ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.14 by pcg, Fri Aug 8 09:29:22 2003 UTC vs.
Revision 1.18 by pcg, Sat Oct 4 13:20:07 2003 UTC

197// only do action once every x seconds per host whole allowing bursts. 197// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 198// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 199// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 200struct net_rate_limiter : list<net_rateinfo>
201{ 201{
202 static const double ALPHA = 1. - 1. / 180.; // allow bursts 202 static const double ALPHA = 1. - 1. / 600.; // allow bursts
203 static const double CUTOFF = 10.; // one event every CUTOFF seconds 203 static const double CUTOFF = 10.; // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
205 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value 205 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
206 206
207 bool can (const sockinfo &si) { return can((u32)si.host); } 207 bool can (const sockinfo &si) { return can((u32)si.host); }
208 bool can (u32 host); 208 bool can (u32 host);
209}; 209};
210 210
211net_rate_limiter auth_rate_limiter, reset_rate_limiter; 211net_rate_limiter auth_rate_limiter, reset_rate_limiter;
212 212
475 set_hdr (type, dst); 475 set_hdr (type, dst);
476} 476}
477 477
478bool config_packet::chk_config () const 478bool config_packet::chk_config () const
479{ 479{
480 return prot_major == PROTOCOL_MAJOR 480 if (prot_major != PROTOCOL_MAJOR)
481 && randsize == RAND_SIZE 481 slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR);
482 && hmaclen == HMACLENGTH 482 else if (randsize != RAND_SIZE)
483 && flags == curflags () 483 slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE);
484 else if (hmaclen != HMACLENGTH)
485 slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH);
486 else if (flags != curflags ())
487 slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
484 && challengelen == sizeof (rsachallenge) 488 else if (challengelen != sizeof (rsachallenge))
489 slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge));
485 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 490 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
491 slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
486 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 492 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
493 slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
487 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 494 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
495 slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
496 else
497 return true;
498
499 return false;
488} 500}
489 501
490struct auth_req_packet : config_packet 502struct auth_req_packet : config_packet
491{ 503{
492 char magic[8]; 504 char magic[8];
898 rsachallenge k; 910 rsachallenge k;
899 911
900 if (0 > RSA_private_decrypt (sizeof (p->encr), 912 if (0 > RSA_private_decrypt (sizeof (p->encr),
901 (unsigned char *)&p->encr, (unsigned char *)&k, 913 (unsigned char *)&p->encr, (unsigned char *)&k,
902 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 914 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
903 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 915 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
904 conf->nodename, (const char *)rsi); 916 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
905 else 917 else
906 { 918 {
907 delete octx; 919 delete octx;
908 920
909 octx = new crypto_ctx (k, 1); 921 octx = new crypto_ctx (k, 1);
916 connection_established (); 928 connection_established ();
917 929
918 break; 930 break;
919 } 931 }
920 } 932 }
933 else
934 slog (L_WARN, _("%s(%s): protocol mismatch"),
935 conf->nodename, (const char *)rsi);
921 936
922 send_reset (rsi); 937 send_reset (rsi);
923 } 938 }
924 939
925 break; 940 break;
939 954
940 rsachallenge chg; 955 rsachallenge chg;
941 956
942 if (!rsa_cache.find (p->id, chg)) 957 if (!rsa_cache.find (p->id, chg))
943 { 958 {
944 slog (L_ERR, _("%s(%s): unrequested auth response"), 959 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
945 conf->nodename, (const char *)rsi); 960 conf->nodename, (const char *)rsi);
946 break; 961 break;
947 } 962 }
948 else 963 else
949 { 964 {
950 crypto_ctx *cctx = new crypto_ctx (chg, 0); 965 crypto_ctx *cctx = new crypto_ctx (chg, 0);
951 966
952 if (!p->hmac_chk (cctx)) 967 if (!p->hmac_chk (cctx))
968 {
953 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 969 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
954 "could be an attack, or just corruption or an synchronization error"), 970 "could be an attack, or just corruption or an synchronization error"),
955 conf->nodename, (const char *)rsi); 971 conf->nodename, (const char *)rsi);
972 break;
973 }
956 else 974 else
957 { 975 {
958 rsaresponse h; 976 rsaresponse h;
959 977
960 rsa_hash (p->id, chg, h); 978 rsa_hash (p->id, chg, h);

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines