ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.2 by pcg, Wed Apr 2 03:25:17 2003 UTC vs.
Revision 1.11 by pcg, Sun Apr 13 00:35:46 2003 UTC

85 rsachallenge chg; 85 rsachallenge chg;
86}; 86};
87 87
88struct rsa_cache : list<rsa_entry> 88struct rsa_cache : list<rsa_entry>
89{ 89{
90 void cleaner_cb (tstamp &ts); time_watcher cleaner; 90 void cleaner_cb (time_watcher &w); time_watcher cleaner;
91 91
92 bool find (const rsaid &id, rsachallenge &chg) 92 bool find (const rsaid &id, rsachallenge &chg)
93 { 93 {
94 for (iterator i = begin (); i != end (); ++i) 94 for (iterator i = begin (); i != end (); ++i)
95 { 95 {
129 : cleaner (this, &rsa_cache::cleaner_cb) 129 : cleaner (this, &rsa_cache::cleaner_cb)
130 { } 130 { }
131 131
132} rsa_cache; 132} rsa_cache;
133 133
134void rsa_cache::cleaner_cb (tstamp &ts) 134void rsa_cache::cleaner_cb (time_watcher &w)
135{ 135{
136 if (empty ()) 136 if (empty ())
137 ts = TSTAMP_CANCEL; 137 w.at = TSTAMP_CANCEL;
138 else 138 else
139 { 139 {
140 ts = NOW + RSA_TTL; 140 w.at = NOW + RSA_TTL;
141 141
142 for (iterator i = begin (); i != end (); ) 142 for (iterator i = begin (); i != end (); )
143 if (i->expire <= NOW) 143 if (i->expire <= NOW)
144 i = erase (i); 144 i = erase (i);
145 else 145 else
197// only do action once every x seconds per host whole allowing bursts. 197// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 198// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 199// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 200struct net_rate_limiter : list<net_rateinfo>
201{ 201{
202 static const double ALPHA = 1. - 1. / 90.; // allow bursts 202 static const double ALPHA = 1. - 1. / 180.; // allow bursts
203 static const double CUTOFF = 20.; // one event every CUTOFF seconds 203 static const double CUTOFF = 10.; // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
205 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205 206
206 bool can (const sockinfo &si) { return can((u32)si.host); } 207 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 208 bool can (u32 host);
208}; 209};
209 210
225 { 226 {
226 net_rateinfo ri; 227 net_rateinfo ri;
227 228
228 ri.host = host; 229 ri.host = host;
229 ri.pcnt = 1.; 230 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 231 ri.diff = MAXDIF;
231 ri.last = NOW; 232 ri.last = NOW;
232 233
233 push_front (ri); 234 push_front (ri);
234 235
235 return true; 236 return true;
242 ri.pcnt = ri.pcnt * ALPHA; 243 ri.pcnt = ri.pcnt * ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 244 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244 245
245 ri.last = NOW; 246 ri.last = NOW;
246 247
248 double dif = ri.diff / ri.pcnt;
249
247 bool send = ri.diff / ri.pcnt > CUTOFF; 250 bool send = dif > CUTOFF;
248 251
252 if (dif > MAXDIF)
253 {
254 ri.pcnt = 1.;
255 ri.diff = MAXDIF;
256 }
249 if (send) 257 else if (send)
250 ri.pcnt++; 258 ri.pcnt++;
251 259
252 push_front (ri); 260 push_front (ri);
253 261
254 return send; 262 return send;
285 hmac_gen (ctx); 293 hmac_gen (ctx);
286 294
287 return !memcmp (hmac, hmac_digest, HMACLENGTH); 295 return !memcmp (hmac, hmac_digest, HMACLENGTH);
288} 296}
289 297
290void vpn_packet::set_hdr (ptype type, unsigned int dst) 298void vpn_packet::set_hdr (ptype type_, unsigned int dst)
291{ 299{
292 this->type = type; 300 type = type_;
293 301
294 int src = THISNODE->id; 302 int src = THISNODE->id;
295 303
296 src1 = src; 304 src1 = src;
297 srcdst = ((src >> 8) << 4) | (dst >> 8); 305 srcdst = ((src >> 8) << 4) | (dst >> 8);
546}; 554};
547 555
548///////////////////////////////////////////////////////////////////////////// 556/////////////////////////////////////////////////////////////////////////////
549 557
550void 558void
559connection::connection_established ()
560{
561 if (ictx && octx)
562 {
563 connectmode = conf->connectmode;
564
565 rekey.start (NOW + ::conf.rekey);
566 keepalive.start (NOW + ::conf.keepalive);
567
568 // send queued packets
569 if (ictx && octx)
570 while (tap_packet *p = queue.get ())
571 {
572 send_data_packet (p);
573 delete p;
574 }
575 }
576 else
577 {
578 retry_cnt = 0;
579 establish_connection.start (NOW + 5);
580 keepalive.reset ();
581 rekey.reset ();
582 }
583}
584
585void
551connection::reset_dstaddr () 586connection::reset_si ()
552{ 587{
553 si.set (conf);
554}
555
556void
557connection::send_ping (const sockinfo &si, u8 pong)
558{
559 ping_packet *pkt = new ping_packet;
560
561 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
562 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
563
564 delete pkt;
565}
566
567void
568connection::send_reset (const sockinfo &si)
569{
570 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
571 {
572 config_packet *pkt = new config_packet;
573
574 pkt->setup (vpn_packet::PT_RESET, conf->id);
575 send_vpn_packet (pkt, si, IPTOS_MINCOST);
576
577 delete pkt;
578 }
579}
580
581void
582connection::send_auth_request (const sockinfo &si, bool initiate)
583{
584 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
585
586 protocol = best_protocol (THISNODE->protocols & conf->protocols); 588 protocol = best_protocol (THISNODE->protocols & conf->protocols);
587 589
588 // mask out protocols we cannot establish 590 // mask out protocols we cannot establish
589 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 591 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
590 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 592 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
591 593
592 if (protocol) 594 si.set (conf, protocol);
595}
596
597// ensure sockinfo is valid, forward if necessary
598const sockinfo &
599connection::forward_si (const sockinfo &si) const
600{
601 if (!si.valid ())
602 {
603 connection *r = vpn->find_router ();
604
605 if (r)
606 {
607 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
608 conf->nodename, r->conf->nodename);
609 return r->si;
610 }
611 else
612 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
613 conf->nodename);
593 { 614 }
594 rsachallenge chg;
595 615
596 rsa_cache.gen (pkt->id, chg); 616 return si;
617}
597 618
598 if (0 > RSA_public_encrypt (sizeof chg, 619void
599 (unsigned char *)&chg, (unsigned char *)&pkt->encr, 620connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
600 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 621{
601 fatal ("RSA_public_encrypt error"); 622 if (!vpn->send_vpn_packet (pkt, si, tos))
623 reset_connection ();
624}
602 625
603 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 626void
627connection::send_ping (const sockinfo &si, u8 pong)
628{
629 ping_packet *pkt = new ping_packet;
604 630
605 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 631 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
632 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
633
634 delete pkt;
635}
636
637void
638connection::send_reset (const sockinfo &si)
639{
640 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
641 {
642 config_packet *pkt = new config_packet;
643
644 pkt->setup (vpn_packet::PT_RESET, conf->id);
645 send_vpn_packet (pkt, si, IPTOS_MINCOST);
606 646
607 delete pkt; 647 delete pkt;
608 } 648 }
609 else 649}
610 ; // silently fail 650
651void
652connection::send_auth_request (const sockinfo &si, bool initiate)
653{
654 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
655
656 rsachallenge chg;
657
658 rsa_cache.gen (pkt->id, chg);
659
660 if (0 > RSA_public_encrypt (sizeof chg,
661 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
662 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
663 fatal ("RSA_public_encrypt error");
664
665 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
666
667 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
668
669 delete pkt;
611} 670}
612 671
613void 672void
614connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg) 673connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
615{ 674{
641 700
642 delete r; 701 delete r;
643} 702}
644 703
645void 704void
646connection::establish_connection_cb (tstamp &ts) 705connection::establish_connection_cb (time_watcher &w)
647{ 706{
648 if (ictx || conf == THISNODE 707 if (ictx || conf == THISNODE
649 || connectmode == conf_node::C_NEVER 708 || connectmode == conf_node::C_NEVER
650 || connectmode == conf_node::C_DISABLED) 709 || connectmode == conf_node::C_DISABLED)
651 ts = TSTAMP_CANCEL; 710 w.at = TSTAMP_CANCEL;
652 else if (ts <= NOW) 711 else if (w.at <= NOW)
653 { 712 {
654 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 713 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
655 714
656 if (retry_int < 3600 * 8) 715 if (retry_int < 3600 * 8)
657 retry_cnt++; 716 retry_cnt++;
658 717
659 ts = NOW + retry_int; 718 w.at = NOW + retry_int;
660 719
661 if (conf->hostname) 720 reset_si ();
721
722 if (si.prot && !si.host)
723 vpn->send_connect_request (conf->id);
724 else
662 { 725 {
663 reset_dstaddr (); 726 const sockinfo &dsi = forward_si (si);
727
664 if (si.host && auth_rate_limiter.can (si)) 728 if (dsi.valid () && auth_rate_limiter.can (dsi))
665 { 729 {
666 if (retry_cnt < 4) 730 if (retry_cnt < 4)
667 send_auth_request (si, true); 731 send_auth_request (dsi, true);
668 else 732 else
669 send_ping (si, 0); 733 send_ping (dsi, 0);
670 } 734 }
671 } 735 }
672 else
673 vpn->connect_request (conf->id);
674 } 736 }
675} 737}
676 738
677void 739void
678connection::reset_connection () 740connection::reset_connection ()
707 769
708 reset_connection (); 770 reset_connection ();
709} 771}
710 772
711void 773void
712connection::rekey_cb (tstamp &ts) 774connection::rekey_cb (time_watcher &w)
713{ 775{
714 ts = TSTAMP_CANCEL; 776 w.at = TSTAMP_CANCEL;
715 777
716 reset_connection (); 778 reset_connection ();
717 establish_connection (); 779 establish_connection ();
718} 780}
719 781
749 811
750 establish_connection (); 812 establish_connection ();
751 } 813 }
752} 814}
753 815
816void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
817{
818 if (ictx && octx)
819 send_vpn_packet (pkt, si, tos);
820 else
821 establish_connection ();
822}
823
754void 824void
755connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 825connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
756{ 826{
757 last_activity = NOW; 827 last_activity = NOW;
758 828
759 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 829 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
760 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 830 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
761 831
762 switch (pkt->typ ()) 832 switch (pkt->typ ())
763 { 833 {
764 case vpn_packet::PT_PING: 834 case vpn_packet::PT_PING:
765 // we send pings instead of auth packets after some retries, 835 // we send pings instead of auth packets after some retries,
766 // so reset the retry counter and establish a connection 836 // so reset the retry counter and establish a connection
767 // when we receive a ping. 837 // when we receive a ping.
768 if (!ictx) 838 if (!ictx)
839 {
840 if (auth_rate_limiter.can (rsi))
841 send_auth_request (rsi, true);
842 }
843 else
844 send_ping (rsi, 1); // pong
845
846 break;
847
848 case vpn_packet::PT_PONG:
849 break;
850
851 case vpn_packet::PT_RESET:
769 { 852 {
770 if (auth_rate_limiter.can (rsi)) 853 reset_connection ();
771 send_auth_request (rsi, true); 854
855 config_packet *p = (config_packet *) pkt;
856
857 if (!p->chk_config ())
858 {
859 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
860 conf->nodename, (const char *)rsi);
861 connectmode = conf_node::C_DISABLED;
862 }
863 else if (connectmode == conf_node::C_ALWAYS)
864 establish_connection ();
772 } 865 }
773 else
774 send_ping (rsi, 1); // pong
775
776 break; 866 break;
777 867
778 case vpn_packet::PT_PONG:
779 break;
780
781 case vpn_packet::PT_RESET: 868 case vpn_packet::PT_AUTH_REQ:
782 { 869 if (auth_rate_limiter.can (rsi))
783 reset_connection ();
784
785 config_packet *p = (config_packet *) pkt;
786
787 if (!p->chk_config ())
788 { 870 {
789 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"), 871 auth_req_packet *p = (auth_req_packet *) pkt;
872
873 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
874
875 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
876 {
877 if (p->prot_minor != PROTOCOL_MINOR)
878 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
879 conf->nodename, (const char *)rsi,
880 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
881
882 if (p->initiate)
883 send_auth_request (rsi, false);
884
885 rsachallenge k;
886
887 if (0 > RSA_private_decrypt (sizeof (p->encr),
888 (unsigned char *)&p->encr, (unsigned char *)&k,
889 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
890 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
790 conf->nodename, (const char *)rsi); 891 conf->nodename, (const char *)rsi);
791 connectmode = conf_node::C_DISABLED; 892 else
893 {
894 delete octx;
895
896 octx = new crypto_ctx (k, 1);
897 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
898
899 conf->protocols = p->protocols;
900
901 send_auth_response (rsi, p->id, k);
902
903 connection_established ();
904
905 break;
906 }
907 }
908
909 send_reset (rsi);
792 } 910 }
793 else if (connectmode == conf_node::C_ALWAYS) 911
794 establish_connection ();
795 }
796 break; 912 break;
797 913
798 case vpn_packet::PT_AUTH_REQ: 914 case vpn_packet::PT_AUTH_RES:
799 if (auth_rate_limiter.can (rsi))
800 { 915 {
801 auth_req_packet *p = (auth_req_packet *) pkt; 916 auth_res_packet *p = (auth_res_packet *) pkt;
802 917
803 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 918 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
804 919
805 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 920 if (p->chk_config ())
806 { 921 {
807 if (p->prot_minor != PROTOCOL_MINOR) 922 if (p->prot_minor != PROTOCOL_MINOR)
808 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 923 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
809 conf->nodename, (const char *)rsi, 924 conf->nodename, (const char *)rsi,
810 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 925 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
811 926
812 if (p->initiate)
813 send_auth_request (rsi, false);
814
815 rsachallenge k; 927 rsachallenge chg;
816 928
817 if (0 > RSA_private_decrypt (sizeof (p->encr), 929 if (!rsa_cache.find (p->id, chg))
818 (unsigned char *)&p->encr, (unsigned char *)&k, 930 slog (L_ERR, _("%s(%s): unrequested auth response"),
819 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
820 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
821 conf->nodename, (const char *)rsi); 931 conf->nodename, (const char *)rsi);
822 else 932 else
823 { 933 {
824 retry_cnt = 0; 934 crypto_ctx *cctx = new crypto_ctx (chg, 0);
825 establish_connection.set (NOW + 8); //? ;) 935
826 keepalive.reset (); 936 if (!p->hmac_chk (cctx))
937 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
938 "could be an attack, or just corruption or an synchronization error"),
939 conf->nodename, (const char *)rsi);
827 rekey.reset (); 940 else
941 {
942 rsaresponse h;
828 943
944 rsa_hash (p->id, chg, h);
945
946 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
947 {
948 prot_minor = p->prot_minor;
949
950 delete ictx; ictx = cctx;
951
952 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
953
954 si = rsi;
955 protocol = rsi.prot;
956
957 connection_established ();
958
959 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
960 conf->nodename, (const char *)rsi,
961 p->prot_major, p->prot_minor);
962
963 if (::conf.script_node_up)
964 run_script (run_script_cb (this, &connection::script_node_up), false);
965
966 break;
967 }
968 else
969 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
970 conf->nodename, (const char *)rsi);
971 }
972
829 delete ictx; 973 delete cctx;
830 ictx = 0;
831
832 delete octx;
833
834 octx = new crypto_ctx (k, 1);
835 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
836
837 conf->protocols = p->protocols;
838 send_auth_response (rsi, p->id, k);
839
840 break;
841 } 974 }
842 } 975 }
843
844 send_reset (rsi);
845 } 976 }
846 977
978 send_reset (rsi);
847 break; 979 break;
848 980
849 case vpn_packet::PT_AUTH_RES: 981 case vpn_packet::PT_DATA_COMPRESSED:
850 { 982#if !ENABLE_COMPRESSION
851 auth_res_packet *p = (auth_res_packet *) pkt; 983 send_reset (rsi);
984 break;
985#endif
852 986
853 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 987 case vpn_packet::PT_DATA_UNCOMPRESSED:
854 988
855 if (p->chk_config ()) 989 if (ictx && octx)
856 { 990 {
857 if (p->prot_minor != PROTOCOL_MINOR) 991 vpndata_packet *p = (vpndata_packet *)pkt;
858 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
859 conf->nodename, (const char *)rsi,
860 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
861 992
862 rsachallenge chg; 993 if (!p->hmac_chk (ictx))
863 994 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
864 if (!rsa_cache.find (p->id, chg)) 995 "could be an attack, or just corruption or an synchronization error"),
865 slog (L_ERR, _("%s(%s): unrequested auth response"),
866 conf->nodename, (const char *)rsi); 996 conf->nodename, (const char *)rsi);
867 else 997 else
868 { 998 {
869 crypto_ctx *cctx = new crypto_ctx (chg, 0);
870
871 if (!p->hmac_chk (cctx))
872 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
873 "could be an attack, or just corruption or an synchronization error"),
874 conf->nodename, (const char *)rsi);
875 else 999 u32 seqno;
1000 tap_packet *d = p->unpack (this, seqno);
1001
1002 if (iseqno.recv_ok (seqno))
876 { 1003 {
877 rsaresponse h; 1004 vpn->tap->send (d);
878 1005
879 rsa_hash (p->id, chg, h); 1006 if (p->dst () == 0) // re-broadcast
1007 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1008 {
1009 connection *c = *i;
880 1010
881 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h)) 1011 if (c->conf != THISNODE && c->conf != conf)
1012 c->inject_data_packet (d);
1013 }
1014
1015 if (si != rsi)
882 { 1016 {
883 prot_minor = p->prot_minor; 1017 // fast re-sync on conneciton changes, useful especially for tcp/ip
884
885 delete ictx; ictx = cctx;
886
887 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
888
889 si = rsi; 1018 si = rsi;
890 1019
891 rekey.set (NOW + ::conf.rekey); 1020 slog (L_INFO, _("%s(%s): socket address changed to %s"),
892 keepalive.set (NOW + ::conf.keepalive);
893
894 // send queued packets
895 while (tap_packet *p = queue.get ())
896 {
897 send_data_packet (p);
898 delete p;
899 }
900
901 connectmode = conf->connectmode;
902
903 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
904 conf->nodename, (const char *)rsi, 1021 conf->nodename, (const char *)si, (const char *)rsi);
905 strprotocol (protocol),
906 p->prot_major, p->prot_minor);
907
908 if (::conf.script_node_up)
909 run_script (run_script_cb (this, &connection::script_node_up), false);
910
911 break;
912 } 1022 }
1023
913 else 1024 delete d;
914 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1025
915 conf->nodename, (const char *)rsi); 1026 break;
916 } 1027 }
917
918 delete cctx;
919 } 1028 }
920 } 1029 }
921 }
922 1030
923 send_reset (rsi); 1031 send_reset (rsi);
924 break; 1032 break;
925 1033
926 case vpn_packet::PT_DATA_COMPRESSED:
927#if !ENABLE_COMPRESSION
928 send_reset (rsi);
929 break;
930#endif
931
932 case vpn_packet::PT_DATA_UNCOMPRESSED:
933
934 if (ictx && octx)
935 {
936 vpndata_packet *p = (vpndata_packet *)pkt;
937
938 if (rsi == si)
939 {
940 if (!p->hmac_chk (ictx))
941 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
942 "could be an attack, or just corruption or an synchronization error"),
943 conf->nodename, (const char *)rsi);
944 else
945 {
946 u32 seqno;
947 tap_packet *d = p->unpack (this, seqno);
948
949 if (iseqno.recv_ok (seqno))
950 {
951 vpn->tap->send (d);
952
953 if (p->dst () == 0) // re-broadcast
954 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
955 {
956 connection *c = *i;
957
958 if (c->conf != THISNODE && c->conf != conf)
959 c->inject_data_packet (d);
960 }
961
962 delete d;
963
964 break;
965 }
966 }
967 }
968 else
969 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
970 }
971
972 send_reset (rsi);
973 break;
974
975 case vpn_packet::PT_CONNECT_REQ: 1034 case vpn_packet::PT_CONNECT_REQ:
976 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1035 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
977 { 1036 {
978 connect_req_packet *p = (connect_req_packet *) pkt; 1037 connect_req_packet *p = (connect_req_packet *) pkt;
979 1038
980 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1039 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
981 conf->protocols = p->protocols;
982 connection *c = vpn->conns[p->id - 1]; 1040 connection *c = vpn->conns[p->id - 1];
1041 conf->protocols = p->protocols;
983 1042
984 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 1043 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
985 conf->id, p->id, c->ictx && c->octx); 1044 conf->id, p->id, c->ictx && c->octx);
986 1045
987 if (c->ictx && c->octx) 1046 if (c->ictx && c->octx)
988 { 1047 {
989 // send connect_info packets to both sides, in case one is 1048 // send connect_info packets to both sides, in case one is
990 // behind a nat firewall (or both ;) 1049 // behind a nat firewall (or both ;)
991 c->send_connect_info (conf->id, si, conf->protocols); 1050 c->send_connect_info (conf->id, si, conf->protocols);
992 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1051 send_connect_info (c->conf->id, c->si, c->conf->protocols);
993 } 1052 }
1053 else
1054 c->establish_connection ();
994 } 1055 }
995 1056
996 break; 1057 break;
997 1058
998 case vpn_packet::PT_CONNECT_INFO: 1059 case vpn_packet::PT_CONNECT_INFO:
999 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1060 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1000 { 1061 {
1001 connect_info_packet *p = (connect_info_packet *) pkt; 1062 connect_info_packet *p = (connect_info_packet *) pkt;
1002 1063
1003 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1064 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1004 conf->protocols = p->protocols; 1065
1005 connection *c = vpn->conns[p->id - 1]; 1066 connection *c = vpn->conns[p->id - 1];
1006 1067
1068 c->conf->protocols = p->protocols;
1069 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1070 p->si.upgrade_protocol (protocol, c->conf);
1071
1007 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1072 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1008 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1073 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1009 1074
1075 const sockinfo &dsi = forward_si (p->si);
1076
1077 if (dsi.valid ())
1010 c->send_auth_request (p->si, true); 1078 c->send_auth_request (dsi, true);
1011 } 1079 }
1012 1080
1013 break; 1081 break;
1014 1082
1015 default: 1083 default:
1016 send_reset (rsi); 1084 send_reset (rsi);
1017 break; 1085 break;
1018
1019 } 1086 }
1020} 1087}
1021 1088
1022void connection::keepalive_cb (tstamp &ts) 1089void connection::keepalive_cb (time_watcher &w)
1023{ 1090{
1024 if (NOW >= last_activity + ::conf.keepalive + 30) 1091 if (NOW >= last_activity + ::conf.keepalive + 30)
1025 { 1092 {
1026 reset_connection (); 1093 reset_connection ();
1027 establish_connection (); 1094 establish_connection ();
1028 } 1095 }
1029 else if (NOW < last_activity + ::conf.keepalive) 1096 else if (NOW < last_activity + ::conf.keepalive)
1030 ts = last_activity + ::conf.keepalive; 1097 w.at = last_activity + ::conf.keepalive;
1031 else if (conf->connectmode != conf_node::C_ONDEMAND 1098 else if (conf->connectmode != conf_node::C_ONDEMAND
1032 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1099 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1033 { 1100 {
1034 send_ping (si); 1101 send_ping (si);
1035 ts = NOW + 5; 1102 w.at = NOW + 5;
1036 } 1103 }
1037 else 1104 else
1038 reset_connection (); 1105 reset_connection ();
1039} 1106}
1040 1107
1041void connection::connect_request (int id) 1108void connection::send_connect_request (int id)
1042{ 1109{
1043 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1110 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1044 1111
1045 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1112 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1046 p->hmac_set (octx); 1113 p->hmac_set (octx);
1049 delete p; 1116 delete p;
1050} 1117}
1051 1118
1052void connection::script_node () 1119void connection::script_node ()
1053{ 1120{
1054 vpn->script_if_up (0); 1121 vpn->script_if_up ();
1055 1122
1056 char *env; 1123 char *env;
1057 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1124 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1058 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1125 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1059 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1126 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1060 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1127 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1061} 1128}
1062 1129
1063const char *connection::script_node_up (int) 1130const char *connection::script_node_up ()
1064{ 1131{
1065 script_node (); 1132 script_node ();
1066 1133
1067 putenv ("STATE=up"); 1134 putenv ("STATE=up");
1068 1135
1069 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1136 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1070} 1137}
1071 1138
1072const char *connection::script_node_down (int) 1139const char *connection::script_node_down ()
1073{ 1140{
1074 script_node (); 1141 script_node ();
1075 1142
1076 putenv ("STATE=down"); 1143 putenv ("STATE=down");
1077 1144
1078 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1145 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1079}
1080
1081// send a vpn packet out to other hosts
1082void
1083connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1084{
1085 if (protocol & PROT_IPv4)
1086 vpn->send_ipv4_packet (pkt, si, tos);
1087 else
1088 vpn->send_udpv4_packet (pkt, si, tos);
1089} 1146}
1090 1147
1091connection::connection(struct vpn *vpn_) 1148connection::connection(struct vpn *vpn_)
1092: vpn(vpn_) 1149: vpn(vpn_)
1093, rekey (this, &connection::rekey_cb) 1150, rekey (this, &connection::rekey_cb)

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines