ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.2 by pcg, Wed Apr 2 03:25:17 2003 UTC vs.
Revision 1.8 by pcg, Sun Apr 6 04:17:36 2003 UTC

85 rsachallenge chg; 85 rsachallenge chg;
86}; 86};
87 87
88struct rsa_cache : list<rsa_entry> 88struct rsa_cache : list<rsa_entry>
89{ 89{
90 void cleaner_cb (tstamp &ts); time_watcher cleaner; 90 void cleaner_cb (time_watcher &w); time_watcher cleaner;
91 91
92 bool find (const rsaid &id, rsachallenge &chg) 92 bool find (const rsaid &id, rsachallenge &chg)
93 { 93 {
94 for (iterator i = begin (); i != end (); ++i) 94 for (iterator i = begin (); i != end (); ++i)
95 { 95 {
129 : cleaner (this, &rsa_cache::cleaner_cb) 129 : cleaner (this, &rsa_cache::cleaner_cb)
130 { } 130 { }
131 131
132} rsa_cache; 132} rsa_cache;
133 133
134void rsa_cache::cleaner_cb (tstamp &ts) 134void rsa_cache::cleaner_cb (time_watcher &w)
135{ 135{
136 if (empty ()) 136 if (empty ())
137 ts = TSTAMP_CANCEL; 137 w.at = TSTAMP_CANCEL;
138 else 138 else
139 { 139 {
140 ts = NOW + RSA_TTL; 140 w.at = NOW + RSA_TTL;
141 141
142 for (iterator i = begin (); i != end (); ) 142 for (iterator i = begin (); i != end (); )
143 if (i->expire <= NOW) 143 if (i->expire <= NOW)
144 i = erase (i); 144 i = erase (i);
145 else 145 else
285 hmac_gen (ctx); 285 hmac_gen (ctx);
286 286
287 return !memcmp (hmac, hmac_digest, HMACLENGTH); 287 return !memcmp (hmac, hmac_digest, HMACLENGTH);
288} 288}
289 289
290void vpn_packet::set_hdr (ptype type, unsigned int dst) 290void vpn_packet::set_hdr (ptype type_, unsigned int dst)
291{ 291{
292 this->type = type; 292 type = type_;
293 293
294 int src = THISNODE->id; 294 int src = THISNODE->id;
295 295
296 src1 = src; 296 src1 = src;
297 srcdst = ((src >> 8) << 4) | (dst >> 8); 297 srcdst = ((src >> 8) << 4) | (dst >> 8);
546}; 546};
547 547
548///////////////////////////////////////////////////////////////////////////// 548/////////////////////////////////////////////////////////////////////////////
549 549
550void 550void
551connection::reset_dstaddr () 551connection::reset_si ()
552{ 552{
553 si.set (conf);
554}
555
556void
557connection::send_ping (const sockinfo &si, u8 pong)
558{
559 ping_packet *pkt = new ping_packet;
560
561 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
562 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
563
564 delete pkt;
565}
566
567void
568connection::send_reset (const sockinfo &si)
569{
570 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
571 {
572 config_packet *pkt = new config_packet;
573
574 pkt->setup (vpn_packet::PT_RESET, conf->id);
575 send_vpn_packet (pkt, si, IPTOS_MINCOST);
576
577 delete pkt;
578 }
579}
580
581void
582connection::send_auth_request (const sockinfo &si, bool initiate)
583{
584 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
585
586 protocol = best_protocol (THISNODE->protocols & conf->protocols); 553 protocol = best_protocol (THISNODE->protocols & conf->protocols);
587 554
588 // mask out protocols we cannot establish 555 // mask out protocols we cannot establish
589 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 556 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
590 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 557 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
591 558
592 if (protocol) 559 si.set (conf, protocol);
560}
561
562// ensure sockinfo is valid, forward if necessary
563const sockinfo &
564connection::forward_si (const sockinfo &si) const
565{
566 if (!si.valid ())
567 {
568 connection *r = vpn->find_router ();
569
570 if (r)
571 {
572 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
573 conf->nodename, r->conf->nodename);
574 return r->si;
575 }
576 else
577 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
578 conf->nodename);
593 { 579 }
594 rsachallenge chg;
595 580
596 rsa_cache.gen (pkt->id, chg); 581 return si;
582}
597 583
598 if (0 > RSA_public_encrypt (sizeof chg, 584void
599 (unsigned char *)&chg, (unsigned char *)&pkt->encr, 585connection::send_ping (const sockinfo &si, u8 pong)
600 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 586{
601 fatal ("RSA_public_encrypt error"); 587 ping_packet *pkt = new ping_packet;
602 588
603 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 589 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
590 vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
604 591
605 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 592 delete pkt;
593}
594
595void
596connection::send_reset (const sockinfo &si)
597{
598 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
599 {
600 config_packet *pkt = new config_packet;
601
602 pkt->setup (vpn_packet::PT_RESET, conf->id);
603 vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST);
606 604
607 delete pkt; 605 delete pkt;
608 } 606 }
609 else 607}
610 ; // silently fail 608
609void
610connection::send_auth_request (const sockinfo &si, bool initiate)
611{
612 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
613
614 rsachallenge chg;
615
616 rsa_cache.gen (pkt->id, chg);
617
618 if (0 > RSA_public_encrypt (sizeof chg,
619 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
620 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
621 fatal ("RSA_public_encrypt error");
622
623 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
624
625 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
626
627
628 delete pkt;
611} 629}
612 630
613void 631void
614connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg) 632connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
615{ 633{
621 639
622 pkt->hmac_set (octx); 640 pkt->hmac_set (octx);
623 641
624 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 642 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
625 643
626 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 644 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
627 645
628 delete pkt; 646 delete pkt;
629} 647}
630 648
631void 649void
635 conf->id, rid, (const char *)rsi); 653 conf->id, rid, (const char *)rsi);
636 654
637 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 655 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
638 656
639 r->hmac_set (octx); 657 r->hmac_set (octx);
640 send_vpn_packet (r, si); 658 vpn->send_vpn_packet (r, si);
641 659
642 delete r; 660 delete r;
643} 661}
644 662
645void 663void
646connection::establish_connection_cb (tstamp &ts) 664connection::establish_connection_cb (time_watcher &w)
647{ 665{
648 if (ictx || conf == THISNODE 666 if (ictx || conf == THISNODE
649 || connectmode == conf_node::C_NEVER 667 || connectmode == conf_node::C_NEVER
650 || connectmode == conf_node::C_DISABLED) 668 || connectmode == conf_node::C_DISABLED)
651 ts = TSTAMP_CANCEL; 669 w.at = TSTAMP_CANCEL;
652 else if (ts <= NOW) 670 else if (w.at <= NOW)
653 { 671 {
654 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 672 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
655 673
656 if (retry_int < 3600 * 8) 674 if (retry_int < 3600 * 8)
657 retry_cnt++; 675 retry_cnt++;
658 676
659 ts = NOW + retry_int; 677 w.at = NOW + retry_int;
660 678
661 if (conf->hostname) 679 reset_si ();
680
681 if (si.prot && !si.host)
682 vpn->connect_request (conf->id);
683 else
662 { 684 {
663 reset_dstaddr (); 685 const sockinfo &dsi = forward_si (si);
686
664 if (si.host && auth_rate_limiter.can (si)) 687 if (dsi.valid () && auth_rate_limiter.can (dsi))
665 { 688 {
666 if (retry_cnt < 4) 689 if (retry_cnt < 4)
667 send_auth_request (si, true); 690 send_auth_request (dsi, true);
668 else 691 else
669 send_ping (si, 0); 692 send_ping (dsi, 0);
670 } 693 }
671 } 694 }
672 else
673 vpn->connect_request (conf->id);
674 } 695 }
675} 696}
676 697
677void 698void
678connection::reset_connection () 699connection::reset_connection ()
707 728
708 reset_connection (); 729 reset_connection ();
709} 730}
710 731
711void 732void
712connection::rekey_cb (tstamp &ts) 733connection::rekey_cb (time_watcher &w)
713{ 734{
714 ts = TSTAMP_CANCEL; 735 w.at = TSTAMP_CANCEL;
715 736
716 reset_connection (); 737 reset_connection ();
717 establish_connection (); 738 establish_connection ();
718} 739}
719 740
727 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 748 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
728 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 749 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
729 tos = (*pkt)[15] & IPTOS_TOS_MASK; 750 tos = (*pkt)[15] & IPTOS_TOS_MASK;
730 751
731 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 752 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
732 send_vpn_packet (p, si, tos); 753 vpn->send_vpn_packet (p, si, tos);
733 754
734 delete p; 755 delete p;
735 756
736 if (oseqno > MAX_SEQNO) 757 if (oseqno > MAX_SEQNO)
737 rekey (); 758 rekey ();
749 770
750 establish_connection (); 771 establish_connection ();
751 } 772 }
752} 773}
753 774
775void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
776{
777 if (ictx && octx)
778 vpn->send_vpn_packet (pkt, si, tos);
779 else
780 establish_connection ();
781}
782
754void 783void
755connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 784connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
756{ 785{
757 last_activity = NOW; 786 last_activity = NOW;
758 787
759 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 788 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
760 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 789 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
761 790
762 switch (pkt->typ ()) 791 switch (pkt->typ ())
763 { 792 {
764 case vpn_packet::PT_PING: 793 case vpn_packet::PT_PING:
765 // we send pings instead of auth packets after some retries, 794 // we send pings instead of auth packets after some retries,
766 // so reset the retry counter and establish a connection 795 // so reset the retry counter and establish a connection
767 // when we receive a ping. 796 // when we receive a ping.
768 if (!ictx) 797 if (!ictx)
798 {
799 if (auth_rate_limiter.can (rsi))
800 send_auth_request (rsi, true);
801 }
802 else
803 send_ping (rsi, 1); // pong
804
805 break;
806
807 case vpn_packet::PT_PONG:
808 break;
809
810 case vpn_packet::PT_RESET:
769 { 811 {
770 if (auth_rate_limiter.can (rsi)) 812 reset_connection ();
771 send_auth_request (rsi, true); 813
814 config_packet *p = (config_packet *) pkt;
815
816 if (!p->chk_config ())
817 {
818 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
819 conf->nodename, (const char *)rsi);
820 connectmode = conf_node::C_DISABLED;
821 }
822 else if (connectmode == conf_node::C_ALWAYS)
823 establish_connection ();
772 } 824 }
773 else
774 send_ping (rsi, 1); // pong
775
776 break; 825 break;
777 826
778 case vpn_packet::PT_PONG:
779 break;
780
781 case vpn_packet::PT_RESET: 827 case vpn_packet::PT_AUTH_REQ:
782 { 828 if (auth_rate_limiter.can (rsi))
783 reset_connection ();
784
785 config_packet *p = (config_packet *) pkt;
786
787 if (!p->chk_config ())
788 { 829 {
789 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"), 830 auth_req_packet *p = (auth_req_packet *) pkt;
831
832 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
833
834 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
835 {
836 if (p->prot_minor != PROTOCOL_MINOR)
837 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
838 conf->nodename, (const char *)rsi,
839 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
840
841 if (p->initiate)
842 send_auth_request (rsi, false);
843
844 rsachallenge k;
845
846 if (0 > RSA_private_decrypt (sizeof (p->encr),
847 (unsigned char *)&p->encr, (unsigned char *)&k,
848 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
849 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
790 conf->nodename, (const char *)rsi); 850 conf->nodename, (const char *)rsi);
791 connectmode = conf_node::C_DISABLED; 851 else
852 {
853 retry_cnt = 0;
854 establish_connection.start (NOW + 8); //? ;)
855 keepalive.reset ();
856 rekey.reset ();
857
858 delete ictx;
859 ictx = 0;
860
861 delete octx;
862
863 octx = new crypto_ctx (k, 1);
864 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
865
866 conf->protocols = p->protocols;
867 send_auth_response (rsi, p->id, k);
868
869 break;
870 }
871 }
872
873 send_reset (rsi);
792 } 874 }
793 else if (connectmode == conf_node::C_ALWAYS) 875
794 establish_connection ();
795 }
796 break; 876 break;
797 877
798 case vpn_packet::PT_AUTH_REQ: 878 case vpn_packet::PT_AUTH_RES:
799 if (auth_rate_limiter.can (rsi))
800 { 879 {
801 auth_req_packet *p = (auth_req_packet *) pkt; 880 auth_res_packet *p = (auth_res_packet *) pkt;
802 881
803 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 882 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
804 883
805 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 884 if (p->chk_config ())
806 { 885 {
807 if (p->prot_minor != PROTOCOL_MINOR) 886 if (p->prot_minor != PROTOCOL_MINOR)
808 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 887 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
809 conf->nodename, (const char *)rsi, 888 conf->nodename, (const char *)rsi,
810 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 889 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
811 890
812 if (p->initiate)
813 send_auth_request (rsi, false);
814
815 rsachallenge k; 891 rsachallenge chg;
816 892
817 if (0 > RSA_private_decrypt (sizeof (p->encr), 893 if (!rsa_cache.find (p->id, chg))
818 (unsigned char *)&p->encr, (unsigned char *)&k, 894 slog (L_ERR, _("%s(%s): unrequested auth response"),
819 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
820 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
821 conf->nodename, (const char *)rsi); 895 conf->nodename, (const char *)rsi);
822 else 896 else
823 { 897 {
824 retry_cnt = 0; 898 crypto_ctx *cctx = new crypto_ctx (chg, 0);
825 establish_connection.set (NOW + 8); //? ;) 899
826 keepalive.reset (); 900 if (!p->hmac_chk (cctx))
901 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
902 "could be an attack, or just corruption or an synchronization error"),
903 conf->nodename, (const char *)rsi);
827 rekey.reset (); 904 else
905 {
906 rsaresponse h;
828 907
908 rsa_hash (p->id, chg, h);
909
910 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
911 {
912 prot_minor = p->prot_minor;
913
914 delete ictx; ictx = cctx;
915
916 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
917
918 si = rsi;
919 protocol = rsi.prot;
920
921 rekey.start (NOW + ::conf.rekey);
922 keepalive.start (NOW + ::conf.keepalive);
923
924 // send queued packets
925 while (tap_packet *p = queue.get ())
926 {
927 send_data_packet (p);
928 delete p;
929 }
930
931 connectmode = conf->connectmode;
932
933 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
934 conf->nodename, (const char *)rsi,
935 p->prot_major, p->prot_minor);
936
937 if (::conf.script_node_up)
938 run_script (run_script_cb (this, &connection::script_node_up), false);
939
940 break;
941 }
942 else
943 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
944 conf->nodename, (const char *)rsi);
945 }
946
829 delete ictx; 947 delete cctx;
830 ictx = 0;
831
832 delete octx;
833
834 octx = new crypto_ctx (k, 1);
835 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
836
837 conf->protocols = p->protocols;
838 send_auth_response (rsi, p->id, k);
839
840 break;
841 } 948 }
842 } 949 }
843
844 send_reset (rsi);
845 } 950 }
846 951
952 send_reset (rsi);
847 break; 953 break;
848 954
849 case vpn_packet::PT_AUTH_RES: 955 case vpn_packet::PT_DATA_COMPRESSED:
850 { 956#if !ENABLE_COMPRESSION
851 auth_res_packet *p = (auth_res_packet *) pkt; 957 send_reset (rsi);
958 break;
959#endif
852 960
853 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 961 case vpn_packet::PT_DATA_UNCOMPRESSED:
854 962
855 if (p->chk_config ()) 963 if (ictx && octx)
856 { 964 {
857 if (p->prot_minor != PROTOCOL_MINOR) 965 vpndata_packet *p = (vpndata_packet *)pkt;
858 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
859 conf->nodename, (const char *)rsi,
860 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
861 966
862 rsachallenge chg; 967 if (rsi == si)
863
864 if (!rsa_cache.find (p->id, chg))
865 slog (L_ERR, _("%s(%s): unrequested auth response"),
866 conf->nodename, (const char *)rsi);
867 else
868 { 968 {
869 crypto_ctx *cctx = new crypto_ctx (chg, 0);
870
871 if (!p->hmac_chk (cctx)) 969 if (!p->hmac_chk (ictx))
872 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 970 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
873 "could be an attack, or just corruption or an synchronization error"), 971 "could be an attack, or just corruption or an synchronization error"),
874 conf->nodename, (const char *)rsi); 972 conf->nodename, (const char *)rsi);
875 else 973 else
876 { 974 {
877 rsaresponse h; 975 u32 seqno;
976 tap_packet *d = p->unpack (this, seqno);
878 977
879 rsa_hash (p->id, chg, h); 978 if (iseqno.recv_ok (seqno))
880
881 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
882 { 979 {
883 prot_minor = p->prot_minor; 980 vpn->tap->send (d);
884 981
885 delete ictx; ictx = cctx; 982 if (p->dst () == 0) // re-broadcast
886 983 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
887 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
888
889 si = rsi;
890
891 rekey.set (NOW + ::conf.rekey);
892 keepalive.set (NOW + ::conf.keepalive);
893
894 // send queued packets
895 while (tap_packet *p = queue.get ())
896 { 984 {
985 connection *c = *i;
986
987 if (c->conf != THISNODE && c->conf != conf)
897 send_data_packet (p); 988 c->inject_data_packet (d);
898 delete p;
899 } 989 }
900 990
901 connectmode = conf->connectmode; 991 delete d;
902
903 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
904 conf->nodename, (const char *)rsi,
905 strprotocol (protocol),
906 p->prot_major, p->prot_minor);
907
908 if (::conf.script_node_up)
909 run_script (run_script_cb (this, &connection::script_node_up), false);
910 992
911 break; 993 break;
912 } 994 }
913 else
914 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
915 conf->nodename, (const char *)rsi);
916 } 995 }
996 }
997 else
998 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
999 }
917 1000
918 delete cctx; 1001 send_reset (rsi);
1002 break;
1003
1004 case vpn_packet::PT_CONNECT_REQ:
1005 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1006 {
1007 connect_req_packet *p = (connect_req_packet *) pkt;
1008
1009 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1010 connection *c = vpn->conns[p->id - 1];
1011 conf->protocols = p->protocols;
1012
1013 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1014 conf->id, p->id, c->ictx && c->octx);
1015
1016 if (c->ictx && c->octx)
1017 {
1018 // send connect_info packets to both sides, in case one is
1019 // behind a nat firewall (or both ;)
1020 c->send_connect_info (conf->id, si, conf->protocols);
1021 send_connect_info (c->conf->id, c->si, c->conf->protocols);
919 } 1022 }
920 } 1023 }
921 }
922 1024
923 send_reset (rsi);
924 break; 1025 break;
925 1026
926 case vpn_packet::PT_DATA_COMPRESSED:
927#if !ENABLE_COMPRESSION
928 send_reset (rsi);
929 break;
930#endif
931
932 case vpn_packet::PT_DATA_UNCOMPRESSED:
933
934 if (ictx && octx)
935 {
936 vpndata_packet *p = (vpndata_packet *)pkt;
937
938 if (rsi == si)
939 {
940 if (!p->hmac_chk (ictx))
941 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
942 "could be an attack, or just corruption or an synchronization error"),
943 conf->nodename, (const char *)rsi);
944 else
945 {
946 u32 seqno;
947 tap_packet *d = p->unpack (this, seqno);
948
949 if (iseqno.recv_ok (seqno))
950 {
951 vpn->tap->send (d);
952
953 if (p->dst () == 0) // re-broadcast
954 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
955 {
956 connection *c = *i;
957
958 if (c->conf != THISNODE && c->conf != conf)
959 c->inject_data_packet (d);
960 }
961
962 delete d;
963
964 break;
965 }
966 }
967 }
968 else
969 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
970 }
971
972 send_reset (rsi);
973 break;
974
975 case vpn_packet::PT_CONNECT_REQ: 1027 case vpn_packet::PT_CONNECT_INFO:
976 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1028 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
977 { 1029 {
978 connect_req_packet *p = (connect_req_packet *) pkt; 1030 connect_info_packet *p = (connect_info_packet *) pkt;
979 1031
980 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1032 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
981 conf->protocols = p->protocols; 1033
982 connection *c = vpn->conns[p->id - 1]; 1034 connection *c = vpn->conns[p->id - 1];
983 1035
984 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
985 conf->id, p->id, c->ictx && c->octx);
986
987 if (c->ictx && c->octx)
988 {
989 // send connect_info packets to both sides, in case one is
990 // behind a nat firewall (or both ;)
991 c->send_connect_info (conf->id, si, conf->protocols);
992 send_connect_info (c->conf->id, c->si, c->conf->protocols);
993 }
994 }
995
996 break;
997
998 case vpn_packet::PT_CONNECT_INFO:
999 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1000 {
1001 connect_info_packet *p = (connect_info_packet *) pkt;
1002
1003 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1004 conf->protocols = p->protocols; 1036 c->conf->protocols = p->protocols;
1005 connection *c = vpn->conns[p->id - 1]; 1037 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1038 p->si.upgrade_protocol (protocol, c->conf);
1006 1039
1007 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1040 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1008 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1041 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1009 1042
1043 const sockinfo &dsi = forward_si (p->si);
1044
1045 if (dsi.valid ())
1010 c->send_auth_request (p->si, true); 1046 c->send_auth_request (dsi, true);
1011 } 1047 }
1012 1048
1013 break; 1049 break;
1014 1050
1015 default: 1051 default:
1016 send_reset (rsi); 1052 send_reset (rsi);
1017 break; 1053 break;
1018
1019 } 1054 }
1020} 1055}
1021 1056
1022void connection::keepalive_cb (tstamp &ts) 1057void connection::keepalive_cb (time_watcher &w)
1023{ 1058{
1024 if (NOW >= last_activity + ::conf.keepalive + 30) 1059 if (NOW >= last_activity + ::conf.keepalive + 30)
1025 { 1060 {
1026 reset_connection (); 1061 reset_connection ();
1027 establish_connection (); 1062 establish_connection ();
1028 } 1063 }
1029 else if (NOW < last_activity + ::conf.keepalive) 1064 else if (NOW < last_activity + ::conf.keepalive)
1030 ts = last_activity + ::conf.keepalive; 1065 w.at = last_activity + ::conf.keepalive;
1031 else if (conf->connectmode != conf_node::C_ONDEMAND 1066 else if (conf->connectmode != conf_node::C_ONDEMAND
1032 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1067 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1033 { 1068 {
1034 send_ping (si); 1069 send_ping (si);
1035 ts = NOW + 5; 1070 w.at = NOW + 5;
1036 } 1071 }
1037 else 1072 else
1038 reset_connection (); 1073 reset_connection ();
1039} 1074}
1040 1075
1042{ 1077{
1043 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1078 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1044 1079
1045 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1080 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1046 p->hmac_set (octx); 1081 p->hmac_set (octx);
1047 send_vpn_packet (p, si); 1082 vpn->send_vpn_packet (p, si);
1048 1083
1049 delete p; 1084 delete p;
1050} 1085}
1051 1086
1052void connection::script_node () 1087void connection::script_node ()
1053{ 1088{
1054 vpn->script_if_up (0); 1089 vpn->script_if_up ();
1055 1090
1056 char *env; 1091 char *env;
1057 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1092 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1058 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1093 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1059 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1094 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1060 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1095 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1061} 1096}
1062 1097
1063const char *connection::script_node_up (int) 1098const char *connection::script_node_up ()
1064{ 1099{
1065 script_node (); 1100 script_node ();
1066 1101
1067 putenv ("STATE=up"); 1102 putenv ("STATE=up");
1068 1103
1069 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1104 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1070} 1105}
1071 1106
1072const char *connection::script_node_down (int) 1107const char *connection::script_node_down ()
1073{ 1108{
1074 script_node (); 1109 script_node ();
1075 1110
1076 putenv ("STATE=down"); 1111 putenv ("STATE=down");
1077 1112
1078 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1113 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1079}
1080
1081// send a vpn packet out to other hosts
1082void
1083connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1084{
1085 if (protocol & PROT_IPv4)
1086 vpn->send_ipv4_packet (pkt, si, tos);
1087 else
1088 vpn->send_udpv4_packet (pkt, si, tos);
1089} 1114}
1090 1115
1091connection::connection(struct vpn *vpn_) 1116connection::connection(struct vpn *vpn_)
1092: vpn(vpn_) 1117: vpn(vpn_)
1093, rekey (this, &connection::rekey_cb) 1118, rekey (this, &connection::rekey_cb)

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines