ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.9 by pcg, Sun Apr 6 04:31:51 2003 UTC vs.
Revision 1.18 by pcg, Sat Oct 4 13:20:07 2003 UTC

147 } 147 }
148} 148}
149 149
150////////////////////////////////////////////////////////////////////////////// 150//////////////////////////////////////////////////////////////////////////////
151 151
152void pkt_queue::put (tap_packet *p) 152void pkt_queue::put (net_packet *p)
153{ 153{
154 if (queue[i]) 154 if (queue[i])
155 { 155 {
156 delete queue[i]; 156 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH; 157 j = (j + 1) % QUEUEDEPTH;
160 queue[i] = p; 160 queue[i] = p;
161 161
162 i = (i + 1) % QUEUEDEPTH; 162 i = (i + 1) % QUEUEDEPTH;
163} 163}
164 164
165tap_packet *pkt_queue::get () 165net_packet *pkt_queue::get ()
166{ 166{
167 tap_packet *p = queue[j]; 167 net_packet *p = queue[j];
168 168
169 if (p) 169 if (p)
170 { 170 {
171 queue[j] = 0; 171 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH; 172 j = (j + 1) % QUEUEDEPTH;
197// only do action once every x seconds per host whole allowing bursts. 197// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 198// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 199// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 200struct net_rate_limiter : list<net_rateinfo>
201{ 201{
202 static const double ALPHA = 1. - 1. / 180.; // allow bursts 202 static const double ALPHA = 1. - 1. / 600.; // allow bursts
203 static const double CUTOFF = 10.; // one event every CUTOFF seconds 203 static const double CUTOFF = 10.; // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
205 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205 206
206 bool can (const sockinfo &si) { return can((u32)si.host); } 207 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 208 bool can (u32 host);
208}; 209};
209 210
210net_rate_limiter auth_rate_limiter, reset_rate_limiter; 211net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211 212
225 { 226 {
226 net_rateinfo ri; 227 net_rateinfo ri;
227 228
228 ri.host = host; 229 ri.host = host;
229 ri.pcnt = 1.; 230 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 231 ri.diff = MAXDIF;
231 ri.last = NOW; 232 ri.last = NOW;
232 233
233 push_front (ri); 234 push_front (ri);
234 235
235 return true; 236 return true;
242 ri.pcnt = ri.pcnt * ALPHA; 243 ri.pcnt = ri.pcnt * ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 244 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244 245
245 ri.last = NOW; 246 ri.last = NOW;
246 247
248 double dif = ri.diff / ri.pcnt;
249
247 bool send = ri.diff / ri.pcnt > CUTOFF; 250 bool send = dif > CUTOFF;
248 251
252 if (dif > MAXDIF)
253 {
254 ri.pcnt = 1.;
255 ri.diff = MAXDIF;
256 }
249 if (send) 257 else if (send)
250 ri.pcnt++; 258 ri.pcnt++;
251 259
252 push_front (ri); 260 push_front (ri);
253 261
254 return send; 262 return send;
467 set_hdr (type, dst); 475 set_hdr (type, dst);
468} 476}
469 477
470bool config_packet::chk_config () const 478bool config_packet::chk_config () const
471{ 479{
472 return prot_major == PROTOCOL_MAJOR 480 if (prot_major != PROTOCOL_MAJOR)
473 && randsize == RAND_SIZE 481 slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR);
474 && hmaclen == HMACLENGTH 482 else if (randsize != RAND_SIZE)
475 && flags == curflags () 483 slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE);
484 else if (hmaclen != HMACLENGTH)
485 slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH);
486 else if (flags != curflags ())
487 slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
476 && challengelen == sizeof (rsachallenge) 488 else if (challengelen != sizeof (rsachallenge))
489 slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge));
477 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 490 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
491 slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 492 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
493 slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 494 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
495 slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
496 else
497 return true;
498
499 return false;
480} 500}
481 501
482struct auth_req_packet : config_packet 502struct auth_req_packet : config_packet
483{ 503{
484 char magic[8]; 504 char magic[8];
544 len = sizeof (*this) - sizeof (net_packet); 564 len = sizeof (*this) - sizeof (net_packet);
545 } 565 }
546}; 566};
547 567
548///////////////////////////////////////////////////////////////////////////// 568/////////////////////////////////////////////////////////////////////////////
569
570void
571connection::connection_established ()
572{
573 if (ictx && octx)
574 {
575 connectmode = conf->connectmode;
576
577 rekey.start (NOW + ::conf.rekey);
578 keepalive.start (NOW + ::conf.keepalive);
579
580 // send queued packets
581 if (ictx && octx)
582 {
583 while (tap_packet *p = (tap_packet *)data_queue.get ())
584 {
585 send_data_packet (p);
586 delete p;
587 }
588
589 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
590 {
591 send_vpn_packet (p, si, IPTOS_RELIABILITY);
592 delete p;
593 }
594 }
595 }
596 else
597 {
598 retry_cnt = 0;
599 establish_connection.start (NOW + 5);
600 keepalive.reset ();
601 rekey.reset ();
602 }
603}
549 604
550void 605void
551connection::reset_si () 606connection::reset_si ()
552{ 607{
553 protocol = best_protocol (THISNODE->protocols & conf->protocols); 608 protocol = best_protocol (THISNODE->protocols & conf->protocols);
580 635
581 return si; 636 return si;
582} 637}
583 638
584void 639void
640connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
641{
642 if (!vpn->send_vpn_packet (pkt, si, tos))
643 reset_connection ();
644}
645
646void
585connection::send_ping (const sockinfo &si, u8 pong) 647connection::send_ping (const sockinfo &si, u8 pong)
586{ 648{
587 ping_packet *pkt = new ping_packet; 649 ping_packet *pkt = new ping_packet;
588 650
589 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 651 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
590 vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 652 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
591 653
592 delete pkt; 654 delete pkt;
593} 655}
594 656
595void 657void
598 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED) 660 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
599 { 661 {
600 config_packet *pkt = new config_packet; 662 config_packet *pkt = new config_packet;
601 663
602 pkt->setup (vpn_packet::PT_RESET, conf->id); 664 pkt->setup (vpn_packet::PT_RESET, conf->id);
603 vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST); 665 send_vpn_packet (pkt, si, IPTOS_MINCOST);
604 666
605 delete pkt; 667 delete pkt;
606 } 668 }
607} 669}
608 670
620 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 682 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
621 fatal ("RSA_public_encrypt error"); 683 fatal ("RSA_public_encrypt error");
622 684
623 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 685 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
624 686
625 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly 687 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
626 688
627 delete pkt; 689 delete pkt;
628} 690}
629 691
630void 692void
638 700
639 pkt->hmac_set (octx); 701 pkt->hmac_set (octx);
640 702
641 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 703 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
642 704
643 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 705 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
644 706
645 delete pkt; 707 delete pkt;
646} 708}
647 709
648void 710void
652 conf->id, rid, (const char *)rsi); 714 conf->id, rid, (const char *)rsi);
653 715
654 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 716 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
655 717
656 r->hmac_set (octx); 718 r->hmac_set (octx);
657 vpn->send_vpn_packet (r, si); 719 send_vpn_packet (r, si);
658 720
659 delete r; 721 delete r;
660} 722}
661 723
662void 724void
676 w.at = NOW + retry_int; 738 w.at = NOW + retry_int;
677 739
678 reset_si (); 740 reset_si ();
679 741
680 if (si.prot && !si.host) 742 if (si.prot && !si.host)
681 vpn->connect_request (conf->id); 743 vpn->send_connect_request (conf->id);
682 else 744 else
683 { 745 {
684 const sockinfo &dsi = forward_si (si); 746 const sockinfo &dsi = forward_si (si);
685 747
686 if (dsi.valid () && auth_rate_limiter.can (dsi)) 748 if (dsi.valid () && auth_rate_limiter.can (dsi))
741connection::send_data_packet (tap_packet *pkt, bool broadcast) 803connection::send_data_packet (tap_packet *pkt, bool broadcast)
742{ 804{
743 vpndata_packet *p = new vpndata_packet; 805 vpndata_packet *p = new vpndata_packet;
744 int tos = 0; 806 int tos = 0;
745 807
808 // I am not hilarious about peeking into packets, but so be it.
746 if (conf->inherit_tos 809 if (conf->inherit_tos
747 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 810 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
748 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 811 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
749 tos = (*pkt)[15] & IPTOS_TOS_MASK; 812 tos = (*pkt)[15] & IPTOS_TOS_MASK;
750 813
751 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 814 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
752 vpn->send_vpn_packet (p, si, tos); 815 send_vpn_packet (p, si, tos);
753 816
754 delete p; 817 delete p;
755 818
756 if (oseqno > MAX_SEQNO) 819 if (oseqno > MAX_SEQNO)
757 rekey (); 820 rekey ();
763 if (ictx && octx) 826 if (ictx && octx)
764 send_data_packet (pkt, broadcast); 827 send_data_packet (pkt, broadcast);
765 else 828 else
766 { 829 {
767 if (!broadcast)//DDDD 830 if (!broadcast)//DDDD
768 queue.put (new tap_packet (*pkt)); 831 data_queue.put (new tap_packet (*pkt));
769 832
770 establish_connection (); 833 establish_connection ();
771 } 834 }
772} 835}
773 836
774void connection::inject_vpn_packet (vpn_packet *pkt, int tos) 837void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
775{ 838{
776 if (ictx && octx) 839 if (ictx && octx)
777 vpn->send_vpn_packet (pkt, si, tos); 840 send_vpn_packet (pkt, si, tos);
778 else 841 else
842 {
843 vpn_queue.put (new vpn_packet (*pkt));
844
779 establish_connection (); 845 establish_connection ();
846 }
780} 847}
781 848
782void 849void
783connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 850connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
784{ 851{
843 rsachallenge k; 910 rsachallenge k;
844 911
845 if (0 > RSA_private_decrypt (sizeof (p->encr), 912 if (0 > RSA_private_decrypt (sizeof (p->encr),
846 (unsigned char *)&p->encr, (unsigned char *)&k, 913 (unsigned char *)&p->encr, (unsigned char *)&k,
847 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 914 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
848 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 915 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
849 conf->nodename, (const char *)rsi); 916 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
850 else 917 else
851 { 918 {
852 retry_cnt = 0;
853 establish_connection.start (NOW + 8); //? ;)
854 keepalive.reset ();
855 rekey.reset ();
856
857 delete ictx;
858 ictx = 0;
859
860 delete octx; 919 delete octx;
861 920
862 octx = new crypto_ctx (k, 1); 921 octx = new crypto_ctx (k, 1);
863 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 922 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
864 923
865 conf->protocols = p->protocols; 924 conf->protocols = p->protocols;
925
866 send_auth_response (rsi, p->id, k); 926 send_auth_response (rsi, p->id, k);
927
928 connection_established ();
867 929
868 break; 930 break;
869 } 931 }
870 } 932 }
933 else
934 slog (L_WARN, _("%s(%s): protocol mismatch"),
935 conf->nodename, (const char *)rsi);
871 936
872 send_reset (rsi); 937 send_reset (rsi);
873 } 938 }
874 939
875 break; 940 break;
888 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 953 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
889 954
890 rsachallenge chg; 955 rsachallenge chg;
891 956
892 if (!rsa_cache.find (p->id, chg)) 957 if (!rsa_cache.find (p->id, chg))
958 {
893 slog (L_ERR, _("%s(%s): unrequested auth response"), 959 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
894 conf->nodename, (const char *)rsi); 960 conf->nodename, (const char *)rsi);
961 break;
962 }
895 else 963 else
896 { 964 {
897 crypto_ctx *cctx = new crypto_ctx (chg, 0); 965 crypto_ctx *cctx = new crypto_ctx (chg, 0);
898 966
899 if (!p->hmac_chk (cctx)) 967 if (!p->hmac_chk (cctx))
968 {
900 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 969 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
901 "could be an attack, or just corruption or an synchronization error"), 970 "could be an attack, or just corruption or an synchronization error"),
902 conf->nodename, (const char *)rsi); 971 conf->nodename, (const char *)rsi);
972 break;
973 }
903 else 974 else
904 { 975 {
905 rsaresponse h; 976 rsaresponse h;
906 977
907 rsa_hash (p->id, chg, h); 978 rsa_hash (p->id, chg, h);
915 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 986 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
916 987
917 si = rsi; 988 si = rsi;
918 protocol = rsi.prot; 989 protocol = rsi.prot;
919 990
920 rekey.start (NOW + ::conf.rekey); 991 connection_established ();
921 keepalive.start (NOW + ::conf.keepalive);
922
923 // send queued packets
924 while (tap_packet *p = queue.get ())
925 {
926 send_data_packet (p);
927 delete p;
928 }
929
930 connectmode = conf->connectmode;
931 992
932 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), 993 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
933 conf->nodename, (const char *)rsi, 994 conf->nodename, (const char *)rsi,
934 p->prot_major, p->prot_minor); 995 p->prot_major, p->prot_minor);
935 996
961 1022
962 if (ictx && octx) 1023 if (ictx && octx)
963 { 1024 {
964 vpndata_packet *p = (vpndata_packet *)pkt; 1025 vpndata_packet *p = (vpndata_packet *)pkt;
965 1026
966 if (rsi == si) 1027 if (!p->hmac_chk (ictx))
1028 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1029 "could be an attack, or just corruption or an synchronization error"),
1030 conf->nodename, (const char *)rsi);
1031 else
967 { 1032 {
968 if (!p->hmac_chk (ictx))
969 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
970 "could be an attack, or just corruption or an synchronization error"),
971 conf->nodename, (const char *)rsi);
972 else 1033 u32 seqno;
1034 tap_packet *d = p->unpack (this, seqno);
1035
1036 if (iseqno.recv_ok (seqno))
973 { 1037 {
974 u32 seqno; 1038 vpn->tap->send (d);
975 tap_packet *d = p->unpack (this, seqno);
976 1039
977 if (iseqno.recv_ok (seqno)) 1040 if (p->dst () == 0) // re-broadcast
1041 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1042 {
1043 connection *c = *i;
1044
1045 if (c->conf != THISNODE && c->conf != conf)
1046 c->inject_data_packet (d);
1047 }
1048
1049 if (si != rsi)
978 { 1050 {
979 vpn->tap->send (d); 1051 // fast re-sync on connection changes, useful especially for tcp/ip
980
981 if (p->dst () == 0) // re-broadcast
982 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
983 {
984 connection *c = *i;
985
986 if (c->conf != THISNODE && c->conf != conf)
987 c->inject_data_packet (d);
988 }
989
990 delete d;
991
992 break; 1052 si = rsi;
1053
1054 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1055 conf->nodename, (const char *)si, (const char *)rsi);
993 } 1056 }
1057
1058 delete d;
1059
1060 break;
994 } 1061 }
995 } 1062 }
996 else
997 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
998 } 1063 }
999 1064
1000 send_reset (rsi); 1065 send_reset (rsi);
1001 break; 1066 break;
1002 1067
1017 // send connect_info packets to both sides, in case one is 1082 // send connect_info packets to both sides, in case one is
1018 // behind a nat firewall (or both ;) 1083 // behind a nat firewall (or both ;)
1019 c->send_connect_info (conf->id, si, conf->protocols); 1084 c->send_connect_info (conf->id, si, conf->protocols);
1020 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1085 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1021 } 1086 }
1087 else
1088 c->establish_connection ();
1022 } 1089 }
1023 1090
1024 break; 1091 break;
1025 1092
1026 case vpn_packet::PT_CONNECT_INFO: 1093 case vpn_packet::PT_CONNECT_INFO:
1066 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1133 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1067 { 1134 {
1068 send_ping (si); 1135 send_ping (si);
1069 w.at = NOW + 5; 1136 w.at = NOW + 5;
1070 } 1137 }
1138 else if (NOW < last_activity + ::conf.keepalive + 10)
1139 // hold ondemand connections implicitly a few seconds longer
1140 // should delete octx, though, or something like that ;)
1141 w.at = last_activity + ::conf.keepalive + 10;
1071 else 1142 else
1072 reset_connection (); 1143 reset_connection ();
1073} 1144}
1074 1145
1075void connection::connect_request (int id) 1146void connection::send_connect_request (int id)
1076{ 1147{
1077 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1148 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1078 1149
1079 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1150 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1080 p->hmac_set (octx); 1151 p->hmac_set (octx);
1081 vpn->send_vpn_packet (p, si); 1152 send_vpn_packet (p, si);
1082 1153
1083 delete p; 1154 delete p;
1084} 1155}
1085 1156
1086void connection::script_node () 1157void connection::script_node ()

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines