[ViewVC] Diff of: cvs/gvpe/src/connection.C

Comparing gvpe/src/connection.C (file contents):
Revision 1.2 by pcg, Wed Apr 2 03:25:17 2003 UTC vs.
Revision 1.9 by pcg, Sun Apr 6 04:31:51 2003 UTC

…		…
85	rsachallenge chg;	85	rsachallenge chg;
86	};	86	};
87		87
88	struct rsa_cache : list<rsa_entry>	88	struct rsa_cache : list<rsa_entry>
89	{	89	{
90	void cleaner_cb (tstamp &ts); time_watcher cleaner;	90	void cleaner_cb (time_watcher &w); time_watcher cleaner;
91		91
92	bool find (const rsaid &id, rsachallenge &chg)	92	bool find (const rsaid &id, rsachallenge &chg)
93	{	93	{
94	for (iterator i = begin (); i != end (); ++i)	94	for (iterator i = begin (); i != end (); ++i)
95	{	95	{
…		…
129	: cleaner (this, &rsa_cache::cleaner_cb)	129	: cleaner (this, &rsa_cache::cleaner_cb)
130	{ }	130	{ }
131		131
132	} rsa_cache;	132	} rsa_cache;
133		133
134	void rsa_cache::cleaner_cb (tstamp &ts)	134	void rsa_cache::cleaner_cb (time_watcher &w)
135	{	135	{
136	if (empty ())	136	if (empty ())
137	ts = TSTAMP_CANCEL;	137	w.at = TSTAMP_CANCEL;
138	else	138	else
139	{	139	{
140	ts = NOW + RSA_TTL;	140	w.at = NOW + RSA_TTL;
141		141
142	for (iterator i = begin (); i != end (); )	142	for (iterator i = begin (); i != end (); )
143	if (i->expire <= NOW)	143	if (i->expire <= NOW)
144	i = erase (i);	144	i = erase (i);
145	else	145	else
…		…
197	// only do action once every x seconds per host whole allowing bursts.	197	// only do action once every x seconds per host whole allowing bursts.
198	// this implementation ("splay list" ;) is inefficient,	198	// this implementation ("splay list" ;) is inefficient,
199	// but low on resources.	199	// but low on resources.
200	struct net_rate_limiter : list<net_rateinfo>	200	struct net_rate_limiter : list<net_rateinfo>
201	{	201	{
202	static const double ALPHA = 1. - 1. / 90.; // allow bursts	202	static const double ALPHA = 1. - 1. / 180.; // allow bursts
203	static const double CUTOFF = 20.; // one event every CUTOFF seconds	203	static const double CUTOFF = 10.; // one event every CUTOFF seconds
204	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time	204	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
205		205
206	bool can (const sockinfo &si) { return can((u32)si.host); }	206	bool can (const sockinfo &si) { return can((u32)si.host); }
207	bool can (u32 host);	207	bool can (u32 host);
208	};	208	};
209		209
…		…
285	hmac_gen (ctx);	285	hmac_gen (ctx);
286		286
287	return !memcmp (hmac, hmac_digest, HMACLENGTH);	287	return !memcmp (hmac, hmac_digest, HMACLENGTH);
288	}	288	}
289		289
290	void vpn_packet::set_hdr (ptype type, unsigned int dst)	290	void vpn_packet::set_hdr (ptype type_, unsigned int dst)
291	{	291	{
292	this->type = type;	292	type = type_;
293		293
294	int src = THISNODE->id;	294	int src = THISNODE->id;
295		295
296	src1 = src;	296	src1 = src;
297	srcdst = ((src >> 8) << 4) \| (dst >> 8);	297	srcdst = ((src >> 8) << 4) \| (dst >> 8);
…		…
546	};	546	};
547		547
548	/////////////////////////////////////////////////////////////////////////////	548	/////////////////////////////////////////////////////////////////////////////
549		549
550	void	550	void
551	connection::reset_dstaddr ()	551	connection::reset_si ()
552	{	552	{
553	si.set (conf);
554	}
555
556	void
557	connection::send_ping (const sockinfo &si, u8 pong)
558	{
559	ping_packet *pkt = new ping_packet;
560
561	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
562	send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
563
564	delete pkt;
565	}
566
567	void
568	connection::send_reset (const sockinfo &si)
569	{
570	if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
571	{
572	config_packet *pkt = new config_packet;
573
574	pkt->setup (vpn_packet::PT_RESET, conf->id);
575	send_vpn_packet (pkt, si, IPTOS_MINCOST);
576
577	delete pkt;
578	}
579	}
580
581	void
582	connection::send_auth_request (const sockinfo &si, bool initiate)
583	{
584	auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
585
586	protocol = best_protocol (THISNODE->protocols & conf->protocols);	553	protocol = best_protocol (THISNODE->protocols & conf->protocols);
587		554
588	// mask out protocols we cannot establish	555	// mask out protocols we cannot establish
589	if (!conf->udp_port) protocol &= ~PROT_UDPv4;	556	if (!conf->udp_port) protocol &= ~PROT_UDPv4;
590	if (!conf->tcp_port) protocol &= ~PROT_TCPv4;	557	if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
591		558
592	if (protocol)	559	si.set (conf, protocol);
		560	}
		561
		562	// ensure sockinfo is valid, forward if necessary
		563	const sockinfo &
		564	connection::forward_si (const sockinfo &si) const
		565	{
		566	if (!si.valid ())
		567	{
		568	connection *r = vpn->find_router ();
		569
		570	if (r)
		571	{
		572	slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
		573	conf->nodename, r->conf->nodename);
		574	return r->si;
		575	}
		576	else
		577	slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
		578	conf->nodename);
593	{	579	}
594	rsachallenge chg;
595		580
596	rsa_cache.gen (pkt->id, chg);	581	return si;
		582	}
597		583
598	if (0 > RSA_public_encrypt (sizeof chg,	584	void
599	(unsigned char )&chg, (unsigned char )&pkt->encr,	585	connection::send_ping (const sockinfo &si, u8 pong)
600	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))	586	{
601	fatal ("RSA_public_encrypt error");	587	ping_packet *pkt = new ping_packet;
602		588
603	slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);	589	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
		590	vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
604		591
605	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly	592	delete pkt;
		593	}
		594
		595	void
		596	connection::send_reset (const sockinfo &si)
		597	{
		598	if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
		599	{
		600	config_packet *pkt = new config_packet;
		601
		602	pkt->setup (vpn_packet::PT_RESET, conf->id);
		603	vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST);
606		604
607	delete pkt;	605	delete pkt;
608	}	606	}
609	else	607	}
610	; // silently fail	608
		609	void
		610	connection::send_auth_request (const sockinfo &si, bool initiate)
		611	{
		612	auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
		613
		614	rsachallenge chg;
		615
		616	rsa_cache.gen (pkt->id, chg);
		617
		618	if (0 > RSA_public_encrypt (sizeof chg,
		619	(unsigned char )&chg, (unsigned char )&pkt->encr,
		620	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
		621	fatal ("RSA_public_encrypt error");
		622
		623	slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
		624
		625	vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY \| IPTOS_LOWDELAY); // rsa is very very costly
		626
		627	delete pkt;
611	}	628	}
612		629
613	void	630	void
614	connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)	631	connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
615	{	632	{
…		…
621		638
622	pkt->hmac_set (octx);	639	pkt->hmac_set (octx);
623		640
624	slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);	641	slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
625		642
626	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly	643	vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
627		644
628	delete pkt;	645	delete pkt;
629	}	646	}
630		647
631	void	648	void
…		…
635	conf->id, rid, (const char *)rsi);	652	conf->id, rid, (const char *)rsi);
636		653
637	connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);	654	connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
638		655
639	r->hmac_set (octx);	656	r->hmac_set (octx);
640	send_vpn_packet (r, si);	657	vpn->send_vpn_packet (r, si);
641		658
642	delete r;	659	delete r;
643	}	660	}
644		661
645	void	662	void
646	connection::establish_connection_cb (tstamp &ts)	663	connection::establish_connection_cb (time_watcher &w)
647	{	664	{
648	if (ictx \|\| conf == THISNODE	665	if (ictx \|\| conf == THISNODE
649	\|\| connectmode == conf_node::C_NEVER	666	\|\| connectmode == conf_node::C_NEVER
650	\|\| connectmode == conf_node::C_DISABLED)	667	\|\| connectmode == conf_node::C_DISABLED)
651	ts = TSTAMP_CANCEL;	668	w.at = TSTAMP_CANCEL;
652	else if (ts <= NOW)	669	else if (w.at <= NOW)
653	{	670	{
654	double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;	671	double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
655		672
656	if (retry_int < 3600 * 8)	673	if (retry_int < 3600 * 8)
657	retry_cnt++;	674	retry_cnt++;
658		675
659	ts = NOW + retry_int;	676	w.at = NOW + retry_int;
660		677
661	if (conf->hostname)	678	reset_si ();
		679
		680	if (si.prot && !si.host)
		681	vpn->connect_request (conf->id);
		682	else
662	{	683	{
663	reset_dstaddr ();	684	const sockinfo &dsi = forward_si (si);
		685
664	if (si.host && auth_rate_limiter.can (si))	686	if (dsi.valid () && auth_rate_limiter.can (dsi))
665	{	687	{
666	if (retry_cnt < 4)	688	if (retry_cnt < 4)
667	send_auth_request (si, true);	689	send_auth_request (dsi, true);
668	else	690	else
669	send_ping (si, 0);	691	send_ping (dsi, 0);
670	}	692	}
671	}	693	}
672	else
673	vpn->connect_request (conf->id);
674	}	694	}
675	}	695	}
676		696
677	void	697	void
678	connection::reset_connection ()	698	connection::reset_connection ()
…		…
707		727
708	reset_connection ();	728	reset_connection ();
709	}	729	}
710		730
711	void	731	void
712	connection::rekey_cb (tstamp &ts)	732	connection::rekey_cb (time_watcher &w)
713	{	733	{
714	ts = TSTAMP_CANCEL;	734	w.at = TSTAMP_CANCEL;
715		735
716	reset_connection ();	736	reset_connection ();
717	establish_connection ();	737	establish_connection ();
718	}	738	}
719		739
…		…
727	&& (pkt)[12] == 0x08 && (pkt)[13] == 0x00 // IP	747	&& (pkt)[12] == 0x08 && (pkt)[13] == 0x00 // IP
728	&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4	748	&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4
729	tos = (*pkt)[15] & IPTOS_TOS_MASK;	749	tos = (*pkt)[15] & IPTOS_TOS_MASK;
730		750
731	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs	751	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
732	send_vpn_packet (p, si, tos);	752	vpn->send_vpn_packet (p, si, tos);
733		753
734	delete p;	754	delete p;
735		755
736	if (oseqno > MAX_SEQNO)	756	if (oseqno > MAX_SEQNO)
737	rekey ();	757	rekey ();
…		…
749		769
750	establish_connection ();	770	establish_connection ();
751	}	771	}
752	}	772	}
753		773
		774	void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
		775	{
		776	if (ictx && octx)
		777	vpn->send_vpn_packet (pkt, si, tos);
		778	else
		779	establish_connection ();
		780	}
		781
754	void	782	void
755	connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)	783	connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
756	{	784	{
757	last_activity = NOW;	785	last_activity = NOW;
758		786
759	slog (L_NOISE, "<<%d received packet type %d from %d to %d",	787	slog (L_NOISE, "<<%d received packet type %d from %d to %d",
760	conf->id, pkt->typ (), pkt->src (), pkt->dst ());	788	conf->id, pkt->typ (), pkt->src (), pkt->dst ());
761		789
762	switch (pkt->typ ())	790	switch (pkt->typ ())
763	{	791	{
764	case vpn_packet::PT_PING:	792	case vpn_packet::PT_PING:
765	// we send pings instead of auth packets after some retries,	793	// we send pings instead of auth packets after some retries,
766	// so reset the retry counter and establish a connection	794	// so reset the retry counter and establish a connection
767	// when we receive a ping.	795	// when we receive a ping.
768	if (!ictx)	796	if (!ictx)
		797	{
		798	if (auth_rate_limiter.can (rsi))
		799	send_auth_request (rsi, true);
		800	}
		801	else
		802	send_ping (rsi, 1); // pong
		803
		804	break;
		805
		806	case vpn_packet::PT_PONG:
		807	break;
		808
		809	case vpn_packet::PT_RESET:
769	{	810	{
770	if (auth_rate_limiter.can (rsi))	811	reset_connection ();
771	send_auth_request (rsi, true);	812
		813	config_packet p = (config_packet ) pkt;
		814
		815	if (!p->chk_config ())
		816	{
		817	slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
		818	conf->nodename, (const char *)rsi);
		819	connectmode = conf_node::C_DISABLED;
		820	}
		821	else if (connectmode == conf_node::C_ALWAYS)
		822	establish_connection ();
772	}	823	}
773	else
774	send_ping (rsi, 1); // pong
775
776	break;	824	break;
777		825
778	case vpn_packet::PT_PONG:
779	break;
780
781	case vpn_packet::PT_RESET:	826	case vpn_packet::PT_AUTH_REQ:
782	{	827	if (auth_rate_limiter.can (rsi))
783	reset_connection ();
784
785	config_packet p = (config_packet ) pkt;
786
787	if (!p->chk_config ())
788	{	828	{
789	slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),	829	auth_req_packet p = (auth_req_packet ) pkt;
		830
		831	slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
		832
		833	if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
		834	{
		835	if (p->prot_minor != PROTOCOL_MINOR)
		836	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
		837	conf->nodename, (const char *)rsi,
		838	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
		839
		840	if (p->initiate)
		841	send_auth_request (rsi, false);
		842
		843	rsachallenge k;
		844
		845	if (0 > RSA_private_decrypt (sizeof (p->encr),
		846	(unsigned char )&p->encr, (unsigned char )&k,
		847	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
		848	slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
790	conf->nodename, (const char *)rsi);	849	conf->nodename, (const char *)rsi);
791	connectmode = conf_node::C_DISABLED;	850	else
		851	{
		852	retry_cnt = 0;
		853	establish_connection.start (NOW + 8); //? ;)
		854	keepalive.reset ();
		855	rekey.reset ();
		856
		857	delete ictx;
		858	ictx = 0;
		859
		860	delete octx;
		861
		862	octx = new crypto_ctx (k, 1);
		863	oseqno = ntohl ((u32 )&k[CHG_SEQNO]) & 0x7fffffff;
		864
		865	conf->protocols = p->protocols;
		866	send_auth_response (rsi, p->id, k);
		867
		868	break;
		869	}
		870	}
		871
		872	send_reset (rsi);
792	}	873	}
793	else if (connectmode == conf_node::C_ALWAYS)	874
794	establish_connection ();
795	}
796	break;	875	break;
797		876
798	case vpn_packet::PT_AUTH_REQ:	877	case vpn_packet::PT_AUTH_RES:
799	if (auth_rate_limiter.can (rsi))
800	{	878	{
801	auth_req_packet p = (auth_req_packet ) pkt;	879	auth_res_packet p = (auth_res_packet ) pkt;
802		880
803	slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);	881	slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
804		882
805	if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))	883	if (p->chk_config ())
806	{	884	{
807	if (p->prot_minor != PROTOCOL_MINOR)	885	if (p->prot_minor != PROTOCOL_MINOR)
808	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),	886	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
809	conf->nodename, (const char *)rsi,	887	conf->nodename, (const char *)rsi,
810	PROTOCOL_MINOR, conf->nodename, p->prot_minor);	888	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
811		889
812	if (p->initiate)
813	send_auth_request (rsi, false);
814
815	rsachallenge k;	890	rsachallenge chg;
816		891
817	if (0 > RSA_private_decrypt (sizeof (p->encr),	892	if (!rsa_cache.find (p->id, chg))
818	(unsigned char )&p->encr, (unsigned char )&k,	893	slog (L_ERR, _("%s(%s): unrequested auth response"),
819	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
820	slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
821	conf->nodename, (const char *)rsi);	894	conf->nodename, (const char *)rsi);
822	else	895	else
823	{	896	{
824	retry_cnt = 0;	897	crypto_ctx *cctx = new crypto_ctx (chg, 0);
825	establish_connection.set (NOW + 8); //? ;)	898
826	keepalive.reset ();	899	if (!p->hmac_chk (cctx))
		900	slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
		901	"could be an attack, or just corruption or an synchronization error"),
		902	conf->nodename, (const char *)rsi);
827	rekey.reset ();	903	else
		904	{
		905	rsaresponse h;
828		906
		907	rsa_hash (p->id, chg, h);
		908
		909	if (!memcmp ((u8 )&h, (u8 )p->response, sizeof h))
		910	{
		911	prot_minor = p->prot_minor;
		912
		913	delete ictx; ictx = cctx;
		914
		915	iseqno.reset (ntohl ((u32 )&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
		916
		917	si = rsi;
		918	protocol = rsi.prot;
		919
		920	rekey.start (NOW + ::conf.rekey);
		921	keepalive.start (NOW + ::conf.keepalive);
		922
		923	// send queued packets
		924	while (tap_packet *p = queue.get ())
		925	{
		926	send_data_packet (p);
		927	delete p;
		928	}
		929
		930	connectmode = conf->connectmode;
		931
		932	slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
		933	conf->nodename, (const char *)rsi,
		934	p->prot_major, p->prot_minor);
		935
		936	if (::conf.script_node_up)
		937	run_script (run_script_cb (this, &connection::script_node_up), false);
		938
		939	break;
		940	}
		941	else
		942	slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
		943	conf->nodename, (const char *)rsi);
		944	}
		945
829	delete ictx;	946	delete cctx;
830	ictx = 0;
831
832	delete octx;
833
834	octx = new crypto_ctx (k, 1);
835	oseqno = ntohl ((u32 )&k[CHG_SEQNO]) & 0x7fffffff;
836
837	conf->protocols = p->protocols;
838	send_auth_response (rsi, p->id, k);
839
840	break;
841	}	947	}
842	}	948	}
843
844	send_reset (rsi);
845	}	949	}
846		950
		951	send_reset (rsi);
847	break;	952	break;
848		953
849	case vpn_packet::PT_AUTH_RES:	954	case vpn_packet::PT_DATA_COMPRESSED:
850	{	955	#if !ENABLE_COMPRESSION
851	auth_res_packet p = (auth_res_packet ) pkt;	956	send_reset (rsi);
		957	break;
		958	#endif
852		959
853	slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);	960	case vpn_packet::PT_DATA_UNCOMPRESSED:
854		961
855	if (p->chk_config ())	962	if (ictx && octx)
856	{	963	{
857	if (p->prot_minor != PROTOCOL_MINOR)	964	vpndata_packet p = (vpndata_packet )pkt;
858	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
859	conf->nodename, (const char *)rsi,
860	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
861		965
862	rsachallenge chg;	966	if (rsi == si)
863
864	if (!rsa_cache.find (p->id, chg))
865	slog (L_ERR, _("%s(%s): unrequested auth response"),
866	conf->nodename, (const char *)rsi);
867	else
868	{	967	{
869	crypto_ctx *cctx = new crypto_ctx (chg, 0);
870
871	if (!p->hmac_chk (cctx))	968	if (!p->hmac_chk (ictx))
872	slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"	969	slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
873	"could be an attack, or just corruption or an synchronization error"),	970	"could be an attack, or just corruption or an synchronization error"),
874	conf->nodename, (const char *)rsi);	971	conf->nodename, (const char *)rsi);
875	else	972	else
876	{	973	{
877	rsaresponse h;	974	u32 seqno;
		975	tap_packet *d = p->unpack (this, seqno);
878		976
879	rsa_hash (p->id, chg, h);	977	if (iseqno.recv_ok (seqno))
880
881	if (!memcmp ((u8 )&h, (u8 )p->response, sizeof h))
882	{	978	{
883	prot_minor = p->prot_minor;	979	vpn->tap->send (d);
884		980
885	delete ictx; ictx = cctx;	981	if (p->dst () == 0) // re-broadcast
886		982	for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
887	iseqno.reset (ntohl ((u32 )&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
888
889	si = rsi;
890
891	rekey.set (NOW + ::conf.rekey);
892	keepalive.set (NOW + ::conf.keepalive);
893
894	// send queued packets
895	while (tap_packet *p = queue.get ())
896	{	983	{
		984	connection c = i;
		985
		986	if (c->conf != THISNODE && c->conf != conf)
897	send_data_packet (p);	987	c->inject_data_packet (d);
898	delete p;
899	}	988	}
900		989
901	connectmode = conf->connectmode;	990	delete d;
902
903	slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
904	conf->nodename, (const char *)rsi,
905	strprotocol (protocol),
906	p->prot_major, p->prot_minor);
907
908	if (::conf.script_node_up)
909	run_script (run_script_cb (this, &connection::script_node_up), false);
910		991
911	break;	992	break;
912	}	993	}
913	else
914	slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
915	conf->nodename, (const char *)rsi);
916	}	994	}
		995	}
		996	else
		997	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
		998	}
917		999
918	delete cctx;	1000	send_reset (rsi);
		1001	break;
		1002
		1003	case vpn_packet::PT_CONNECT_REQ:
		1004	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
		1005	{
		1006	connect_req_packet p = (connect_req_packet ) pkt;
		1007
		1008	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
		1009	connection *c = vpn->conns[p->id - 1];
		1010	conf->protocols = p->protocols;
		1011
		1012	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
		1013	conf->id, p->id, c->ictx && c->octx);
		1014
		1015	if (c->ictx && c->octx)
		1016	{
		1017	// send connect_info packets to both sides, in case one is
		1018	// behind a nat firewall (or both ;)
		1019	c->send_connect_info (conf->id, si, conf->protocols);
		1020	send_connect_info (c->conf->id, c->si, c->conf->protocols);
919	}	1021	}
920	}	1022	}
921	}
922		1023
923	send_reset (rsi);
924	break;	1024	break;
925		1025
926	case vpn_packet::PT_DATA_COMPRESSED:
927	#if !ENABLE_COMPRESSION
928	send_reset (rsi);
929	break;
930	#endif
931
932	case vpn_packet::PT_DATA_UNCOMPRESSED:
933
934	if (ictx && octx)
935	{
936	vpndata_packet p = (vpndata_packet )pkt;
937
938	if (rsi == si)
939	{
940	if (!p->hmac_chk (ictx))
941	slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
942	"could be an attack, or just corruption or an synchronization error"),
943	conf->nodename, (const char *)rsi);
944	else
945	{
946	u32 seqno;
947	tap_packet *d = p->unpack (this, seqno);
948
949	if (iseqno.recv_ok (seqno))
950	{
951	vpn->tap->send (d);
952
953	if (p->dst () == 0) // re-broadcast
954	for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
955	{
956	connection c = i;
957
958	if (c->conf != THISNODE && c->conf != conf)
959	c->inject_data_packet (d);
960	}
961
962	delete d;
963
964	break;
965	}
966	}
967	}
968	else
969	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
970	}
971
972	send_reset (rsi);
973	break;
974
975	case vpn_packet::PT_CONNECT_REQ:	1026	case vpn_packet::PT_CONNECT_INFO:
976	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))	1027	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
977	{	1028	{
978	connect_req_packet p = (connect_req_packet ) pkt;	1029	connect_info_packet p = (connect_info_packet ) pkt;
979		1030
980	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything	1031	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
981	conf->protocols = p->protocols;	1032
982	connection *c = vpn->conns[p->id - 1];	1033	connection *c = vpn->conns[p->id - 1];
983		1034
984	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
985	conf->id, p->id, c->ictx && c->octx);
986
987	if (c->ictx && c->octx)
988	{
989	// send connect_info packets to both sides, in case one is
990	// behind a nat firewall (or both ;)
991	c->send_connect_info (conf->id, si, conf->protocols);
992	send_connect_info (c->conf->id, c->si, c->conf->protocols);
993	}
994	}
995
996	break;
997
998	case vpn_packet::PT_CONNECT_INFO:
999	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1000	{
1001	connect_info_packet p = (connect_info_packet ) pkt;
1002
1003	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1004	conf->protocols = p->protocols;	1035	c->conf->protocols = p->protocols;
1005	connection *c = vpn->conns[p->id - 1];	1036	protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
		1037	p->si.upgrade_protocol (protocol, c->conf);
1006		1038
1007	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",	1039	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1008	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);	1040	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1009		1041
		1042	const sockinfo &dsi = forward_si (p->si);
		1043
		1044	if (dsi.valid ())
1010	c->send_auth_request (p->si, true);	1045	c->send_auth_request (dsi, true);
1011	}	1046	}
1012		1047
1013	break;	1048	break;
1014		1049
1015	default:	1050	default:
1016	send_reset (rsi);	1051	send_reset (rsi);
1017	break;	1052	break;
1018
1019	}	1053	}
1020	}	1054	}
1021		1055
1022	void connection::keepalive_cb (tstamp &ts)	1056	void connection::keepalive_cb (time_watcher &w)
1023	{	1057	{
1024	if (NOW >= last_activity + ::conf.keepalive + 30)	1058	if (NOW >= last_activity + ::conf.keepalive + 30)
1025	{	1059	{
1026	reset_connection ();	1060	reset_connection ();
1027	establish_connection ();	1061	establish_connection ();
1028	}	1062	}
1029	else if (NOW < last_activity + ::conf.keepalive)	1063	else if (NOW < last_activity + ::conf.keepalive)
1030	ts = last_activity + ::conf.keepalive;	1064	w.at = last_activity + ::conf.keepalive;
1031	else if (conf->connectmode != conf_node::C_ONDEMAND	1065	else if (conf->connectmode != conf_node::C_ONDEMAND
1032	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)	1066	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)
1033	{	1067	{
1034	send_ping (si);	1068	send_ping (si);
1035	ts = NOW + 5;	1069	w.at = NOW + 5;
1036	}	1070	}
1037	else	1071	else
1038	reset_connection ();	1072	reset_connection ();
1039	}	1073	}
1040		1074
…		…
1042	{	1076	{
1043	connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);	1077	connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1044		1078
1045	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);	1079	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1046	p->hmac_set (octx);	1080	p->hmac_set (octx);
1047	send_vpn_packet (p, si);	1081	vpn->send_vpn_packet (p, si);
1048		1082
1049	delete p;	1083	delete p;
1050	}	1084	}
1051		1085
1052	void connection::script_node ()	1086	void connection::script_node ()
1053	{	1087	{
1054	vpn->script_if_up (0);	1088	vpn->script_if_up ();
1055		1089
1056	char *env;	1090	char *env;
1057	asprintf (&env, "DESTID=%d", conf->id); putenv (env);	1091	asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1058	asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);	1092	asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1059	asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);	1093	asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1060	asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);	1094	asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1061	}	1095	}
1062		1096
1063	const char *connection::script_node_up (int)	1097	const char *connection::script_node_up ()
1064	{	1098	{
1065	script_node ();	1099	script_node ();
1066		1100
1067	putenv ("STATE=up");	1101	putenv ("STATE=up");
1068		1102
1069	return ::conf.script_node_up ? ::conf.script_node_up : "node-up";	1103	return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1070	}	1104	}
1071		1105
1072	const char *connection::script_node_down (int)	1106	const char *connection::script_node_down ()
1073	{	1107	{
1074	script_node ();	1108	script_node ();
1075		1109
1076	putenv ("STATE=down");	1110	putenv ("STATE=down");
1077		1111
1078	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";	1112	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1079	}
1080
1081	// send a vpn packet out to other hosts
1082	void
1083	connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1084	{
1085	if (protocol & PROT_IPv4)
1086	vpn->send_ipv4_packet (pkt, si, tos);
1087	else
1088	vpn->send_udpv4_packet (pkt, si, tos);
1089	}	1113	}
1090		1114
1091	connection::connection(struct vpn *vpn_)	1115	connection::connection(struct vpn *vpn_)
1092	: vpn(vpn_)	1116	: vpn(vpn_)
1093	, rekey (this, &connection::rekey_cb)	1117	, rekey (this, &connection::rekey_cb)

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/src/connection.C (file contents): Revision 1.2 by pcg, Wed Apr 2 03:25:17 2003 UTC vs. Revision 1.9 by pcg, Sun Apr 6 04:31:51 2003 UTC

Diff Legend

Comparing gvpe/src/connection.C (file contents):
Revision 1.2 by pcg, Wed Apr 2 03:25:17 2003 UTC vs.
Revision 1.9 by pcg, Sun Apr 6 04:31:51 2003 UTC