ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/protocol.C
(Generate patch)

Comparing gvpe/src/protocol.C (file contents):
Revision 1.3 by pcg, Mon Mar 3 06:03:40 2003 UTC vs.
Revision 1.25 by pcg, Fri Mar 28 16:21:09 2003 UTC

16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17*/ 17*/
18 18
19#include "config.h" 19#include "config.h"
20 20
21#include <list>
22
21#include <cstdlib> 23#include <cstdlib>
22#include <cstring> 24#include <cstring>
23#include <cstdio> 25#include <cstdio>
24 26
25#include <sys/types.h> 27#include <sys/types.h>
56 58
57static time_t next_timecheck; 59static time_t next_timecheck;
58 60
59#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
60 62
61static const rsachallenge &
62challenge_bytes ()
63{
64 static rsachallenge challenge;
65 static time_t challenge_ttl; // time this challenge needs to be recreated
66
67 if (now > challenge_ttl)
68 {
69 RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));
70 challenge_ttl = now + CHALLENGE_TTL;
71 }
72
73 return challenge;
74}
75
76// run a script. yes, it's a template function. yes, c++
77// is not a functional language. yes, this suxx.
78template<class owner>
79static void
80run_script (owner *obj, const char *(owner::*setup)(), bool wait)
81{
82 int pid;
83
84 if ((pid = fork ()) == 0)
85 {
86 char *filename;
87 asprintf (&filename, "%s/%s", confbase, (obj->*setup) ());
88 execl (filename, filename, (char *) 0);
89 exit (255);
90 }
91 else if (pid > 0)
92 {
93 if (wait)
94 {
95 waitpid (pid, 0, 0);
96 /* TODO: check status */
97 }
98 }
99}
100
101// xor the socket address into the challenge to ensure different challenges
102// per host. we could rely on the OAEP padding, but this doesn't hurt.
103void
104xor_sa (rsachallenge &k, SOCKADDR *sa)
105{
106 ((u32 *) k)[(CHG_CIPHER_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
107 ((u16 *) k)[(CHG_CIPHER_KEY + 4) / 2] ^= sa->sin_port;
108 ((u32 *) k)[(CHG_HMAC_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
109 ((u16 *) k)[(CHG_HMAC_KEY + 4) / 2] ^= sa->sin_port;
110}
111
112struct crypto_ctx 63struct crypto_ctx
113 { 64 {
114 EVP_CIPHER_CTX cctx; 65 EVP_CIPHER_CTX cctx;
115 HMAC_CTX hctx; 66 HMAC_CTX hctx;
116 67
117 crypto_ctx (rsachallenge &challenge, int enc); 68 crypto_ctx (const rsachallenge &challenge, int enc);
118 ~crypto_ctx (); 69 ~crypto_ctx ();
119 }; 70 };
120 71
121crypto_ctx::crypto_ctx (rsachallenge &challenge, int enc) 72crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
122{ 73{
123 EVP_CIPHER_CTX_init (&cctx); 74 EVP_CIPHER_CTX_init (&cctx);
124 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); 75 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
125 HMAC_CTX_init (&hctx); 76 HMAC_CTX_init (&hctx);
126 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0); 77 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
130{ 81{
131 EVP_CIPHER_CTX_cleanup (&cctx); 82 EVP_CIPHER_CTX_cleanup (&cctx);
132 HMAC_CTX_cleanup (&hctx); 83 HMAC_CTX_cleanup (&hctx);
133} 84}
134 85
86static void
87rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
88{
89 EVP_MD_CTX ctx;
90
91 EVP_MD_CTX_init (&ctx);
92 EVP_DigestInit (&ctx, RSA_HASH);
93 EVP_DigestUpdate(&ctx, &chg, sizeof chg);
94 EVP_DigestUpdate(&ctx, &id, sizeof id);
95 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
96 EVP_MD_CTX_cleanup (&ctx);
97}
98
99struct rsa_entry {
100 tstamp expire;
101 rsaid id;
102 rsachallenge chg;
103};
104
105struct rsa_cache : list<rsa_entry>
106{
107 void cleaner_cb (tstamp &ts); time_watcher cleaner;
108
109 bool find (const rsaid &id, rsachallenge &chg)
110 {
111 for (iterator i = begin (); i != end (); ++i)
112 {
113 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
114 {
115 memcpy (&chg, &i->chg, sizeof chg);
116
117 erase (i);
118 return true;
119 }
120 }
121
122 if (cleaner.at < NOW)
123 cleaner.start (NOW + RSA_TTL);
124
125 return false;
126 }
127
128 void gen (rsaid &id, rsachallenge &chg)
129 {
130 rsa_entry e;
131
132 RAND_bytes ((unsigned char *)&id, sizeof id);
133 RAND_bytes ((unsigned char *)&chg, sizeof chg);
134
135 e.expire = NOW + RSA_TTL;
136 e.id = id;
137 memcpy (&e.chg, &chg, sizeof chg);
138
139 push_back (e);
140
141 if (cleaner.at < NOW)
142 cleaner.start (NOW + RSA_TTL);
143 }
144
145 rsa_cache ()
146 : cleaner (this, &rsa_cache::cleaner_cb)
147 { }
148
149} rsa_cache;
150
151void rsa_cache::cleaner_cb (tstamp &ts)
152{
153 if (empty ())
154 ts = TSTAMP_CANCEL;
155 else
156 {
157 ts = NOW + RSA_TTL;
158
159 for (iterator i = begin (); i != end (); )
160 if (i->expire <= NOW)
161 i = erase (i);
162 else
163 ++i;
164 }
165}
166
167typedef callback<const char *, int> run_script_cb;
168
169// run a shell script (or actually an external program).
170static void
171run_script (const run_script_cb &cb, bool wait)
172{
173 int pid;
174
175 if ((pid = fork ()) == 0)
176 {
177 char *filename;
178 asprintf (&filename, "%s/%s", confbase, cb(0));
179 execl (filename, filename, (char *) 0);
180 exit (255);
181 }
182 else if (pid > 0)
183 {
184 if (wait)
185 {
186 waitpid (pid, 0, 0);
187 /* TODO: check status */
188 }
189 }
190}
191
192//////////////////////////////////////////////////////////////////////////////
193
194void pkt_queue::put (tap_packet *p)
195{
196 if (queue[i])
197 {
198 delete queue[i];
199 j = (j + 1) % QUEUEDEPTH;
200 }
201
202 queue[i] = p;
203
204 i = (i + 1) % QUEUEDEPTH;
205}
206
207tap_packet *pkt_queue::get ()
208{
209 tap_packet *p = queue[j];
210
211 if (p)
212 {
213 queue[j] = 0;
214 j = (j + 1) % QUEUEDEPTH;
215 }
216
217 return p;
218}
219
220pkt_queue::pkt_queue ()
221{
222 memset (queue, 0, sizeof (queue));
223 i = 0;
224 j = 0;
225}
226
227pkt_queue::~pkt_queue ()
228{
229 for (i = QUEUEDEPTH; --i > 0; )
230 delete queue[i];
231}
232
233struct net_rateinfo {
234 u32 host;
235 double pcnt, diff;
236 tstamp last;
237};
238
239// only do action once every x seconds per host whole allowing bursts.
240// this implementation ("splay list" ;) is inefficient,
241// but low on resources.
242struct net_rate_limiter : list<net_rateinfo>
243{
244 static const double ALPHA = 1. - 1. / 90.; // allow bursts
245 static const double CUTOFF = 20.; // one event every CUTOFF seconds
246 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
247
248 bool can (const sockinfo &si) { return can((u32)si.host); }
249 bool can (u32 host);
250};
251
252net_rate_limiter auth_rate_limiter, reset_rate_limiter;
253
254bool net_rate_limiter::can (u32 host)
255{
256 iterator i;
257
258 for (i = begin (); i != end (); )
259 if (i->host == host)
260 break;
261 else if (i->last < NOW - EXPIRE)
262 i = erase (i);
263 else
264 i++;
265
266 if (i == end ())
267 {
268 net_rateinfo ri;
269
270 ri.host = host;
271 ri.pcnt = 1.;
272 ri.diff = CUTOFF * (1. / (1. - ALPHA));
273 ri.last = NOW;
274
275 push_front (ri);
276
277 return true;
278 }
279 else
280 {
281 net_rateinfo ri (*i);
282 erase (i);
283
284 ri.pcnt = ri.pcnt * ALPHA;
285 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
286
287 ri.last = NOW;
288
289 bool send = ri.diff / ri.pcnt > CUTOFF;
290
291 if (send)
292 ri.pcnt++;
293
294 push_front (ri);
295
296 return send;
297 }
298}
299
135///////////////////////////////////////////////////////////////////////////// 300/////////////////////////////////////////////////////////////////////////////
136 301
137static void next_wakeup (time_t next) 302static void next_wakeup (time_t next)
138{ 303{
139 if (next_timecheck > next) 304 if (next_timecheck > next)
141} 306}
142 307
143static unsigned char hmac_digest[EVP_MAX_MD_SIZE]; 308static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
144 309
145struct hmac_packet:net_packet 310struct hmac_packet:net_packet
311{
312 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
313
314 void hmac_set (crypto_ctx * ctx);
315 bool hmac_chk (crypto_ctx * ctx);
316
317private:
318 void hmac_gen (crypto_ctx * ctx)
146 { 319 {
147 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
148
149 void hmac_set (crypto_ctx * ctx);
150 bool hmac_chk (crypto_ctx * ctx);
151
152private:
153 void hmac_gen (crypto_ctx * ctx)
154 {
155 unsigned int xlen; 320 unsigned int xlen;
156 HMAC_CTX *hctx = &ctx->hctx; 321 HMAC_CTX *hctx = &ctx->hctx;
157 322
158 HMAC_Init_ex (hctx, 0, 0, 0, 0); 323 HMAC_Init_ex (hctx, 0, 0, 0, 0);
159 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), 324 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
160 len - sizeof (hmac_packet)); 325 len - sizeof (hmac_packet));
161 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen); 326 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
162 }
163 }; 327 }
328};
164 329
165void 330void
166hmac_packet::hmac_set (crypto_ctx * ctx) 331hmac_packet::hmac_set (crypto_ctx * ctx)
167{ 332{
168 hmac_gen (ctx); 333 hmac_gen (ctx);
184 { 349 {
185 PT_RESET = 0, 350 PT_RESET = 0,
186 PT_DATA_UNCOMPRESSED, 351 PT_DATA_UNCOMPRESSED,
187 PT_DATA_COMPRESSED, 352 PT_DATA_COMPRESSED,
188 PT_PING, PT_PONG, // wasting namespace space? ;) 353 PT_PING, PT_PONG, // wasting namespace space? ;)
189 PT_AUTH, // authentification 354 PT_AUTH_REQ, // authentification request
355 PT_AUTH_RES, // authentification response
190 PT_CONNECT_REQ, // want other host to contact me 356 PT_CONNECT_REQ, // want other host to contact me
191 PT_CONNECT_INFO, // request connection to some node 357 PT_CONNECT_INFO, // request connection to some node
192 PT_REKEY, // rekeying (not yet implemented)
193 PT_MAX 358 PT_MAX
194 }; 359 };
195 360
196 u8 type; 361 u8 type;
197 u8 srcdst, src1, dst1; 362 u8 srcdst, src1, dst1;
198 363
199 void set_hdr (ptype type, unsigned int dst); 364 void set_hdr (ptype type, unsigned int dst);
200 365
201 unsigned int src () 366 unsigned int src () const
202 { 367 {
203 return src1 | ((srcdst >> 4) << 8); 368 return src1 | ((srcdst >> 4) << 8);
204 } 369 }
370
205 unsigned int dst () 371 unsigned int dst () const
206 { 372 {
207 return dst1 | ((srcdst & 0xf) << 8); 373 return dst1 | ((srcdst & 0xf) << 8);
208 } 374 }
375
209 ptype typ () 376 ptype typ () const
210 { 377 {
211 return (ptype) type; 378 return (ptype) type;
212 } 379 }
213 }; 380 };
214 381
252 u32 cl; 419 u32 cl;
253 420
254 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 421 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
255 if (cl) 422 if (cl)
256 { 423 {
257 //printf ("compressed packet, %d => %d\n", l, cl);//D
258 type = PT_DATA_COMPRESSED; 424 type = PT_DATA_COMPRESSED;
259 d = cdata; 425 d = cdata;
260 l = cl + 2; 426 l = cl + 2;
261 427
262 d[0] = cl >> 8; 428 d[0] = cl >> 8;
264 } 430 }
265#endif 431#endif
266 432
267 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 433 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
268 434
435 struct {
269#if RAND_SIZE 436#if RAND_SIZE
270 struct {
271 u8 rnd[RAND_SIZE]; 437 u8 rnd[RAND_SIZE];
438#endif
272 u32 seqno; 439 u32 seqno;
273 } datahdr; 440 } datahdr;
274 441
275 datahdr.seqno = seqno; 442 datahdr.seqno = ntohl (seqno);
443#if RAND_SIZE
276 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 444 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
445#endif
277 446
278 EVP_EncryptUpdate (cctx, 447 EVP_EncryptUpdate (cctx,
279 (unsigned char *) data + outl, &outl2, 448 (unsigned char *) data + outl, &outl2,
280 (unsigned char *) &datahdr, DATAHDR); 449 (unsigned char *) &datahdr, DATAHDR);
281 outl += outl2; 450 outl += outl2;
282#else
283 EVP_EncryptUpdate (cctx,
284 (unsigned char *) data + outl, &outl2,
285 (unsigned char *) &seqno, DATAHDR);
286 outl += outl2;
287#endif
288 451
289 EVP_EncryptUpdate (cctx, 452 EVP_EncryptUpdate (cctx,
290 (unsigned char *) data + outl, &outl2, 453 (unsigned char *) data + outl, &outl2,
291 (unsigned char *) d, l); 454 (unsigned char *) d, l);
292 outl += outl2; 455 outl += outl2;
328 outl += outl2; 491 outl += outl2;
329 492
330 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 493 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
331 outl += outl2; 494 outl += outl2;
332 495
333 seqno = *(u32 *)(d + RAND_SIZE); 496 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
334 497
335 id2mac (dst () ? dst() : THISNODE->id, p->dst); 498 id2mac (dst () ? dst() : THISNODE->id, p->dst);
336 id2mac (src (), p->src); 499 id2mac (src (), p->src);
337 500
338#if ENABLE_COMPRESSION 501#if ENABLE_COMPRESSION
339 if (type == PT_DATA_COMPRESSED) 502 if (type == PT_DATA_COMPRESSED)
340 { 503 {
341 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1]; 504 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
505
342 p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6; 506 p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
343 //printf ("decompressxed %d(%d) => %d\n", cl, len - data_hdr_size (), p->len);//D 507 &(*p)[6 + 6], MAX_MTU)
508 + 6 + 6;
344 } 509 }
345 else 510 else
346 p->len = outl + (6 + 6 - DATAHDR); 511 p->len = outl + (6 + 6 - DATAHDR);
347#endif 512#endif
348 513
349 return p; 514 return p;
350} 515}
351 516
352struct ping_packet : vpn_packet 517struct ping_packet : vpn_packet
518{
519 void setup (int dst, ptype type)
353 { 520 {
354 void setup (int dst, ptype type)
355 {
356 set_hdr (type, dst); 521 set_hdr (type, dst);
357 len = sizeof (*this) - sizeof (net_packet); 522 len = sizeof (*this) - sizeof (net_packet);
358 }
359 }; 523 }
524};
360 525
361struct config_packet : vpn_packet 526struct config_packet : vpn_packet
527{
528 // actually, hmaclen cannot be checked because the hmac
529 // field comes before this data, so peers with other
530 // hmacs simply will not work.
531 u8 prot_major, prot_minor, randsize, hmaclen;
532 u8 flags, challengelen, pad2, pad3;
533 u32 cipher_nid, digest_nid, hmac_nid;
534
535 const u8 curflags () const
362 { 536 {
363 // actually, hmaclen cannot be checked because the hmac
364 // field comes before this data, so peers with other
365 // hmacs simply will not work.
366 u8 prot_major, prot_minor, randsize, hmaclen;
367 u8 flags, challengelen, pad2, pad3;
368 u32 cipher_nid;
369 u32 digest_nid;
370
371 const u8 curflags () const
372 {
373 return 0x80 537 return 0x80
374 | (ENABLE_COMPRESSION ? 0x01 : 0x00) 538 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
375 | (ENABLE_TRUST ? 0x02 : 0x00);
376 } 539 }
377 540
378 void setup (ptype type, int dst) 541 void setup (ptype type, int dst);
379 { 542 bool chk_config () const;
543};
544
545void config_packet::setup (ptype type, int dst)
546{
380 prot_major = PROTOCOL_MAJOR; 547 prot_major = PROTOCOL_MAJOR;
381 prot_minor = PROTOCOL_MINOR; 548 prot_minor = PROTOCOL_MINOR;
382 randsize = RAND_SIZE; 549 randsize = RAND_SIZE;
383 hmaclen = HMACLENGTH; 550 hmaclen = HMACLENGTH;
384 flags = curflags (); 551 flags = curflags ();
385 challengelen = sizeof (rsachallenge); 552 challengelen = sizeof (rsachallenge);
386 553
387 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 554 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
388 digest_nid = htonl (EVP_MD_type (DIGEST)); 555 digest_nid = htonl (EVP_MD_type (RSA_HASH));
556 hmac_nid = htonl (EVP_MD_type (DIGEST));
389 557
390 len = sizeof (*this) - sizeof (net_packet); 558 len = sizeof (*this) - sizeof (net_packet);
391 set_hdr (type, dst); 559 set_hdr (type, dst);
392 } 560}
393 561
394 bool chk_config () 562bool config_packet::chk_config () const
395 { 563{
396 return prot_major == PROTOCOL_MAJOR 564 return prot_major == PROTOCOL_MAJOR
397 && randsize == RAND_SIZE 565 && randsize == RAND_SIZE
398 && hmaclen == HMACLENGTH 566 && hmaclen == HMACLENGTH
399 && flags == curflags () 567 && flags == curflags ()
400 && challengelen == sizeof (rsachallenge) 568 && challengelen == sizeof (rsachallenge)
401 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 569 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
570 && digest_nid == htonl (EVP_MD_type (RSA_HASH))
402 && digest_nid == htonl (EVP_MD_type (DIGEST)); 571 && hmac_nid == htonl (EVP_MD_type (DIGEST));
403 } 572}
404 };
405 573
406struct auth_packet : config_packet 574struct auth_req_packet : config_packet
575{
576 char magic[8];
577 u8 initiate; // false if this is just an automatic reply
578 u8 protocols; // supported protocols (will get patches on forward)
579 u8 pad2, pad3;
580 rsaid id;
581 rsaencrdata encr;
582
583 auth_req_packet (int dst, bool initiate_, u8 protocols_)
407 { 584 {
408 char magic[8];
409 u8 subtype;
410 u8 pad1, pad2;
411 rsaencrdata challenge;
412
413 auth_packet (int dst, auth_subtype stype)
414 {
415 config_packet::setup (PT_AUTH, dst); 585 config_packet::setup (PT_AUTH_REQ, dst);
416 subtype = stype; 586 strncpy (magic, MAGIC, 8);
587 initiate = !!initiate_;
588 protocols = protocols_;
589
417 len = sizeof (*this) - sizeof (net_packet); 590 len = sizeof (*this) - sizeof (net_packet);
418 strncpy (magic, MAGIC, 8);
419 }
420 }; 591 }
592};
593
594struct auth_res_packet : config_packet
595{
596 rsaid id;
597 u8 pad1, pad2, pad3;
598 u8 response_len; // encrypted length
599 rsaresponse response;
600
601 auth_res_packet (int dst)
602 {
603 config_packet::setup (PT_AUTH_RES, dst);
604
605 len = sizeof (*this) - sizeof (net_packet);
606 }
607};
421 608
422struct connect_req_packet : vpn_packet 609struct connect_req_packet : vpn_packet
610{
611 u8 id, protocols;
612 u8 pad1, pad2;
613
614 connect_req_packet (int dst, int id_, u8 protocols_)
615 : id(id_)
616 , protocols(protocols_)
423 { 617 {
424 u8 id;
425 u8 pad1, pad2, pad3;
426
427 connect_req_packet (int dst, int id)
428 {
429 this->id = id;
430 set_hdr (PT_CONNECT_REQ, dst); 618 set_hdr (PT_CONNECT_REQ, dst);
431 len = sizeof (*this) - sizeof (net_packet); 619 len = sizeof (*this) - sizeof (net_packet);
432 }
433 }; 620 }
621};
434 622
435struct connect_info_packet : vpn_packet 623struct connect_info_packet : vpn_packet
624{
625 u8 id, protocols;
626 u8 pad1, pad2;
627 sockinfo si;
628
629 connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
630 : id(id_)
631 , protocols(protocols_)
632 , si(si_)
436 { 633 {
437 u8 id;
438 u8 pad1, pad2, pad3;
439 sockinfo si;
440
441 connect_info_packet (int dst, int id, sockinfo &si)
442 {
443 this->id = id;
444 this->si = si;
445 set_hdr (PT_CONNECT_INFO, dst); 634 set_hdr (PT_CONNECT_INFO, dst);
635
446 len = sizeof (*this) - sizeof (net_packet); 636 len = sizeof (*this) - sizeof (net_packet);
447 }
448 }; 637 }
638};
449 639
450///////////////////////////////////////////////////////////////////////////// 640/////////////////////////////////////////////////////////////////////////////
451 641
452void 642void
453fill_sa (SOCKADDR *sa, conf_node *conf) 643connection::reset_dstaddr ()
454{ 644{
455 sa->sin_family = AF_INET; 645 si.set (conf);
456 sa->sin_port = htons (conf->port); 646}
457 sa->sin_addr.s_addr = 0;
458 647
648void
649connection::send_ping (const sockinfo &si, u8 pong)
650{
651 ping_packet *pkt = new ping_packet;
652
653 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
654 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
655
656 delete pkt;
657}
658
659void
660connection::send_reset (const sockinfo &si)
661{
662 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
663 {
664 config_packet *pkt = new config_packet;
665
666 pkt->setup (vpn_packet::PT_RESET, conf->id);
667 send_vpn_packet (pkt, si, IPTOS_MINCOST);
668
669 delete pkt;
670 }
671}
672
673void
674connection::send_auth_request (const sockinfo &si, bool initiate)
675{
676 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
677
678 protocol = best_protocol (THISNODE->protocols & conf->protocols);
679
680 rsachallenge chg;
681
682 rsa_cache.gen (pkt->id, chg);
683
684 if (0 > RSA_public_encrypt (sizeof chg,
685 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
686 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
687 fatal ("RSA_public_encrypt error");
688
689 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
690
691 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
692
693 delete pkt;
694}
695
696void
697connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
698{
699 auth_res_packet *pkt = new auth_res_packet (conf->id);
700
701 pkt->id = id;
702
703 rsa_hash (id, chg, pkt->response);
704
705 pkt->hmac_set (octx);
706
707 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
708
709 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
710
711 delete pkt;
712}
713
714void
715connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
716{
717 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
718 conf->id, rid, (const char *)rsi);
719
720 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
721
722 r->hmac_set (octx);
723 send_vpn_packet (r, si);
724
725 delete r;
726}
727
728void
729connection::establish_connection_cb (tstamp &ts)
730{
731 if (ictx || conf == THISNODE
732 || connectmode == conf_node::C_NEVER
733 || connectmode == conf_node::C_DISABLED)
734 ts = TSTAMP_CANCEL;
735 else if (ts <= NOW)
736 {
737 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
738
739 if (retry_int < 3600 * 8)
740 retry_cnt++;
741
742 ts = NOW + retry_int;
743
459 if (conf->hostname) 744 if (conf->hostname)
460 { 745 {
461 struct hostent *he = gethostbyname (conf->hostname); 746 reset_dstaddr ();
462 747 if (si.host && auth_rate_limiter.can (si))
463 if (he
464 && he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
465 { 748 {
466 //sa->sin_family = he->h_addrtype; 749 if (retry_cnt < 4)
467 memcpy (&sa->sin_addr, he->h_addr_list[0], 4); 750 send_auth_request (si, true);
751 else
752 send_ping (si, 0);
753 }
468 } 754 }
469 else 755 else
470 slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
471 }
472}
473
474void
475connection::reset_dstaddr ()
476{
477 fill_sa (&sa, conf);
478}
479
480void
481connection::send_ping (SOCKADDR *dsa, u8 pong)
482{
483 ping_packet *pkt = new ping_packet;
484
485 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
486 vpn->send_vpn_packet (pkt, dsa);
487
488 delete pkt;
489}
490
491void
492connection::send_reset (SOCKADDR *dsa)
493{
494 static net_rate_limiter limiter(1);
495
496 if (limiter.can (dsa))
497 {
498 config_packet *pkt = new config_packet;
499
500 pkt->setup (vpn_packet::PT_RESET, conf->id);
501 vpn->send_vpn_packet (pkt, dsa);
502
503 delete pkt;
504 }
505}
506
507static rsachallenge *
508gen_challenge (SOCKADDR *sa)
509{
510 static rsachallenge k;
511
512 memcpy (&k, &challenge_bytes (), sizeof (k));
513 RAND_bytes ((unsigned char *)&k[CHG_SEQNO], sizeof (u32));
514 xor_sa (k, sa);
515
516 return &k;
517}
518
519void
520connection::send_auth (auth_subtype subtype, SOCKADDR *sa, rsachallenge *k)
521{
522 static net_rate_limiter limiter(2);
523
524 if (subtype != AUTH_INIT || limiter.can (sa))
525 {
526 auth_packet *pkt = new auth_packet (conf->id, subtype);
527
528 //printf ("send auth_packet subtype %d\n", subtype);//D
529
530 if (!k)
531 k = gen_challenge (sa);
532
533#if ENABLE_TRUST
534 if (0 > RSA_public_encrypt (sizeof (*k),
535 (unsigned char *)k, (unsigned char *)&pkt->challenge,
536 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
537 fatal ("RSA_public_encrypt error");
538#else
539# error untrusted mode not yet implemented: programemr does not know how to
540 rsaencrdata enc;
541
542 if (0 > RSA_private_encrypt (sizeof (*k),
543 (unsigned char *)k, (unsigned char *)&enc,
544 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
545 fatal ("RSA_private_encrypt error");
546
547 if (0 > RSA_public_encrypt (sizeof (enc),
548 (unsigned char *)enc, (unsigned char *)&pkt->challenge,
549 conf->rsa_key, RSA_NO_PADDING))
550 fatal ("RSA_public_encrypt error");
551#endif
552
553 slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa));
554
555 vpn->send_vpn_packet (pkt, sa);
556
557 delete pkt;
558 }
559}
560
561void
562connection::establish_connection ()
563{
564 if (!ictx && conf != THISNODE && conf->connectmode != conf_node::C_NEVER)
565 {
566 if (now >= next_retry)
567 {
568 int retry_int = retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2);
569
570 if (retry_cnt < (17 << 2) | 3)
571 retry_cnt++;
572
573 if (conf->connectmode == conf_node::C_ONDEMAND
574 && retry_int > ::conf.keepalive)
575 retry_int = ::conf.keepalive;
576
577 next_retry = now + retry_int;
578 next_wakeup (next_retry);
579
580 if (conf->hostname)
581 {
582 reset_dstaddr ();
583 if (sa.sin_addr.s_addr)
584 if (retry_cnt < 4)
585 send_auth (AUTH_INIT, &sa);
586 else
587 send_ping (&sa, 0);
588 }
589 else
590 vpn->connect_request (conf->id); 756 vpn->connect_request (conf->id);
591 }
592 } 757 }
593} 758}
594 759
595void 760void
596connection::reset_connection () 761connection::reset_connection ()
597{ 762{
598 if (ictx && octx) 763 if (ictx && octx)
599 { 764 {
600 slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename); 765 slog (L_INFO, _("%s(%s): connection lost"),
766 conf->nodename, (const char *)si);
601 767
602 if (::conf.script_node_down) 768 if (::conf.script_node_down)
603 run_script (this, &connection::script_node_down, false); 769 run_script (run_script_cb (this, &connection::script_node_down), false);
604 } 770 }
605 771
606 delete ictx; 772 delete ictx; ictx = 0;
607 ictx = 0; 773 delete octx; octx = 0;
608 774
609 delete octx; 775 si.host= 0;
610 octx = 0;
611 776
612 sa.sin_port = 0;
613 sa.sin_addr.s_addr = 0;
614
615 next_retry = 0;
616 next_rekey = 0;
617 last_activity = 0; 777 last_activity = 0;
778 retry_cnt = 0;
779
780 rekey.reset ();
781 keepalive.reset ();
782 establish_connection.reset ();
618} 783}
619 784
620void 785void
621connection::shutdown () 786connection::shutdown ()
622{ 787{
623 if (ictx && octx) 788 if (ictx && octx)
624 send_reset (&sa); 789 send_reset (si);
625 790
626 reset_connection (); 791 reset_connection ();
627} 792}
628 793
629void 794void
630connection::rekey () 795connection::rekey_cb (tstamp &ts)
631{ 796{
797 ts = TSTAMP_CANCEL;
798
632 reset_connection (); 799 reset_connection ();
633 establish_connection (); 800 establish_connection ();
634} 801}
635 802
636void 803void
637connection::send_data_packet (tap_packet * pkt, bool broadcast) 804connection::send_data_packet (tap_packet *pkt, bool broadcast)
638{ 805{
639 vpndata_packet *p = new vpndata_packet; 806 vpndata_packet *p = new vpndata_packet;
807 int tos = 0;
808
809 if (conf->inherit_tos
810 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
811 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
812 tos = (*pkt)[15] & IPTOS_TOS_MASK;
640 813
641 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 814 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
642 vpn->send_vpn_packet (p, &sa); 815 send_vpn_packet (p, si, tos);
643 816
644 delete p; 817 delete p;
645 818
646 if (oseqno > MAX_SEQNO) 819 if (oseqno > MAX_SEQNO)
647 rekey (); 820 rekey ();
660 establish_connection (); 833 establish_connection ();
661 } 834 }
662} 835}
663 836
664void 837void
665connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa) 838connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
666{ 839{
667 last_activity = now; 840 last_activity = NOW;
668 841
669 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 842 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
670 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 843 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
671 844
672 switch (pkt->typ ()) 845 switch (pkt->typ ())
673 { 846 {
674 case vpn_packet::PT_PING: 847 case vpn_packet::PT_PING:
848 // we send pings instead of auth packets after some retries,
849 // so reset the retry counter and establish a connection
850 // when we receive a ping.
851 if (!ictx)
852 {
853 if (auth_rate_limiter.can (rsi))
854 send_auth_request (rsi, true);
855 }
856 else
675 send_ping (ssa, 1); // pong 857 send_ping (rsi, 1); // pong
858
676 break; 859 break;
677 860
678 case vpn_packet::PT_PONG: 861 case vpn_packet::PT_PONG:
679 // we send pings instead of auth packets after some retries,
680 // so reset the retry counter and establish a conenction
681 // when we receive a pong.
682 if (!ictx && !octx)
683 {
684 retry_cnt = 0;
685 next_retry = 0;
686 establish_connection ();
687 }
688
689 break; 862 break;
690 863
691 case vpn_packet::PT_RESET: 864 case vpn_packet::PT_RESET:
692 { 865 {
693 reset_connection (); 866 reset_connection ();
694 867
695 config_packet *p = (config_packet *) pkt; 868 config_packet *p = (config_packet *) pkt;
869
696 if (p->chk_config ()) 870 if (!p->chk_config ())
871 {
872 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
873 conf->nodename, (const char *)rsi);
874 connectmode = conf_node::C_DISABLED;
875 }
697 if (conf->connectmode == conf_node::C_ALWAYS) 876 else if (connectmode == conf_node::C_ALWAYS)
698 establish_connection (); 877 establish_connection ();
699
700 //D slog the protocol mismatch?
701 } 878 }
702 break; 879 break;
703 880
704 case vpn_packet::PT_AUTH: 881 case vpn_packet::PT_AUTH_REQ:
882 if (auth_rate_limiter.can (rsi))
883 {
884 auth_req_packet *p = (auth_req_packet *) pkt;
885
886 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
887
888 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
889 {
890 if (p->prot_minor != PROTOCOL_MINOR)
891 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
892 conf->nodename, (const char *)rsi,
893 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
894
895 if (p->initiate)
896 send_auth_request (rsi, false);
897
898 rsachallenge k;
899
900 if (0 > RSA_private_decrypt (sizeof (p->encr),
901 (unsigned char *)&p->encr, (unsigned char *)&k,
902 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
903 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
904 conf->nodename, (const char *)rsi);
905 else
906 {
907 retry_cnt = 0;
908 establish_connection.set (NOW + 8); //? ;)
909 keepalive.reset ();
910 rekey.reset ();
911
912 delete ictx;
913 ictx = 0;
914
915 delete octx;
916
917 octx = new crypto_ctx (k, 1);
918 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
919
920 conf->protocols = p->protocols;
921 send_auth_response (rsi, p->id, k);
922
923 break;
924 }
925 }
926
927 send_reset (rsi);
928 }
929
930 break;
931
932 case vpn_packet::PT_AUTH_RES:
705 { 933 {
706 auth_packet *p = (auth_packet *) pkt; 934 auth_res_packet *p = (auth_res_packet *) pkt;
707 935
708 slog (L_TRACE, "<<%d PT_AUTH(%d)", conf->id, p->subtype); 936 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
709 937
710 if (p->chk_config () 938 if (p->chk_config ())
711 && !strncmp (p->magic, MAGIC, 8))
712 { 939 {
713 if (p->prot_minor != PROTOCOL_MINOR) 940 if (p->prot_minor != PROTOCOL_MINOR)
714 slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."), 941 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
942 conf->nodename, (const char *)rsi,
715 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 943 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
716 944
717 if (p->subtype == AUTH_INIT)
718 send_auth (AUTH_INITREPLY, ssa);
719
720 rsachallenge k; 945 rsachallenge chg;
721 946
722#if ENABLE_TRUST 947 if (!rsa_cache.find (p->id, chg))
723 if (0 > RSA_private_decrypt (sizeof (rsaencrdata), 948 slog (L_ERR, _("%s(%s): unrequested auth response"),
724 (unsigned char *)&p->challenge, (unsigned char *)&k, 949 conf->nodename, (const char *)rsi);
725 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
726 // continued below
727#else
728 rsaencrdata j;
729 950 else
730 if (0 > RSA_private_decrypt (sizeof (rsaencrdata),
731 (unsigned char *)&p->challenge, (unsigned char *)&j,
732 ::conf.rsa_key, RSA_NO_PADDING))
733 fatal ("RSA_private_decrypt error");
734
735 if (0 > RSA_public_decrypt (sizeof (k),
736 (unsigned char *)&j, (unsigned char *)&k,
737 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
738 // continued below
739#endif
740 { 951 {
741 slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"), 952 crypto_ctx *cctx = new crypto_ctx (chg, 0);
953
954 if (!p->hmac_chk (cctx))
955 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
956 "could be an attack, or just corruption or an synchronization error"),
742 conf->nodename, (const char *)sockinfo (ssa)); 957 conf->nodename, (const char *)rsi);
743 break; 958 else
744 }
745
746 retry_cnt = 0;
747 next_retry = now + 8;
748
749 switch (p->subtype)
750 {
751 case AUTH_INIT:
752 case AUTH_INITREPLY:
753 delete ictx;
754 ictx = 0;
755
756 delete octx;
757
758 octx = new crypto_ctx (k, 1);
759 oseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff;
760
761 send_auth (AUTH_REPLY, ssa, &k);
762 break;
763
764 case AUTH_REPLY:
765
766 if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32),
767 sizeof (rsachallenge) - sizeof (u32)))
768 { 959 {
769 delete ictx;
770
771 ictx = new crypto_ctx (k, 0);
772 iseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; // at least 2**31 sequence numbers are valid
773 ismask = 0xffffffff; // initially, all lower sequence numbers are invalid
774
775 sa = *ssa; 960 rsaresponse h;
776 961
777 next_rekey = now + ::conf.rekey; 962 rsa_hash (p->id, chg, h);
778 next_wakeup (next_rekey);
779 963
780 // send queued packets 964 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
781 while (tap_packet *p = queue.get ())
782 { 965 {
966 prot_minor = p->prot_minor;
967
968 delete ictx; ictx = cctx;
969
970 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
971
972 si = rsi;
973
974 rekey.set (NOW + ::conf.rekey);
975 keepalive.set (NOW + ::conf.keepalive);
976
977 // send queued packets
978 while (tap_packet *p = queue.get ())
979 {
783 send_data_packet (p); 980 send_data_packet (p);
784 delete p; 981 delete p;
982 }
983
984 connectmode = conf->connectmode;
985
986 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
987 conf->nodename, (const char *)rsi,
988 strprotocol (protocol),
989 p->prot_major, p->prot_minor);
990
991 if (::conf.script_node_up)
992 run_script (run_script_cb (this, &connection::script_node_up), false);
993
994 break;
785 } 995 }
786 996 else
787 slog (L_INFO, _("connection to %d (%s %s) established"), 997 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
788 conf->id, conf->nodename, (const char *)sockinfo (ssa)); 998 conf->nodename, (const char *)rsi);
789
790 if (::conf.script_node_up)
791 run_script (this, &connection::script_node_up, false);
792 } 999 }
1000
793 else 1001 delete cctx;
794 slog (L_ERR, _("sent and received challenge do not match with (%s %s))"),
795 conf->nodename, (const char *)sockinfo (ssa));
796
797 break;
798 default:
799 slog (L_ERR, _("authentification illegal subtype error (%s %s)"),
800 conf->nodename, (const char *)sockinfo (ssa));
801 break;
802 } 1002 }
803 } 1003 }
804 else
805 send_reset (ssa);
806
807 break;
808 } 1004 }
1005
1006 send_reset (rsi);
1007 break;
809 1008
810 case vpn_packet::PT_DATA_COMPRESSED: 1009 case vpn_packet::PT_DATA_COMPRESSED:
811#if !ENABLE_COMPRESSION 1010#if !ENABLE_COMPRESSION
812 send_reset (ssa); 1011 send_reset (rsi);
813 break; 1012 break;
814#endif 1013#endif
1014
815 case vpn_packet::PT_DATA_UNCOMPRESSED: 1015 case vpn_packet::PT_DATA_UNCOMPRESSED:
816 1016
817 if (ictx && octx) 1017 if (ictx && octx)
818 { 1018 {
819 vpndata_packet *p = (vpndata_packet *)pkt; 1019 vpndata_packet *p = (vpndata_packet *)pkt;
820 1020
821 if (*ssa == sa) 1021 if (rsi == si)
822 { 1022 {
823 if (!p->hmac_chk (ictx)) 1023 if (!p->hmac_chk (ictx))
824 slog (L_ERR, _("hmac authentication error, received invalid packet\n" 1024 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
825 "could be an attack, or just corruption or an synchronization error")); 1025 "could be an attack, or just corruption or an synchronization error"),
1026 conf->nodename, (const char *)rsi);
826 else 1027 else
827 { 1028 {
828 u32 seqno; 1029 u32 seqno;
829 tap_packet *d = p->unpack (this, seqno); 1030 tap_packet *d = p->unpack (this, seqno);
830 1031
831 if (seqno <= iseqno - 32) 1032 if (iseqno.recv_ok (seqno))
832 slog (L_ERR, _("received duplicate or outdated packet (received %08lx, expected %08lx)\n"
833 "possible replay attack, or just massive packet reordering"), seqno, iseqno + 1);//D
834 else if (seqno > iseqno + 32)
835 slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n"
836 "possible replay attack, or just massive packet loss"), seqno, iseqno + 1);//D
837 else
838 { 1033 {
839 if (seqno > iseqno)
840 {
841 ismask <<= seqno - iseqno;
842 iseqno = seqno;
843 }
844
845 u32 mask = 1 << (iseqno - seqno);
846
847 //printf ("received seqno %08lx, iseqno %08lx, mask %08lx is %08lx\n", seqno, iseqno, mask, ismask);
848 if (ismask & mask)
849 slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n"
850 "possible replay attack, or just packet duplication"), seqno, iseqno + 1);//D
851 else
852 {
853 ismask |= mask;
854
855 vpn->tap->send (d); 1034 vpn->tap->send (d);
856 1035
857 if (p->dst () == 0) // re-broadcast 1036 if (p->dst () == 0) // re-broadcast
858 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i) 1037 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
859 { 1038 {
860 connection *c = *i; 1039 connection *c = *i;
861 1040
862 if (c->conf != THISNODE && c->conf != conf) 1041 if (c->conf != THISNODE && c->conf != conf)
863 c->inject_data_packet (d); 1042 c->inject_data_packet (d);
864 }
865
866 delete d;
867
868 break;
869 } 1043 }
1044
1045 delete d;
1046
1047 break;
870 } 1048 }
871 } 1049 }
872 } 1050 }
873 else 1051 else
874 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D 1052 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
875 } 1053 }
876 1054
877 send_reset (ssa); 1055 send_reset (rsi);
878 break; 1056 break;
879 1057
880 case vpn_packet::PT_CONNECT_REQ: 1058 case vpn_packet::PT_CONNECT_REQ:
881 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) 1059 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
882 { 1060 {
883 connect_req_packet *p = (connect_req_packet *) pkt; 1061 connect_req_packet *p = (connect_req_packet *) pkt;
884 1062
885 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1063 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
886 1064 conf->protocols = p->protocols;
887 connection *c = vpn->conns[p->id - 1]; 1065 connection *c = vpn->conns[p->id - 1];
888 1066
889 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 1067 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
890 conf->id, p->id, c->ictx && c->octx); 1068 conf->id, p->id, c->ictx && c->octx);
891 1069
892 if (c->ictx && c->octx) 1070 if (c->ictx && c->octx)
893 { 1071 {
894 sockinfo si(sa); 1072 // send connect_info packets to both sides, in case one is
895 1073 // behind a nat firewall (or both ;)
896 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 1074 c->send_connect_info (conf->id, si, conf->protocols);
897 c->conf->id, p->id, (const char *)si); 1075 send_connect_info (c->conf->id, c->si, c->conf->protocols);
898
899 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si);
900
901 r->hmac_set (c->octx);
902 vpn->send_vpn_packet (r, &c->sa);
903
904 delete r;
905 } 1076 }
906 } 1077 }
907 1078
908 break; 1079 break;
909 1080
910 case vpn_packet::PT_CONNECT_INFO: 1081 case vpn_packet::PT_CONNECT_INFO:
911 if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx)) 1082 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
912 { 1083 {
913 connect_info_packet *p = (connect_info_packet *) pkt; 1084 connect_info_packet *p = (connect_info_packet *) pkt;
914 1085
915 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1086 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
916 1087 conf->protocols = p->protocols;
917 connection *c = vpn->conns[p->id - 1]; 1088 connection *c = vpn->conns[p->id - 1];
918 1089
919 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1090 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
920 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1091 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
921 1092
922 c->send_auth (AUTH_INIT, p->si.sa ()); 1093 c->send_auth_request (p->si, true);
923 } 1094 }
1095
924 break; 1096 break;
925 1097
926 default: 1098 default:
927 send_reset (ssa); 1099 send_reset (rsi);
928 break; 1100 break;
929 }
930}
931 1101
932void connection::timer ()
933{
934 if (conf != THISNODE)
935 { 1102 }
936 if (now >= next_retry && conf->connectmode == conf_node::C_ALWAYS) 1103}
1104
1105void connection::keepalive_cb (tstamp &ts)
1106{
1107 if (NOW >= last_activity + ::conf.keepalive + 30)
1108 {
1109 reset_connection ();
937 establish_connection (); 1110 establish_connection ();
938 1111 }
939 if (ictx && octx)
940 {
941 if (now >= next_rekey)
942 rekey ();
943 else if (now >= last_activity + ::conf.keepalive + 30)
944 {
945 reset_connection ();
946 establish_connection ();
947 }
948 else if (now >= last_activity + ::conf.keepalive) 1112 else if (NOW < last_activity + ::conf.keepalive)
1113 ts = last_activity + ::conf.keepalive;
949 if (conf->connectmode != conf_node::C_ONDEMAND 1114 else if (conf->connectmode != conf_node::C_ONDEMAND
950 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1115 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1116 {
951 send_ping (&sa); 1117 send_ping (si);
952 else 1118 ts = NOW + 5;
1119 }
1120 else
953 reset_connection (); 1121 reset_connection ();
954
955 }
956 }
957} 1122}
958 1123
959void connection::connect_request (int id) 1124void connection::connect_request (int id)
960{ 1125{
961 connect_req_packet *p = new connect_req_packet (conf->id, id); 1126 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
962 1127
963 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id); 1128 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
964 p->hmac_set (octx); 1129 p->hmac_set (octx);
965 vpn->send_vpn_packet (p, &sa); 1130 send_vpn_packet (p, si);
966 1131
967 delete p; 1132 delete p;
968} 1133}
969 1134
970void connection::script_node () 1135void connection::script_node ()
971{ 1136{
972 vpn->script_if_up (); 1137 vpn->script_if_up (0);
973 1138
974 char *env; 1139 char *env;
975 asprintf (&env, "DESTID=%d", conf->id); 1140 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
976 putenv (env);
977 asprintf (&env, "DESTNODE=%s", conf->nodename); 1141 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
978 putenv (env); 1142 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
979 asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
980 putenv (env);
981 asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port)); 1143 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
982 putenv (env);
983} 1144}
984 1145
985const char *connection::script_node_up () 1146const char *connection::script_node_up (int)
986{ 1147{
987 script_node (); 1148 script_node ();
988 1149
989 putenv ("STATE=up"); 1150 putenv ("STATE=up");
990 1151
991 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1152 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
992} 1153}
993 1154
994const char *connection::script_node_down () 1155const char *connection::script_node_down (int)
995{ 1156{
996 script_node (); 1157 script_node ();
997 1158
998 putenv ("STATE=down"); 1159 putenv ("STATE=down");
999 1160
1000 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1161 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1001} 1162}
1002 1163
1164// send a vpn packet out to other hosts
1165void
1166connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1167{
1168 if (protocol & PROT_IPv4)
1169 vpn->send_ipv4_packet (pkt, si, tos);
1170 else
1171 vpn->send_udpv4_packet (pkt, si, tos);
1172}
1173
1174connection::connection(struct vpn *vpn_)
1175: vpn(vpn_)
1176, rekey (this, &connection::rekey_cb)
1177, keepalive (this, &connection::keepalive_cb)
1178, establish_connection (this, &connection::establish_connection_cb)
1179{
1180 octx = ictx = 0;
1181 retry_cnt = 0;
1182
1183 connectmode = conf_node::C_ALWAYS; // initial setting
1184 reset_connection ();
1185}
1186
1187connection::~connection ()
1188{
1189 shutdown ();
1190}
1191
1003///////////////////////////////////////////////////////////////////////////// 1192/////////////////////////////////////////////////////////////////////////////
1004 1193
1005vpn::vpn (void)
1006{}
1007
1008const char *vpn::script_if_up () 1194const char *vpn::script_if_up (int)
1009{ 1195{
1010 // the tunnel device mtu should be the physical mtu - overhead 1196 // the tunnel device mtu should be the physical mtu - overhead
1011 // the tricky part is rounding to the cipher key blocksize 1197 // the tricky part is rounding to the cipher key blocksize
1012 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - UDP_OVERHEAD; 1198 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
1013 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion 1199 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
1014 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round 1200 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
1015 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again 1201 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
1016 1202
1017 char *env; 1203 char *env;
1032 1218
1033 return ::conf.script_if_up ? ::conf.script_if_up : "if-up"; 1219 return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1034} 1220}
1035 1221
1036int 1222int
1037vpn::setup (void) 1223vpn::setup ()
1038{ 1224{
1039 struct sockaddr_in sa; 1225 sockinfo si;
1040 1226
1227 si.set (THISNODE);
1228
1229 udpv4_fd = -1;
1230
1231 if (THISNODE->protocols & PROT_UDPv4)
1232 {
1041 socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP); 1233 udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1042 if (socket_fd < 0) 1234
1235 if (udpv4_fd < 0)
1043 return -1; 1236 return -1;
1044 1237
1045 fill_sa (&sa, THISNODE); 1238 if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1046 1239 {
1047 if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1048 {
1049 slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno)); 1240 slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1050 exit (1); 1241 exit (1);
1051 } 1242 }
1052 1243
1053#ifdef IP_MTU_DISCOVER 1244#ifdef IP_MTU_DISCOVER
1054 // this I really consider a linux bug. I am neither connected 1245 // this I really consider a linux bug. I am neither connected
1055 // nor do I fragment myself. Linux still sets DF and doesn't 1246 // nor do I fragment myself. Linux still sets DF and doesn't
1056 // fragment for me sometimes. 1247 // fragment for me sometimes.
1057 { 1248 {
1058 int oval = IP_PMTUDISC_DONT; 1249 int oval = IP_PMTUDISC_DONT;
1059 setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval); 1250 setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1060 } 1251 }
1061#endif 1252#endif
1062 { 1253
1254 // standard daemon practise...
1255 {
1063 int oval = 1; 1256 int oval = 1;
1064 setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval); 1257 setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1258 }
1259
1260 udpv4_ev_watcher.start (udpv4_fd, POLLIN);
1065 } 1261 }
1262
1263 ipv4_fd = -1;
1264 if (THISNODE->protocols & PROT_IPv4)
1265 {
1266 ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
1267
1268 if (ipv4_fd < 0)
1269 return -1;
1270
1271 if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
1272 {
1273 slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
1274 exit (1);
1275 }
1276
1277#ifdef IP_MTU_DISCOVER
1278 // this I really consider a linux bug. I am neither connected
1279 // nor do I fragment myself. Linux still sets DF and doesn't
1280 // fragment for me sometimes.
1281 {
1282 int oval = IP_PMTUDISC_DONT;
1283 setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1284 }
1285#endif
1286
1287 ipv4_ev_watcher.start (ipv4_fd, POLLIN);
1288 }
1066 1289
1067 tap = new tap_device (); 1290 tap = new tap_device ();
1068 if (!tap) //D this, of course, never catches 1291 if (!tap) //D this, of course, never catches
1069 { 1292 {
1070 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname); 1293 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1071 exit (1); 1294 exit (1);
1072 } 1295 }
1073 1296
1074 run_script (this, &vpn::script_if_up, true); 1297 run_script (run_script_cb (this, &vpn::script_if_up), true);
1298
1299 tap_ev_watcher.start (tap->fd, POLLIN);
1300
1301 reconnect_all ();
1075 1302
1076 return 0; 1303 return 0;
1077} 1304}
1078 1305
1079void 1306void
1080vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa) 1307vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1081{ 1308{
1082 sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); 1309 setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1310 sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1311}
1312
1313void
1314vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1315{
1316 setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1317 sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1318}
1319
1320void
1321vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1322{
1323 unsigned int src = pkt->src ();
1324 unsigned int dst = pkt->dst ();
1325
1326 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1327 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1328
1329 if (src == 0 || src > conns.size ()
1330 || dst > conns.size ()
1331 || pkt->typ () >= vpn_packet::PT_MAX)
1332 slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)"),
1333 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
1334 else
1335 {
1336 connection *c = conns[src - 1];
1337
1338 if (dst == 0 && !THISNODE->routerprio)
1339 slog (L_WARN, _("%s(%s): received broadcast, but we are no router"),
1340 c->conf->nodename, (const char *)rsi);
1341 else if (dst != 0 && dst != THISNODE->id)
1342 // FORWARDING NEEDED ;)
1343 slog (L_WARN,
1344 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1345 dst, conns[dst - 1]->conf->nodename,
1346 (const char *)rsi,
1347 THISNODE->id, THISNODE->nodename);
1348 else
1349 c->recv_vpn_packet (pkt, rsi);
1350 }
1351}
1352
1353void
1354vpn::udpv4_ev (short revents)
1355{
1356 if (revents & (POLLIN | POLLERR))
1357 {
1358 vpn_packet *pkt = new vpn_packet;
1359 struct sockaddr_in sa;
1360 socklen_t sa_len = sizeof (sa);
1361 int len;
1362
1363 len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1364
1365 sockinfo si(sa);
1366
1367 if (len > 0)
1368 {
1369 pkt->len = len;
1370
1371 recv_vpn_packet (pkt, si);
1372 }
1373 else
1374 {
1375 // probably ECONNRESET or somesuch
1376 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1377 }
1378
1379 delete pkt;
1380 }
1381 else if (revents & POLLHUP)
1382 {
1383 // this cannot ;) happen on udp sockets
1384 slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
1385 exit (1);
1386 }
1387 else
1388 {
1389 slog (L_ERR,
1390 _("FATAL: unknown revents %08x in socket, terminating\n"),
1391 revents);
1392 exit (1);
1393 }
1394}
1395
1396void
1397vpn::ipv4_ev (short revents)
1398{
1399 if (revents & (POLLIN | POLLERR))
1400 {
1401 vpn_packet *pkt = new vpn_packet;
1402 struct sockaddr_in sa;
1403 socklen_t sa_len = sizeof (sa);
1404 int len;
1405
1406 len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1407
1408 sockinfo si(sa, PROT_IPv4);
1409
1410 if (len > 0)
1411 {
1412 pkt->len = len;
1413
1414 // raw sockets deliver the ipv4, but don't expect it on sends
1415 // this is slow, but...
1416 pkt->skip_hdr (IP_OVERHEAD);
1417
1418 recv_vpn_packet (pkt, si);
1419 }
1420 else
1421 {
1422 // probably ECONNRESET or somesuch
1423 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1424 }
1425
1426 delete pkt;
1427 }
1428 else if (revents & POLLHUP)
1429 {
1430 // this cannot ;) happen on udp sockets
1431 slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
1432 exit (1);
1433 }
1434 else
1435 {
1436 slog (L_ERR,
1437 _("FATAL: unknown revents %08x in socket, terminating\n"),
1438 revents);
1439 exit (1);
1440 }
1441}
1442
1443void
1444vpn::tap_ev (short revents)
1445{
1446 if (revents & POLLIN)
1447 {
1448 /* process data */
1449 tap_packet *pkt;
1450
1451 pkt = tap->recv ();
1452
1453 int dst = mac2id (pkt->dst);
1454 int src = mac2id (pkt->src);
1455
1456 if (src != THISNODE->id)
1457 {
1458 slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1459 exit (1);
1460 }
1461
1462 if (dst == THISNODE->id)
1463 {
1464 slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1465 exit (1);
1466 }
1467
1468 if (dst > conns.size ())
1469 slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1470 else
1471 {
1472 if (dst)
1473 {
1474 // unicast
1475 if (dst != THISNODE->id)
1476 conns[dst - 1]->inject_data_packet (pkt);
1477 }
1478 else
1479 {
1480 // broadcast, first check router, then self, then english
1481 connection *router = find_router ();
1482
1483 if (router)
1484 router->inject_data_packet (pkt, true);
1485 else
1486 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1487 if ((*c)->conf != THISNODE)
1488 (*c)->inject_data_packet (pkt);
1489 }
1490 }
1491
1492 delete pkt;
1493 }
1494 else if (revents & (POLLHUP | POLLERR))
1495 {
1496 slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
1497 exit (1);
1498 }
1499 else
1500 abort ();
1501}
1502
1503void
1504vpn::event_cb (tstamp &ts)
1505{
1506 if (events)
1507 {
1508 if (events & EVENT_SHUTDOWN)
1509 {
1510 slog (L_INFO, _("preparing shutdown..."));
1511
1512 shutdown_all ();
1513
1514 remove_pid (pidfilename);
1515
1516 slog (L_INFO, _("terminating"));
1517
1518 exit (0);
1519 }
1520
1521 if (events & EVENT_RECONNECT)
1522 {
1523 slog (L_INFO, _("forced reconnect"));
1524
1525 reconnect_all ();
1526 }
1527
1528 events = 0;
1529 }
1530
1531 ts = TSTAMP_CANCEL;
1083} 1532}
1084 1533
1085void 1534void
1086vpn::shutdown_all () 1535vpn::shutdown_all ()
1087{ 1536{
1095 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 1544 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1096 delete *c; 1545 delete *c;
1097 1546
1098 conns.clear (); 1547 conns.clear ();
1099 1548
1549 auth_rate_limiter.clear ();
1550 reset_rate_limiter.clear ();
1551
1100 for (configuration::node_vector::iterator i = conf.nodes.begin (); 1552 for (configuration::node_vector::iterator i = conf.nodes.begin ();
1101 i != conf.nodes.end (); ++i) 1553 i != conf.nodes.end (); ++i)
1102 { 1554 {
1103 connection *conn = new connection (this); 1555 connection *conn = new connection (this);
1104 1556
1105 conn->conf = *i; 1557 conn->conf = *i;
1106 conns.push_back (conn); 1558 conns.push_back (conn);
1107 1559
1108 if (conn->conf->connectmode == conf_node::C_ALWAYS)
1109 conn->establish_connection (); 1560 conn->establish_connection ();
1110 } 1561 }
1111} 1562}
1112 1563
1113connection *vpn::find_router () 1564connection *vpn::find_router ()
1114{ 1565{
1118 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i) 1569 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1119 { 1570 {
1120 connection *c = *i; 1571 connection *c = *i;
1121 1572
1122 if (c->conf->routerprio > prio 1573 if (c->conf->routerprio > prio
1123 && c->conf->connectmode == conf_node::C_ALWAYS 1574 && c->connectmode == conf_node::C_ALWAYS
1124 && c->conf != THISNODE 1575 && c->conf != THISNODE
1125 && c->ictx && c->octx) 1576 && c->ictx && c->octx)
1126 { 1577 {
1127 prio = c->conf->routerprio; 1578 prio = c->conf->routerprio;
1128 router = c; 1579 router = c;
1144 // if ((*i)->conf->routerprio) 1595 // if ((*i)->conf->routerprio)
1145 // (*i)->establish_connection (); 1596 // (*i)->establish_connection ();
1146} 1597}
1147 1598
1148void 1599void
1149vpn::main_loop () 1600connection::dump_status ()
1150{ 1601{
1151 struct pollfd pollfd[2]; 1602 slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
1603 slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
1604 connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
1605 slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
1606 (long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
1607 slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
1608 (long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
1609}
1152 1610
1153 pollfd[0].fd = tap->fd; 1611void
1154 pollfd[0].events = POLLIN; 1612vpn::dump_status ()
1155 pollfd[1].fd = socket_fd; 1613{
1156 pollfd[1].events = POLLIN; 1614 slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
1157 1615
1158 events = 0;
1159 now = time (0);
1160 next_timecheck = now + 1;
1161
1162 reconnect_all ();
1163
1164 for (;;)
1165 {
1166 int npoll = poll (pollfd, 2, (next_timecheck - now) * 1000);
1167
1168 now = time (0);
1169
1170 if (npoll > 0)
1171 {
1172 if (pollfd[1].revents)
1173 {
1174 if (pollfd[1].revents & (POLLIN | POLLERR))
1175 {
1176 vpn_packet *pkt = new vpn_packet;
1177 struct sockaddr_in sa;
1178 socklen_t sa_len = sizeof (sa);
1179 int len;
1180
1181 len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1182
1183 if (len > 0)
1184 {
1185 pkt->len = len;
1186
1187 unsigned int src = pkt->src ();
1188 unsigned int dst = pkt->dst ();
1189
1190 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1191 (const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1192
1193 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1194 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1195 pkt->typ (), pkt->src (), pkt->dst ());
1196 else if (dst == 0 && !THISNODE->routerprio)
1197 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1198 else if (dst != 0 && dst != THISNODE->id)
1199 slog (L_WARN,
1200 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1201 dst, conns[dst - 1]->conf->nodename,
1202 (const char *)sockinfo (sa),
1203 THISNODE->id, THISNODE->nodename);
1204 else if (src == 0 || src > conns.size ())
1205 slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1206 else
1207 conns[src - 1]->recv_vpn_packet (pkt, &sa);
1208 }
1209 else
1210 {
1211 // probably ECONNRESET or somesuch
1212 slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno));
1213 }
1214
1215 delete pkt;
1216 }
1217 else if (pollfd[1].revents & POLLHUP)
1218 {
1219 // this cannot ;) happen on udp sockets
1220 slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating."));
1221 exit (1);
1222 }
1223 else
1224 {
1225 slog (L_ERR,
1226 _("FATAL: unknown revents %08x in socket, terminating\n"),
1227 pollfd[1].revents);
1228 exit (1);
1229 }
1230 }
1231
1232 // I use else here to give vpn_packets absolute priority
1233 else if (pollfd[0].revents)
1234 {
1235 if (pollfd[0].revents & POLLIN)
1236 {
1237 /* process data */
1238 tap_packet *pkt;
1239
1240 pkt = tap->recv ();
1241
1242 int dst = mac2id (pkt->dst);
1243 int src = mac2id (pkt->src);
1244
1245 if (src != THISNODE->id)
1246 {
1247 slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1248 exit (1);
1249 }
1250
1251 if (dst == THISNODE->id)
1252 {
1253 slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1254 exit (1);
1255 }
1256
1257 if (dst > conns.size ())
1258 slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1259 else
1260 {
1261 if (dst)
1262 {
1263 // unicast
1264 if (dst != THISNODE->id)
1265 conns[dst - 1]->inject_data_packet (pkt);
1266 }
1267 else
1268 {
1269 // broadcast, first check router, then self, then english
1270 connection *router = find_router ();
1271
1272 if (router)
1273 router->inject_data_packet (pkt, true);
1274 else
1275 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c) 1616 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1276 if ((*c)->conf != THISNODE) 1617 (*c)->dump_status ();
1277 (*c)->inject_data_packet (pkt);
1278 }
1279 }
1280 1618
1281 delete pkt; 1619 slog (L_NOTICE, _("END status dump"));
1282 } 1620}
1283 else if (pollfd[0].revents & (POLLHUP | POLLERR))
1284 {
1285 slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
1286 exit (1);
1287 }
1288 else
1289 abort ();
1290 }
1291 }
1292 1621
1293 if (events) 1622vpn::vpn (void)
1294 { 1623: udpv4_ev_watcher(this, &vpn::udpv4_ev)
1295 if (events & EVENT_SHUTDOWN) 1624, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1296 { 1625, tap_ev_watcher(this, &vpn::tap_ev)
1297 shutdown_all (); 1626, event(this, &vpn::event_cb)
1298 1627{
1299 remove_pid (pidfilename);
1300
1301 slog (L_INFO, _("vped terminating"));
1302
1303 exit (0);
1304 }
1305
1306 if (events & EVENT_RECONNECT)
1307 reconnect_all ();
1308
1309 events = 0;
1310 }
1311
1312 // very very very dumb and crude and inefficient timer handling, or maybe not?
1313 if (now >= next_timecheck)
1314 {
1315 next_timecheck = now + TIMER_GRANULARITY;
1316
1317 for (conns_vector::iterator c = conns.begin ();
1318 c != conns.end (); ++c)
1319 (*c)->timer ();
1320 }
1321 }
1322} 1628}
1323 1629
1324vpn::~vpn () 1630vpn::~vpn ()
1325{} 1631{
1632}
1326 1633

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines