ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/protocol.C
Revision: 1.24
Committed: Fri Mar 28 16:14:40 2003 UTC (21 years, 2 months ago) by pcg
Content type: text/plain
Branch: MAIN
Changes since 1.23: +60 -67 lines
Log Message: 
*** empty log message ***

File Contents

# Content
1 /*
2 protocol.C -- handle the protocol, encryption, handshaking etc.
3
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17 */
18
19 #include "config.h"
20
21 #include <list>
22
23 #include <cstdlib>
24 #include <cstring>
25 #include <cstdio>
26
27 #include <sys/types.h>
28 #include <sys/socket.h>
29 #include <sys/poll.h>
30 #include <sys/wait.h>
31 #include <netinet/in.h>
32 #include <arpa/inet.h>
33 #include <errno.h>
34 #include <time.h>
35 #include <unistd.h>
36
37 #include <openssl/rand.h>
38 #include <openssl/hmac.h>
39 #include <openssl/evp.h>
40 #include <openssl/rsa.h>
41 #include <openssl/err.h>
42
43 extern "C" {
44 # include "lzf/lzf.h"
45 }
46
47 #include "gettext.h"
48 #include "pidfile.h"
49
50 #include "conf.h"
51 #include "slog.h"
52 #include "device.h"
53 #include "protocol.h"
54
55 #if !HAVE_RAND_PSEUDO_BYTES
56 # define RAND_pseudo_bytes RAND_bytes
57 #endif
58
59 static time_t next_timecheck;
60
61 #define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
62
63 static u8
64 best_protocol (u8 protset)
65 {
66 if (protset & PROT_IPv4)
67 return PROT_IPv4;
68
69 return PROT_UDPv4;
70 }
71
72 struct crypto_ctx
73 {
74 EVP_CIPHER_CTX cctx;
75 HMAC_CTX hctx;
76
77 crypto_ctx (const rsachallenge &challenge, int enc);
78 ~crypto_ctx ();
79 };
80
81 crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
82 {
83 EVP_CIPHER_CTX_init (&cctx);
84 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
85 HMAC_CTX_init (&hctx);
86 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
87 }
88
89 crypto_ctx::~crypto_ctx ()
90 {
91 EVP_CIPHER_CTX_cleanup (&cctx);
92 HMAC_CTX_cleanup (&hctx);
93 }
94
95 static void
96 rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
97 {
98 EVP_MD_CTX ctx;
99
100 EVP_MD_CTX_init (&ctx);
101 EVP_DigestInit (&ctx, RSA_HASH);
102 EVP_DigestUpdate(&ctx, &chg, sizeof chg);
103 EVP_DigestUpdate(&ctx, &id, sizeof id);
104 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
105 EVP_MD_CTX_cleanup (&ctx);
106 }
107
108 struct rsa_entry {
109 tstamp expire;
110 rsaid id;
111 rsachallenge chg;
112 };
113
114 struct rsa_cache : list<rsa_entry>
115 {
116 void cleaner_cb (tstamp &ts); time_watcher cleaner;
117
118 bool find (const rsaid &id, rsachallenge &chg)
119 {
120 for (iterator i = begin (); i != end (); ++i)
121 {
122 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
123 {
124 memcpy (&chg, &i->chg, sizeof chg);
125
126 erase (i);
127 return true;
128 }
129 }
130
131 if (cleaner.at < NOW)
132 cleaner.start (NOW + RSA_TTL);
133
134 return false;
135 }
136
137 void gen (rsaid &id, rsachallenge &chg)
138 {
139 rsa_entry e;
140
141 RAND_bytes ((unsigned char *)&id, sizeof id);
142 RAND_bytes ((unsigned char *)&chg, sizeof chg);
143
144 e.expire = NOW + RSA_TTL;
145 e.id = id;
146 memcpy (&e.chg, &chg, sizeof chg);
147
148 push_back (e);
149
150 if (cleaner.at < NOW)
151 cleaner.start (NOW + RSA_TTL);
152 }
153
154 rsa_cache ()
155 : cleaner (this, &rsa_cache::cleaner_cb)
156 { }
157
158 } rsa_cache;
159
160 void rsa_cache::cleaner_cb (tstamp &ts)
161 {
162 if (empty ())
163 ts = TSTAMP_CANCEL;
164 else
165 {
166 ts = NOW + RSA_TTL;
167
168 for (iterator i = begin (); i != end (); )
169 if (i->expire <= NOW)
170 i = erase (i);
171 else
172 ++i;
173 }
174 }
175
176 typedef callback<const char *, int> run_script_cb;
177
178 // run a shell script (or actually an external program).
179 static void
180 run_script (const run_script_cb &cb, bool wait)
181 {
182 int pid;
183
184 if ((pid = fork ()) == 0)
185 {
186 char *filename;
187 asprintf (&filename, "%s/%s", confbase, cb(0));
188 execl (filename, filename, (char *) 0);
189 exit (255);
190 }
191 else if (pid > 0)
192 {
193 if (wait)
194 {
195 waitpid (pid, 0, 0);
196 /* TODO: check status */
197 }
198 }
199 }
200
201 //////////////////////////////////////////////////////////////////////////////
202
203 void pkt_queue::put (tap_packet *p)
204 {
205 if (queue[i])
206 {
207 delete queue[i];
208 j = (j + 1) % QUEUEDEPTH;
209 }
210
211 queue[i] = p;
212
213 i = (i + 1) % QUEUEDEPTH;
214 }
215
216 tap_packet *pkt_queue::get ()
217 {
218 tap_packet *p = queue[j];
219
220 if (p)
221 {
222 queue[j] = 0;
223 j = (j + 1) % QUEUEDEPTH;
224 }
225
226 return p;
227 }
228
229 pkt_queue::pkt_queue ()
230 {
231 memset (queue, 0, sizeof (queue));
232 i = 0;
233 j = 0;
234 }
235
236 pkt_queue::~pkt_queue ()
237 {
238 for (i = QUEUEDEPTH; --i > 0; )
239 delete queue[i];
240 }
241
242 struct net_rateinfo {
243 u32 host;
244 double pcnt, diff;
245 tstamp last;
246 };
247
248 // only do action once every x seconds per host whole allowing bursts.
249 // this implementation ("splay list" ;) is inefficient,
250 // but low on resources.
251 struct net_rate_limiter : list<net_rateinfo>
252 {
253 static const double ALPHA = 1. - 1. / 90.; // allow bursts
254 static const double CUTOFF = 20.; // one event every CUTOFF seconds
255 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
256
257 bool can (const sockinfo &si) { return can((u32)si.host); }
258 bool can (u32 host);
259 };
260
261 net_rate_limiter auth_rate_limiter, reset_rate_limiter;
262
263 bool net_rate_limiter::can (u32 host)
264 {
265 iterator i;
266
267 for (i = begin (); i != end (); )
268 if (i->host == host)
269 break;
270 else if (i->last < NOW - EXPIRE)
271 i = erase (i);
272 else
273 i++;
274
275 if (i == end ())
276 {
277 net_rateinfo ri;
278
279 ri.host = host;
280 ri.pcnt = 1.;
281 ri.diff = CUTOFF * (1. / (1. - ALPHA));
282 ri.last = NOW;
283
284 push_front (ri);
285
286 return true;
287 }
288 else
289 {
290 net_rateinfo ri (*i);
291 erase (i);
292
293 ri.pcnt = ri.pcnt * ALPHA;
294 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
295
296 ri.last = NOW;
297
298 bool send = ri.diff / ri.pcnt > CUTOFF;
299
300 if (send)
301 ri.pcnt++;
302
303 push_front (ri);
304
305 return send;
306 }
307 }
308
309 /////////////////////////////////////////////////////////////////////////////
310
311 static void next_wakeup (time_t next)
312 {
313 if (next_timecheck > next)
314 next_timecheck = next;
315 }
316
317 static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
318
319 struct hmac_packet:net_packet
320 {
321 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
322
323 void hmac_set (crypto_ctx * ctx);
324 bool hmac_chk (crypto_ctx * ctx);
325
326 private:
327 void hmac_gen (crypto_ctx * ctx)
328 {
329 unsigned int xlen;
330 HMAC_CTX *hctx = &ctx->hctx;
331
332 HMAC_Init_ex (hctx, 0, 0, 0, 0);
333 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
334 len - sizeof (hmac_packet));
335 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
336 }
337 };
338
339 void
340 hmac_packet::hmac_set (crypto_ctx * ctx)
341 {
342 hmac_gen (ctx);
343
344 memcpy (hmac, hmac_digest, HMACLENGTH);
345 }
346
347 bool
348 hmac_packet::hmac_chk (crypto_ctx * ctx)
349 {
350 hmac_gen (ctx);
351
352 return !memcmp (hmac, hmac_digest, HMACLENGTH);
353 }
354
355 struct vpn_packet : hmac_packet
356 {
357 enum ptype
358 {
359 PT_RESET = 0,
360 PT_DATA_UNCOMPRESSED,
361 PT_DATA_COMPRESSED,
362 PT_PING, PT_PONG, // wasting namespace space? ;)
363 PT_AUTH_REQ, // authentification request
364 PT_AUTH_RES, // authentification response
365 PT_CONNECT_REQ, // want other host to contact me
366 PT_CONNECT_INFO, // request connection to some node
367 PT_MAX
368 };
369
370 u8 type;
371 u8 srcdst, src1, dst1;
372
373 void set_hdr (ptype type, unsigned int dst);
374
375 unsigned int src () const
376 {
377 return src1 | ((srcdst >> 4) << 8);
378 }
379
380 unsigned int dst () const
381 {
382 return dst1 | ((srcdst & 0xf) << 8);
383 }
384
385 ptype typ () const
386 {
387 return (ptype) type;
388 }
389 };
390
391 void vpn_packet::set_hdr (ptype type, unsigned int dst)
392 {
393 this->type = type;
394
395 int src = THISNODE->id;
396
397 src1 = src;
398 srcdst = ((src >> 8) << 4) | (dst >> 8);
399 dst1 = dst;
400 }
401
402 #define MAXVPNDATA (MAX_MTU - 6 - 6)
403 #define DATAHDR (sizeof (u32) + RAND_SIZE)
404
405 struct vpndata_packet:vpn_packet
406 {
407 u8 data[MAXVPNDATA + DATAHDR]; // seqno
408
409 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
410 tap_packet *unpack (connection *conn, u32 &seqno);
411 private:
412
413 const u32 data_hdr_size () const
414 {
415 return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
416 }
417 };
418
419 void
420 vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
421 {
422 EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
423 int outl = 0, outl2;
424 ptype type = PT_DATA_UNCOMPRESSED;
425
426 #if ENABLE_COMPRESSION
427 u8 cdata[MAX_MTU];
428 u32 cl;
429
430 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
431 if (cl)
432 {
433 type = PT_DATA_COMPRESSED;
434 d = cdata;
435 l = cl + 2;
436
437 d[0] = cl >> 8;
438 d[1] = cl;
439 }
440 #endif
441
442 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
443
444 struct {
445 #if RAND_SIZE
446 u8 rnd[RAND_SIZE];
447 #endif
448 u32 seqno;
449 } datahdr;
450
451 datahdr.seqno = ntohl (seqno);
452 #if RAND_SIZE
453 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
454 #endif
455
456 EVP_EncryptUpdate (cctx,
457 (unsigned char *) data + outl, &outl2,
458 (unsigned char *) &datahdr, DATAHDR);
459 outl += outl2;
460
461 EVP_EncryptUpdate (cctx,
462 (unsigned char *) data + outl, &outl2,
463 (unsigned char *) d, l);
464 outl += outl2;
465
466 EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2);
467 outl += outl2;
468
469 len = outl + data_hdr_size ();
470
471 set_hdr (type, dst);
472
473 hmac_set (conn->octx);
474 }
475
476 tap_packet *
477 vpndata_packet::unpack (connection *conn, u32 &seqno)
478 {
479 EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
480 int outl = 0, outl2;
481 tap_packet *p = new tap_packet;
482 u8 *d;
483 u32 l = len - data_hdr_size ();
484
485 EVP_DecryptInit_ex (cctx, 0, 0, 0, 0);
486
487 #if ENABLE_COMPRESSION
488 u8 cdata[MAX_MTU];
489
490 if (type == PT_DATA_COMPRESSED)
491 d = cdata;
492 else
493 #endif
494 d = &(*p)[6 + 6 - DATAHDR];
495
496 /* this overwrites part of the src mac, but we fix that later */
497 EVP_DecryptUpdate (cctx,
498 d, &outl2,
499 (unsigned char *)&data, len - data_hdr_size ());
500 outl += outl2;
501
502 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
503 outl += outl2;
504
505 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
506
507 id2mac (dst () ? dst() : THISNODE->id, p->dst);
508 id2mac (src (), p->src);
509
510 #if ENABLE_COMPRESSION
511 if (type == PT_DATA_COMPRESSED)
512 {
513 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
514
515 p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
516 &(*p)[6 + 6], MAX_MTU)
517 + 6 + 6;
518 }
519 else
520 p->len = outl + (6 + 6 - DATAHDR);
521 #endif
522
523 return p;
524 }
525
526 struct ping_packet : vpn_packet
527 {
528 void setup (int dst, ptype type)
529 {
530 set_hdr (type, dst);
531 len = sizeof (*this) - sizeof (net_packet);
532 }
533 };
534
535 struct config_packet : vpn_packet
536 {
537 // actually, hmaclen cannot be checked because the hmac
538 // field comes before this data, so peers with other
539 // hmacs simply will not work.
540 u8 prot_major, prot_minor, randsize, hmaclen;
541 u8 flags, challengelen, pad2, pad3;
542 u32 cipher_nid, digest_nid, hmac_nid;
543
544 const u8 curflags () const
545 {
546 return 0x80
547 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
548 }
549
550 void setup (ptype type, int dst);
551 bool chk_config () const;
552 };
553
554 void config_packet::setup (ptype type, int dst)
555 {
556 prot_major = PROTOCOL_MAJOR;
557 prot_minor = PROTOCOL_MINOR;
558 randsize = RAND_SIZE;
559 hmaclen = HMACLENGTH;
560 flags = curflags ();
561 challengelen = sizeof (rsachallenge);
562
563 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
564 digest_nid = htonl (EVP_MD_type (RSA_HASH));
565 hmac_nid = htonl (EVP_MD_type (DIGEST));
566
567 len = sizeof (*this) - sizeof (net_packet);
568 set_hdr (type, dst);
569 }
570
571 bool config_packet::chk_config () const
572 {
573 return prot_major == PROTOCOL_MAJOR
574 && randsize == RAND_SIZE
575 && hmaclen == HMACLENGTH
576 && flags == curflags ()
577 && challengelen == sizeof (rsachallenge)
578 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
579 && digest_nid == htonl (EVP_MD_type (RSA_HASH))
580 && hmac_nid == htonl (EVP_MD_type (DIGEST));
581 }
582
583 struct auth_req_packet : config_packet
584 {
585 char magic[8];
586 u8 initiate; // false if this is just an automatic reply
587 u8 protocols; // supported protocols (will get patches on forward)
588 u8 pad2, pad3;
589 rsaid id;
590 rsaencrdata encr;
591
592 auth_req_packet (int dst, bool initiate_, u8 protocols_)
593 {
594 config_packet::setup (PT_AUTH_REQ, dst);
595 strncpy (magic, MAGIC, 8);
596 initiate = !!initiate_;
597 protocols = protocols_;
598
599 len = sizeof (*this) - sizeof (net_packet);
600 }
601 };
602
603 struct auth_res_packet : config_packet
604 {
605 rsaid id;
606 u8 pad1, pad2, pad3;
607 u8 response_len; // encrypted length
608 rsaresponse response;
609
610 auth_res_packet (int dst)
611 {
612 config_packet::setup (PT_AUTH_RES, dst);
613
614 len = sizeof (*this) - sizeof (net_packet);
615 }
616 };
617
618 struct connect_req_packet : vpn_packet
619 {
620 u8 id, protocols;
621 u8 pad1, pad2;
622
623 connect_req_packet (int dst, int id_, u8 protocols_)
624 : id(id_)
625 , protocols(protocols_)
626 {
627 set_hdr (PT_CONNECT_REQ, dst);
628 len = sizeof (*this) - sizeof (net_packet);
629 }
630 };
631
632 struct connect_info_packet : vpn_packet
633 {
634 u8 id, protocols;
635 u8 pad1, pad2;
636 sockinfo si;
637
638 connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
639 : id(id_)
640 , protocols(protocols_)
641 , si(si_)
642 {
643 set_hdr (PT_CONNECT_INFO, dst);
644
645 len = sizeof (*this) - sizeof (net_packet);
646 }
647 };
648
649 /////////////////////////////////////////////////////////////////////////////
650
651 void
652 connection::reset_dstaddr ()
653 {
654 si.set (conf);
655 }
656
657 void
658 connection::send_ping (const sockinfo &si, u8 pong)
659 {
660 ping_packet *pkt = new ping_packet;
661
662 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
663 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
664
665 delete pkt;
666 }
667
668 void
669 connection::send_reset (const sockinfo &si)
670 {
671 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
672 {
673 config_packet *pkt = new config_packet;
674
675 pkt->setup (vpn_packet::PT_RESET, conf->id);
676 send_vpn_packet (pkt, si, IPTOS_MINCOST);
677
678 delete pkt;
679 }
680 }
681
682 void
683 connection::send_auth_request (const sockinfo &si, bool initiate)
684 {
685 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
686
687 prot_send = best_protocol (THISNODE->protocols & conf->protocols);
688
689 rsachallenge chg;
690
691 rsa_cache.gen (pkt->id, chg);
692
693 if (0 > RSA_public_encrypt (sizeof chg,
694 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
695 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
696 fatal ("RSA_public_encrypt error");
697
698 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
699
700 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
701
702 delete pkt;
703 }
704
705 void
706 connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
707 {
708 auth_res_packet *pkt = new auth_res_packet (conf->id);
709
710 pkt->id = id;
711
712 rsa_hash (id, chg, pkt->response);
713
714 pkt->hmac_set (octx);
715
716 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
717
718 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
719
720 delete pkt;
721 }
722
723 void
724 connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
725 {
726 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
727 conf->id, rid, (const char *)rsi);
728
729 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
730
731 r->hmac_set (octx);
732 send_vpn_packet (r, si);
733
734 delete r;
735 }
736
737 void
738 connection::establish_connection_cb (tstamp &ts)
739 {
740 if (ictx || conf == THISNODE
741 || connectmode == conf_node::C_NEVER
742 || connectmode == conf_node::C_DISABLED)
743 ts = TSTAMP_CANCEL;
744 else if (ts <= NOW)
745 {
746 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
747
748 if (retry_int < 3600 * 8)
749 retry_cnt++;
750
751 ts = NOW + retry_int;
752
753 if (conf->hostname)
754 {
755 reset_dstaddr ();
756 if (si.host && auth_rate_limiter.can (si))
757 {
758 if (retry_cnt < 4)
759 send_auth_request (si, true);
760 else
761 send_ping (si, 0);
762 }
763 }
764 else
765 vpn->connect_request (conf->id);
766 }
767 }
768
769 void
770 connection::reset_connection ()
771 {
772 if (ictx && octx)
773 {
774 slog (L_INFO, _("%s(%s): connection lost"),
775 conf->nodename, (const char *)si);
776
777 if (::conf.script_node_down)
778 run_script (run_script_cb (this, &connection::script_node_down), false);
779 }
780
781 delete ictx; ictx = 0;
782 delete octx; octx = 0;
783
784 si.host= 0;
785
786 last_activity = 0;
787 retry_cnt = 0;
788
789 rekey.reset ();
790 keepalive.reset ();
791 establish_connection.reset ();
792 }
793
794 void
795 connection::shutdown ()
796 {
797 if (ictx && octx)
798 send_reset (si);
799
800 reset_connection ();
801 }
802
803 void
804 connection::rekey_cb (tstamp &ts)
805 {
806 ts = TSTAMP_CANCEL;
807
808 reset_connection ();
809 establish_connection ();
810 }
811
812 void
813 connection::send_data_packet (tap_packet *pkt, bool broadcast)
814 {
815 vpndata_packet *p = new vpndata_packet;
816 int tos = 0;
817
818 if (conf->inherit_tos
819 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
820 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
821 tos = (*pkt)[15] & IPTOS_TOS_MASK;
822
823 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
824 send_vpn_packet (p, si, tos);
825
826 delete p;
827
828 if (oseqno > MAX_SEQNO)
829 rekey ();
830 }
831
832 void
833 connection::inject_data_packet (tap_packet *pkt, bool broadcast)
834 {
835 if (ictx && octx)
836 send_data_packet (pkt, broadcast);
837 else
838 {
839 if (!broadcast)//DDDD
840 queue.put (new tap_packet (*pkt));
841
842 establish_connection ();
843 }
844 }
845
846 void
847 connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
848 {
849 last_activity = NOW;
850
851 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
852 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
853
854 switch (pkt->typ ())
855 {
856 case vpn_packet::PT_PING:
857 // we send pings instead of auth packets after some retries,
858 // so reset the retry counter and establish a connection
859 // when we receive a ping.
860 if (!ictx)
861 {
862 if (auth_rate_limiter.can (rsi))
863 send_auth_request (rsi, true);
864 }
865 else
866 send_ping (rsi, 1); // pong
867
868 break;
869
870 case vpn_packet::PT_PONG:
871 break;
872
873 case vpn_packet::PT_RESET:
874 {
875 reset_connection ();
876
877 config_packet *p = (config_packet *) pkt;
878
879 if (!p->chk_config ())
880 {
881 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
882 conf->nodename, (const char *)rsi);
883 connectmode = conf_node::C_DISABLED;
884 }
885 else if (connectmode == conf_node::C_ALWAYS)
886 establish_connection ();
887 }
888 break;
889
890 case vpn_packet::PT_AUTH_REQ:
891 if (auth_rate_limiter.can (rsi))
892 {
893 auth_req_packet *p = (auth_req_packet *) pkt;
894
895 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
896
897 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
898 {
899 if (p->prot_minor != PROTOCOL_MINOR)
900 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
901 conf->nodename, (const char *)rsi,
902 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
903
904 if (p->initiate)
905 send_auth_request (rsi, false);
906
907 rsachallenge k;
908
909 if (0 > RSA_private_decrypt (sizeof (p->encr),
910 (unsigned char *)&p->encr, (unsigned char *)&k,
911 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
912 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
913 conf->nodename, (const char *)rsi);
914 else
915 {
916 retry_cnt = 0;
917 establish_connection.set (NOW + 8); //? ;)
918 keepalive.reset ();
919 rekey.reset ();
920
921 delete ictx;
922 ictx = 0;
923
924 delete octx;
925
926 octx = new crypto_ctx (k, 1);
927 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
928
929 conf->protocols = p->protocols;
930 send_auth_response (rsi, p->id, k);
931
932 break;
933 }
934 }
935
936 send_reset (rsi);
937 }
938
939 break;
940
941 case vpn_packet::PT_AUTH_RES:
942 {
943 auth_res_packet *p = (auth_res_packet *) pkt;
944
945 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
946
947 if (p->chk_config ())
948 {
949 if (p->prot_minor != PROTOCOL_MINOR)
950 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
951 conf->nodename, (const char *)rsi,
952 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
953
954 rsachallenge chg;
955
956 if (!rsa_cache.find (p->id, chg))
957 slog (L_ERR, _("%s(%s): unrequested auth response"),
958 conf->nodename, (const char *)rsi);
959 else
960 {
961 crypto_ctx *cctx = new crypto_ctx (chg, 0);
962
963 if (!p->hmac_chk (cctx))
964 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
965 "could be an attack, or just corruption or an synchronization error"),
966 conf->nodename, (const char *)rsi);
967 else
968 {
969 rsaresponse h;
970
971 rsa_hash (p->id, chg, h);
972
973 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
974 {
975 prot_minor = p->prot_minor;
976
977 delete ictx; ictx = cctx;
978
979 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
980
981 si = rsi;
982
983 rekey.set (NOW + ::conf.rekey);
984 keepalive.set (NOW + ::conf.keepalive);
985
986 // send queued packets
987 while (tap_packet *p = queue.get ())
988 {
989 send_data_packet (p);
990 delete p;
991 }
992
993 connectmode = conf->connectmode;
994
995 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
996 conf->nodename, (const char *)rsi,
997 p->prot_major, p->prot_minor);
998
999 if (::conf.script_node_up)
1000 run_script (run_script_cb (this, &connection::script_node_up), false);
1001
1002 break;
1003 }
1004 else
1005 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
1006 conf->nodename, (const char *)rsi);
1007 }
1008
1009 delete cctx;
1010 }
1011 }
1012 }
1013
1014 send_reset (rsi);
1015 break;
1016
1017 case vpn_packet::PT_DATA_COMPRESSED:
1018 #if !ENABLE_COMPRESSION
1019 send_reset (rsi);
1020 break;
1021 #endif
1022
1023 case vpn_packet::PT_DATA_UNCOMPRESSED:
1024
1025 if (ictx && octx)
1026 {
1027 vpndata_packet *p = (vpndata_packet *)pkt;
1028
1029 if (rsi == si)
1030 {
1031 if (!p->hmac_chk (ictx))
1032 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1033 "could be an attack, or just corruption or an synchronization error"),
1034 conf->nodename, (const char *)rsi);
1035 else
1036 {
1037 u32 seqno;
1038 tap_packet *d = p->unpack (this, seqno);
1039
1040 if (iseqno.recv_ok (seqno))
1041 {
1042 vpn->tap->send (d);
1043
1044 if (p->dst () == 0) // re-broadcast
1045 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1046 {
1047 connection *c = *i;
1048
1049 if (c->conf != THISNODE && c->conf != conf)
1050 c->inject_data_packet (d);
1051 }
1052
1053 delete d;
1054
1055 break;
1056 }
1057 }
1058 }
1059 else
1060 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
1061 }
1062
1063 send_reset (rsi);
1064 break;
1065
1066 case vpn_packet::PT_CONNECT_REQ:
1067 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1068 {
1069 connect_req_packet *p = (connect_req_packet *) pkt;
1070
1071 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1072 conf->protocols = p->protocols;
1073 connection *c = vpn->conns[p->id - 1];
1074
1075 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1076 conf->id, p->id, c->ictx && c->octx);
1077
1078 if (c->ictx && c->octx)
1079 {
1080 // send connect_info packets to both sides, in case one is
1081 // behind a nat firewall (or both ;)
1082 c->send_connect_info (conf->id, si, conf->protocols);
1083 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1084 }
1085 }
1086
1087 break;
1088
1089 case vpn_packet::PT_CONNECT_INFO:
1090 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1091 {
1092 connect_info_packet *p = (connect_info_packet *) pkt;
1093
1094 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1095 conf->protocols = p->protocols;
1096 connection *c = vpn->conns[p->id - 1];
1097
1098 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1099 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1100
1101 c->send_auth_request (p->si, true);
1102 }
1103
1104 break;
1105
1106 default:
1107 send_reset (rsi);
1108 break;
1109
1110 }
1111 }
1112
1113 void connection::keepalive_cb (tstamp &ts)
1114 {
1115 if (NOW >= last_activity + ::conf.keepalive + 30)
1116 {
1117 reset_connection ();
1118 establish_connection ();
1119 }
1120 else if (NOW < last_activity + ::conf.keepalive)
1121 ts = last_activity + ::conf.keepalive;
1122 else if (conf->connectmode != conf_node::C_ONDEMAND
1123 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1124 {
1125 send_ping (si);
1126 ts = NOW + 5;
1127 }
1128 else
1129 reset_connection ();
1130 }
1131
1132 void connection::connect_request (int id)
1133 {
1134 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1135
1136 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1137 p->hmac_set (octx);
1138 send_vpn_packet (p, si);
1139
1140 delete p;
1141 }
1142
1143 void connection::script_node ()
1144 {
1145 vpn->script_if_up (0);
1146
1147 char *env;
1148 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1149 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1150 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1151 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1152 }
1153
1154 const char *connection::script_node_up (int)
1155 {
1156 script_node ();
1157
1158 putenv ("STATE=up");
1159
1160 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1161 }
1162
1163 const char *connection::script_node_down (int)
1164 {
1165 script_node ();
1166
1167 putenv ("STATE=down");
1168
1169 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1170 }
1171
1172 // send a vpn packet out to other hosts
1173 void
1174 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1175 {
1176 if (prot_send & PROT_IPv4)
1177 vpn->send_ipv4_packet (pkt, si, tos);
1178 else
1179 vpn->send_udpv4_packet (pkt, si, tos);
1180 }
1181
1182 connection::connection(struct vpn *vpn_)
1183 : vpn(vpn_)
1184 , rekey (this, &connection::rekey_cb)
1185 , keepalive (this, &connection::keepalive_cb)
1186 , establish_connection (this, &connection::establish_connection_cb)
1187 {
1188 octx = ictx = 0;
1189 retry_cnt = 0;
1190
1191 connectmode = conf_node::C_ALWAYS; // initial setting
1192 reset_connection ();
1193 }
1194
1195 connection::~connection ()
1196 {
1197 shutdown ();
1198 }
1199
1200 /////////////////////////////////////////////////////////////////////////////
1201
1202 const char *vpn::script_if_up (int)
1203 {
1204 // the tunnel device mtu should be the physical mtu - overhead
1205 // the tricky part is rounding to the cipher key blocksize
1206 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
1207 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
1208 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
1209 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
1210
1211 char *env;
1212 asprintf (&env, "CONFBASE=%s", confbase);
1213 putenv (env);
1214 asprintf (&env, "NODENAME=%s", THISNODE->nodename);
1215 putenv (env);
1216 asprintf (&env, "NODEID=%d", THISNODE->id);
1217 putenv (env);
1218 asprintf (&env, "IFNAME=%s", tap->interface ());
1219 putenv (env);
1220 asprintf (&env, "MTU=%d", mtu);
1221 putenv (env);
1222 asprintf (&env, "MAC=%02x:%02x:%02x:%02x:%02x:%02x",
1223 0xfe, 0xfd, 0x80, 0x00, THISNODE->id >> 8,
1224 THISNODE->id & 0xff);
1225 putenv (env);
1226
1227 return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1228 }
1229
1230 int
1231 vpn::setup ()
1232 {
1233 sockinfo si;
1234
1235 si.set (THISNODE);
1236
1237 udpv4_fd = -1;
1238
1239 if (THISNODE->protocols & PROT_UDPv4)
1240 {
1241 udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1242
1243 if (udpv4_fd < 0)
1244 return -1;
1245
1246 if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1247 {
1248 slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1249 exit (1);
1250 }
1251
1252 #ifdef IP_MTU_DISCOVER
1253 // this I really consider a linux bug. I am neither connected
1254 // nor do I fragment myself. Linux still sets DF and doesn't
1255 // fragment for me sometimes.
1256 {
1257 int oval = IP_PMTUDISC_DONT;
1258 setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1259 }
1260 #endif
1261
1262 // standard daemon practise...
1263 {
1264 int oval = 1;
1265 setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1266 }
1267
1268 udpv4_ev_watcher.start (udpv4_fd, POLLIN);
1269 }
1270
1271 ipv4_fd = -1;
1272 if (THISNODE->protocols & PROT_IPv4)
1273 {
1274 ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
1275
1276 if (ipv4_fd < 0)
1277 return -1;
1278
1279 if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
1280 {
1281 slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
1282 exit (1);
1283 }
1284
1285 #ifdef IP_MTU_DISCOVER
1286 // this I really consider a linux bug. I am neither connected
1287 // nor do I fragment myself. Linux still sets DF and doesn't
1288 // fragment for me sometimes.
1289 {
1290 int oval = IP_PMTUDISC_DONT;
1291 setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1292 }
1293 #endif
1294
1295 ipv4_ev_watcher.start (ipv4_fd, POLLIN);
1296 }
1297
1298 tap = new tap_device ();
1299 if (!tap) //D this, of course, never catches
1300 {
1301 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1302 exit (1);
1303 }
1304
1305 run_script (run_script_cb (this, &vpn::script_if_up), true);
1306
1307 tap_ev_watcher.start (tap->fd, POLLIN);
1308
1309 reconnect_all ();
1310
1311 return 0;
1312 }
1313
1314 void
1315 vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1316 {
1317 setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1318 sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1319 }
1320
1321 void
1322 vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1323 {
1324 setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1325 sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1326 }
1327
1328 void
1329 vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1330 {
1331 unsigned int src = pkt->src ();
1332 unsigned int dst = pkt->dst ();
1333
1334 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1335 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1336
1337 if (src == 0 || src > conns.size ()
1338 || dst > conns.size ()
1339 || pkt->typ () >= vpn_packet::PT_MAX)
1340 slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)"),
1341 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
1342 else
1343 {
1344 connection *c = conns[src - 1];
1345
1346 if (dst == 0 && !THISNODE->routerprio)
1347 slog (L_WARN, _("%s(%s): received broadcast, but we are no router"),
1348 c->conf->nodename, (const char *)rsi);
1349 else if (dst != 0 && dst != THISNODE->id)
1350 // FORWARDING NEEDED ;)
1351 slog (L_WARN,
1352 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1353 dst, conns[dst - 1]->conf->nodename,
1354 (const char *)rsi,
1355 THISNODE->id, THISNODE->nodename);
1356 else
1357 c->recv_vpn_packet (pkt, rsi);
1358 }
1359 }
1360
1361 void
1362 vpn::udpv4_ev (short revents)
1363 {
1364 if (revents & (POLLIN | POLLERR))
1365 {
1366 vpn_packet *pkt = new vpn_packet;
1367 struct sockaddr_in sa;
1368 socklen_t sa_len = sizeof (sa);
1369 int len;
1370
1371 len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1372
1373 sockinfo si(sa);
1374
1375 if (len > 0)
1376 {
1377 pkt->len = len;
1378
1379 recv_vpn_packet (pkt, si);
1380 }
1381 else
1382 {
1383 // probably ECONNRESET or somesuch
1384 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1385 }
1386
1387 delete pkt;
1388 }
1389 else if (revents & POLLHUP)
1390 {
1391 // this cannot ;) happen on udp sockets
1392 slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
1393 exit (1);
1394 }
1395 else
1396 {
1397 slog (L_ERR,
1398 _("FATAL: unknown revents %08x in socket, terminating\n"),
1399 revents);
1400 exit (1);
1401 }
1402 }
1403
1404 void
1405 vpn::ipv4_ev (short revents)
1406 {
1407 if (revents & (POLLIN | POLLERR))
1408 {
1409 vpn_packet *pkt = new vpn_packet;
1410 struct sockaddr_in sa;
1411 socklen_t sa_len = sizeof (sa);
1412 int len;
1413
1414 len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1415
1416 sockinfo si(sa, PROT_IPv4);
1417
1418 if (len > 0)
1419 {
1420 pkt->len = len;
1421
1422 // raw sockets deliver the ipv4, but don't expect it on sends
1423 // this is slow, but...
1424 pkt->skip_hdr (IP_OVERHEAD);
1425
1426 recv_vpn_packet (pkt, si);
1427 }
1428 else
1429 {
1430 // probably ECONNRESET or somesuch
1431 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1432 }
1433
1434 delete pkt;
1435 }
1436 else if (revents & POLLHUP)
1437 {
1438 // this cannot ;) happen on udp sockets
1439 slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
1440 exit (1);
1441 }
1442 else
1443 {
1444 slog (L_ERR,
1445 _("FATAL: unknown revents %08x in socket, terminating\n"),
1446 revents);
1447 exit (1);
1448 }
1449 }
1450
1451 void
1452 vpn::tap_ev (short revents)
1453 {
1454 if (revents & POLLIN)
1455 {
1456 /* process data */
1457 tap_packet *pkt;
1458
1459 pkt = tap->recv ();
1460
1461 int dst = mac2id (pkt->dst);
1462 int src = mac2id (pkt->src);
1463
1464 if (src != THISNODE->id)
1465 {
1466 slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1467 exit (1);
1468 }
1469
1470 if (dst == THISNODE->id)
1471 {
1472 slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1473 exit (1);
1474 }
1475
1476 if (dst > conns.size ())
1477 slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1478 else
1479 {
1480 if (dst)
1481 {
1482 // unicast
1483 if (dst != THISNODE->id)
1484 conns[dst - 1]->inject_data_packet (pkt);
1485 }
1486 else
1487 {
1488 // broadcast, first check router, then self, then english
1489 connection *router = find_router ();
1490
1491 if (router)
1492 router->inject_data_packet (pkt, true);
1493 else
1494 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1495 if ((*c)->conf != THISNODE)
1496 (*c)->inject_data_packet (pkt);
1497 }
1498 }
1499
1500 delete pkt;
1501 }
1502 else if (revents & (POLLHUP | POLLERR))
1503 {
1504 slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
1505 exit (1);
1506 }
1507 else
1508 abort ();
1509 }
1510
1511 void
1512 vpn::event_cb (tstamp &ts)
1513 {
1514 if (events)
1515 {
1516 if (events & EVENT_SHUTDOWN)
1517 {
1518 slog (L_INFO, _("preparing shutdown..."));
1519
1520 shutdown_all ();
1521
1522 remove_pid (pidfilename);
1523
1524 slog (L_INFO, _("terminating"));
1525
1526 exit (0);
1527 }
1528
1529 if (events & EVENT_RECONNECT)
1530 {
1531 slog (L_INFO, _("forced reconnect"));
1532
1533 reconnect_all ();
1534 }
1535
1536 events = 0;
1537 }
1538
1539 ts = TSTAMP_CANCEL;
1540 }
1541
1542 void
1543 vpn::shutdown_all ()
1544 {
1545 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1546 (*c)->shutdown ();
1547 }
1548
1549 void
1550 vpn::reconnect_all ()
1551 {
1552 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1553 delete *c;
1554
1555 conns.clear ();
1556
1557 auth_rate_limiter.clear ();
1558 reset_rate_limiter.clear ();
1559
1560 for (configuration::node_vector::iterator i = conf.nodes.begin ();
1561 i != conf.nodes.end (); ++i)
1562 {
1563 connection *conn = new connection (this);
1564
1565 conn->conf = *i;
1566 conns.push_back (conn);
1567
1568 conn->establish_connection ();
1569 }
1570 }
1571
1572 connection *vpn::find_router ()
1573 {
1574 u32 prio = 0;
1575 connection *router = 0;
1576
1577 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1578 {
1579 connection *c = *i;
1580
1581 if (c->conf->routerprio > prio
1582 && c->connectmode == conf_node::C_ALWAYS
1583 && c->conf != THISNODE
1584 && c->ictx && c->octx)
1585 {
1586 prio = c->conf->routerprio;
1587 router = c;
1588 }
1589 }
1590
1591 return router;
1592 }
1593
1594 void vpn::connect_request (int id)
1595 {
1596 connection *c = find_router ();
1597
1598 if (c)
1599 c->connect_request (id);
1600 //else // does not work, because all others must connect to the same router
1601 // // no router found, aggressively connect to all routers
1602 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1603 // if ((*i)->conf->routerprio)
1604 // (*i)->establish_connection ();
1605 }
1606
1607 void
1608 connection::dump_status ()
1609 {
1610 slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
1611 slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
1612 connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
1613 slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
1614 (long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
1615 slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
1616 (long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
1617 }
1618
1619 void
1620 vpn::dump_status ()
1621 {
1622 slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
1623
1624 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1625 (*c)->dump_status ();
1626
1627 slog (L_NOTICE, _("END status dump"));
1628 }
1629
1630 vpn::vpn (void)
1631 : udpv4_ev_watcher(this, &vpn::udpv4_ev)
1632 , ipv4_ev_watcher(this, &vpn::ipv4_ev)
1633 , tap_ev_watcher(this, &vpn::tap_ev)
1634 , event(this, &vpn::event_cb)
1635 {
1636 }
1637
1638 vpn::~vpn ()
1639 {
1640 }
1641