
1447 1517
1448 exit (0); 1518 exit (0);
1449 } 1519 }
1450 1520
1451 if (events & EVENT_RECONNECT) 1521 if (events & EVENT_RECONNECT)
1522 {
1523 slog (L_INFO, _("forced reconnect"));
1524
1452 reconnect_all (); 1525 reconnect_all ();
1526 }
1453 1527
1454 events = 0; 1528 events = 0;
1455 } 1529 }
1456 1530
1457 ts = TSTAMP_CANCEL; 1531 ts = TSTAMP_CANCEL;
1458} 1532}
1459 1533
1534void
1535vpn::shutdown_all ()
1536{
1537 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1538 (*c)->shutdown ();
1539}
1540
1541void
1542vpn::reconnect_all ()
1543{
1544 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1545 delete *c;
1546
1547 conns.clear ();
1548
1549 auth_rate_limiter.clear ();
1550 reset_rate_limiter.clear ();
1551
1552 for (configuration::node_vector::iterator i = conf.nodes.begin ();
1553 i != conf.nodes.end (); ++i)
1554 {
1555 connection *conn = new connection (this);
1556
1557 conn->conf = *i;
1558 conns.push_back (conn);
1559
1560 conn->establish_connection ();
1561 }
1562}
1563
1564connection *vpn::find_router ()
1565{
1566 u32 prio = 0;
1567 connection *router = 0;
1568
1569 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1570 {
1571 connection *c = *i;
1572
1573 if (c->conf->routerprio > prio
1574 && c->connectmode == conf_node::C_ALWAYS
1575 && c->conf != THISNODE
1576 && c->ictx && c->octx)
1577 {
1578 prio = c->conf->routerprio;
1579 router = c;
1580 }
1581 }
1582
1583 return router;
1584}
1585
1586void vpn::connect_request (int id)
1587{
1588 connection *c = find_router ();
1589
1590 if (c)
1591 c->connect_request (id);
1592 //else // does not work, because all others must connect to the same router
1593 // // no router found, aggressively connect to all routers
1594 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1595 // if ((*i)->conf->routerprio)
1596 // (*i)->establish_connection ();
1597}
1598
1599void
1600connection::dump_status ()
1601{
1602 slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
1603 slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
1604 connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
1605 slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
1606 (long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
1607 slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
1608 (long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
1609}
1610
1611void
1612vpn::dump_status ()
1613{
1614 slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
1615
1616 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1617 (*c)->dump_status ();
1618
1619 slog (L_NOTICE, _("END status dump"));
1620}
1621
1460vpn::vpn (void) 1622vpn::vpn (void)
1461: udp_ev_watcher (this, &vpn::udp_ev) 1623: udpv4_ev_watcher(this, &vpn::udpv4_ev)
1624, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1462, vpn_ev_watcher (this, &vpn::vpn_ev) 1625, tap_ev_watcher(this, &vpn::tap_ev)
1463, event (this, &vpn::event_cb) 1626, event(this, &vpn::event_cb)
1464{ 1627{
1465} 1628}
1466 1629
1467vpn::~vpn () 1630vpn::~vpn ()
1468{ 1631{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines