ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/protocol.C
Revision: 1.25
Committed: Fri Mar 28 16:21:09 2003 UTC (21 years, 2 months ago) by pcg
Content type: text/plain
Branch: MAIN
Changes since 1.24: +4 -12 lines
Log Message: 
*** empty log message ***

File Contents

# Content
1 /*
2 protocol.C -- handle the protocol, encryption, handshaking etc.
3
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17 */
18
19 #include "config.h"
20
21 #include <list>
22
23 #include <cstdlib>
24 #include <cstring>
25 #include <cstdio>
26
27 #include <sys/types.h>
28 #include <sys/socket.h>
29 #include <sys/poll.h>
30 #include <sys/wait.h>
31 #include <netinet/in.h>
32 #include <arpa/inet.h>
33 #include <errno.h>
34 #include <time.h>
35 #include <unistd.h>
36
37 #include <openssl/rand.h>
38 #include <openssl/hmac.h>
39 #include <openssl/evp.h>
40 #include <openssl/rsa.h>
41 #include <openssl/err.h>
42
43 extern "C" {
44 # include "lzf/lzf.h"
45 }
46
47 #include "gettext.h"
48 #include "pidfile.h"
49
50 #include "conf.h"
51 #include "slog.h"
52 #include "device.h"
53 #include "protocol.h"
54
55 #if !HAVE_RAND_PSEUDO_BYTES
56 # define RAND_pseudo_bytes RAND_bytes
57 #endif
58
59 static time_t next_timecheck;
60
61 #define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
62
63 struct crypto_ctx
64 {
65 EVP_CIPHER_CTX cctx;
66 HMAC_CTX hctx;
67
68 crypto_ctx (const rsachallenge &challenge, int enc);
69 ~crypto_ctx ();
70 };
71
72 crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
73 {
74 EVP_CIPHER_CTX_init (&cctx);
75 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
76 HMAC_CTX_init (&hctx);
77 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
78 }
79
80 crypto_ctx::~crypto_ctx ()
81 {
82 EVP_CIPHER_CTX_cleanup (&cctx);
83 HMAC_CTX_cleanup (&hctx);
84 }
85
86 static void
87 rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
88 {
89 EVP_MD_CTX ctx;
90
91 EVP_MD_CTX_init (&ctx);
92 EVP_DigestInit (&ctx, RSA_HASH);
93 EVP_DigestUpdate(&ctx, &chg, sizeof chg);
94 EVP_DigestUpdate(&ctx, &id, sizeof id);
95 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
96 EVP_MD_CTX_cleanup (&ctx);
97 }
98
99 struct rsa_entry {
100 tstamp expire;
101 rsaid id;
102 rsachallenge chg;
103 };
104
105 struct rsa_cache : list<rsa_entry>
106 {
107 void cleaner_cb (tstamp &ts); time_watcher cleaner;
108
109 bool find (const rsaid &id, rsachallenge &chg)
110 {
111 for (iterator i = begin (); i != end (); ++i)
112 {
113 if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
114 {
115 memcpy (&chg, &i->chg, sizeof chg);
116
117 erase (i);
118 return true;
119 }
120 }
121
122 if (cleaner.at < NOW)
123 cleaner.start (NOW + RSA_TTL);
124
125 return false;
126 }
127
128 void gen (rsaid &id, rsachallenge &chg)
129 {
130 rsa_entry e;
131
132 RAND_bytes ((unsigned char *)&id, sizeof id);
133 RAND_bytes ((unsigned char *)&chg, sizeof chg);
134
135 e.expire = NOW + RSA_TTL;
136 e.id = id;
137 memcpy (&e.chg, &chg, sizeof chg);
138
139 push_back (e);
140
141 if (cleaner.at < NOW)
142 cleaner.start (NOW + RSA_TTL);
143 }
144
145 rsa_cache ()
146 : cleaner (this, &rsa_cache::cleaner_cb)
147 { }
148
149 } rsa_cache;
150
151 void rsa_cache::cleaner_cb (tstamp &ts)
152 {
153 if (empty ())
154 ts = TSTAMP_CANCEL;
155 else
156 {
157 ts = NOW + RSA_TTL;
158
159 for (iterator i = begin (); i != end (); )
160 if (i->expire <= NOW)
161 i = erase (i);
162 else
163 ++i;
164 }
165 }
166
167 typedef callback<const char *, int> run_script_cb;
168
169 // run a shell script (or actually an external program).
170 static void
171 run_script (const run_script_cb &cb, bool wait)
172 {
173 int pid;
174
175 if ((pid = fork ()) == 0)
176 {
177 char *filename;
178 asprintf (&filename, "%s/%s", confbase, cb(0));
179 execl (filename, filename, (char *) 0);
180 exit (255);
181 }
182 else if (pid > 0)
183 {
184 if (wait)
185 {
186 waitpid (pid, 0, 0);
187 /* TODO: check status */
188 }
189 }
190 }
191
192 //////////////////////////////////////////////////////////////////////////////
193
194 void pkt_queue::put (tap_packet *p)
195 {
196 if (queue[i])
197 {
198 delete queue[i];
199 j = (j + 1) % QUEUEDEPTH;
200 }
201
202 queue[i] = p;
203
204 i = (i + 1) % QUEUEDEPTH;
205 }
206
207 tap_packet *pkt_queue::get ()
208 {
209 tap_packet *p = queue[j];
210
211 if (p)
212 {
213 queue[j] = 0;
214 j = (j + 1) % QUEUEDEPTH;
215 }
216
217 return p;
218 }
219
220 pkt_queue::pkt_queue ()
221 {
222 memset (queue, 0, sizeof (queue));
223 i = 0;
224 j = 0;
225 }
226
227 pkt_queue::~pkt_queue ()
228 {
229 for (i = QUEUEDEPTH; --i > 0; )
230 delete queue[i];
231 }
232
233 struct net_rateinfo {
234 u32 host;
235 double pcnt, diff;
236 tstamp last;
237 };
238
239 // only do action once every x seconds per host whole allowing bursts.
240 // this implementation ("splay list" ;) is inefficient,
241 // but low on resources.
242 struct net_rate_limiter : list<net_rateinfo>
243 {
244 static const double ALPHA = 1. - 1. / 90.; // allow bursts
245 static const double CUTOFF = 20.; // one event every CUTOFF seconds
246 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
247
248 bool can (const sockinfo &si) { return can((u32)si.host); }
249 bool can (u32 host);
250 };
251
252 net_rate_limiter auth_rate_limiter, reset_rate_limiter;
253
254 bool net_rate_limiter::can (u32 host)
255 {
256 iterator i;
257
258 for (i = begin (); i != end (); )
259 if (i->host == host)
260 break;
261 else if (i->last < NOW - EXPIRE)
262 i = erase (i);
263 else
264 i++;
265
266 if (i == end ())
267 {
268 net_rateinfo ri;
269
270 ri.host = host;
271 ri.pcnt = 1.;
272 ri.diff = CUTOFF * (1. / (1. - ALPHA));
273 ri.last = NOW;
274
275 push_front (ri);
276
277 return true;
278 }
279 else
280 {
281 net_rateinfo ri (*i);
282 erase (i);
283
284 ri.pcnt = ri.pcnt * ALPHA;
285 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
286
287 ri.last = NOW;
288
289 bool send = ri.diff / ri.pcnt > CUTOFF;
290
291 if (send)
292 ri.pcnt++;
293
294 push_front (ri);
295
296 return send;
297 }
298 }
299
300 /////////////////////////////////////////////////////////////////////////////
301
302 static void next_wakeup (time_t next)
303 {
304 if (next_timecheck > next)
305 next_timecheck = next;
306 }
307
308 static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
309
310 struct hmac_packet:net_packet
311 {
312 u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
313
314 void hmac_set (crypto_ctx * ctx);
315 bool hmac_chk (crypto_ctx * ctx);
316
317 private:
318 void hmac_gen (crypto_ctx * ctx)
319 {
320 unsigned int xlen;
321 HMAC_CTX *hctx = &ctx->hctx;
322
323 HMAC_Init_ex (hctx, 0, 0, 0, 0);
324 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
325 len - sizeof (hmac_packet));
326 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
327 }
328 };
329
330 void
331 hmac_packet::hmac_set (crypto_ctx * ctx)
332 {
333 hmac_gen (ctx);
334
335 memcpy (hmac, hmac_digest, HMACLENGTH);
336 }
337
338 bool
339 hmac_packet::hmac_chk (crypto_ctx * ctx)
340 {
341 hmac_gen (ctx);
342
343 return !memcmp (hmac, hmac_digest, HMACLENGTH);
344 }
345
346 struct vpn_packet : hmac_packet
347 {
348 enum ptype
349 {
350 PT_RESET = 0,
351 PT_DATA_UNCOMPRESSED,
352 PT_DATA_COMPRESSED,
353 PT_PING, PT_PONG, // wasting namespace space? ;)
354 PT_AUTH_REQ, // authentification request
355 PT_AUTH_RES, // authentification response
356 PT_CONNECT_REQ, // want other host to contact me
357 PT_CONNECT_INFO, // request connection to some node
358 PT_MAX
359 };
360
361 u8 type;
362 u8 srcdst, src1, dst1;
363
364 void set_hdr (ptype type, unsigned int dst);
365
366 unsigned int src () const
367 {
368 return src1 | ((srcdst >> 4) << 8);
369 }
370
371 unsigned int dst () const
372 {
373 return dst1 | ((srcdst & 0xf) << 8);
374 }
375
376 ptype typ () const
377 {
378 return (ptype) type;
379 }
380 };
381
382 void vpn_packet::set_hdr (ptype type, unsigned int dst)
383 {
384 this->type = type;
385
386 int src = THISNODE->id;
387
388 src1 = src;
389 srcdst = ((src >> 8) << 4) | (dst >> 8);
390 dst1 = dst;
391 }
392
393 #define MAXVPNDATA (MAX_MTU - 6 - 6)
394 #define DATAHDR (sizeof (u32) + RAND_SIZE)
395
396 struct vpndata_packet:vpn_packet
397 {
398 u8 data[MAXVPNDATA + DATAHDR]; // seqno
399
400 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
401 tap_packet *unpack (connection *conn, u32 &seqno);
402 private:
403
404 const u32 data_hdr_size () const
405 {
406 return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
407 }
408 };
409
410 void
411 vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
412 {
413 EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
414 int outl = 0, outl2;
415 ptype type = PT_DATA_UNCOMPRESSED;
416
417 #if ENABLE_COMPRESSION
418 u8 cdata[MAX_MTU];
419 u32 cl;
420
421 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
422 if (cl)
423 {
424 type = PT_DATA_COMPRESSED;
425 d = cdata;
426 l = cl + 2;
427
428 d[0] = cl >> 8;
429 d[1] = cl;
430 }
431 #endif
432
433 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
434
435 struct {
436 #if RAND_SIZE
437 u8 rnd[RAND_SIZE];
438 #endif
439 u32 seqno;
440 } datahdr;
441
442 datahdr.seqno = ntohl (seqno);
443 #if RAND_SIZE
444 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
445 #endif
446
447 EVP_EncryptUpdate (cctx,
448 (unsigned char *) data + outl, &outl2,
449 (unsigned char *) &datahdr, DATAHDR);
450 outl += outl2;
451
452 EVP_EncryptUpdate (cctx,
453 (unsigned char *) data + outl, &outl2,
454 (unsigned char *) d, l);
455 outl += outl2;
456
457 EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2);
458 outl += outl2;
459
460 len = outl + data_hdr_size ();
461
462 set_hdr (type, dst);
463
464 hmac_set (conn->octx);
465 }
466
467 tap_packet *
468 vpndata_packet::unpack (connection *conn, u32 &seqno)
469 {
470 EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
471 int outl = 0, outl2;
472 tap_packet *p = new tap_packet;
473 u8 *d;
474 u32 l = len - data_hdr_size ();
475
476 EVP_DecryptInit_ex (cctx, 0, 0, 0, 0);
477
478 #if ENABLE_COMPRESSION
479 u8 cdata[MAX_MTU];
480
481 if (type == PT_DATA_COMPRESSED)
482 d = cdata;
483 else
484 #endif
485 d = &(*p)[6 + 6 - DATAHDR];
486
487 /* this overwrites part of the src mac, but we fix that later */
488 EVP_DecryptUpdate (cctx,
489 d, &outl2,
490 (unsigned char *)&data, len - data_hdr_size ());
491 outl += outl2;
492
493 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
494 outl += outl2;
495
496 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
497
498 id2mac (dst () ? dst() : THISNODE->id, p->dst);
499 id2mac (src (), p->src);
500
501 #if ENABLE_COMPRESSION
502 if (type == PT_DATA_COMPRESSED)
503 {
504 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
505
506 p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
507 &(*p)[6 + 6], MAX_MTU)
508 + 6 + 6;
509 }
510 else
511 p->len = outl + (6 + 6 - DATAHDR);
512 #endif
513
514 return p;
515 }
516
517 struct ping_packet : vpn_packet
518 {
519 void setup (int dst, ptype type)
520 {
521 set_hdr (type, dst);
522 len = sizeof (*this) - sizeof (net_packet);
523 }
524 };
525
526 struct config_packet : vpn_packet
527 {
528 // actually, hmaclen cannot be checked because the hmac
529 // field comes before this data, so peers with other
530 // hmacs simply will not work.
531 u8 prot_major, prot_minor, randsize, hmaclen;
532 u8 flags, challengelen, pad2, pad3;
533 u32 cipher_nid, digest_nid, hmac_nid;
534
535 const u8 curflags () const
536 {
537 return 0x80
538 | (ENABLE_COMPRESSION ? 0x01 : 0x00);
539 }
540
541 void setup (ptype type, int dst);
542 bool chk_config () const;
543 };
544
545 void config_packet::setup (ptype type, int dst)
546 {
547 prot_major = PROTOCOL_MAJOR;
548 prot_minor = PROTOCOL_MINOR;
549 randsize = RAND_SIZE;
550 hmaclen = HMACLENGTH;
551 flags = curflags ();
552 challengelen = sizeof (rsachallenge);
553
554 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
555 digest_nid = htonl (EVP_MD_type (RSA_HASH));
556 hmac_nid = htonl (EVP_MD_type (DIGEST));
557
558 len = sizeof (*this) - sizeof (net_packet);
559 set_hdr (type, dst);
560 }
561
562 bool config_packet::chk_config () const
563 {
564 return prot_major == PROTOCOL_MAJOR
565 && randsize == RAND_SIZE
566 && hmaclen == HMACLENGTH
567 && flags == curflags ()
568 && challengelen == sizeof (rsachallenge)
569 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
570 && digest_nid == htonl (EVP_MD_type (RSA_HASH))
571 && hmac_nid == htonl (EVP_MD_type (DIGEST));
572 }
573
574 struct auth_req_packet : config_packet
575 {
576 char magic[8];
577 u8 initiate; // false if this is just an automatic reply
578 u8 protocols; // supported protocols (will get patches on forward)
579 u8 pad2, pad3;
580 rsaid id;
581 rsaencrdata encr;
582
583 auth_req_packet (int dst, bool initiate_, u8 protocols_)
584 {
585 config_packet::setup (PT_AUTH_REQ, dst);
586 strncpy (magic, MAGIC, 8);
587 initiate = !!initiate_;
588 protocols = protocols_;
589
590 len = sizeof (*this) - sizeof (net_packet);
591 }
592 };
593
594 struct auth_res_packet : config_packet
595 {
596 rsaid id;
597 u8 pad1, pad2, pad3;
598 u8 response_len; // encrypted length
599 rsaresponse response;
600
601 auth_res_packet (int dst)
602 {
603 config_packet::setup (PT_AUTH_RES, dst);
604
605 len = sizeof (*this) - sizeof (net_packet);
606 }
607 };
608
609 struct connect_req_packet : vpn_packet
610 {
611 u8 id, protocols;
612 u8 pad1, pad2;
613
614 connect_req_packet (int dst, int id_, u8 protocols_)
615 : id(id_)
616 , protocols(protocols_)
617 {
618 set_hdr (PT_CONNECT_REQ, dst);
619 len = sizeof (*this) - sizeof (net_packet);
620 }
621 };
622
623 struct connect_info_packet : vpn_packet
624 {
625 u8 id, protocols;
626 u8 pad1, pad2;
627 sockinfo si;
628
629 connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
630 : id(id_)
631 , protocols(protocols_)
632 , si(si_)
633 {
634 set_hdr (PT_CONNECT_INFO, dst);
635
636 len = sizeof (*this) - sizeof (net_packet);
637 }
638 };
639
640 /////////////////////////////////////////////////////////////////////////////
641
642 void
643 connection::reset_dstaddr ()
644 {
645 si.set (conf);
646 }
647
648 void
649 connection::send_ping (const sockinfo &si, u8 pong)
650 {
651 ping_packet *pkt = new ping_packet;
652
653 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
654 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
655
656 delete pkt;
657 }
658
659 void
660 connection::send_reset (const sockinfo &si)
661 {
662 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
663 {
664 config_packet *pkt = new config_packet;
665
666 pkt->setup (vpn_packet::PT_RESET, conf->id);
667 send_vpn_packet (pkt, si, IPTOS_MINCOST);
668
669 delete pkt;
670 }
671 }
672
673 void
674 connection::send_auth_request (const sockinfo &si, bool initiate)
675 {
676 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
677
678 protocol = best_protocol (THISNODE->protocols & conf->protocols);
679
680 rsachallenge chg;
681
682 rsa_cache.gen (pkt->id, chg);
683
684 if (0 > RSA_public_encrypt (sizeof chg,
685 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
686 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
687 fatal ("RSA_public_encrypt error");
688
689 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
690
691 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
692
693 delete pkt;
694 }
695
696 void
697 connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
698 {
699 auth_res_packet *pkt = new auth_res_packet (conf->id);
700
701 pkt->id = id;
702
703 rsa_hash (id, chg, pkt->response);
704
705 pkt->hmac_set (octx);
706
707 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
708
709 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
710
711 delete pkt;
712 }
713
714 void
715 connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
716 {
717 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
718 conf->id, rid, (const char *)rsi);
719
720 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
721
722 r->hmac_set (octx);
723 send_vpn_packet (r, si);
724
725 delete r;
726 }
727
728 void
729 connection::establish_connection_cb (tstamp &ts)
730 {
731 if (ictx || conf == THISNODE
732 || connectmode == conf_node::C_NEVER
733 || connectmode == conf_node::C_DISABLED)
734 ts = TSTAMP_CANCEL;
735 else if (ts <= NOW)
736 {
737 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
738
739 if (retry_int < 3600 * 8)
740 retry_cnt++;
741
742 ts = NOW + retry_int;
743
744 if (conf->hostname)
745 {
746 reset_dstaddr ();
747 if (si.host && auth_rate_limiter.can (si))
748 {
749 if (retry_cnt < 4)
750 send_auth_request (si, true);
751 else
752 send_ping (si, 0);
753 }
754 }
755 else
756 vpn->connect_request (conf->id);
757 }
758 }
759
760 void
761 connection::reset_connection ()
762 {
763 if (ictx && octx)
764 {
765 slog (L_INFO, _("%s(%s): connection lost"),
766 conf->nodename, (const char *)si);
767
768 if (::conf.script_node_down)
769 run_script (run_script_cb (this, &connection::script_node_down), false);
770 }
771
772 delete ictx; ictx = 0;
773 delete octx; octx = 0;
774
775 si.host= 0;
776
777 last_activity = 0;
778 retry_cnt = 0;
779
780 rekey.reset ();
781 keepalive.reset ();
782 establish_connection.reset ();
783 }
784
785 void
786 connection::shutdown ()
787 {
788 if (ictx && octx)
789 send_reset (si);
790
791 reset_connection ();
792 }
793
794 void
795 connection::rekey_cb (tstamp &ts)
796 {
797 ts = TSTAMP_CANCEL;
798
799 reset_connection ();
800 establish_connection ();
801 }
802
803 void
804 connection::send_data_packet (tap_packet *pkt, bool broadcast)
805 {
806 vpndata_packet *p = new vpndata_packet;
807 int tos = 0;
808
809 if (conf->inherit_tos
810 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
811 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
812 tos = (*pkt)[15] & IPTOS_TOS_MASK;
813
814 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
815 send_vpn_packet (p, si, tos);
816
817 delete p;
818
819 if (oseqno > MAX_SEQNO)
820 rekey ();
821 }
822
823 void
824 connection::inject_data_packet (tap_packet *pkt, bool broadcast)
825 {
826 if (ictx && octx)
827 send_data_packet (pkt, broadcast);
828 else
829 {
830 if (!broadcast)//DDDD
831 queue.put (new tap_packet (*pkt));
832
833 establish_connection ();
834 }
835 }
836
837 void
838 connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
839 {
840 last_activity = NOW;
841
842 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
843 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
844
845 switch (pkt->typ ())
846 {
847 case vpn_packet::PT_PING:
848 // we send pings instead of auth packets after some retries,
849 // so reset the retry counter and establish a connection
850 // when we receive a ping.
851 if (!ictx)
852 {
853 if (auth_rate_limiter.can (rsi))
854 send_auth_request (rsi, true);
855 }
856 else
857 send_ping (rsi, 1); // pong
858
859 break;
860
861 case vpn_packet::PT_PONG:
862 break;
863
864 case vpn_packet::PT_RESET:
865 {
866 reset_connection ();
867
868 config_packet *p = (config_packet *) pkt;
869
870 if (!p->chk_config ())
871 {
872 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
873 conf->nodename, (const char *)rsi);
874 connectmode = conf_node::C_DISABLED;
875 }
876 else if (connectmode == conf_node::C_ALWAYS)
877 establish_connection ();
878 }
879 break;
880
881 case vpn_packet::PT_AUTH_REQ:
882 if (auth_rate_limiter.can (rsi))
883 {
884 auth_req_packet *p = (auth_req_packet *) pkt;
885
886 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
887
888 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
889 {
890 if (p->prot_minor != PROTOCOL_MINOR)
891 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
892 conf->nodename, (const char *)rsi,
893 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
894
895 if (p->initiate)
896 send_auth_request (rsi, false);
897
898 rsachallenge k;
899
900 if (0 > RSA_private_decrypt (sizeof (p->encr),
901 (unsigned char *)&p->encr, (unsigned char *)&k,
902 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
903 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
904 conf->nodename, (const char *)rsi);
905 else
906 {
907 retry_cnt = 0;
908 establish_connection.set (NOW + 8); //? ;)
909 keepalive.reset ();
910 rekey.reset ();
911
912 delete ictx;
913 ictx = 0;
914
915 delete octx;
916
917 octx = new crypto_ctx (k, 1);
918 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
919
920 conf->protocols = p->protocols;
921 send_auth_response (rsi, p->id, k);
922
923 break;
924 }
925 }
926
927 send_reset (rsi);
928 }
929
930 break;
931
932 case vpn_packet::PT_AUTH_RES:
933 {
934 auth_res_packet *p = (auth_res_packet *) pkt;
935
936 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
937
938 if (p->chk_config ())
939 {
940 if (p->prot_minor != PROTOCOL_MINOR)
941 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
942 conf->nodename, (const char *)rsi,
943 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
944
945 rsachallenge chg;
946
947 if (!rsa_cache.find (p->id, chg))
948 slog (L_ERR, _("%s(%s): unrequested auth response"),
949 conf->nodename, (const char *)rsi);
950 else
951 {
952 crypto_ctx *cctx = new crypto_ctx (chg, 0);
953
954 if (!p->hmac_chk (cctx))
955 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
956 "could be an attack, or just corruption or an synchronization error"),
957 conf->nodename, (const char *)rsi);
958 else
959 {
960 rsaresponse h;
961
962 rsa_hash (p->id, chg, h);
963
964 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
965 {
966 prot_minor = p->prot_minor;
967
968 delete ictx; ictx = cctx;
969
970 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
971
972 si = rsi;
973
974 rekey.set (NOW + ::conf.rekey);
975 keepalive.set (NOW + ::conf.keepalive);
976
977 // send queued packets
978 while (tap_packet *p = queue.get ())
979 {
980 send_data_packet (p);
981 delete p;
982 }
983
984 connectmode = conf->connectmode;
985
986 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
987 conf->nodename, (const char *)rsi,
988 strprotocol (protocol),
989 p->prot_major, p->prot_minor);
990
991 if (::conf.script_node_up)
992 run_script (run_script_cb (this, &connection::script_node_up), false);
993
994 break;
995 }
996 else
997 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
998 conf->nodename, (const char *)rsi);
999 }
1000
1001 delete cctx;
1002 }
1003 }
1004 }
1005
1006 send_reset (rsi);
1007 break;
1008
1009 case vpn_packet::PT_DATA_COMPRESSED:
1010 #if !ENABLE_COMPRESSION
1011 send_reset (rsi);
1012 break;
1013 #endif
1014
1015 case vpn_packet::PT_DATA_UNCOMPRESSED:
1016
1017 if (ictx && octx)
1018 {
1019 vpndata_packet *p = (vpndata_packet *)pkt;
1020
1021 if (rsi == si)
1022 {
1023 if (!p->hmac_chk (ictx))
1024 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1025 "could be an attack, or just corruption or an synchronization error"),
1026 conf->nodename, (const char *)rsi);
1027 else
1028 {
1029 u32 seqno;
1030 tap_packet *d = p->unpack (this, seqno);
1031
1032 if (iseqno.recv_ok (seqno))
1033 {
1034 vpn->tap->send (d);
1035
1036 if (p->dst () == 0) // re-broadcast
1037 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1038 {
1039 connection *c = *i;
1040
1041 if (c->conf != THISNODE && c->conf != conf)
1042 c->inject_data_packet (d);
1043 }
1044
1045 delete d;
1046
1047 break;
1048 }
1049 }
1050 }
1051 else
1052 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
1053 }
1054
1055 send_reset (rsi);
1056 break;
1057
1058 case vpn_packet::PT_CONNECT_REQ:
1059 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1060 {
1061 connect_req_packet *p = (connect_req_packet *) pkt;
1062
1063 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1064 conf->protocols = p->protocols;
1065 connection *c = vpn->conns[p->id - 1];
1066
1067 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1068 conf->id, p->id, c->ictx && c->octx);
1069
1070 if (c->ictx && c->octx)
1071 {
1072 // send connect_info packets to both sides, in case one is
1073 // behind a nat firewall (or both ;)
1074 c->send_connect_info (conf->id, si, conf->protocols);
1075 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1076 }
1077 }
1078
1079 break;
1080
1081 case vpn_packet::PT_CONNECT_INFO:
1082 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1083 {
1084 connect_info_packet *p = (connect_info_packet *) pkt;
1085
1086 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1087 conf->protocols = p->protocols;
1088 connection *c = vpn->conns[p->id - 1];
1089
1090 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1091 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1092
1093 c->send_auth_request (p->si, true);
1094 }
1095
1096 break;
1097
1098 default:
1099 send_reset (rsi);
1100 break;
1101
1102 }
1103 }
1104
1105 void connection::keepalive_cb (tstamp &ts)
1106 {
1107 if (NOW >= last_activity + ::conf.keepalive + 30)
1108 {
1109 reset_connection ();
1110 establish_connection ();
1111 }
1112 else if (NOW < last_activity + ::conf.keepalive)
1113 ts = last_activity + ::conf.keepalive;
1114 else if (conf->connectmode != conf_node::C_ONDEMAND
1115 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1116 {
1117 send_ping (si);
1118 ts = NOW + 5;
1119 }
1120 else
1121 reset_connection ();
1122 }
1123
1124 void connection::connect_request (int id)
1125 {
1126 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1127
1128 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1129 p->hmac_set (octx);
1130 send_vpn_packet (p, si);
1131
1132 delete p;
1133 }
1134
1135 void connection::script_node ()
1136 {
1137 vpn->script_if_up (0);
1138
1139 char *env;
1140 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1141 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1142 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1143 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1144 }
1145
1146 const char *connection::script_node_up (int)
1147 {
1148 script_node ();
1149
1150 putenv ("STATE=up");
1151
1152 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1153 }
1154
1155 const char *connection::script_node_down (int)
1156 {
1157 script_node ();
1158
1159 putenv ("STATE=down");
1160
1161 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1162 }
1163
1164 // send a vpn packet out to other hosts
1165 void
1166 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1167 {
1168 if (protocol & PROT_IPv4)
1169 vpn->send_ipv4_packet (pkt, si, tos);
1170 else
1171 vpn->send_udpv4_packet (pkt, si, tos);
1172 }
1173
1174 connection::connection(struct vpn *vpn_)
1175 : vpn(vpn_)
1176 , rekey (this, &connection::rekey_cb)
1177 , keepalive (this, &connection::keepalive_cb)
1178 , establish_connection (this, &connection::establish_connection_cb)
1179 {
1180 octx = ictx = 0;
1181 retry_cnt = 0;
1182
1183 connectmode = conf_node::C_ALWAYS; // initial setting
1184 reset_connection ();
1185 }
1186
1187 connection::~connection ()
1188 {
1189 shutdown ();
1190 }
1191
1192 /////////////////////////////////////////////////////////////////////////////
1193
1194 const char *vpn::script_if_up (int)
1195 {
1196 // the tunnel device mtu should be the physical mtu - overhead
1197 // the tricky part is rounding to the cipher key blocksize
1198 int mtu = conf.mtu - ETH_OVERHEAD - VPE_OVERHEAD - MAX_OVERHEAD;
1199 mtu += ETH_OVERHEAD - 6 - 6; // now we have the data portion
1200 mtu -= mtu % EVP_CIPHER_block_size (CIPHER); // round
1201 mtu -= ETH_OVERHEAD - 6 - 6; // and get interface mtu again
1202
1203 char *env;
1204 asprintf (&env, "CONFBASE=%s", confbase);
1205 putenv (env);
1206 asprintf (&env, "NODENAME=%s", THISNODE->nodename);
1207 putenv (env);
1208 asprintf (&env, "NODEID=%d", THISNODE->id);
1209 putenv (env);
1210 asprintf (&env, "IFNAME=%s", tap->interface ());
1211 putenv (env);
1212 asprintf (&env, "MTU=%d", mtu);
1213 putenv (env);
1214 asprintf (&env, "MAC=%02x:%02x:%02x:%02x:%02x:%02x",
1215 0xfe, 0xfd, 0x80, 0x00, THISNODE->id >> 8,
1216 THISNODE->id & 0xff);
1217 putenv (env);
1218
1219 return ::conf.script_if_up ? ::conf.script_if_up : "if-up";
1220 }
1221
1222 int
1223 vpn::setup ()
1224 {
1225 sockinfo si;
1226
1227 si.set (THISNODE);
1228
1229 udpv4_fd = -1;
1230
1231 if (THISNODE->protocols & PROT_UDPv4)
1232 {
1233 udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1234
1235 if (udpv4_fd < 0)
1236 return -1;
1237
1238 if (bind (udpv4_fd, si.sav4 (), si.salenv4 ()))
1239 {
1240 slog (L_ERR, _("can't bind udpv4 to %s: %s"), (const char *)si, strerror (errno));
1241 exit (1);
1242 }
1243
1244 #ifdef IP_MTU_DISCOVER
1245 // this I really consider a linux bug. I am neither connected
1246 // nor do I fragment myself. Linux still sets DF and doesn't
1247 // fragment for me sometimes.
1248 {
1249 int oval = IP_PMTUDISC_DONT;
1250 setsockopt (udpv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1251 }
1252 #endif
1253
1254 // standard daemon practise...
1255 {
1256 int oval = 1;
1257 setsockopt (udpv4_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1258 }
1259
1260 udpv4_ev_watcher.start (udpv4_fd, POLLIN);
1261 }
1262
1263 ipv4_fd = -1;
1264 if (THISNODE->protocols & PROT_IPv4)
1265 {
1266 ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
1267
1268 if (ipv4_fd < 0)
1269 return -1;
1270
1271 if (bind (ipv4_fd, si.sav4 (), si.salenv4 ()))
1272 {
1273 slog (L_ERR, _("can't bind ipv4 socket to %s: %s"), (const char *)si, strerror (errno));
1274 exit (1);
1275 }
1276
1277 #ifdef IP_MTU_DISCOVER
1278 // this I really consider a linux bug. I am neither connected
1279 // nor do I fragment myself. Linux still sets DF and doesn't
1280 // fragment for me sometimes.
1281 {
1282 int oval = IP_PMTUDISC_DONT;
1283 setsockopt (ipv4_fd, SOL_IP, IP_MTU_DISCOVER, &oval, sizeof oval);
1284 }
1285 #endif
1286
1287 ipv4_ev_watcher.start (ipv4_fd, POLLIN);
1288 }
1289
1290 tap = new tap_device ();
1291 if (!tap) //D this, of course, never catches
1292 {
1293 slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1294 exit (1);
1295 }
1296
1297 run_script (run_script_cb (this, &vpn::script_if_up), true);
1298
1299 tap_ev_watcher.start (tap->fd, POLLIN);
1300
1301 reconnect_all ();
1302
1303 return 0;
1304 }
1305
1306 void
1307 vpn::send_ipv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1308 {
1309 setsockopt (ipv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1310 sendto (ipv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1311 }
1312
1313 void
1314 vpn::send_udpv4_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1315 {
1316 setsockopt (udpv4_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1317 sendto (udpv4_fd, &((*pkt)[0]), pkt->len, 0, si.sav4 (), si.salenv4 ());
1318 }
1319
1320 void
1321 vpn::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1322 {
1323 unsigned int src = pkt->src ();
1324 unsigned int dst = pkt->dst ();
1325
1326 slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1327 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1328
1329 if (src == 0 || src > conns.size ()
1330 || dst > conns.size ()
1331 || pkt->typ () >= vpn_packet::PT_MAX)
1332 slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)"),
1333 (const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
1334 else
1335 {
1336 connection *c = conns[src - 1];
1337
1338 if (dst == 0 && !THISNODE->routerprio)
1339 slog (L_WARN, _("%s(%s): received broadcast, but we are no router"),
1340 c->conf->nodename, (const char *)rsi);
1341 else if (dst != 0 && dst != THISNODE->id)
1342 // FORWARDING NEEDED ;)
1343 slog (L_WARN,
1344 _("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1345 dst, conns[dst - 1]->conf->nodename,
1346 (const char *)rsi,
1347 THISNODE->id, THISNODE->nodename);
1348 else
1349 c->recv_vpn_packet (pkt, rsi);
1350 }
1351 }
1352
1353 void
1354 vpn::udpv4_ev (short revents)
1355 {
1356 if (revents & (POLLIN | POLLERR))
1357 {
1358 vpn_packet *pkt = new vpn_packet;
1359 struct sockaddr_in sa;
1360 socklen_t sa_len = sizeof (sa);
1361 int len;
1362
1363 len = recvfrom (udpv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1364
1365 sockinfo si(sa);
1366
1367 if (len > 0)
1368 {
1369 pkt->len = len;
1370
1371 recv_vpn_packet (pkt, si);
1372 }
1373 else
1374 {
1375 // probably ECONNRESET or somesuch
1376 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1377 }
1378
1379 delete pkt;
1380 }
1381 else if (revents & POLLHUP)
1382 {
1383 // this cannot ;) happen on udp sockets
1384 slog (L_ERR, _("FATAL: POLLHUP on udp v4 fd, terminating."));
1385 exit (1);
1386 }
1387 else
1388 {
1389 slog (L_ERR,
1390 _("FATAL: unknown revents %08x in socket, terminating\n"),
1391 revents);
1392 exit (1);
1393 }
1394 }
1395
1396 void
1397 vpn::ipv4_ev (short revents)
1398 {
1399 if (revents & (POLLIN | POLLERR))
1400 {
1401 vpn_packet *pkt = new vpn_packet;
1402 struct sockaddr_in sa;
1403 socklen_t sa_len = sizeof (sa);
1404 int len;
1405
1406 len = recvfrom (ipv4_fd, &((*pkt)[0]), MAXSIZE, 0, (sockaddr *)&sa, &sa_len);
1407
1408 sockinfo si(sa, PROT_IPv4);
1409
1410 if (len > 0)
1411 {
1412 pkt->len = len;
1413
1414 // raw sockets deliver the ipv4, but don't expect it on sends
1415 // this is slow, but...
1416 pkt->skip_hdr (IP_OVERHEAD);
1417
1418 recv_vpn_packet (pkt, si);
1419 }
1420 else
1421 {
1422 // probably ECONNRESET or somesuch
1423 slog (L_DEBUG, _("%s: %s"), (const char *)si, strerror (errno));
1424 }
1425
1426 delete pkt;
1427 }
1428 else if (revents & POLLHUP)
1429 {
1430 // this cannot ;) happen on udp sockets
1431 slog (L_ERR, _("FATAL: POLLHUP on ipv4 fd, terminating."));
1432 exit (1);
1433 }
1434 else
1435 {
1436 slog (L_ERR,
1437 _("FATAL: unknown revents %08x in socket, terminating\n"),
1438 revents);
1439 exit (1);
1440 }
1441 }
1442
1443 void
1444 vpn::tap_ev (short revents)
1445 {
1446 if (revents & POLLIN)
1447 {
1448 /* process data */
1449 tap_packet *pkt;
1450
1451 pkt = tap->recv ();
1452
1453 int dst = mac2id (pkt->dst);
1454 int src = mac2id (pkt->src);
1455
1456 if (src != THISNODE->id)
1457 {
1458 slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1459 exit (1);
1460 }
1461
1462 if (dst == THISNODE->id)
1463 {
1464 slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1465 exit (1);
1466 }
1467
1468 if (dst > conns.size ())
1469 slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1470 else
1471 {
1472 if (dst)
1473 {
1474 // unicast
1475 if (dst != THISNODE->id)
1476 conns[dst - 1]->inject_data_packet (pkt);
1477 }
1478 else
1479 {
1480 // broadcast, first check router, then self, then english
1481 connection *router = find_router ();
1482
1483 if (router)
1484 router->inject_data_packet (pkt, true);
1485 else
1486 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1487 if ((*c)->conf != THISNODE)
1488 (*c)->inject_data_packet (pkt);
1489 }
1490 }
1491
1492 delete pkt;
1493 }
1494 else if (revents & (POLLHUP | POLLERR))
1495 {
1496 slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
1497 exit (1);
1498 }
1499 else
1500 abort ();
1501 }
1502
1503 void
1504 vpn::event_cb (tstamp &ts)
1505 {
1506 if (events)
1507 {
1508 if (events & EVENT_SHUTDOWN)
1509 {
1510 slog (L_INFO, _("preparing shutdown..."));
1511
1512 shutdown_all ();
1513
1514 remove_pid (pidfilename);
1515
1516 slog (L_INFO, _("terminating"));
1517
1518 exit (0);
1519 }
1520
1521 if (events & EVENT_RECONNECT)
1522 {
1523 slog (L_INFO, _("forced reconnect"));
1524
1525 reconnect_all ();
1526 }
1527
1528 events = 0;
1529 }
1530
1531 ts = TSTAMP_CANCEL;
1532 }
1533
1534 void
1535 vpn::shutdown_all ()
1536 {
1537 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1538 (*c)->shutdown ();
1539 }
1540
1541 void
1542 vpn::reconnect_all ()
1543 {
1544 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1545 delete *c;
1546
1547 conns.clear ();
1548
1549 auth_rate_limiter.clear ();
1550 reset_rate_limiter.clear ();
1551
1552 for (configuration::node_vector::iterator i = conf.nodes.begin ();
1553 i != conf.nodes.end (); ++i)
1554 {
1555 connection *conn = new connection (this);
1556
1557 conn->conf = *i;
1558 conns.push_back (conn);
1559
1560 conn->establish_connection ();
1561 }
1562 }
1563
1564 connection *vpn::find_router ()
1565 {
1566 u32 prio = 0;
1567 connection *router = 0;
1568
1569 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1570 {
1571 connection *c = *i;
1572
1573 if (c->conf->routerprio > prio
1574 && c->connectmode == conf_node::C_ALWAYS
1575 && c->conf != THISNODE
1576 && c->ictx && c->octx)
1577 {
1578 prio = c->conf->routerprio;
1579 router = c;
1580 }
1581 }
1582
1583 return router;
1584 }
1585
1586 void vpn::connect_request (int id)
1587 {
1588 connection *c = find_router ();
1589
1590 if (c)
1591 c->connect_request (id);
1592 //else // does not work, because all others must connect to the same router
1593 // // no router found, aggressively connect to all routers
1594 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1595 // if ((*i)->conf->routerprio)
1596 // (*i)->establish_connection ();
1597 }
1598
1599 void
1600 connection::dump_status ()
1601 {
1602 slog (L_NOTICE, _("node %s (id %d)"), conf->nodename, conf->id);
1603 slog (L_NOTICE, _(" connectmode %d (%d) / sockaddr %s / minor %d"),
1604 connectmode, conf->connectmode, (const char *)si, (int)prot_minor);
1605 slog (L_NOTICE, _(" ictx/octx %08lx/%08lx / oseqno %d / retry_cnt %d"),
1606 (long)ictx, (long)octx, (int)oseqno, (int)retry_cnt);
1607 slog (L_NOTICE, _(" establish_conn %ld / rekey %ld / keepalive %ld"),
1608 (long)(establish_connection.at), (long)(rekey.at), (long)(keepalive.at));
1609 }
1610
1611 void
1612 vpn::dump_status ()
1613 {
1614 slog (L_NOTICE, _("BEGIN status dump (%ld)"), (long)NOW);
1615
1616 for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1617 (*c)->dump_status ();
1618
1619 slog (L_NOTICE, _("END status dump"));
1620 }
1621
1622 vpn::vpn (void)
1623 : udpv4_ev_watcher(this, &vpn::udpv4_ev)
1624 , ipv4_ev_watcher(this, &vpn::ipv4_ev)
1625 , tap_ev_watcher(this, &vpn::tap_ev)
1626 , event(this, &vpn::event_cb)
1627 {
1628 }
1629
1630 vpn::~vpn ()
1631 {
1632 }
1633