ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/protocol.C
Revision: 1.22
Committed: Fri Mar 28 04:27:33 2003 UTC (21 years, 2 months ago) by pcg
Content type: text/plain
Branch: MAIN
Changes since 1.21: +1 -1 lines
Log Message: 
*** empty log message ***

File Contents

# Content
1 /*
2 protocol.C -- handle the protocol, encryption, handshaking etc.
3
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17 */
18
19 #include "config.h"
20
21 #include <list>
22
23 #include <cstdlib>
24 #include <cstring>
25 #include <cstdio>
26
27 #include <sys/types.h>
28 #include <sys/socket.h>
29 #include <sys/poll.h>
30 #include <sys/wait.h>
31 #include <netinet/in.h>
32 #include <arpa/inet.h>
33 #include <errno.h>
34 #include <time.h>
35 #include <unistd.h>
36
37 #include <openssl/rand.h>
38 #include <openssl/hmac.h>
39 #include <openssl/evp.h>
40 #include <openssl/rsa.h>
41 #include <openssl/err.h>
42
43 extern "C" {
44 # include "lzf/lzf.h"
45 }
46
47 #include "gettext.h"
48 #include "pidfile.h"
49
50 #include "conf.h"
51 #include "slog.h"
52 #include "device.h"
53 #include "protocol.h"
54
55 #if !HAVE_RAND_PSEUDO_BYTES
56 # define RAND_pseudo_bytes RAND_bytes
57 #endif
58
59 static time_t next_timecheck;
60
61 #define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
62
63 static u8
64 best_protocol (u8 protset)
65 {
66 if (protset & PROT_IPv4)
67 return PROT_IPv4;
68
69 return PROT_UDPv4;
70 }
71
72 struct crypto_ctx
73 {
74 EVP_CIPHER_CTX cctx;
75 HMAC_CTX hctx;
76
77 crypto_ctx (const rsachallenge &challenge, int enc);
78 ~crypto_ctx ();
79 };
80
81 crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
82 {
83 EVP_CIPHER_CTX_init (&cctx);
84 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
85 HMAC_CTX_init (&hctx);
86 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
87 }
88
89 crypto_ctx::~crypto_ctx ()
90 {
91 EVP_CIPHER_CTX_cleanup (&cctx);
92 HMAC_CTX_cleanup (&hctx);
93 }
94
95 static void
96 rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
97 {
98 EVP_MD_CTX ctx;
99
100 EVP_MD_CTX_init (&ctx);
101 EVP_DigestInit (&ctx, RSA_HASH);
102 EVP_DigestUpdate(&ctx, &chg, sizeof chg);
103 EVP_DigestUpdate(&ctx, &id, sizeof id);
104 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
105 EVP_MD_CTX_cleanup (&ctx);
106 }
107
108 struct rsa_entry {
109 tstamp expire;
110 rsaid id;
111 rsachallenge chg;
112 };
113
114 struct rsa_cache : list<rsa_entry>
115 {
116 void cleaner_cb (tstamp &ts); time_watcher cleaner;
117
118 bool find (const rsaid &id, rsachallenge &chg)
119 {
120 for (iterator i = begin (); i != end (); ++i)
121 {
122 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
123 {
124 memcpy (&chg, &i->chg, sizeof chg);
125
126 erase (i);
127 return true;
128 }
129 }
130
131 if (cleaner.at < NOW)
132 cleaner.start (NOW + RSA_TTL);
133
134 return false;
135 }
136
137 void gen (rsaid &id, rsachallenge &chg)
138 {
139 rsa_entry e;
140
141 RAND_bytes ((unsigned char *)&id, sizeof id);
142 RAND_bytes ((unsigned char *)&chg, sizeof chg);
143
144 e.expire = NOW + RSA_TTL;
145 e.id = id;
146 memcpy (&e.chg, &chg, sizeof chg);
147
148 push_back (e);
149
150 if (cleaner.at < NOW)
151 cleaner.start (NOW + RSA_TTL);
152 }
153
154 rsa_cache ()
155 : cleaner (this, &rsa_cache::cleaner_cb)
156 { }
157
158 } rsa_cache;
159
160 void rsa_cache::cleaner_cb (tstamp &ts)
161 {
162 if (empty ())
163 ts = TSTAMP_CANCEL;
164 else
165 {
166 ts = NOW + RSA_TTL;
167
168 for (iterator i = begin (); i != end (); )
169 if (i->expire <= NOW)
170 i = erase (i);
171 else
172 ++i;
173 }
174 }
175
176 typedef callback<const char *, int> run_script_cb;
177
178 // run a shell script (or actually an external program).
179 static void
180 run_script (const run_script_cb &cb, bool wait)
181 {
182 int pid;
183
184 if ((pid = fork ()) == 0)
185 {
186 char *filename;
187 asprintf (&filename, "%s/%s", confbase, cb(0));
188 execl (filename, filename, (char *) 0);
189 exit (255);
190 }
191 else if (pid > 0)
192 {
193 if (wait)
194 {
195 waitpid (pid, 0, 0);
196 /* TODO: check status */
197 }
198 }
199 }
200
201 //////////////////////////////////////////////////////////////////////////////
202
203 void pkt_queue::put (tap_packet *p)
204 {
205 if (queue[i])
206 {
207 delete queue[i];
208 j = (j + 1) % QUEUEDEPTH;
209 }
210
211 queue[i] = p;
212
213 i = (i + 1) % QUEUEDEPTH;
214 }
215
216 tap_packet *pkt_queue::get ()
217 {
218 tap_packet *p = queue[j];
219
220 if (p)
221 {
222 queue[j] = 0;
223 j = (j + 1) % QUEUEDEPTH;
224 }
225
226 return p;
227 }
228
229 pkt_queue::pkt_queue ()
230 {
231 memset (queue, 0, sizeof (queue));
232 i = 0;
233 j = 0;
234 }
235
236 pkt_queue::~pkt_queue ()
237 {
238 for (i = QUEUEDEPTH; --i > 0; )
239 delete queue[i];
240 }
241
242 struct net_rateinfo {
243 u32 host;
244 double pcnt, diff;
245 tstamp last;
246 };
247
248 // only do action once every x seconds per host whole allowing bursts.
249 // this implementation ("splay list" ;) is inefficient,
250 // but low on resources.
251 struct net_rate_limiter : list<net_rateinfo>
252 {
253 static const double ALPHA = 1. - 1. / 90.; // allow bursts
254 static const double CUTOFF = 20.; // one event every CUTOFF seconds
255 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
256
257 bool can (const sockinfo &si) { return can((u32)si.host); }
258 bool can (u32 host);
259 };
260
261 net_rate_limiter auth_rate_limiter, reset_rate_limiter;
262
263 bool net_rate_limiter::can (u32 host)
264 {
265 iterator i;
266
267 for (i = begin (); i != end (); )
268 if (i->host == host)
269 break;
270 else if (i->last < NOW - EXPIRE)
271 i = erase (i);
272 else
273 i++;
274
275 if (i == end ())
276 {
277 net_rateinfo ri;
278
279 ri.host = host;
280 ri.pcnt = 1.;
281 ri.diff = CUTOFF * (1. / (1. - ALPHA));
282 ri.last = NOW;
283
284 push_front (ri);
285
286 return true;
287 }
288 else
289 {
290 net_rateinfo ri (*i);
291 erase (i);
292
293 ri.pcnt = ri.pcnt * ALPHA;
294 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
295
296 ri.last = NOW;
297
298 bool send = ri.diff / ri.pcnt > CUTOFF;
299
300 if (send)
301 ri.pcnt++;
302
303 push_front (ri);
304
305 return send;
306 }
307 }
308
309 /////////////////////////////////////////////////////////////////////////////
310
311 static void next_wakeup (time_t next)
312 {
313 if (next_timecheck > next)
314 next_timecheck = next;
315 }
316
317 static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
318
319 struct hmac_packet:net_packet
320 {
321 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
322
323 void hmac_set (crypto_ctx * ctx);
324 bool hmac_chk (crypto_ctx * ctx);
325
326 private:
327 void hmac_gen (crypto_ctx * ctx)
328 {
329 unsigned int xlen;
330 HMAC_CTX *hctx = &ctx->hctx;
331
332 HMAC_Init_ex (hctx, 0, 0, 0, 0);
333 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
334 len - sizeof (hmac_packet));
335 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
336 }
337 };
338
339 void
340 hmac_packet::hmac_set (crypto_ctx * ctx)
341 {
342 hmac_gen (ctx);
343
344 memcpy (hmac, hmac_digest, HMACLENGTH);
345 }
346
347 bool
348 hmac_packet::hmac_chk (crypto_ctx * ctx)
349 {
350 hmac_gen (ctx);
351
352 return !memcmp (hmac, hmac_digest, HMACLENGTH);
353 }
354
355 struct vpn_packet : hmac_packet
356 {
357 enum ptype
358 {
359 PT_RESET = 0,
360 PT_DATA_UNCOMPRESSED,
361 PT_DATA_COMPRESSED,
362 PT_PING, PT_PONG, // wasting namespace space? ;)
363 PT_AUTH_REQ, // authentification request
364 PT_AUTH_RES, // authentification response
365 PT_CONNECT_REQ, // want other host to contact me
366 PT_CONNECT_INFO, // request connection to some node
367 PT_MAX
368 };
369
370 u8 type;
371 u8 srcdst, src1, dst1;
372
373 void set_hdr (ptype type, unsigned int dst);
374
375 unsigned int src () const
376 {
377 return src1 | ((srcdst >> 4) << 8);
378 }
379
380 unsigned int dst () const
381 {
382 return dst1 | ((srcdst & 0xf) << 8);
383 }
384
385 ptype typ () const
386 {
387 return (ptype) type;
388 }
389 };
390
391 void vpn_packet::set_hdr (ptype type, unsigned int dst)
392 {
393 this->type = type;
394
395 int src = THISNODE->id;
396
397 src1 = src;
398 srcdst = ((src >> 8) << 4) | (dst >> 8);
399 dst1 = dst;
400 }
401
402 #define MAXVPNDATA (MAX_MTU - 6 - 6)
403 #define DATAHDR (sizeof (u32) + RAND_SIZE)
404
405 struct vpndata_packet:vpn_packet
406 {
407 u8 data[MAXVPNDATA + DATAHDR]; // seqno
408
409 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
410 tap_packet *unpack (connection *conn, u32 &seqno);
411 private:
412
413 const u32 data_hdr_size () const
414 {
415 return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
416 }
417 };
418
419 void
420 vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
421 {
422 EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
423 int outl = 0, outl2;
424 ptype type = PT_DATA_UNCOMPRESSED;
425
426 #if ENABLE_COMPRESSION
427 u8 cdata[MAX_MTU];
428 u32 cl;
429
430 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
431 if (cl)
432 {
433 type = PT_DATA_COMPRESSED;
434 d = cdata;
435 l = cl + 2;
436
437 d[0] = cl >> 8;
438 d[1] = cl;
439 }
440 #endif
441
442 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
443
444 struct {
445 #if RAND_SIZE
446 u8 rnd[RAND_SIZE];
447 #endif
448 u32 seqno;
449 } datahdr;
450
451 datahdr.seqno = ntohl (seqno);
452 #if RAND_SIZE
453 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
454 #endif
455
456 EVP_EncryptUpdate (cctx,
457 (unsigned char *) data + outl, &outl2,
458 (unsigned char *) &datahdr, DATAHDR);
459 outl += outl2;
460
461 EVP_EncryptUpdate (cctx,
462 (unsigned char *) data + outl, &outl2,
463 (unsigned char *) d, l);
464 outl += outl2;
465
466 EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2);
467 outl += outl2;
468
469 len = outl + data_hdr_size ();
470
471 set_hdr (type, dst);
472
473 hmac_set (conn->octx);
474 }
475
476 tap_packet *
477 vpndata_packet::unpack (connection *conn, u32 &seqno)
478 {
479 EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
480 int outl = 0, outl2;
481 tap_packet *p = new tap_packet;
482 u8 *d;
483 u32 l = len - data_hdr_size ();
484
485 EVP_DecryptInit_ex (cctx, 0, 0, 0, 0);
486
487 #if ENABLE_COMPRESSION
488 u8 cdata[MAX_MTU];
489
490 if (type == PT_DATA_COMPRESSED)
491 d = cdata;
492 else
493 #endif
494 d = &(*p)[6 + 6 - DATAHDR];
495
496 /* this overwrites part of the src mac, but we fix that later */
497 EVP_DecryptUpdate (cctx,
498 d, &outl2,
499 (unsigned char *)&data, len - data_hdr_size ());
500 outl += outl2;
501
502 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
503 outl += outl2;
504
505 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
506
507 id2mac (dst () ? dst() : THISNODE->id, p->dst);
508 id2mac (src (), p->src);
509
510 #if ENABLE_COMPRESSION
511 if (type == PT_DATA_COMPRESSED)
512 {
513 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
514
515 p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
516 &(*p)[6 + 6], MAX_MTU)
517 + 6 + 6;
518 }
519 else
520 p->len = outl + (6 + 6 - DATAHDR);
521 #endif
522
523 return p;
524 }
525
526 struct ping_packet : vpn_packet
527 {
528 void setup (int dst, ptype type)
529 {
530 set_hdr (type, dst);
531 len = sizeof (*this) - sizeof (net_packet);
532 }
533 };
534
535 struct config_packet : vpn_packet
536 {
537 // actually, hmaclen cannot be checked because the hmac
538 // field comes before this data, so peers with other
539 // hmacs simply will not work.
540 u8 prot_major, prot_minor, randsize, hmaclen;
541 u8 flags, challengelen, pad2, pad3;
542 u32 cipher_nid, digest_nid, hmac_nid;
543
544 const u8 curflags () const
545 {
546 return 0x80
547 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
548 }
549
550 void setup (ptype type, int dst);
551 bool chk_config () const;
552 };
553
554 void config_packet::setup (ptype type, int dst)
555 {
556 prot_major = PROTOCOL_MAJOR;
557 prot_minor = PROTOCOL_MINOR;
558 randsize = RAND_SIZE;
559 hmaclen = HMACLENGTH;
560 flags = curflags ();
561 challengelen = sizeof (rsachallenge);
562
563 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
564 digest_nid = htonl (EVP_MD_type (RSA_HASH));
565 hmac_nid = htonl (EVP_MD_type (DIGEST));
566
567 len = sizeof (*this) - sizeof (net_packet);
568 set_hdr (type, dst);
569 }
570
571 bool config_packet::chk_config () const
572 {
573 return prot_major == PROTOCOL_MAJOR
574 && randsize == RAND_SIZE
575 && hmaclen == HMACLENGTH
576 && flags == curflags ()
577 && challengelen == sizeof (rsachallenge)
578 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
579 && digest_nid == htonl (EVP_MD_type (RSA_HASH))
580 && hmac_nid == htonl (EVP_MD_type (DIGEST));
581 }
582
583 struct auth_req_packet : config_packet
584 {
585 char magic[8];
586 u8 initiate, can_recv; // false if this is just an automatic reply
587 u8 pad2, pad3;
588 rsaid id;
589 rsaencrdata encr;
590
591 auth_req_packet (int dst, bool initiate_, u8 can_recv_)
592 {
593 config_packet::setup (PT_AUTH_REQ, dst);
594 strncpy (magic, MAGIC, 8);
595 initiate = !!initiate_;
596 can_recv = can_recv_;
597
598 len = sizeof (*this) - sizeof (net_packet);
599 }
600 };
601
602 struct auth_res_packet : config_packet
603 {
604 rsaid id;
605 u8 pad1, pad2, pad3;
606 u8 response_len; // encrypted length
607 rsaresponse response;
608
609 auth_res_packet (int dst)
610 {
611 config_packet::setup (PT_AUTH_RES, dst);
612
613 len = sizeof (*this) - sizeof (net_packet);
614 }
615 };
616
617 struct connect_req_packet : vpn_packet
618 {
619 u8 id;
620 u8 pad1, pad2, pad3;
621
622 connect_req_packet (int dst, int id_)
623 {
624 id = id_;
625 set_hdr (PT_CONNECT_REQ, dst);
626 len = sizeof (*this) - sizeof (net_packet);
627 }
628 };
629
630 struct connect_info_packet : vpn_packet
631 {
632 u8 id, can_recv;
633 u8 pad1, pad2;
634 sockinfo si;
635
636 connect_info_packet (int dst, int id_, sockinfo &si_, u8 can_recv_)
637 {
638 id = id_;
639 can_recv = can_recv_;
640 si = si_;
641 set_hdr (PT_CONNECT_INFO, dst);
642
643 len = sizeof (*this) - sizeof (net_packet);
644 }
645 };
646
647 /////////////////////////////////////////////////////////////////////////////
648
649 void
650 connection::reset_dstaddr ()
651 {
652 si.set (conf);
653 }
654
655 void
656 connection::send_ping (const sockinfo &si, u8 pong)
657 {
658 ping_packet *pkt = new ping_packet;
659
660 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
661 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
662
663 delete pkt;
664 }
665
666 void
667 connection::send_reset (const sockinfo &si)
668 {
669 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
670 {
671 config_packet *pkt = new config_packet;
672
673 pkt->setup (vpn_packet::PT_RESET, conf->id);
674 send_vpn_packet (pkt, si, IPTOS_MINCOST);
675
676 delete pkt;
677 }
678 }
679
680 void
681 connection::send_auth_request (const sockinfo &si, bool initiate)
682 {
683 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->can_recv);
684
685 // the next line is very conservative
686 prot_send = best_protocol (THISNODE->can_send & THISNODE->can_recv & conf->can_recv);
687
688 rsachallenge chg;
689
690 rsa_cache.gen (pkt->id, chg);
691
692 if (0 > RSA_public_encrypt (sizeof chg,
693 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
694 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
695 fatal ("RSA_public_encrypt error");
696
697 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
698
699 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
700
701 delete pkt;
702 }
703
704 void
705 connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
706 {
707 auth_res_packet *pkt = new auth_res_packet (conf->id);
708
709 pkt->id = id;
710
711 rsa_hash (id, chg, pkt->response);
712
713 pkt->hmac_set (octx);
714
715 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
716
717 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
718
719 delete pkt;
720 }
721
722 void
723 connection::establish_connection_cb (tstamp &ts)
724 {
725 if (ictx || conf == THISNODE
726 || connectmode == conf_node::C_NEVER
727 || connectmode == conf_node::C_DISABLED)
728 ts = TSTAMP_CANCEL;
729 else if (ts <= NOW)
730 {
731 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
732
733 if (retry_int < 3600 * 8)
734 retry_cnt++;
735
736 ts = NOW + retry_int;
737
738 if (conf->hostname)
739 {
740 reset_dstaddr ();
741 if (si.host && auth_rate_limiter.can (si))
742 {
743 if (retry_cnt < 4)
744 send_auth_request (si, true);
745 else
746 send_ping (si, 0);
747 }
748 }
749 else
750 vpn->connect_request (conf->id);
751 }
752 }
753
754 void
755 connection::reset_connection ()
756 {
757 if (ictx && octx)
758 {
759 slog (L_INFO, _("%s(%s): connection lost"),
760 conf->nodename, (const char *)si);
761
762 if (::conf.script_node_down)
763 run_script (run_script_cb (this, &connection::script_node_down), false);
764 }
765
766 delete ictx; ictx = 0;
767 delete octx; octx = 0;
768
769 si.host= 0;
770
771 last_activity = 0;
772 retry_cnt = 0;
773
774 rekey.reset ();
775 keepalive.reset ();
776 establish_connection.reset ();
777 }
778
779 void
780 connection::shutdown ()
781 {
782 if (ictx && octx)
783 send_reset (si);
784
785 reset_connection ();
786 }
787
788 void
789 connection::rekey_cb (tstamp &ts)
790 {
791 ts = TSTAMP_CANCEL;
792
793 reset_connection ();
794 establish_connection ();
795 }
796
797 void
798 connection::send_data_packet (tap_packet *pkt, bool broadcast)
799 {
800 vpndata_packet *p = new vpndata_packet;
801 int tos = 0;
802
803 if (conf->inherit_tos
804 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
805 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
806 tos = (*pkt)[15] & IPTOS_TOS_MASK;
807
808 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
809 send_vpn_packet (p, si, tos);
810
811 delete p;
812
813 if (oseqno > MAX_SEQNO)
814 rekey ();
815 }
816
817 void
818 connection::inject_data_packet (tap_packet *pkt, bool broadcast)
819 {
820 if (ictx && octx)
821 send_data_packet (pkt, broadcast);
822 else
823 {
824 if (!broadcast)//DDDD
825 queue.put (new tap_packet (*pkt));
826
827 establish_connection ();
828 }
829 }
830
831 void
832 connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
833 {
834 last_activity = NOW;
835
836 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
837 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
838
839 switch (pkt->typ ())
840 {
841 case vpn_packet::PT_PING:
842 // we send pings instead of auth packets after some retries,
843 // so reset the retry counter and establish a connection
844 // when we receive a ping.
845 if (!ictx)
846 {
847 if (auth_rate_limiter.can (rsi))
848 send_auth_request (rsi, true);
849 }
850 else
851 send_ping (rsi, 1); // pong
852
853 break;
854
855 case vpn_packet::PT_PONG:
856 break;
857
858 case vpn_packet::PT_RESET:
859 {
860 reset_connection ();
861
862 config_packet *p = (config_packet *) pkt;
863
864 if (!p->chk_config ())
865 {
866 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
867 conf->nodename, (const char *)rsi);
868 connectmode = conf_node::C_DISABLED;
869 }
870 else if (connectmode == conf_node::C_ALWAYS)
871 establish_connection ();
872 }
873 break;
874
875 case vpn_packet::PT_AUTH_REQ:
876 if (auth_rate_limiter.can (rsi))
877 {
878 auth_req_packet *p = (auth_req_packet *) pkt;
879
880 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
881
882 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
883 {
884 if (p->prot_minor != PROTOCOL_MINOR)
885 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
886 conf->nodename, (const char *)rsi,
887 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
888
889 if (p->initiate)
890 send_auth_request (rsi, false);
891
892 rsachallenge k;
893
894 if (0 > RSA_private_decrypt (sizeof (p->encr),
895 (unsigned char *)&p->encr, (unsigned char *)&k,
896 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
897 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
898 conf->nodename, (const char *)rsi);
899 else
900 {
901 retry_cnt = 0;
902 establish_connection.set (NOW + 8); //? ;)
903 keepalive.reset ();
904 rekey.reset ();
905
906 delete ictx;
907 ictx = 0;
908
909 delete octx;
910
911 octx = new crypto_ctx (k, 1);
912 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
913
914 conf->can_recv = p->can_recv;
915 send_auth_response (rsi, p->id, k);
916
917 break;
918 }
919 }
920
921 send_reset (rsi);
922 }
923
924 break;
925
926 case vpn_packet::PT_AUTH_RES:
927 {
928 auth_res_packet *p = (auth_res_packet *) pkt;
929
930 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
931
932 if (p->chk_config ())
933 {
934 if (p->prot_minor != PROTOCOL_MINOR)
935 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
936 conf->nodename, (const char *)rsi,
937 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
938
939 rsachallenge chg;
940
941 if (!rsa_cache.find (p->id, chg))
942 slog (L_ERR, _("%s(%s): unrequested auth response"),
943 conf->nodename, (const char *)rsi);
944 else
945 {
946 crypto_ctx *cctx = new crypto_ctx (chg, 0);
947
948 if (!p->hmac_chk (cctx))
949 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
950 "could be an attack, or just corruption or an synchronization error"),
951 conf->nodename, (const char *)rsi);
952 else
953 {
954 rsaresponse h;
955
956 rsa_hash (p->id, chg, h);
957
958 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
959 {
960 prot_minor = p->prot_minor;
961
962 delete ictx; ictx = cctx;
963
964 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
965
966 si = rsi;
967
968 rekey.set (NOW + ::conf.rekey);
969 keepalive.set (NOW + ::conf.keepalive);
970
971 // send queued packets
972 while (tap_packet *p = queue.get ())
973 {
974 send_data_packet (p);
975 delete p;
976 }
977
978 connectmode = conf->connectmode;
979
980 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
981 conf->nodename, (const char *)rsi,
982 p->prot_major, p->prot_minor);
983
984 if (::conf.script_node_up)
985 run_script (run_script_cb (this, &connection::script_node_up), false);
986
987 break;
988 }
989 else
990 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
991 conf->nodename, (const char *)rsi);
992 }
993
994 delete cctx;
995 }
996 }
997 }
998
999 send_reset (rsi);
1000 break;
1001
1002 case vpn_packet::PT_DATA_COMPRESSED:
1003 #if !ENABLE_COMPRESSION
1004 send_reset (rsi);
1005 break;
1006 #endif
1007
1008 case vpn_packet::PT_DATA_UNCOMPRESSED:
1009
1010 if (ictx && octx)
1011 {
1012 vpndata_packet *p = (vpndata_packet *)pkt;
1013
1014 if (rsi == si)
1015 {
1016 if (!p->hmac_chk (ictx))
1017 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1018 "could be an attack, or just corruption or an synchronization error"),
1019 conf->nodename, (const char *)rsi);
1020 else
1021 {
1022 u32 seqno;
1023 tap_packet *d = p->unpack (this, seqno);
1024
1025 if (iseqno.recv_ok (seqno))
1026 {
1027 vpn->tap->send (d);
1028
1029 if (p->dst () == 0) // re-broadcast
1030 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1031 {
1032 connection *c = *i;
1033
1034 if (c->conf != THISNODE && c->conf != conf)
1035 c->inject_data_packet (d);
1036 }
1037
1038 delete d;
1039
1040 break;
1041 }
1042 }
1043 }
1044 else
1045 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
1046 }
1047
1048 send_reset (rsi);
1049 break;
1050
1051 case vpn_packet::PT_CONNECT_REQ:
1052 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1053 {
1054 connect_req_packet *p = (connect_req_packet *) pkt;
1055
1056 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1057
1058 connection *c = vpn->conns[p->id - 1];
1059
1060 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1061 conf->id, p->id, c->ictx && c->octx);
1062
1063 if (c->ictx && c->octx)
1064 {
1065 // send connect_info packets to both sides, in case one is
1066 // behind a nat firewall (or both ;)
1067 {
1068 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1069 c->conf->id, conf->id, (const char *)si);
1070
1071 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si, conf->can_recv);
1072
1073 r->hmac_set (c->octx);
1074 send_vpn_packet (r, c->si);
1075
1076 delete r;
1077 }
1078
1079 {
1080 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1081 conf->id, c->conf->id, (const char *)c->si);
1082
1083 connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, c->si, c->conf->can_recv);
1084
1085 r->hmac_set (octx);
1086 send_vpn_packet (r, si);
1087
1088 delete r;
1089 }
1090 }
1091 }
1092
1093 break;
1094
1095 case vpn_packet::PT_CONNECT_INFO:
1096 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1097 {
1098 connect_info_packet *p = (connect_info_packet *) pkt;
1099
1100 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1101
1102 connection *c = vpn->conns[p->id - 1];
1103
1104 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1105 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1106
1107 c->conf->can_recv = p->can_recv;
1108 c->send_auth_request (p->si, true);
1109 }
1110
1111 break;
1112
1113 default:
1114 send_reset (rsi);
1115 break;
1116
1117 }
1118 }
1119
1120 void connection::keepalive_cb (tstamp &ts)
1121 {
1122 if (NOW >= last_activity + ::conf.keepalive + 30)
1123 {
1124 reset_connection ();
1125 establish_connection ();
1126 }
1127 else if (NOW < last_activity + ::conf.keepalive)
1128 ts = last_activity + ::conf.keepalive;
1129 else if (conf->connectmode != conf_node::C_ONDEMAND
1130 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1131 {
1132 send_ping (si);
1133 ts = NOW + 5;
1134 }
1135 else
1136 reset_connection ();
1137
1138 }
1139
1140 void connection::connect_request (int id)
1141 {
1142 connect_req_packet *p = new connect_req_packet (conf->id, id);
1143
1144 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);
1145 p->hmac_set (octx);
1146 send_vpn_packet (p, si);
1147
1148 delete p;
1149 }
1150
1151 void connection::script_node ()
1152 {
1153 vpn->script_if_up (0);
1154
1155 char *env;
1156 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1157 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1158 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1159 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1160 }
1161
1162 const char *connection::script_node_up (int)
1163 {
1164 script_node ();
1165
1166 putenv ("STATE=up");
1167
1168 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1169 }
1170
1171 const char *connection::script_node_down (int)
1172 {
1173 script_node ();
1174
1175 putenv ("STATE=down");
1176
1177 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1178 }
1179
1180 // send a vpn packet out to other hosts
1181 void
1182 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1183 {
1184 if (prot_send & PROT_IPv4)
1185 vpn->send_ipv4_packet (pkt, si, tos);
1186 else
1187 vpn->send_udpv4_packet (pkt, si, tos);
1188 }
1189
1190 connection::connection(struct vpn *vpn_)
1191 : vpn(vpn_)
1192 , rekey (this, &connection::rekey_cb)
1193 , keepalive (this, &connection::keepalive_cb)
1194 , establish_connection (this, &connection::establish_connection_cb)
1195 {
1196 octx = ictx = 0;
1197 retry_cnt = 0;
1198
1199 connectmode = conf_node::C_ALWAYS; // initial setting
1200 reset_connection ();
1201 }
1202
1203 connection::~connection ()
1204 {
1205 shutdown ();
1206 }
1207
1208 /////////////////////////////////////////////////////////////////////////////
1209
1210 const char *vpn::script_if_up (int)
1211 {
1212 // the tunnel device mtu should be the physical mtu - overhead
1213 // the tricky part is rounding to the cipher key blocksize
1214 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
1215 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
1216 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
1217 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
1218
1219 char *env;
1220 asprintf (&env, "CONFBASE=%s", confbase);
1221 putenv (env);
1222 asprintf (&env, "NODENAME=%s", THISNODE->nodename);
1223 putenv (env);
1224 asprintf (&env, "NODEID=%d", THISNODE->id);
1225 putenv (env);
1226 asprintf (&env, "IFNAME=%s", tap->interface ());
1227 putenv (env);
1228 asprintf (&env, "MTU=%d", mtu);
1229 putenv (env);
1230 asprintf (&env, "MAC=%02x:%02x:%02x:%02x:%02x:%02x",
1231 0xfe, 0xfd, 0x80, 0x00, THISNODE->id >> 8,
1232 THISNODE->id & 0xff);
1233 putenv (env);
1234
1235 return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1236 }
1237
1238 int
1239 vpn::setup ()
1240 {
1241 u8 prots = 0;
1242
1243 for (configuration::node_vector::iterator i = conf.nodes.begin ();
1244 i != conf.nodes.end (); ++i)
1245 prots |= (*i)->can_send | (*i)->can_recv;
1246
1247 sockinfo si;
1248
1249 si.set (THISNODE);
1250
1251 udpv4_fd = -1;
1252
1253 if (prots & PROT_UDPv4)
1254 {
1255 udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1256
1257 if (udpv4_fd < 0)
1258 return -1;
1259
1260 if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1261 {
1262 slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1263 exit (1);
1264 }
1265
1266 #ifdef IP_MTU_DISCOVER
1267 // this I really consider a linux bug. I am neither connected
1268 // nor do I fragment myself. Linux still sets DF and doesn't
1269 // fragment for me sometimes.
1270 {
1271 int oval = IP_PMTUDISC_DONT;
1272 setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1273 }
1274 #endif
1275
1276 // standard daemon practise...
1277 {
1278 int oval = 1;
1279 setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1280 }
1281
1282 udpv4_ev_watcher.start (udpv4_fd, POLLIN);
1283 }
1284
1285 ipv4_fd = -1;
1286 if (prots & PROT_IPv4)
1287 {
1288 ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
1289
1290 if (ipv4_fd < 0)
1291 return -1;
1292
1293 if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
1294 {
1295 slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
1296 exit (1);
1297 }
1298
1299 #ifdef IP_MTU_DISCOVER
1300 // this I really consider a linux bug. I am neither connected
1301 // nor do I fragment myself. Linux still sets DF and doesn't
1302 // fragment for me sometimes.
1303 {
1304 int oval = IP_PMTUDISC_DONT;
1305 setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1306 }
1307 #endif
1308
1309 ipv4_ev_watcher.start (ipv4_fd, POLLIN);
1310 }
1311
1312 tap = new tap_device ();
1313 if (!tap) //D this, of course, never catches
1314 {
1315 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1316 exit (1);
1317 }
1318
1319 run_script (run_script_cb (this, &vpn::script_if_up), true);
1320
1321 tap_ev_watcher.start (tap->fd, POLLIN);
1322
1323 reconnect_all ();
1324
1325 return 0;
1326 }
1327
1328 void
1329 vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1330 {
1331 setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1332 sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1333 }
1334
1335 void
1336 vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1337 {
1338 setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1339 sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1340 }
1341
1342 void
1343 vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1344 {
1345 unsigned int src = pkt->src ();
1346 unsigned int dst = pkt->dst ();
1347
1348 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1349 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1350
1351 if (dst > conns.size () || pkt->typ () >= vpn_packet::PT_MAX)
1352 slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1353 pkt->typ (), pkt->src (), pkt->dst ());
1354 else if (dst == 0 && !THISNODE->routerprio)
1355 slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1356 else if (dst != 0 && dst != THISNODE->id)
1357 slog (L_WARN,
1358 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1359 dst, conns[dst - 1]->conf->nodename,
1360 (const char *)rsi,
1361 THISNODE->id, THISNODE->nodename);
1362 else if (src == 0 || src > conns.size ())
1363 slog (L_WARN, _("received frame from unknown node %d (%s)"),
1364 src, (const char *)rsi);
1365 else
1366 conns[src - 1]->recv_vpn_packet (pkt, rsi);
1367 }
1368
1369 void
1370 vpn::udpv4_ev (short revents)
1371 {
1372 if (revents & (POLLIN | POLLERR))
1373 {
1374 vpn_packet *pkt = new vpn_packet;
1375 struct sockaddr_in sa;
1376 socklen_t sa_len = sizeof (sa);
1377 int len;
1378
1379 len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1380
1381 sockinfo si(sa);
1382
1383 if (len > 0)
1384 {
1385 pkt->len = len;
1386
1387 recv_vpn_packet (pkt, si);
1388 }
1389 else
1390 {
1391 // probably ECONNRESET or somesuch
1392 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1393 }
1394
1395 delete pkt;
1396 }
1397 else if (revents & POLLHUP)
1398 {
1399 // this cannot ;) happen on udp sockets
1400 slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
1401 exit (1);
1402 }
1403 else
1404 {
1405 slog (L_ERR,
1406 _("FATAL: unknown revents %08x in socket, terminating\n"),
1407 revents);
1408 exit (1);
1409 }
1410 }
1411
1412 void
1413 vpn::ipv4_ev (short revents)
1414 {
1415 if (revents & (POLLIN | POLLERR))
1416 {
1417 vpn_packet *pkt = new vpn_packet;
1418 struct sockaddr_in sa;
1419 socklen_t sa_len = sizeof (sa);
1420 int len;
1421
1422 len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1423
1424 sockinfo si(sa, PROT_IPv4);
1425
1426 if (len > 0)
1427 {
1428 pkt->len = len;
1429
1430 // raw sockets deliver the ipv4, but don't expect it on sends
1431 // this is slow, but...
1432 pkt->skip_hdr (IP_OVERHEAD);
1433
1434 recv_vpn_packet (pkt, si);
1435 }
1436 else
1437 {
1438 // probably ECONNRESET or somesuch
1439 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1440 }
1441
1442 delete pkt;
1443 }
1444 else if (revents & POLLHUP)
1445 {
1446 // this cannot ;) happen on udp sockets
1447 slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
1448 exit (1);
1449 }
1450 else
1451 {
1452 slog (L_ERR,
1453 _("FATAL: unknown revents %08x in socket, terminating\n"),
1454 revents);
1455 exit (1);
1456 }
1457 }
1458
1459 void
1460 vpn::tap_ev (short revents)
1461 {
1462 if (revents & POLLIN)
1463 {
1464 /* process data */
1465 tap_packet *pkt;
1466
1467 pkt = tap->recv ();
1468
1469 int dst = mac2id (pkt->dst);
1470 int src = mac2id (pkt->src);
1471
1472 if (src != THISNODE->id)
1473 {
1474 slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1475 exit (1);
1476 }
1477
1478 if (dst == THISNODE->id)
1479 {
1480 slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1481 exit (1);
1482 }
1483
1484 if (dst > conns.size ())
1485 slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1486 else
1487 {
1488 if (dst)
1489 {
1490 // unicast
1491 if (dst != THISNODE->id)
1492 conns[dst - 1]->inject_data_packet (pkt);
1493 }
1494 else
1495 {
1496 // broadcast, first check router, then self, then english
1497 connection *router = find_router ();
1498
1499 if (router)
1500 router->inject_data_packet (pkt, true);
1501 else
1502 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1503 if ((*c)->conf != THISNODE)
1504 (*c)->inject_data_packet (pkt);
1505 }
1506 }
1507
1508 delete pkt;
1509 }
1510 else if (revents & (POLLHUP | POLLERR))
1511 {
1512 slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
1513 exit (1);
1514 }
1515 else
1516 abort ();
1517 }
1518
1519 void
1520 vpn::event_cb (tstamp &ts)
1521 {
1522 if (events)
1523 {
1524 if (events & EVENT_SHUTDOWN)
1525 {
1526 slog (L_INFO, _("preparing shutdown..."));
1527
1528 shutdown_all ();
1529
1530 remove_pid (pidfilename);
1531
1532 slog (L_INFO, _("terminating"));
1533
1534 exit (0);
1535 }
1536
1537 if (events & EVENT_RECONNECT)
1538 {
1539 slog (L_INFO, _("forced reconnect"));
1540
1541 reconnect_all ();
1542 }
1543
1544 events = 0;
1545 }
1546
1547 ts = TSTAMP_CANCEL;
1548 }
1549
1550 void
1551 vpn::shutdown_all ()
1552 {
1553 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1554 (*c)->shutdown ();
1555 }
1556
1557 void
1558 vpn::reconnect_all ()
1559 {
1560 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1561 delete *c;
1562
1563 conns.clear ();
1564
1565 auth_rate_limiter.clear ();
1566 reset_rate_limiter.clear ();
1567
1568 for (configuration::node_vector::iterator i = conf.nodes.begin ();
1569 i != conf.nodes.end (); ++i)
1570 {
1571 connection *conn = new connection (this);
1572
1573 conn->conf = *i;
1574 conns.push_back (conn);
1575
1576 conn->establish_connection ();
1577 }
1578 }
1579
1580 connection *vpn::find_router ()
1581 {
1582 u32 prio = 0;
1583 connection *router = 0;
1584
1585 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1586 {
1587 connection *c = *i;
1588
1589 if (c->conf->routerprio > prio
1590 && c->connectmode == conf_node::C_ALWAYS
1591 && c->conf != THISNODE
1592 && c->ictx && c->octx)
1593 {
1594 prio = c->conf->routerprio;
1595 router = c;
1596 }
1597 }
1598
1599 return router;
1600 }
1601
1602 void vpn::connect_request (int id)
1603 {
1604 connection *c = find_router ();
1605
1606 if (c)
1607 c->connect_request (id);
1608 //else // does not work, because all others must connect to the same router
1609 // // no router found, aggressively connect to all routers
1610 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1611 // if ((*i)->conf->routerprio)
1612 // (*i)->establish_connection ();
1613 }
1614
1615 void
1616 connection::dump_status ()
1617 {
1618 slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
1619 slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
1620 connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
1621 slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
1622 (long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
1623 slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
1624 (long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
1625 }
1626
1627 void
1628 vpn::dump_status ()
1629 {
1630 slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
1631
1632 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1633 (*c)->dump_status ();
1634
1635 slog (L_NOTICE, _("END status dump"));
1636 }
1637
1638 vpn::vpn (void)
1639 : udpv4_ev_watcher(this, &vpn::udpv4_ev)
1640 , ipv4_ev_watcher(this, &vpn::ipv4_ev)
1641 , tap_ev_watcher(this, &vpn::tap_ev)
1642 , event(this, &vpn::event_cb)
1643 {
1644 }
1645
1646 vpn::~vpn ()
1647 {
1648 }
1649