ViewVC Help

View File | Revision Log | Show Annotations | Download File

/cvs/gvpe/src/protocol.C

Comparing gvpe/src/protocol.C (file contents):
Revision 1.6 by pcg, Sun Mar 9 12:40:18 2003 UTC vs.
Revision 1.26 by pcg, Wed Apr 2 03:06:22 2003 UTC

…		…
16	Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA	16	Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17	*/	17	*/
18		18
19	#include "config.h"	19	#include "config.h"
20		20
		21	#include <list>
		22
21	#include <cstdlib>	23	#include <cstdlib>
22	#include <cstring>	24	#include <cstring>
23	#include <cstdio>	25	#include <cstdio>
24		26
25	#include <sys/types.h>	27	#include <sys/types.h>
…		…
30	#include <arpa/inet.h>	32	#include <arpa/inet.h>
31	#include <errno.h>	33	#include <errno.h>
32	#include <time.h>	34	#include <time.h>
33	#include <unistd.h>	35	#include <unistd.h>
34		36
35	#include <openssl/rand.h>
36	#include <openssl/hmac.h>
37	#include <openssl/evp.h>
38	#include <openssl/rsa.h>
39	#include <openssl/err.h>
40
41	extern "C" {
42	# include "lzf/lzf.h"
43	}
44
45	#include "gettext.h"
46	#include "pidfile.h"	37	#include "pidfile.h"
47		38
48	#include "conf.h"	39	#include "connection.h"
49	#include "slog.h"	40	#include "util.h"
50	#include "device.h"
51	#include "protocol.h"	41	#include "protocol.h"
52		42
53	#if !HAVE_RAND_PSEUDO_BYTES
54	# define RAND_pseudo_bytes RAND_bytes
55	#endif
56
57	static time_t next_timecheck;
58
59	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
60
61	static const rsachallenge &
62	challenge_bytes ()
63	{
64	static rsachallenge challenge;
65	static time_t challenge_ttl; // time this challenge needs to be recreated
66
67	if (now > challenge_ttl)
68	{
69	RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));
70	challenge_ttl = now + CHALLENGE_TTL;
71	}
72
73	return challenge;
74	}
75
76	// run a script. yes, it's a template function. yes, c++
77	// is not a functional language. yes, this suxx.
78	template<class owner>
79	static void
80	run_script (owner *obj, const char *(owner::*setup)(), bool wait)
81	{
82	int pid;
83
84	if ((pid = fork ()) == 0)
85	{
86	char *filename;
87	asprintf (&filename, "%s/%s", confbase, (obj->*setup) ());
88	execl (filename, filename, (char *) 0);
89	exit (255);
90	}
91	else if (pid > 0)
92	{
93	if (wait)
94	{
95	waitpid (pid, 0, 0);
96	/* TODO: check status */
97	}
98	}
99	}
100
101	// xor the socket address into the challenge to ensure different challenges
102	// per host. we could rely on the OAEP padding, but this doesn't hurt.
103	void
104	xor_sa (rsachallenge &k, SOCKADDR *sa)
105	{
106	((u32 *) k)[(CHG_CIPHER_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
107	((u16 *) k)[(CHG_CIPHER_KEY + 4) / 2] ^= sa->sin_port;
108	((u32 *) k)[(CHG_HMAC_KEY + 0) / 4] ^= sa->sin_addr.s_addr;
109	((u16 *) k)[(CHG_HMAC_KEY + 4) / 2] ^= sa->sin_port;
110	}
111
112	struct crypto_ctx
113	{
114	EVP_CIPHER_CTX cctx;
115	HMAC_CTX hctx;
116
117	crypto_ctx (rsachallenge &challenge, int enc);
118	~crypto_ctx ();
119	};
120
121	crypto_ctx::crypto_ctx (rsachallenge &challenge, int enc)
122	{
123	EVP_CIPHER_CTX_init (&cctx);
124	EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
125	HMAC_CTX_init (&hctx);
126	HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
127	}
128
129	crypto_ctx::~crypto_ctx ()
130	{
131	EVP_CIPHER_CTX_cleanup (&cctx);
132	HMAC_CTX_cleanup (&hctx);
133	}
134
135	/////////////////////////////////////////////////////////////////////////////	43	/////////////////////////////////////////////////////////////////////////////
136		44
137	static void next_wakeup (time_t next)
138	{
139	if (next_timecheck > next)
140	next_timecheck = next;
141	}
142
143	static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
144
145	struct hmac_packet:net_packet
146	{
147	u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
148
149	void hmac_set (crypto_ctx * ctx);
150	bool hmac_chk (crypto_ctx * ctx);
151
152	private:
153	void hmac_gen (crypto_ctx * ctx)
154	{
155	unsigned int xlen;
156	HMAC_CTX *hctx = &ctx->hctx;
157
158	HMAC_Init_ex (hctx, 0, 0, 0, 0);
159	HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
160	len - sizeof (hmac_packet));
161	HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
162	}
163	};
164
165	void
166	hmac_packet::hmac_set (crypto_ctx * ctx)
167	{
168	hmac_gen (ctx);
169
170	memcpy (hmac, hmac_digest, HMACLENGTH);
171	}
172
173	bool
174	hmac_packet::hmac_chk (crypto_ctx * ctx)
175	{
176	hmac_gen (ctx);
177
178	return !memcmp (hmac, hmac_digest, HMACLENGTH);
179	}
180
181	struct vpn_packet : hmac_packet
182	{
183	enum ptype
184	{
185	PT_RESET = 0,
186	PT_DATA_UNCOMPRESSED,
187	PT_DATA_COMPRESSED,
188	PT_PING, PT_PONG, // wasting namespace space? ;)
189	PT_AUTH, // authentification
190	PT_CONNECT_REQ, // want other host to contact me
191	PT_CONNECT_INFO, // request connection to some node
192	PT_REKEY, // rekeying (not yet implemented)
193	PT_MAX
194	};
195
196	u8 type;
197	u8 srcdst, src1, dst1;
198
199	void set_hdr (ptype type, unsigned int dst);
200
201	unsigned int src ()
202	{
203	return src1 | ((srcdst >> 4) << 8);
204	}
205	unsigned int dst ()
206	{
207	return dst1 | ((srcdst & 0xf) << 8);
208	}
209	ptype typ ()
210	{
211	return (ptype) type;
212	}
213	};
214
215	void vpn_packet::set_hdr (ptype type, unsigned int dst)
216	{
217	this->type = type;
218
219	int src = THISNODE->id;
220
221	src1 = src;
222	srcdst = ((src >> 8) << 4) | (dst >> 8);
223	dst1 = dst;
224	}
225
226	#define MAXVPNDATA (MAX_MTU - 6 - 6)
227	#define DATAHDR (sizeof (u32) + RAND_SIZE)
228
229	struct vpndata_packet:vpn_packet
230	{
231	u8 data[MAXVPNDATA + DATAHDR]; // seqno
232
233	void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
234	tap_packet *unpack (connection *conn, u32 &seqno);
235	private:
236
237	const u32 data_hdr_size () const
238	{
239	return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
240	}
241	};
242
243	void
244	vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
245	{
246	EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
247	int outl = 0, outl2;
248	ptype type = PT_DATA_UNCOMPRESSED;
249
250	#if ENABLE_COMPRESSION
251	u8 cdata[MAX_MTU];
252	u32 cl;
253
254	cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
255	if (cl)
256	{
257	//printf ("compressed packet, %d => %d\n", l, cl);//D
258	type = PT_DATA_COMPRESSED;
259	d = cdata;
260	l = cl + 2;
261
262	d[0] = cl >> 8;
263	d[1] = cl;
264	}
265	#endif
266
267	EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
268
269	#if RAND_SIZE
270	struct {
271	u8 rnd[RAND_SIZE];
272	u32 seqno;
273	} datahdr;
274
275	datahdr.seqno = seqno;
276	RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
277
278	EVP_EncryptUpdate (cctx,
279	(unsigned char *) data + outl, &outl2,
280	(unsigned char *) &datahdr, DATAHDR);
281	outl += outl2;
282	#else
283	EVP_EncryptUpdate (cctx,
284	(unsigned char *) data + outl, &outl2,
285	(unsigned char *) &seqno, DATAHDR);
286	outl += outl2;
287	#endif
288
289	EVP_EncryptUpdate (cctx,
290	(unsigned char *) data + outl, &outl2,
291	(unsigned char *) d, l);
292	outl += outl2;
293
294	EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2);
295	outl += outl2;
296
297	len = outl + data_hdr_size ();
298
299	set_hdr (type, dst);
300
301	hmac_set (conn->octx);
302	}
303
304	tap_packet *
305	vpndata_packet::unpack (connection *conn, u32 &seqno)
306	{
307	EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
308	int outl = 0, outl2;
309	tap_packet *p = new tap_packet;
310	u8 *d;
311	u32 l = len - data_hdr_size ();
312
313	EVP_DecryptInit_ex (cctx, 0, 0, 0, 0);
314
315	#if ENABLE_COMPRESSION
316	u8 cdata[MAX_MTU];
317
318	if (type == PT_DATA_COMPRESSED)
319	d = cdata;
320	else
321	#endif
322	d = &(*p)[6 + 6 - DATAHDR];
323
324	/* this overwrites part of the src mac, but we fix that later */
325	EVP_DecryptUpdate (cctx,
326	d, &outl2,
327	(unsigned char *)&data, len - data_hdr_size ());
328	outl += outl2;
329
330	EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
331	outl += outl2;
332
333	seqno = *(u32 *)(d + RAND_SIZE);
334
335	id2mac (dst () ? dst() : THISNODE->id, p->dst);
336	id2mac (src (), p->src);
337
338	#if ENABLE_COMPRESSION
339	if (type == PT_DATA_COMPRESSED)
340	{
341	u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
342	p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6;
343	//printf ("decompressxed %d(%d) => %d\n", cl, len - data_hdr_size (), p->len);//D
344	}
345	else
346	p->len = outl + (6 + 6 - DATAHDR);
347	#endif
348
349	return p;
350	}
351
352	struct ping_packet : vpn_packet
353	{
354	void setup (int dst, ptype type)
355	{
356	set_hdr (type, dst);
357	len = sizeof (*this) - sizeof (net_packet);
358	}
359	};
360
361	struct config_packet : vpn_packet
362	{
363	// actually, hmaclen cannot be checked because the hmac
364	// field comes before this data, so peers with other
365	// hmacs simply will not work.
366	u8 prot_major, prot_minor, randsize, hmaclen;
367	u8 flags, challengelen, pad2, pad3;
368	u32 cipher_nid;
369	u32 digest_nid;
370
371	const u8 curflags () const
372	{
373	return 0x80
374	| (ENABLE_COMPRESSION ? 0x01 : 0x00)
375	| (ENABLE_TRUST ? 0x02 : 0x00);
376	}
377
378	void setup (ptype type, int dst)
379	{
380	prot_major = PROTOCOL_MAJOR;
381	prot_minor = PROTOCOL_MINOR;
382	randsize = RAND_SIZE;
383	hmaclen = HMACLENGTH;
384	flags = curflags ();
385	challengelen = sizeof (rsachallenge);
386
387	cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
388	digest_nid = htonl (EVP_MD_type (DIGEST));
389
390	len = sizeof (*this) - sizeof (net_packet);
391	set_hdr (type, dst);
392	}
393
394	bool chk_config ()
395	{
396	return prot_major == PROTOCOL_MAJOR
397	&& randsize == RAND_SIZE
398	&& hmaclen == HMACLENGTH
399	&& flags == curflags ()
400	&& challengelen == sizeof (rsachallenge)
401	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
402	&& digest_nid == htonl (EVP_MD_type (DIGEST));
403	}
404	};
405
406	struct auth_packet : config_packet
407	{
408	char magic[8];
409	u8 subtype;
410	u8 pad1, pad2;
411	rsaencrdata challenge;
412
413	auth_packet (int dst, auth_subtype stype)
414	{
415	config_packet::setup (PT_AUTH, dst);
416	subtype = stype;
417	len = sizeof (*this) - sizeof (net_packet);
418	strncpy (magic, MAGIC, 8);
419	}
420	};
421
422	struct connect_req_packet : vpn_packet
423	{
424	u8 id;
425	u8 pad1, pad2, pad3;
426
427	connect_req_packet (int dst, int id)
428	{
429	this->id = id;
430	set_hdr (PT_CONNECT_REQ, dst);
431	len = sizeof (*this) - sizeof (net_packet);
432	}
433	};
434
435	struct connect_info_packet : vpn_packet
436	{
437	u8 id;
438	u8 pad1, pad2, pad3;
439	sockinfo si;
440
441	connect_info_packet (int dst, int id, sockinfo &si)
442	{
443	this->id = id;
444	this->si = si;
445	set_hdr (PT_CONNECT_INFO, dst);
446	len = sizeof (*this) - sizeof (net_packet);
447	}
448	};
449
450	/////////////////////////////////////////////////////////////////////////////
451
452	void
453	fill_sa (SOCKADDR *sa, conf_node *conf)
454	{
455	sa->sin_family = AF_INET;
456	sa->sin_port = htons (conf->port);
457	sa->sin_addr.s_addr = 0;
458
459	if (conf->hostname)
460	{
461	struct hostent *he = gethostbyname (conf->hostname);
462
463	if (he
464	&& he->h_addrtype == AF_INET && he->h_length == 4 && he->h_addr_list[0])
465	{
466	//sa->sin_family = he->h_addrtype;
467	memcpy (&sa->sin_addr, he->h_addr_list[0], 4);
468	}
469	else
470	slog (L_NOTICE, _("unable to resolve host '%s'"), conf->hostname);
471	}
472	}
473
474	void
475	connection::reset_dstaddr ()
476	{
477	fill_sa (&sa, conf);
478	}
479
480	void
481	connection::send_ping (SOCKADDR *dsa, u8 pong)
482	{
483	ping_packet *pkt = new ping_packet;
484
485	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
486	vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY);
487
488	delete pkt;
489	}
490
491	void
492	connection::send_reset (SOCKADDR *dsa)
493	{
494	static net_rate_limiter limiter(1);
495
496	if (limiter.can (dsa))
497	{
498	config_packet *pkt = new config_packet;
499
500	pkt->setup (vpn_packet::PT_RESET, conf->id);
501	vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST);
502
503	delete pkt;
504	}
505	}
506
507	static rsachallenge *
508	gen_challenge (SOCKADDR *sa)
509	{
510	static rsachallenge k;
511
512	memcpy (&k, &challenge_bytes (), sizeof (k));
513	RAND_bytes ((unsigned char *)&k[CHG_SEQNO], sizeof (u32));
514	xor_sa (k, sa);
515
516	return &k;
517	}
518
519	void
520	connection::send_auth (auth_subtype subtype, SOCKADDR *sa, rsachallenge *k)
521	{
522	static net_rate_limiter limiter(2);
523
524	if (subtype != AUTH_INIT || limiter.can (sa))
525	{
526	auth_packet *pkt = new auth_packet (conf->id, subtype);
527
528	//printf ("send auth_packet subtype %d\n", subtype);//D
529
530	if (!k)
531	k = gen_challenge (sa);
532
533	#if ENABLE_TRUST
534	if (0 > RSA_public_encrypt (sizeof (*k),
535	(unsigned char *)k, (unsigned char *)&pkt->challenge,
536	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
537	fatal ("RSA_public_encrypt error");
538	#else
539	# error untrusted mode not yet implemented: programemr does not know how to
540	rsaencrdata enc;
541
542	if (0 > RSA_private_encrypt (sizeof (*k),
543	(unsigned char *)k, (unsigned char *)&enc,
544	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
545	fatal ("RSA_private_encrypt error");
546
547	if (0 > RSA_public_encrypt (sizeof (enc),
548	(unsigned char *)enc, (unsigned char *)&pkt->challenge,
549	conf->rsa_key, RSA_NO_PADDING))
550	fatal ("RSA_public_encrypt error");
551	#endif
552
553	slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa));
554
555	vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY);
556
557	delete pkt;
558	}
559	}
560
561	void
562	connection::establish_connection ()
563	{
564	if (!ictx && conf != THISNODE && connectmode != conf_node::C_NEVER)
565	{
566	if (now >= next_retry)
567	{
568	int retry_int = retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2);
569
570	if (retry_cnt < (17 << 2) | 3)
571	retry_cnt++;
572
573	if (connectmode == conf_node::C_ONDEMAND
574	&& retry_int > ::conf.keepalive)
575	retry_int = ::conf.keepalive;
576
577	next_retry = now + retry_int;
578	next_wakeup (next_retry);
579
580	if (conf->hostname)
581	{
582	reset_dstaddr ();
583	if (sa.sin_addr.s_addr)
584	if (retry_cnt < 4)
585	send_auth (AUTH_INIT, &sa);
586	else
587	send_ping (&sa, 0);
588	}
589	else
590	vpn->connect_request (conf->id);
591	}
592	}
593	}
594
595	void
596	connection::reset_connection ()
597	{
598	if (ictx && octx)
599	{
600	slog (L_INFO, _("connection to %d (%s) lost"), conf->id, conf->nodename);
601
602	if (::conf.script_node_down)
603	run_script (this, &connection::script_node_down, false);
604	}
605
606	delete ictx;
607	ictx = 0;
608
609	delete octx;
610	octx = 0;
611
612	sa.sin_port = 0;
613	sa.sin_addr.s_addr = 0;
614
615	next_retry = 0;
616	next_rekey = 0;
617	last_activity = 0;
618	}
619
620	void
621	connection::shutdown ()
622	{
623	if (ictx && octx)
624	send_reset (&sa);
625
626	reset_connection ();
627	}
628
629	void
630	connection::rekey ()
631	{
632	reset_connection ();
633	establish_connection ();
634	}
635
636	void
637	connection::send_data_packet (tap_packet * pkt, bool broadcast)
638	{
639	vpndata_packet *p = new vpndata_packet;
640	int tos = 0;
641
642	if (conf->inherit_tos
643	&& (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
644	&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4
645	tos = (*pkt)[15] & IPTOS_TOS_MASK;
646	printf ("%d %02x %02x %02x %02x = %02x\n", (int)conf->inherit_tos, (*pkt)[12],(*pkt)[13],(*pkt)[14],(*pkt)[15], tos);
647
648	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
649	vpn->send_vpn_packet (p, &sa, tos);
650
651	delete p;
652
653	if (oseqno > MAX_SEQNO)
654	rekey ();
655	}
656
657	void
658	connection::inject_data_packet (tap_packet *pkt, bool broadcast)
659	{
660	if (ictx && octx)
661	send_data_packet (pkt, broadcast);
662	else
663	{
664	if (!broadcast)//DDDD
665	queue.put (new tap_packet (*pkt));
666
667	establish_connection ();
668	}
669	}
670
671	void
672	connection::recv_vpn_packet (vpn_packet *pkt, SOCKADDR *ssa)
673	{
674	last_activity = now;
675
676	slog (L_NOISE, "<<%d received packet type %d from %d to %d",
677	conf->id, pkt->typ (), pkt->src (), pkt->dst ());
678
679	switch (pkt->typ ())
680	{
681	case vpn_packet::PT_PING:
682	send_ping (ssa, 1); // pong
683	break;
684
685	case vpn_packet::PT_PONG:
686	// we send pings instead of auth packets after some retries,
687	// so reset the retry counter and establish a conenction
688	// when we receive a pong.
689	if (!ictx && !octx)
690	{
691	retry_cnt = 0;
692	next_retry = 0;
693	establish_connection ();
694	}
695
696	break;
697
698	case vpn_packet::PT_RESET:
699	{
700	reset_connection ();
701
702	config_packet *p = (config_packet *) pkt;
703	if (p->chk_config ())
704	if (connectmode == conf_node::C_ALWAYS)
705	establish_connection ();
706
707	//D slog the protocol mismatch?
708	}
709	break;
710
711	case vpn_packet::PT_AUTH:
712	{
713	auth_packet *p = (auth_packet *) pkt;
714
715	slog (L_TRACE, "<<%d PT_AUTH(%d)", conf->id, p->subtype);
716
717	if (p->chk_config ()
718	&& !strncmp (p->magic, MAGIC, 8))
719	{
720	if (p->prot_minor != PROTOCOL_MINOR)
721	slog (L_INFO, _("protocol minor version mismatch: ours is %d, %s's is %d."),
722	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
723
724	if (p->subtype == AUTH_INIT)
725	send_auth (AUTH_INITREPLY, ssa);
726
727	rsachallenge k;
728
729	#if ENABLE_TRUST
730	if (0 > RSA_private_decrypt (sizeof (rsaencrdata),
731	(unsigned char *)&p->challenge, (unsigned char *)&k,
732	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
733	// continued below
734	#else
735	rsaencrdata j;
736
737	if (0 > RSA_private_decrypt (sizeof (rsaencrdata),
738	(unsigned char *)&p->challenge, (unsigned char *)&j,
739	::conf.rsa_key, RSA_NO_PADDING))
740	fatal ("RSA_private_decrypt error");
741
742	if (0 > RSA_public_decrypt (sizeof (k),
743	(unsigned char *)&j, (unsigned char *)&k,
744	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
745	// continued below
746	#endif
747	{
748	slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"),
749	conf->nodename, (const char *)sockinfo (ssa));
750	break;
751	}
752
753	retry_cnt = 0;
754	next_retry = now + 8;
755
756	switch (p->subtype)
757	{
758	case AUTH_INIT:
759	case AUTH_INITREPLY:
760	delete ictx;
761	ictx = 0;
762
763	delete octx;
764
765	octx = new crypto_ctx (k, 1);
766	oseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff;
767
768	send_auth (AUTH_REPLY, ssa, &k);
769	break;
770
771	case AUTH_REPLY:
772
773	if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32),
774	sizeof (rsachallenge) - sizeof (u32)))
775	{
776	delete ictx;
777
778	ictx = new crypto_ctx (k, 0);
779	iseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; // at least 2**31 sequence numbers are valid
780	ismask = 0xffffffff; // initially, all lower sequence numbers are invalid
781
782	sa = *ssa;
783
784	next_rekey = now + ::conf.rekey;
785	next_wakeup (next_rekey);
786
787	// send queued packets
788	while (tap_packet *p = queue.get ())
789	{
790	send_data_packet (p);
791	delete p;
792	}
793
794	connectmode = conf->connectmode;
795
796	slog (L_INFO, _("connection to %d (%s %s) established"),
797	conf->id, conf->nodename, (const char *)sockinfo (ssa));
798
799	if (::conf.script_node_up)
800	run_script (this, &connection::script_node_up, false);
801	}
802	else
803	slog (L_ERR, _("sent and received challenge do not match with (%s %s))"),
804	conf->nodename, (const char *)sockinfo (ssa));
805
806	break;
807	default:
808	slog (L_ERR, _("authentification illegal subtype error (%s %s)"),
809	conf->nodename, (const char *)sockinfo (ssa));
810	break;
811	}
812	}
813	else
814	send_reset (ssa);
815
816	break;
817	}
818
819	case vpn_packet::PT_DATA_COMPRESSED:
820	#if !ENABLE_COMPRESSION
821	send_reset (ssa);
822	break;
823	#endif
824	case vpn_packet::PT_DATA_UNCOMPRESSED:
825
826	if (ictx && octx)
827	{
828	vpndata_packet *p = (vpndata_packet *)pkt;
829
830	if (*ssa == sa)
831	{
832	if (!p->hmac_chk (ictx))
833	slog (L_ERR, _("hmac authentication error, received invalid packet\n"
834	"could be an attack, or just corruption or an synchronization error"));
835	else
836	{
837	u32 seqno;
838	tap_packet *d = p->unpack (this, seqno);
839
840	if (seqno <= iseqno - 32)
841	slog (L_ERR, _("received duplicate or outdated packet (received %08lx, expected %08lx)\n"
842	"possible replay attack, or just massive packet reordering"), seqno, iseqno + 1);//D
843	else if (seqno > iseqno + 32)
844	slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n"
845	"possible replay attack, or just massive packet loss"), seqno, iseqno + 1);//D
846	else
847	{
848	if (seqno > iseqno)
849	{
850	ismask <<= seqno - iseqno;
851	iseqno = seqno;
852	}
853
854	u32 mask = 1 << (iseqno - seqno);
855
856	//printf ("received seqno %08lx, iseqno %08lx, mask %08lx is %08lx\n", seqno, iseqno, mask, ismask);
857	if (ismask & mask)
858	slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n"
859	"possible replay attack, or just packet duplication"), seqno, iseqno + 1);//D
860	else
861	{
862	ismask |= mask;
863
864	vpn->tap->send (d);
865
866	if (p->dst () == 0) // re-broadcast
867	for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
868	{
869	connection *c = *i;
870
871	if (c->conf != THISNODE && c->conf != conf)
872	c->inject_data_packet (d);
873	}
874
875	delete d;
876
877	break;
878	}
879	}
880	}
881	}
882	else
883	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D
884	}
885
886	send_reset (ssa);
887	break;
888
889	case vpn_packet::PT_CONNECT_REQ:
890	if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))
891	{
892	connect_req_packet *p = (connect_req_packet *) pkt;
893
894	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
895
896	connection *c = vpn->conns[p->id - 1];
897
898	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
899	conf->id, p->id, c->ictx && c->octx);
900
901	if (c->ictx && c->octx)
902	{
903	// send connect_info packets to both sides, in case one is
904	// behind a nat firewall (or both ;)
905	{
906	sockinfo si(sa);
907
908	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
909	c->conf->id, conf->id, (const char *)si);
910
911	connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si);
912
913	r->hmac_set (c->octx);
914	vpn->send_vpn_packet (r, &c->sa);
915
916	delete r;
917	}
918
919	{
920	sockinfo si(c->sa);
921
922	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
923	conf->id, c->conf->id, (const char *)si);
924
925	connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si);
926
927	r->hmac_set (octx);
928	vpn->send_vpn_packet (r, &sa);
929
930	delete r;
931	}
932	}
933	}
934
935	break;
936
937	case vpn_packet::PT_CONNECT_INFO:
938	if (ictx && octx && *ssa == sa && pkt->hmac_chk (ictx))
939	{
940	connect_info_packet *p = (connect_info_packet *) pkt;
941
942	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
943
944	connection *c = vpn->conns[p->id - 1];
945
946	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
947	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
948
949	c->send_auth (AUTH_INIT, p->si.sa ());
950	}
951	break;
952
953	default:
954	send_reset (ssa);
955	break;
956	}
957	}
958
959	void connection::timer ()
960	{
961	if (conf != THISNODE)
962	{
963	if (now >= next_retry && connectmode == conf_node::C_ALWAYS)
964	establish_connection ();
965
966	if (ictx && octx)
967	{
968	if (now >= next_rekey)
969	rekey ();
970	else if (now >= last_activity + ::conf.keepalive + 30)
971	{
972	reset_connection ();
973	establish_connection ();
974	}
975	else if (now >= last_activity + ::conf.keepalive)
976	if (conf->connectmode != conf_node::C_ONDEMAND
977	|| THISNODE->connectmode != conf_node::C_ONDEMAND)
978	send_ping (&sa);
979	else
980	reset_connection ();
981
982	}
983	}
984	}
985
986	void connection::connect_request (int id)
987	{
988	connect_req_packet *p = new connect_req_packet (conf->id, id);
989
990	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);
991	p->hmac_set (octx);
992	vpn->send_vpn_packet (p, &sa);
993
994	delete p;
995	}
996
997	void connection::script_node ()
998	{
999	vpn->script_if_up ();
1000
1001	char *env;
1002	asprintf (&env, "DESTID=%d", conf->id);
1003	putenv (env);
1004	asprintf (&env, "DESTNODE=%s", conf->nodename);
1005	putenv (env);
1006	asprintf (&env, "DESTIP=%s", inet_ntoa (sa.sin_addr));
1007	putenv (env);
1008	asprintf (&env, "DESTPORT=%d", ntohs (sa.sin_port));
1009	putenv (env);
1010	}
1011
1012	const char *connection::script_node_up ()
1013	{
1014	script_node ();
1015
1016	putenv ("STATE=up");
1017
1018	return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1019	}
1020
1021	const char *connection::script_node_down ()
1022	{
1023	script_node ();
1024
1025	putenv ("STATE=down");
1026
1027	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1028	}
1029
1030	/////////////////////////////////////////////////////////////////////////////
1031
1032	vpn::vpn (void)
1033	{}
1034
1035	const char *vpn::script_if_up ()	45	const char *vpn::script_if_up (int)
1036	{	46	{
1037	// the tunnel device mtu should be the physical mtu - overhead	47	// the tunnel device mtu should be the physical mtu - overhead
1038	// the tricky part is rounding to the cipher key blocksize	48	// the tricky part is rounding to the cipher key blocksize
1039	int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - UDP_OVERHEAD;	49	int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
1040	mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion	50	mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
1041	mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round	51	mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
1042	mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again	52	mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
1043		53
1044	char *env;	54	char *env;
…		…
1059		69
1060	return ::conf.script_if_up ? ::conf.script_if_up : "if-up";	70	return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1061	}	71	}
1062		72
1063	int	73	int
1064	vpn::setup (void)	74	vpn::setup ()
1065	{	75	{
1066	struct sockaddr_in sa;	76	sockinfo si;
1067		77
		78	si.set (THISNODE);
		79
		80	udpv4_fd = -1;
		81
		82	if (THISNODE->protocols & PROT_UDPv4)
		83	{
1068	socket_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);	84	udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1069	if (socket_fd < 0)	85
		86	if (udpv4_fd < 0)
1070	return -1;	87	return -1;
1071		88
1072	fill_sa (&sa, THISNODE);	89	if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1073		90	{
1074	if (bind (socket_fd, (sockaddr *)&sa, sizeof (sa)))
1075	{
1076	slog (L_ERR, _("can't bind to %s: %s"), (const char *)sockinfo(sa), strerror (errno));	91	slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1077	exit (1);	92	exit (1);
1078	}	93	}
1079		94
1080	#ifdef IP_MTU_DISCOVER	95	#ifdef IP_MTU_DISCOVER
1081	// this I really consider a linux bug. I am neither connected	96	// this I really consider a linux bug. I am neither connected
1082	// nor do I fragment myself. Linux still sets DF and doesn't	97	// nor do I fragment myself. Linux still sets DF and doesn't
1083	// fragment for me sometimes.	98	// fragment for me sometimes.
1084	{	99	{
1085	int oval = IP_PMTUDISC_DONT;	100	int oval = IP_PMTUDISC_DONT;
1086	setsockopt (socket_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);	101	setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1087	}	102	}
1088	#endif	103	#endif
1089	{	104
		105	// standard daemon practise...
		106	{
1090	int oval = 1;	107	int oval = 1;
1091	setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);	108	setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
		109	}
		110
		111	udpv4_ev_watcher.start (udpv4_fd, POLLIN);
1092	}	112	}
		113
		114	ipv4_fd = -1;
		115	if (THISNODE->protocols & PROT_IPv4)
		116	{
		117	ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
		118
		119	if (ipv4_fd < 0)
		120	return -1;
		121
		122	if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
		123	{
		124	slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
		125	exit (1);
		126	}
		127
		128	#ifdef IP_MTU_DISCOVER
		129	// this I really consider a linux bug. I am neither connected
		130	// nor do I fragment myself. Linux still sets DF and doesn't
		131	// fragment for me sometimes.
		132	{
		133	int oval = IP_PMTUDISC_DONT;
		134	setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
		135	}
		136	#endif
		137
		138	ipv4_ev_watcher.start (ipv4_fd, POLLIN);
		139	}
1093		140
1094	tap = new tap_device ();	141	tap = new tap_device ();
1095	if (!tap) //D this, of course, never catches	142	if (!tap) //D this, of course, never catches
1096	{	143	{
1097	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);	144	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1098	exit (1);	145	exit (1);
1099	}	146	}
1100		147
1101	run_script (this, &vpn::script_if_up, true);	148	run_script (run_script_cb (this, &vpn::script_if_up), true);
		149
		150	tap_ev_watcher.start (tap->fd, POLLIN);
		151
		152	reconnect_all ();
1102		153
1103	return 0;	154	return 0;
1104	}	155	}
1105		156
1106	void	157	void
1107	vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos)	158	vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1108	{	159	{
1109	setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos);	160	setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1110	sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa));	161	sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
		162	}
		163
		164	void
		165	vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
		166	{
		167	setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
		168	sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
		169	}
		170
		171	void
		172	vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
		173	{
		174	unsigned int src = pkt->src ();
		175	unsigned int dst = pkt->dst ();
		176
		177	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
		178	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
		179
		180	if (src == 0 || src > conns.size ()
		181	|| dst > conns.size ()
		182	|| pkt->typ () >= vpn_packet::PT_MAX)
		183	slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)"),
		184	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
		185	else
		186	{
		187	connection *c = conns[src - 1];
		188
		189	if (dst == 0 && !THISNODE->routerprio)
		190	slog (L_WARN, _("%s(%s): received broadcast, but we are no router"),
		191	c->conf->nodename, (const char *)rsi);
		192	else if (dst != 0 && dst != THISNODE->id)
		193	// FORWARDING NEEDED ;)
		194	slog (L_WARN,
		195	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
		196	dst, conns[dst - 1]->conf->nodename,
		197	(const char *)rsi,
		198	THISNODE->id, THISNODE->nodename);
		199	else
		200	c->recv_vpn_packet (pkt, rsi);
		201	}
		202	}
		203
		204	void
		205	vpn::udpv4_ev (short revents)
		206	{
		207	if (revents & (POLLIN | POLLERR))
		208	{
		209	vpn_packet *pkt = new vpn_packet;
		210	struct sockaddr_in sa;
		211	socklen_t sa_len = sizeof (sa);
		212	int len;
		213
		214	len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
		215
		216	sockinfo si(sa);
		217
		218	if (len > 0)
		219	{
		220	pkt->len = len;
		221
		222	recv_vpn_packet (pkt, si);
		223	}
		224	else
		225	{
		226	// probably ECONNRESET or somesuch
		227	slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
		228	}
		229
		230	delete pkt;
		231	}
		232	else if (revents & POLLHUP)
		233	{
		234	// this cannot ;) happen on udp sockets
		235	slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
		236	exit (1);
		237	}
		238	else
		239	{
		240	slog (L_ERR,
		241	_("FATAL: unknown revents %08x in socket, terminating\n"),
		242	revents);
		243	exit (1);
		244	}
		245	}
		246
		247	void
		248	vpn::ipv4_ev (short revents)
		249	{
		250	if (revents & (POLLIN | POLLERR))
		251	{
		252	vpn_packet *pkt = new vpn_packet;
		253	struct sockaddr_in sa;
		254	socklen_t sa_len = sizeof (sa);
		255	int len;
		256
		257	len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
		258
		259	sockinfo si(sa, PROT_IPv4);
		260
		261	if (len > 0)
		262	{
		263	pkt->len = len;
		264
		265	// raw sockets deliver the ipv4, but don't expect it on sends
		266	// this is slow, but...
		267	pkt->skip_hdr (IP_OVERHEAD);
		268
		269	recv_vpn_packet (pkt, si);
		270	}
		271	else
		272	{
		273	// probably ECONNRESET or somesuch
		274	slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
		275	}
		276
		277	delete pkt;
		278	}
		279	else if (revents & POLLHUP)
		280	{
		281	// this cannot ;) happen on udp sockets
		282	slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
		283	exit (1);
		284	}
		285	else
		286	{
		287	slog (L_ERR,
		288	_("FATAL: unknown revents %08x in socket, terminating\n"),
		289	revents);
		290	exit (1);
		291	}
		292	}
		293
		294	void
		295	vpn::tap_ev (short revents)
		296	{
		297	if (revents & POLLIN)
		298	{
		299	/* process data */
		300	tap_packet *pkt;
		301
		302	pkt = tap->recv ();
		303
		304	int dst = mac2id (pkt->dst);
		305	int src = mac2id (pkt->src);
		306
		307	if (src != THISNODE->id)
		308	{
		309	slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
		310	exit (1);
		311	}
		312
		313	if (dst == THISNODE->id)
		314	{
		315	slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
		316	exit (1);
		317	}
		318
		319	if (dst > conns.size ())
		320	slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
		321	else
		322	{
		323	if (dst)
		324	{
		325	// unicast
		326	if (dst != THISNODE->id)
		327	conns[dst - 1]->inject_data_packet (pkt);
		328	}
		329	else
		330	{
		331	// broadcast, first check router, then self, then english
		332	connection *router = find_router ();
		333
		334	if (router)
		335	router->inject_data_packet (pkt, true);
		336	else
		337	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
		338	if ((*c)->conf != THISNODE)
		339	(*c)->inject_data_packet (pkt);
		340	}
		341	}
		342
		343	delete pkt;
		344	}
		345	else if (revents & (POLLHUP | POLLERR))
		346	{
		347	slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
		348	exit (1);
		349	}
		350	else
		351	abort ();
		352	}
		353
		354	void
		355	vpn::event_cb (tstamp &ts)
		356	{
		357	if (events)
		358	{
		359	if (events & EVENT_SHUTDOWN)
		360	{
		361	slog (L_INFO, _("preparing shutdown..."));
		362
		363	shutdown_all ();
		364
		365	remove_pid (pidfilename);
		366
		367	slog (L_INFO, _("terminating"));
		368
		369	exit (0);
		370	}
		371
		372	if (events & EVENT_RECONNECT)
		373	{
		374	slog (L_INFO, _("forced reconnect"));
		375
		376	reconnect_all ();
		377	}
		378
		379	events = 0;
		380	}
		381
		382	ts = TSTAMP_CANCEL;
1111	}	383	}
1112		384
1113	void	385	void
1114	vpn::shutdown_all ()	386	vpn::shutdown_all ()
1115	{	387	{
…		…
1122	{	394	{
1123	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	395	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1124	delete *c;	396	delete *c;
1125		397
1126	conns.clear ();	398	conns.clear ();
		399
		400	connection_init ();
1127		401
1128	for (configuration::node_vector::iterator i = conf.nodes.begin ();	402	for (configuration::node_vector::iterator i = conf.nodes.begin ();
1129	i != conf.nodes.end (); ++i)	403	i != conf.nodes.end (); ++i)
1130	{	404	{
1131	connection *conn = new connection (this);	405	connection *conn = new connection (this);
…		…
1171	// if ((*i)->conf->routerprio)	445	// if ((*i)->conf->routerprio)
1172	// (*i)->establish_connection ();	446	// (*i)->establish_connection ();
1173	}	447	}
1174		448
1175	void	449	void
1176	vpn::main_loop ()	450	connection::dump_status ()
1177	{	451	{
1178	struct pollfd pollfd[2];	452	slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
		453	slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
		454	connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
		455	slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
		456	(long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
		457	slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
		458	(long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
		459	}
1179		460
1180	pollfd[0].fd = tap->fd;	461	void
1181	pollfd[0].events = POLLIN;	462	vpn::dump_status ()
1182	pollfd[1].fd = socket_fd;	463	{
1183	pollfd[1].events = POLLIN;	464	slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
1184		465
1185	events = 0;
1186	now = time (0);
1187	next_timecheck = now + 1;
1188
1189	reconnect_all ();
1190
1191	for (;;)
1192	{
1193	int npoll = poll (pollfd, 2, (next_timecheck - now) * 1000);
1194
1195	now = time (0);
1196
1197	if (npoll > 0)
1198	{
1199	if (pollfd[1].revents)
1200	{
1201	if (pollfd[1].revents & (POLLIN | POLLERR))
1202	{
1203	vpn_packet *pkt = new vpn_packet;
1204	struct sockaddr_in sa;
1205	socklen_t sa_len = sizeof (sa);
1206	int len;
1207
1208	len = recvfrom (socket_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1209
1210	if (len > 0)
1211	{
1212	pkt->len = len;
1213
1214	unsigned int src = pkt->src ();
1215	unsigned int dst = pkt->dst ();
1216
1217	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1218	(const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1219
1220	if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1221	slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1222	pkt->typ (), pkt->src (), pkt->dst ());
1223	else if (dst == 0 && !THISNODE->routerprio)
1224	slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1225	else if (dst != 0 && dst != THISNODE->id)
1226	slog (L_WARN,
1227	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1228	dst, conns[dst - 1]->conf->nodename,
1229	(const char *)sockinfo (sa),
1230	THISNODE->id, THISNODE->nodename);
1231	else if (src == 0 || src > conns.size ())
1232	slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1233	else
1234	conns[src - 1]->recv_vpn_packet (pkt, &sa);
1235	}
1236	else
1237	{
1238	// probably ECONNRESET or somesuch
1239	slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno));
1240	}
1241
1242	delete pkt;
1243	}
1244	else if (pollfd[1].revents & POLLHUP)
1245	{
1246	// this cannot ;) happen on udp sockets
1247	slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating."));
1248	exit (1);
1249	}
1250	else
1251	{
1252	slog (L_ERR,
1253	_("FATAL: unknown revents %08x in socket, terminating\n"),
1254	pollfd[1].revents);
1255	exit (1);
1256	}
1257	}
1258
1259	// I use else here to give vpn_packets absolute priority
1260	else if (pollfd[0].revents)
1261	{
1262	if (pollfd[0].revents & POLLIN)
1263	{
1264	/* process data */
1265	tap_packet *pkt;
1266
1267	pkt = tap->recv ();
1268
1269	int dst = mac2id (pkt->dst);
1270	int src = mac2id (pkt->src);
1271
1272	if (src != THISNODE->id)
1273	{
1274	slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1275	exit (1);
1276	}
1277
1278	if (dst == THISNODE->id)
1279	{
1280	slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1281	exit (1);
1282	}
1283
1284	if (dst > conns.size ())
1285	slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1286	else
1287	{
1288	if (dst)
1289	{
1290	// unicast
1291	if (dst != THISNODE->id)
1292	conns[dst - 1]->inject_data_packet (pkt);
1293	}
1294	else
1295	{
1296	// broadcast, first check router, then self, then english
1297	connection *router = find_router ();
1298
1299	if (router)
1300	router->inject_data_packet (pkt, true);
1301	else
1302	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	466	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1303	if ((*c)->conf != THISNODE)	467	(*c)->dump_status ();
1304	(*c)->inject_data_packet (pkt);
1305	}
1306	}
1307		468
1308	delete pkt;	469	slog (L_NOTICE, _("END status dump"));
1309	}	470	}
1310	else if (pollfd[0].revents & (POLLHUP | POLLERR))
1311	{
1312	slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
1313	exit (1);
1314	}
1315	else
1316	abort ();
1317	}
1318	}
1319		471
1320	if (events)	472	vpn::vpn (void)
1321	{	473	: udpv4_ev_watcher(this, &vpn::udpv4_ev)
1322	if (events & EVENT_SHUTDOWN)	474	, ipv4_ev_watcher(this, &vpn::ipv4_ev)
1323	{	475	, tap_ev_watcher(this, &vpn::tap_ev)
1324	shutdown_all ();	476	, event(this, &vpn::event_cb)
1325		477	{
1326	remove_pid (pidfilename);
1327
1328	slog (L_INFO, _("vped terminating"));
1329
1330	exit (0);
1331	}
1332
1333	if (events & EVENT_RECONNECT)
1334	reconnect_all ();
1335
1336	events = 0;
1337	}
1338
1339	// very very very dumb and crude and inefficient timer handling, or maybe not?
1340	if (now >= next_timecheck)
1341	{
1342	next_timecheck = now + TIMER_GRANULARITY;
1343
1344	for (conns_vector::iterator c = conns.begin ();
1345	c != conns.end (); ++c)
1346	(*c)->timer ();
1347	}
1348	}
1349	}	478	}
1350		479
1351	vpn::~vpn ()	480	vpn::~vpn ()
1352	{}	481	{
		482	}
1353		483

Diff Legend

–	Removed lines
+	Added lines
<	Changed lines
>	Changed lines