ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.9 by pcg, Sun Apr 6 04:31:51 2003 UTC vs.
Revision 1.29 by pcg, Thu Jan 29 18:55:10 2004 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2004 Marc Lehmann <pcg@goof.com>
3 4
4 This program is free software; you can redistribute it and/or modify 5 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by 6 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or 7 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version. 8 (at your option) any later version.
20 21
21extern "C" { 22extern "C" {
22# include "lzf/lzf.h" 23# include "lzf/lzf.h"
23} 24}
24 25
26#include <cassert>
27
25#include <list> 28#include <list>
26 29
27#include <openssl/rand.h> 30#include <openssl/rand.h>
28#include <openssl/evp.h> 31#include <openssl/evp.h>
29#include <openssl/rsa.h> 32#include <openssl/rsa.h>
35#include "slog.h" 38#include "slog.h"
36#include "device.h" 39#include "device.h"
37#include "vpn.h" 40#include "vpn.h"
38#include "connection.h" 41#include "connection.h"
39 42
43#include "netcompat.h"
44
40#if !HAVE_RAND_PSEUDO_BYTES 45#if !HAVE_RAND_PSEUDO_BYTES
41# define RAND_pseudo_bytes RAND_bytes 46# define RAND_pseudo_bytes RAND_bytes
42#endif 47#endif
43 48
44#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 49#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
53}; 58};
54 59
55crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc) 60crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
56{ 61{
57 EVP_CIPHER_CTX_init (&cctx); 62 EVP_CIPHER_CTX_init (&cctx);
58 EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); 63 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc));
59 HMAC_CTX_init (&hctx); 64 HMAC_CTX_init (&hctx);
60 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0); 65 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
61} 66}
62 67
63crypto_ctx::~crypto_ctx () 68crypto_ctx::~crypto_ctx ()
64{ 69{
65 EVP_CIPHER_CTX_cleanup (&cctx); 70 require (EVP_CIPHER_CTX_cleanup (&cctx));
66 HMAC_CTX_cleanup (&hctx); 71 HMAC_CTX_cleanup (&hctx);
67} 72}
68 73
69static void 74static void
70rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h) 75rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
71{ 76{
72 EVP_MD_CTX ctx; 77 EVP_MD_CTX ctx;
73 78
74 EVP_MD_CTX_init (&ctx); 79 EVP_MD_CTX_init (&ctx);
75 EVP_DigestInit (&ctx, RSA_HASH); 80 require (EVP_DigestInit (&ctx, RSA_HASH));
76 EVP_DigestUpdate(&ctx, &chg, sizeof chg); 81 require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
77 EVP_DigestUpdate(&ctx, &id, sizeof id); 82 require (EVP_DigestUpdate(&ctx, &id, sizeof id));
78 EVP_DigestFinal (&ctx, (unsigned char *)&h, 0); 83 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
79 EVP_MD_CTX_cleanup (&ctx); 84 EVP_MD_CTX_cleanup (&ctx);
80} 85}
81 86
82struct rsa_entry { 87struct rsa_entry {
83 tstamp expire; 88 tstamp expire;
131 136
132} rsa_cache; 137} rsa_cache;
133 138
134void rsa_cache::cleaner_cb (time_watcher &w) 139void rsa_cache::cleaner_cb (time_watcher &w)
135{ 140{
136 if (empty ()) 141 if (!empty ())
137 w.at = TSTAMP_CANCEL;
138 else
139 { 142 {
140 w.at = NOW + RSA_TTL; 143 w.start (NOW + RSA_TTL);
141 144
142 for (iterator i = begin (); i != end (); ) 145 for (iterator i = begin (); i != end (); )
143 if (i->expire <= NOW) 146 if (i->expire <= NOW)
144 i = erase (i); 147 i = erase (i);
145 else 148 else
147 } 150 }
148} 151}
149 152
150////////////////////////////////////////////////////////////////////////////// 153//////////////////////////////////////////////////////////////////////////////
151 154
152void pkt_queue::put (tap_packet *p) 155void pkt_queue::put (net_packet *p)
153{ 156{
154 if (queue[i]) 157 if (queue[i])
155 { 158 {
156 delete queue[i]; 159 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH; 160 j = (j + 1) % QUEUEDEPTH;
160 queue[i] = p; 163 queue[i] = p;
161 164
162 i = (i + 1) % QUEUEDEPTH; 165 i = (i + 1) % QUEUEDEPTH;
163} 166}
164 167
165tap_packet *pkt_queue::get () 168net_packet *pkt_queue::get ()
166{ 169{
167 tap_packet *p = queue[j]; 170 net_packet *p = queue[j];
168 171
169 if (p) 172 if (p)
170 { 173 {
171 queue[j] = 0; 174 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH; 175 j = (j + 1) % QUEUEDEPTH;
197// only do action once every x seconds per host whole allowing bursts. 200// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 201// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 202// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 203struct net_rate_limiter : list<net_rateinfo>
201{ 204{
202 static const double ALPHA = 1. - 1. / 180.; // allow bursts 205 static const double ALPHA = 1. - 1. / 600.; // allow bursts
203 static const double CUTOFF = 10.; // one event every CUTOFF seconds 206 static const double CUTOFF = 10.; // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 207 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
208 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205 209
206 bool can (const sockinfo &si) { return can((u32)si.host); } 210 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 211 bool can (u32 host);
208}; 212};
209 213
210net_rate_limiter auth_rate_limiter, reset_rate_limiter; 214net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211 215
225 { 229 {
226 net_rateinfo ri; 230 net_rateinfo ri;
227 231
228 ri.host = host; 232 ri.host = host;
229 ri.pcnt = 1.; 233 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 234 ri.diff = MAXDIF;
231 ri.last = NOW; 235 ri.last = NOW;
232 236
233 push_front (ri); 237 push_front (ri);
234 238
235 return true; 239 return true;
242 ri.pcnt = ri.pcnt * ALPHA; 246 ri.pcnt = ri.pcnt * ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 247 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244 248
245 ri.last = NOW; 249 ri.last = NOW;
246 250
251 double dif = ri.diff / ri.pcnt;
252
247 bool send = ri.diff / ri.pcnt > CUTOFF; 253 bool send = dif > CUTOFF;
248 254
255 if (dif > MAXDIF)
256 {
257 ri.pcnt = 1.;
258 ri.diff = MAXDIF;
259 }
249 if (send) 260 else if (send)
250 ri.pcnt++; 261 ri.pcnt++;
251 262
252 push_front (ri); 263 push_front (ri);
253 264
254 return send; 265 return send;
299} 310}
300 311
301#define MAXVPNDATA (MAX_MTU - 6 - 6) 312#define MAXVPNDATA (MAX_MTU - 6 - 6)
302#define DATAHDR (sizeof (u32) + RAND_SIZE) 313#define DATAHDR (sizeof (u32) + RAND_SIZE)
303 314
304struct vpndata_packet:vpn_packet 315struct vpndata_packet : vpn_packet
305 { 316 {
306 u8 data[MAXVPNDATA + DATAHDR]; // seqno 317 u8 data[MAXVPNDATA + DATAHDR]; // seqno
307 318
308 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno); 319 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
309 tap_packet *unpack (connection *conn, u32 &seqno); 320 tap_packet *unpack (connection *conn, u32 &seqno);
336 d[0] = cl >> 8; 347 d[0] = cl >> 8;
337 d[1] = cl; 348 d[1] = cl;
338 } 349 }
339#endif 350#endif
340 351
341 EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); 352 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0));
342 353
343 struct { 354 struct {
344#if RAND_SIZE 355#if RAND_SIZE
345 u8 rnd[RAND_SIZE]; 356 u8 rnd[RAND_SIZE];
346#endif 357#endif
350 datahdr.seqno = ntohl (seqno); 361 datahdr.seqno = ntohl (seqno);
351#if RAND_SIZE 362#if RAND_SIZE
352 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); 363 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
353#endif 364#endif
354 365
355 EVP_EncryptUpdate (cctx, 366 require (EVP_EncryptUpdate (cctx,
356 (unsigned char *) data + outl, &outl2, 367 (unsigned char *) data + outl, &outl2,
357 (unsigned char *) &datahdr, DATAHDR); 368 (unsigned char *) &datahdr, DATAHDR));
358 outl += outl2; 369 outl += outl2;
359 370
360 EVP_EncryptUpdate (cctx, 371 require (EVP_EncryptUpdate (cctx,
361 (unsigned char *) data + outl, &outl2, 372 (unsigned char *) data + outl, &outl2,
362 (unsigned char *) d, l); 373 (unsigned char *) d, l));
363 outl += outl2; 374 outl += outl2;
364 375
365 EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2); 376 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
366 outl += outl2; 377 outl += outl2;
367 378
368 len = outl + data_hdr_size (); 379 len = outl + data_hdr_size ();
369 380
370 set_hdr (type, dst); 381 set_hdr (type, dst);
379 int outl = 0, outl2; 390 int outl = 0, outl2;
380 tap_packet *p = new tap_packet; 391 tap_packet *p = new tap_packet;
381 u8 *d; 392 u8 *d;
382 u32 l = len - data_hdr_size (); 393 u32 l = len - data_hdr_size ();
383 394
384 EVP_DecryptInit_ex (cctx, 0, 0, 0, 0); 395 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0));
385 396
386#if ENABLE_COMPRESSION 397#if ENABLE_COMPRESSION
387 u8 cdata[MAX_MTU]; 398 u8 cdata[MAX_MTU];
388 399
389 if (type == PT_DATA_COMPRESSED) 400 if (type == PT_DATA_COMPRESSED)
391 else 402 else
392#endif 403#endif
393 d = &(*p)[6 + 6 - DATAHDR]; 404 d = &(*p)[6 + 6 - DATAHDR];
394 405
395 /* this overwrites part of the src mac, but we fix that later */ 406 /* this overwrites part of the src mac, but we fix that later */
396 EVP_DecryptUpdate (cctx, 407 require (EVP_DecryptUpdate (cctx,
397 d, &outl2, 408 d, &outl2,
398 (unsigned char *)&data, len - data_hdr_size ()); 409 (unsigned char *)&data, len - data_hdr_size ()));
399 outl += outl2; 410 outl += outl2;
400 411
401 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 412 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
402 outl += outl2; 413 outl += outl2;
403 414
404 seqno = ntohl (*(u32 *)(d + RAND_SIZE)); 415 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
405 416
406 id2mac (dst () ? dst() : THISNODE->id, p->dst); 417 id2mac (dst () ? dst() : THISNODE->id, p->dst);
467 set_hdr (type, dst); 478 set_hdr (type, dst);
468} 479}
469 480
470bool config_packet::chk_config () const 481bool config_packet::chk_config () const
471{ 482{
472 return prot_major == PROTOCOL_MAJOR 483 if (prot_major != PROTOCOL_MAJOR)
473 && randsize == RAND_SIZE 484 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
474 && hmaclen == HMACLENGTH 485 else if (randsize != RAND_SIZE)
475 && flags == curflags () 486 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
487 else if (hmaclen != HMACLENGTH)
488 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
489 else if (flags != curflags ())
490 slog (L_WARN, _("flag mismatch (remote %x <=> local %x)"), flags, curflags ());
476 && challengelen == sizeof (rsachallenge) 491 else if (challengelen != sizeof (rsachallenge))
492 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
477 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 493 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
494 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 495 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
496 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 497 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
498 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
499 else
500 return true;
501
502 return false;
480} 503}
481 504
482struct auth_req_packet : config_packet 505struct auth_req_packet : config_packet
483{ 506{
484 char magic[8]; 507 char magic[8];
485 u8 initiate; // false if this is just an automatic reply 508 u8 initiate; // false if this is just an automatic reply
486 u8 protocols; // supported protocols (will get patches on forward) 509 u8 protocols; // supported protocols (will be patched on forward)
487 u8 pad2, pad3; 510 u8 pad2, pad3;
488 rsaid id; 511 rsaid id;
489 rsaencrdata encr; 512 rsaencrdata encr;
490 513
491 auth_req_packet (int dst, bool initiate_, u8 protocols_) 514 auth_req_packet (int dst, bool initiate_, u8 protocols_)
544 len = sizeof (*this) - sizeof (net_packet); 567 len = sizeof (*this) - sizeof (net_packet);
545 } 568 }
546}; 569};
547 570
548///////////////////////////////////////////////////////////////////////////// 571/////////////////////////////////////////////////////////////////////////////
572
573void
574connection::connection_established ()
575{
576 if (ictx && octx)
577 {
578 connectmode = conf->connectmode;
579
580 rekey.start (NOW + ::conf.rekey);
581 keepalive.start (NOW + ::conf.keepalive);
582
583 // send queued packets
584 if (ictx && octx)
585 {
586 while (tap_packet *p = (tap_packet *)data_queue.get ())
587 {
588 send_data_packet (p);
589 delete p;
590 }
591
592 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
593 {
594 send_vpn_packet (p, si, IPTOS_RELIABILITY);
595 delete p;
596 }
597 }
598 }
599 else
600 {
601 retry_cnt = 0;
602 establish_connection.start (NOW + 5);
603 keepalive.stop ();
604 rekey.stop ();
605 }
606}
549 607
550void 608void
551connection::reset_si () 609connection::reset_si ()
552{ 610{
553 protocol = best_protocol (THISNODE->protocols & conf->protocols); 611 protocol = best_protocol (THISNODE->protocols & conf->protocols);
580 638
581 return si; 639 return si;
582} 640}
583 641
584void 642void
643connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
644{
645 if (!vpn->send_vpn_packet (pkt, si, tos))
646 reset_connection ();
647}
648
649void
585connection::send_ping (const sockinfo &si, u8 pong) 650connection::send_ping (const sockinfo &si, u8 pong)
586{ 651{
587 ping_packet *pkt = new ping_packet; 652 ping_packet *pkt = new ping_packet;
588 653
589 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 654 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
590 vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 655 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
591 656
592 delete pkt; 657 delete pkt;
593} 658}
594 659
595void 660void
598 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED) 663 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
599 { 664 {
600 config_packet *pkt = new config_packet; 665 config_packet *pkt = new config_packet;
601 666
602 pkt->setup (vpn_packet::PT_RESET, conf->id); 667 pkt->setup (vpn_packet::PT_RESET, conf->id);
603 vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST); 668 send_vpn_packet (pkt, si, IPTOS_MINCOST);
604 669
605 delete pkt; 670 delete pkt;
606 } 671 }
607} 672}
608 673
610connection::send_auth_request (const sockinfo &si, bool initiate) 675connection::send_auth_request (const sockinfo &si, bool initiate)
611{ 676{
612 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols); 677 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
613 678
614 rsachallenge chg; 679 rsachallenge chg;
615
616 rsa_cache.gen (pkt->id, chg); 680 rsa_cache.gen (pkt->id, chg);
617 681 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
618 if (0 > RSA_public_encrypt (sizeof chg,
619 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
620 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
621 fatal ("RSA_public_encrypt error");
622 682
623 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 683 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
624 684
625 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly 685 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
626 686
627 delete pkt; 687 delete pkt;
628} 688}
629 689
630void 690void
638 698
639 pkt->hmac_set (octx); 699 pkt->hmac_set (octx);
640 700
641 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 701 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
642 702
643 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 703 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
644 704
645 delete pkt; 705 delete pkt;
646} 706}
647 707
648void 708void
652 conf->id, rid, (const char *)rsi); 712 conf->id, rid, (const char *)rsi);
653 713
654 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 714 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
655 715
656 r->hmac_set (octx); 716 r->hmac_set (octx);
657 vpn->send_vpn_packet (r, si); 717 send_vpn_packet (r, si);
658 718
659 delete r; 719 delete r;
660} 720}
661 721
662void 722void
663connection::establish_connection_cb (time_watcher &w) 723connection::establish_connection_cb (time_watcher &w)
664{ 724{
665 if (ictx || conf == THISNODE 725 if (!ictx
726 && conf != THISNODE
666 || connectmode == conf_node::C_NEVER 727 && connectmode != conf_node::C_NEVER
667 || connectmode == conf_node::C_DISABLED) 728 && connectmode != conf_node::C_DISABLED
668 w.at = TSTAMP_CANCEL; 729 && NOW > w.at)
669 else if (w.at <= NOW)
670 { 730 {
671 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 731 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
672 732
673 if (retry_int < 3600 * 8) 733 if (retry_int < 3600 * 8)
674 retry_cnt++; 734 retry_cnt++;
675 735
676 w.at = NOW + retry_int; 736 w.start (NOW + retry_int);
677 737
678 reset_si (); 738 reset_si ();
679 739
680 if (si.prot && !si.host) 740 if (si.prot && !si.host)
681 vpn->connect_request (conf->id); 741 vpn->send_connect_request (conf->id);
682 else 742 else
683 { 743 {
684 const sockinfo &dsi = forward_si (si); 744 const sockinfo &dsi = forward_si (si);
685 745
686 if (dsi.valid () && auth_rate_limiter.can (dsi)) 746 if (dsi.valid () && auth_rate_limiter.can (dsi))
712 si.host= 0; 772 si.host= 0;
713 773
714 last_activity = 0; 774 last_activity = 0;
715 retry_cnt = 0; 775 retry_cnt = 0;
716 776
717 rekey.reset (); 777 rekey.stop ();
718 keepalive.reset (); 778 keepalive.stop ();
719 establish_connection.reset (); 779 establish_connection.stop ();
720} 780}
721 781
722void 782void
723connection::shutdown () 783connection::shutdown ()
724{ 784{
729} 789}
730 790
731void 791void
732connection::rekey_cb (time_watcher &w) 792connection::rekey_cb (time_watcher &w)
733{ 793{
734 w.at = TSTAMP_CANCEL;
735
736 reset_connection (); 794 reset_connection ();
737 establish_connection (); 795 establish_connection ();
738} 796}
739 797
740void 798void
741connection::send_data_packet (tap_packet *pkt, bool broadcast) 799connection::send_data_packet (tap_packet *pkt)
742{ 800{
743 vpndata_packet *p = new vpndata_packet; 801 vpndata_packet *p = new vpndata_packet;
744 int tos = 0; 802 int tos = 0;
745 803
746 if (conf->inherit_tos 804 // I am not hilarious about peeking into packets, but so be it.
747 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 805 if (conf->inherit_tos && pkt->is_ipv4 ())
748 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
749 tos = (*pkt)[15] & IPTOS_TOS_MASK; 806 tos = (*pkt)[15] & IPTOS_TOS_MASK;
750 807
751 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 808 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
752 vpn->send_vpn_packet (p, si, tos); 809 send_vpn_packet (p, si, tos);
753 810
754 delete p; 811 delete p;
755 812
756 if (oseqno > MAX_SEQNO) 813 if (oseqno > MAX_SEQNO)
757 rekey (); 814 rekey ();
758} 815}
759 816
760void 817void
761connection::inject_data_packet (tap_packet *pkt, bool broadcast) 818connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/)
762{ 819{
763 if (ictx && octx) 820 if (ictx && octx)
764 send_data_packet (pkt, broadcast); 821 send_data_packet (pkt);
765 else 822 else
766 { 823 {
767 if (!broadcast)//DDDD 824 if (!broadcast)//DDDD
768 queue.put (new tap_packet (*pkt)); 825 data_queue.put (new tap_packet (*pkt));
769 826
770 establish_connection (); 827 establish_connection ();
771 } 828 }
772} 829}
773 830
774void connection::inject_vpn_packet (vpn_packet *pkt, int tos) 831void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
775{ 832{
776 if (ictx && octx) 833 if (ictx && octx)
777 vpn->send_vpn_packet (pkt, si, tos); 834 send_vpn_packet (pkt, si, tos);
778 else 835 else
836 {
837 vpn_queue.put ((vpn_packet *)new data_packet (*(data_packet *)pkt));
838
779 establish_connection (); 839 establish_connection ();
840 }
780} 841}
781 842
782void 843void
783connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 844connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
784{ 845{
840 if (p->initiate) 901 if (p->initiate)
841 send_auth_request (rsi, false); 902 send_auth_request (rsi, false);
842 903
843 rsachallenge k; 904 rsachallenge k;
844 905
845 if (0 > RSA_private_decrypt (sizeof (p->encr), 906 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
846 (unsigned char *)&p->encr, (unsigned char *)&k, 907 {
847 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
848 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 908 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
849 conf->nodename, (const char *)rsi); 909 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
910 break;
911 }
850 else 912 else
851 { 913 {
852 retry_cnt = 0;
853 establish_connection.start (NOW + 8); //? ;)
854 keepalive.reset ();
855 rekey.reset ();
856
857 delete ictx;
858 ictx = 0;
859
860 delete octx; 914 delete octx;
861 915
862 octx = new crypto_ctx (k, 1); 916 octx = new crypto_ctx (k, 1);
863 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 917 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
864 918
865 conf->protocols = p->protocols; 919 conf->protocols = p->protocols;
920
866 send_auth_response (rsi, p->id, k); 921 send_auth_response (rsi, p->id, k);
922
923 connection_established ();
867 924
868 break; 925 break;
869 } 926 }
870 } 927 }
928 else
929 slog (L_WARN, _("%s(%s): protocol mismatch"),
930 conf->nodename, (const char *)rsi);
871 931
872 send_reset (rsi); 932 send_reset (rsi);
873 } 933 }
874 934
875 break; 935 break;
888 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 948 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
889 949
890 rsachallenge chg; 950 rsachallenge chg;
891 951
892 if (!rsa_cache.find (p->id, chg)) 952 if (!rsa_cache.find (p->id, chg))
953 {
893 slog (L_ERR, _("%s(%s): unrequested auth response"), 954 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
894 conf->nodename, (const char *)rsi); 955 conf->nodename, (const char *)rsi);
956 break;
957 }
895 else 958 else
896 { 959 {
897 crypto_ctx *cctx = new crypto_ctx (chg, 0); 960 crypto_ctx *cctx = new crypto_ctx (chg, 0);
898 961
899 if (!p->hmac_chk (cctx)) 962 if (!p->hmac_chk (cctx))
963 {
900 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 964 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
901 "could be an attack, or just corruption or an synchronization error"), 965 "could be an attack, or just corruption or a synchronization error"),
902 conf->nodename, (const char *)rsi); 966 conf->nodename, (const char *)rsi);
967 break;
968 }
903 else 969 else
904 { 970 {
905 rsaresponse h; 971 rsaresponse h;
906 972
907 rsa_hash (p->id, chg, h); 973 rsa_hash (p->id, chg, h);
915 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 981 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
916 982
917 si = rsi; 983 si = rsi;
918 protocol = rsi.prot; 984 protocol = rsi.prot;
919 985
920 rekey.start (NOW + ::conf.rekey); 986 connection_established ();
921 keepalive.start (NOW + ::conf.keepalive);
922
923 // send queued packets
924 while (tap_packet *p = queue.get ())
925 {
926 send_data_packet (p);
927 delete p;
928 }
929
930 connectmode = conf->connectmode;
931 987
932 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), 988 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
933 conf->nodename, (const char *)rsi, 989 conf->nodename, (const char *)rsi,
934 p->prot_major, p->prot_minor); 990 p->prot_major, p->prot_minor);
935 991
961 1017
962 if (ictx && octx) 1018 if (ictx && octx)
963 { 1019 {
964 vpndata_packet *p = (vpndata_packet *)pkt; 1020 vpndata_packet *p = (vpndata_packet *)pkt;
965 1021
966 if (rsi == si) 1022 if (!p->hmac_chk (ictx))
1023 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1024 "could be an attack, or just corruption or a synchronization error"),
1025 conf->nodename, (const char *)rsi);
1026 else
967 { 1027 {
968 if (!p->hmac_chk (ictx))
969 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
970 "could be an attack, or just corruption or an synchronization error"),
971 conf->nodename, (const char *)rsi);
972 else 1028 u32 seqno;
1029 tap_packet *d = p->unpack (this, seqno);
1030
1031 if (iseqno.recv_ok (seqno))
973 { 1032 {
974 u32 seqno; 1033 vpn->tap->send (d);
975 tap_packet *d = p->unpack (this, seqno);
976 1034
977 if (iseqno.recv_ok (seqno)) 1035 if (si != rsi)
978 { 1036 {
979 vpn->tap->send (d); 1037 // fast re-sync on connection changes, useful especially for tcp/ip
980
981 if (p->dst () == 0) // re-broadcast
982 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
983 {
984 connection *c = *i;
985
986 if (c->conf != THISNODE && c->conf != conf)
987 c->inject_data_packet (d);
988 }
989
990 delete d;
991
992 break; 1038 si = rsi;
1039
1040 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1041 conf->nodename, (const char *)si, (const char *)rsi);
993 } 1042 }
1043
1044 delete d;
1045
1046 break;
994 } 1047 }
995 } 1048 }
996 else
997 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
998 } 1049 }
999 1050
1000 send_reset (rsi); 1051 send_reset (rsi);
1001 break; 1052 break;
1002 1053
1017 // send connect_info packets to both sides, in case one is 1068 // send connect_info packets to both sides, in case one is
1018 // behind a nat firewall (or both ;) 1069 // behind a nat firewall (or both ;)
1019 c->send_connect_info (conf->id, si, conf->protocols); 1070 c->send_connect_info (conf->id, si, conf->protocols);
1020 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1071 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1021 } 1072 }
1073 else
1074 c->establish_connection ();
1022 } 1075 }
1023 1076
1024 break; 1077 break;
1025 1078
1026 case vpn_packet::PT_CONNECT_INFO: 1079 case vpn_packet::PT_CONNECT_INFO:
1059 { 1112 {
1060 reset_connection (); 1113 reset_connection ();
1061 establish_connection (); 1114 establish_connection ();
1062 } 1115 }
1063 else if (NOW < last_activity + ::conf.keepalive) 1116 else if (NOW < last_activity + ::conf.keepalive)
1064 w.at = last_activity + ::conf.keepalive; 1117 w.start (last_activity + ::conf.keepalive);
1065 else if (conf->connectmode != conf_node::C_ONDEMAND 1118 else if (conf->connectmode != conf_node::C_ONDEMAND
1066 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1119 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1067 { 1120 {
1068 send_ping (si); 1121 send_ping (si);
1069 w.at = NOW + 5; 1122 w.start (NOW + 5);
1070 } 1123 }
1124 else if (NOW < last_activity + ::conf.keepalive + 10)
1125 // hold ondemand connections implicitly a few seconds longer
1126 // should delete octx, though, or something like that ;)
1127 w.start (last_activity + ::conf.keepalive + 10);
1071 else 1128 else
1072 reset_connection (); 1129 reset_connection ();
1073} 1130}
1074 1131
1075void connection::connect_request (int id) 1132void connection::send_connect_request (int id)
1076{ 1133{
1077 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1134 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1078 1135
1079 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1136 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1080 p->hmac_set (octx); 1137 p->hmac_set (octx);
1081 vpn->send_vpn_packet (p, si); 1138 send_vpn_packet (p, si);
1082 1139
1083 delete p; 1140 delete p;
1084} 1141}
1085 1142
1086void connection::script_node () 1143void connection::script_node ()

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines