[ViewVC] Diff of: cvs/gvpe/src/connection.C

Comparing gvpe/src/connection.C (file contents):
Revision 1.7 by pcg, Sat Apr 5 17:54:22 2003 UTC vs.
Revision 1.18 by pcg, Sat Oct 4 13:20:07 2003 UTC

     }
 }
 //////////////////////////////////////////////////////////////////////////////
-void pkt_queue::put (tap_packet *p)
+void pkt_queue::put (net_packet *p)
 {
   if (queue[i])
     {
       delete queue[i];
       j = (j + 1) % QUEUEDEPTH;
   queue[i] = p;
   i = (i + 1) % QUEUEDEPTH;
 }
-tap_packet *pkt_queue::get ()
+net_packet *pkt_queue::get ()
 {
-  tap_packet *p = queue[j];
+  net_packet *p = queue[j];
   if (p)
     {
       queue[j] = 0;
       j = (j + 1) % QUEUEDEPTH;
 // only do action once every x seconds per host whole allowing bursts.
 // this implementation ("splay list" ;) is inefficient,
 // but low on resources.
 struct net_rate_limiter : list<net_rateinfo>
 {
-  static const double ALPHA  = 1. - 1. / 90.; // allow bursts
+  static const double ALPHA  = 1. - 1. / 600.; // allow bursts
-  static const double CUTOFF = 20.;           // one event every CUTOFF seconds
+  static const double CUTOFF = 10.;            // one event every CUTOFF seconds
-  static const double EXPIRE = CUTOFF * 30.;  // expire entries after this time
+  static const double EXPIRE = CUTOFF * 30.;   // expire entries after this time
+  static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
-  bool can (const sockinfo &si) { return can((u32)si.host);             }
+  bool can (const sockinfo &si) { return can((u32)si.host); }
   bool can (u32 host);
 };
 net_rate_limiter auth_rate_limiter, reset_rate_limiter;
     {
       net_rateinfo ri;
       ri.host = host;
       ri.pcnt = 1.;
-      ri.diff = CUTOFF * (1. / (1. - ALPHA));
+      ri.diff = MAXDIF;
       ri.last = NOW;
       push_front (ri);
       return true;
       ri.pcnt = ri.pcnt * ALPHA;
       ri.diff = ri.diff * ALPHA + (NOW - ri.last);
       ri.last = NOW;
+      double dif = ri.diff / ri.pcnt;
-      bool send = ri.diff / ri.pcnt > CUTOFF;
+      bool send = dif > CUTOFF;
+      if (dif > MAXDIF)
+        {
+          ri.pcnt = 1.;
+          ri.diff = MAXDIF;
+        }
-      if (send)
+      else if (send)
         ri.pcnt++;
       push_front (ri);
       return send;
   set_hdr (type, dst);
 }
 bool config_packet::chk_config () const
 {
-  return prot_major == PROTOCOL_MAJOR
+  if (prot_major != PROTOCOL_MAJOR)
-         && randsize == RAND_SIZE
+    slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR);
-         && hmaclen == HMACLENGTH
+  else if (randsize != RAND_SIZE)
-         && flags == curflags ()
+    slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE);
+  else if (hmaclen != HMACLENGTH)
+    slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH);
+  else if (flags != curflags ())
+    slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
-         && challengelen == sizeof (rsachallenge)
+  else if (challengelen != sizeof (rsachallenge))
+    slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge));
-         && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
+  else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
+    slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
-         && digest_nid == htonl (EVP_MD_type (RSA_HASH))
+  else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
+    slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
-         && hmac_nid   == htonl (EVP_MD_type (DIGEST));
+  else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
+    slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
+  else
+    return true;
+  return false;
 }
 struct auth_req_packet : config_packet
 {
   char magic[8];
 };
 /////////////////////////////////////////////////////////////////////////////
 void
+connection::connection_established ()
+{
+  if (ictx && octx)
+    {
+      connectmode = conf->connectmode;
+      rekey.start (NOW + ::conf.rekey);
+      keepalive.start (NOW + ::conf.keepalive);
+      // send queued packets
+      if (ictx && octx)
+        {
+          while (tap_packet *p = (tap_packet *)data_queue.get ())
+            {
+              send_data_packet (p);
+              delete p;
+            }
+          while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
+            {
+              send_vpn_packet (p, si, IPTOS_RELIABILITY);
+              delete p;
+            }
+        }
+    }
+  else
+    {
+      retry_cnt = 0;
+      establish_connection.start (NOW + 5);
+      keepalive.reset ();
+      rekey.reset ();
+    }
+}
+void
-connection::reset_dstaddr ()
+connection::reset_si ()
 {
   protocol = best_protocol (THISNODE->protocols & conf->protocols);
   // mask out protocols we cannot establish
   if (!conf->udp_port) protocol &= ~PROT_UDPv4;
   if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
   si.set (conf, protocol);
 }
+// ensure sockinfo is valid, forward if necessary
+const sockinfo &
+connection::forward_si (const sockinfo &si) const
+{
+  if (!si.valid ())
+    {
+      connection *r = vpn->find_router ();
+      if (r)
+        {
+          slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
+                conf->nodename, r->conf->nodename);
+          return r->si;
+        }
+      else
+        slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
+              conf->nodename);
+    }
+  return si;
+}
+void
+connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
+{
+  if (!vpn->send_vpn_packet (pkt, si, tos))
+    reset_connection ();
+}
 void
 connection::send_ping (const sockinfo &si, u8 pong)
 {
   ping_packet *pkt = new ping_packet;
   pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
-  vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
+  send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
   delete pkt;
 }
 void
   if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
     {
       config_packet *pkt = new config_packet;
       pkt->setup (vpn_packet::PT_RESET, conf->id);
-      vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST);
+      send_vpn_packet (pkt, si, IPTOS_MINCOST);
       delete pkt;
     }
 }
                               conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
     fatal ("RSA_public_encrypt error");
   slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
-  vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
+  send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
   delete pkt;
 }
 void
   pkt->hmac_set (octx);
   slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
-  vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
+  send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
   delete pkt;
 }
 void
                  conf->id, rid, (const char *)rsi);
   connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
   r->hmac_set (octx);
-  vpn->send_vpn_packet (r, si);
+  send_vpn_packet (r, si);
   delete r;
 }
 void
       if (retry_int < 3600 * 8)
         retry_cnt++;
       w.at = NOW + retry_int;
-      if (conf->hostname)
+      reset_si ();
+      if (si.prot && !si.host)
+        vpn->send_connect_request (conf->id);
+      else
         {
-          reset_dstaddr ();
+          const sockinfo &dsi = forward_si (si);
-          if (si.valid () && auth_rate_limiter.can (si))
+          if (dsi.valid () && auth_rate_limiter.can (dsi))
-           {
+            {
-            if (retry_cnt < 4)
+              if (retry_cnt < 4)
-              send_auth_request (si, true);
+                send_auth_request (dsi, true);
-            else
+              else
-              send_ping (si, 0);
+                send_ping (dsi, 0);
-           }
+            }
         }
-      else
-        vpn->connect_request (conf->id);
     }
 }
 void
 connection::reset_connection ()
 connection::send_data_packet (tap_packet *pkt, bool broadcast)
 {
   vpndata_packet *p = new vpndata_packet;
   int tos = 0;
+  // I am not hilarious about peeking into packets, but so be it.
   if (conf->inherit_tos
       && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
       && ((*pkt)[14] & 0xf0) == 0x40)             // IPv4
     tos = (*pkt)[15] & IPTOS_TOS_MASK;
   p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
-  vpn->send_vpn_packet (p, si, tos);
+  send_vpn_packet (p, si, tos);
   delete p;
   if (oseqno > MAX_SEQNO)
     rekey ();
   if (ictx && octx)
     send_data_packet (pkt, broadcast);
   else
     {
       if (!broadcast)//DDDD
-        queue.put (new tap_packet (*pkt));
+        data_queue.put (new tap_packet (*pkt));
+      establish_connection ();
+    }
+}
+void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
+{
+  if (ictx && octx)
+    send_vpn_packet (pkt, si, tos);
+  else
+    {
+      vpn_queue.put (new vpn_packet (*pkt));
       establish_connection ();
     }
 }
                 rsachallenge k;
                 if (0 > RSA_private_decrypt (sizeof (p->encr),
                                              (unsigned char *)&p->encr, (unsigned char *)&k,
                                              ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
-                  slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
+                  slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
-                        conf->nodename, (const char *)rsi);
+                        conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
                 else
                   {
-                    retry_cnt = 0;
-                    establish_connection.start (NOW + 8); //? ;)
-                    keepalive.reset ();
-                    rekey.reset ();
-                    delete ictx;
-                    ictx = 0;
                     delete octx;
                     octx   = new crypto_ctx (k, 1);
                     oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
                     conf->protocols = p->protocols;
                     send_auth_response (rsi, p->id, k);
+                    connection_established ();
                     break;
                   }
               }
+            else
+              slog (L_WARN, _("%s(%s): protocol mismatch"),
+                    conf->nodename, (const char *)rsi);
             send_reset (rsi);
           }
         break;
                       PROTOCOL_MINOR, conf->nodename, p->prot_minor);
               rsachallenge chg;
               if (!rsa_cache.find (p->id, chg))
+                {
-                slog (L_ERR, _("%s(%s): unrequested auth response"),
+                  slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
-                      conf->nodename, (const char *)rsi);
+                        conf->nodename, (const char *)rsi);
+                  break;
+                }
               else
                 {
                   crypto_ctx *cctx = new crypto_ctx (chg, 0);
                   if (!p->hmac_chk (cctx))
+                    {
-                    slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
+                      slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
-                                   "could be an attack, or just corruption or an synchronization error"),
+                                     "could be an attack, or just corruption or an synchronization error"),
-                          conf->nodename, (const char *)rsi);
+                            conf->nodename, (const char *)rsi);
+                      break;
+                    }
                   else
                     {
                       rsaresponse h;
                       rsa_hash (p->id, chg, h);
                           iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
                           si = rsi;
                           protocol = rsi.prot;
-                          rekey.start (NOW + ::conf.rekey);
+                          connection_established ();
-                          keepalive.start (NOW + ::conf.keepalive);
-                          // send queued packets
-                          while (tap_packet *p = queue.get ())
-                            {
-                              send_data_packet (p);
-                              delete p;
-                            }
-                          connectmode = conf->connectmode;
                           slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
                                 conf->nodename, (const char *)rsi,
                                 p->prot_major, p->prot_minor);
         if (ictx && octx)
           {
             vpndata_packet *p = (vpndata_packet *)pkt;
-            if (rsi == si)
+            if (!p->hmac_chk (ictx))
+              slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
+                             "could be an attack, or just corruption or an synchronization error"),
+                    conf->nodename, (const char *)rsi);
+            else
               {
-                if (!p->hmac_chk (ictx))
-                  slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
-                                 "could be an attack, or just corruption or an synchronization error"),
-                        conf->nodename, (const char *)rsi);
-                else
+                u32 seqno;
+                tap_packet *d = p->unpack (this, seqno);
+                if (iseqno.recv_ok (seqno))
                   {
-                    u32 seqno;
+                    vpn->tap->send (d);
-                    tap_packet *d = p->unpack (this, seqno);
-                    if (iseqno.recv_ok (seqno))
+                    if (p->dst () == 0) // re-broadcast
+                      for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
+                        {
+                          connection *c = *i;
+                          if (c->conf != THISNODE && c->conf != conf)
+                            c->inject_data_packet (d);
+                        }
+                    if (si != rsi)
                       {
-                        vpn->tap->send (d);
+                        // fast re-sync on connection changes, useful especially for tcp/ip
-                        if (p->dst () == 0) // re-broadcast
-                          for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
-                            {
-                              connection *c = *i;
-                              if (c->conf != THISNODE && c->conf != conf)
-                                c->inject_data_packet (d);
-                            }
-                        delete d;
-                        break;
+                        si = rsi;
+                        slog (L_INFO, _("%s(%s): socket address changed to %s"),
+                              conf->nodename, (const char *)si, (const char *)rsi);
                       }
+                    delete d;
+                    break;
                   }
               }
-            else
-              slog (L_ERR,  _("received data packet from unknown source %s"), (const char *)rsi);
           }
         send_reset (rsi);
         break;
                 // send connect_info packets to both sides, in case one is
                 // behind a nat firewall (or both ;)
                 c->send_connect_info (conf->id, si, conf->protocols);
                 send_connect_info (c->conf->id, c->si, c->conf->protocols);
               }
+            else
+              c->establish_connection ();
           }
         break;
       case vpn_packet::PT_CONNECT_INFO:
             protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
             p->si.upgrade_protocol (protocol, c->conf);
             slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
                            conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
-            //slog (L_ERR, "%d PROTOCL(C%x,T%x,0S%x,S%x,P%x,SP%x)",
-            //      p->id, c->conf->protocols, THISNODE->protocols, p->si.supported_protocols(0), p->si.supported_protocols (c->conf),
-            //      protocol, p->si.prot);
+            const sockinfo &dsi = forward_si (p->si);
+            if (dsi.valid ())
-            c->send_auth_request (p->si, true);
+              c->send_auth_request (dsi, true);
           }
         break;
       default:
            || THISNODE->connectmode != conf_node::C_ONDEMAND)
     {
       send_ping (si);
       w.at = NOW + 5;
     }
+  else if (NOW < last_activity + ::conf.keepalive + 10)
+    // hold ondemand connections implicitly a few seconds longer
+    // should delete octx, though, or something like that ;)
+    w.at = last_activity + ::conf.keepalive + 10;
   else
     reset_connection ();
 }
-void connection::connect_request (int id)
+void connection::send_connect_request (int id)
 {
   connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
   slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
   p->hmac_set (octx);
-  vpn->send_vpn_packet (p, si);
+  send_vpn_packet (p, si);
   delete p;
 }
 void connection::script_node ()

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/src/connection.C (file contents): Revision 1.7 by pcg, Sat Apr 5 17:54:22 2003 UTC vs. Revision 1.18 by pcg, Sat Oct 4 13:20:07 2003 UTC

Diff Legend

Comparing gvpe/src/connection.C (file contents):
Revision 1.7 by pcg, Sat Apr 5 17:54:22 2003 UTC vs.
Revision 1.18 by pcg, Sat Oct 4 13:20:07 2003 UTC