ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.5 by pcg, Wed Apr 2 21:43:44 2003 UTC vs.
Revision 1.18 by pcg, Sat Oct 4 13:20:07 2003 UTC

147 } 147 }
148} 148}
149 149
150////////////////////////////////////////////////////////////////////////////// 150//////////////////////////////////////////////////////////////////////////////
151 151
152void pkt_queue::put (tap_packet *p) 152void pkt_queue::put (net_packet *p)
153{ 153{
154 if (queue[i]) 154 if (queue[i])
155 { 155 {
156 delete queue[i]; 156 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH; 157 j = (j + 1) % QUEUEDEPTH;
160 queue[i] = p; 160 queue[i] = p;
161 161
162 i = (i + 1) % QUEUEDEPTH; 162 i = (i + 1) % QUEUEDEPTH;
163} 163}
164 164
165tap_packet *pkt_queue::get () 165net_packet *pkt_queue::get ()
166{ 166{
167 tap_packet *p = queue[j]; 167 net_packet *p = queue[j];
168 168
169 if (p) 169 if (p)
170 { 170 {
171 queue[j] = 0; 171 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH; 172 j = (j + 1) % QUEUEDEPTH;
197// only do action once every x seconds per host whole allowing bursts. 197// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 198// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 199// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 200struct net_rate_limiter : list<net_rateinfo>
201{ 201{
202 static const double ALPHA = 1. - 1. / 90.; // allow bursts 202 static const double ALPHA = 1. - 1. / 600.; // allow bursts
203 static const double CUTOFF = 20.; // one event every CUTOFF seconds 203 static const double CUTOFF = 10.; // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
205 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205 206
206 bool can (const sockinfo &si) { return can((u32)si.host); } 207 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 208 bool can (u32 host);
208}; 209};
209 210
210net_rate_limiter auth_rate_limiter, reset_rate_limiter; 211net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211 212
225 { 226 {
226 net_rateinfo ri; 227 net_rateinfo ri;
227 228
228 ri.host = host; 229 ri.host = host;
229 ri.pcnt = 1.; 230 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 231 ri.diff = MAXDIF;
231 ri.last = NOW; 232 ri.last = NOW;
232 233
233 push_front (ri); 234 push_front (ri);
234 235
235 return true; 236 return true;
242 ri.pcnt = ri.pcnt * ALPHA; 243 ri.pcnt = ri.pcnt * ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 244 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244 245
245 ri.last = NOW; 246 ri.last = NOW;
246 247
248 double dif = ri.diff / ri.pcnt;
249
247 bool send = ri.diff / ri.pcnt > CUTOFF; 250 bool send = dif > CUTOFF;
248 251
252 if (dif > MAXDIF)
253 {
254 ri.pcnt = 1.;
255 ri.diff = MAXDIF;
256 }
249 if (send) 257 else if (send)
250 ri.pcnt++; 258 ri.pcnt++;
251 259
252 push_front (ri); 260 push_front (ri);
253 261
254 return send; 262 return send;
285 hmac_gen (ctx); 293 hmac_gen (ctx);
286 294
287 return !memcmp (hmac, hmac_digest, HMACLENGTH); 295 return !memcmp (hmac, hmac_digest, HMACLENGTH);
288} 296}
289 297
290void vpn_packet::set_hdr (ptype type, unsigned int dst) 298void vpn_packet::set_hdr (ptype type_, unsigned int dst)
291{ 299{
292 this->type = type; 300 type = type_;
293 301
294 int src = THISNODE->id; 302 int src = THISNODE->id;
295 303
296 src1 = src; 304 src1 = src;
297 srcdst = ((src >> 8) << 4) | (dst >> 8); 305 srcdst = ((src >> 8) << 4) | (dst >> 8);
467 set_hdr (type, dst); 475 set_hdr (type, dst);
468} 476}
469 477
470bool config_packet::chk_config () const 478bool config_packet::chk_config () const
471{ 479{
472 return prot_major == PROTOCOL_MAJOR 480 if (prot_major != PROTOCOL_MAJOR)
473 && randsize == RAND_SIZE 481 slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR);
474 && hmaclen == HMACLENGTH 482 else if (randsize != RAND_SIZE)
475 && flags == curflags () 483 slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE);
484 else if (hmaclen != HMACLENGTH)
485 slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH);
486 else if (flags != curflags ())
487 slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
476 && challengelen == sizeof (rsachallenge) 488 else if (challengelen != sizeof (rsachallenge))
489 slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge));
477 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 490 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
491 slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 492 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
493 slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 494 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
495 slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
496 else
497 return true;
498
499 return false;
480} 500}
481 501
482struct auth_req_packet : config_packet 502struct auth_req_packet : config_packet
483{ 503{
484 char magic[8]; 504 char magic[8];
546}; 566};
547 567
548///////////////////////////////////////////////////////////////////////////// 568/////////////////////////////////////////////////////////////////////////////
549 569
550void 570void
571connection::connection_established ()
572{
573 if (ictx && octx)
574 {
575 connectmode = conf->connectmode;
576
577 rekey.start (NOW + ::conf.rekey);
578 keepalive.start (NOW + ::conf.keepalive);
579
580 // send queued packets
581 if (ictx && octx)
582 {
583 while (tap_packet *p = (tap_packet *)data_queue.get ())
584 {
585 send_data_packet (p);
586 delete p;
587 }
588
589 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
590 {
591 send_vpn_packet (p, si, IPTOS_RELIABILITY);
592 delete p;
593 }
594 }
595 }
596 else
597 {
598 retry_cnt = 0;
599 establish_connection.start (NOW + 5);
600 keepalive.reset ();
601 rekey.reset ();
602 }
603}
604
605void
551connection::reset_dstaddr () 606connection::reset_si ()
552{ 607{
553 si.set (conf);
554}
555
556void
557connection::send_ping (const sockinfo &si, u8 pong)
558{
559 ping_packet *pkt = new ping_packet;
560
561 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
562 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
563
564 delete pkt;
565}
566
567void
568connection::send_reset (const sockinfo &si)
569{
570 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
571 {
572 config_packet *pkt = new config_packet;
573
574 pkt->setup (vpn_packet::PT_RESET, conf->id);
575 send_vpn_packet (pkt, si, IPTOS_MINCOST);
576
577 delete pkt;
578 }
579}
580
581void
582connection::send_auth_request (const sockinfo &si, bool initiate)
583{
584 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
585
586 protocol = best_protocol (THISNODE->protocols & conf->protocols); 608 protocol = best_protocol (THISNODE->protocols & conf->protocols);
587 609
588 // mask out protocols we cannot establish 610 // mask out protocols we cannot establish
589 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 611 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
590 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 612 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
591 613
592 if (protocol) 614 si.set (conf, protocol);
615}
616
617// ensure sockinfo is valid, forward if necessary
618const sockinfo &
619connection::forward_si (const sockinfo &si) const
620{
621 if (!si.valid ())
622 {
623 connection *r = vpn->find_router ();
624
625 if (r)
626 {
627 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
628 conf->nodename, r->conf->nodename);
629 return r->si;
630 }
631 else
632 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
633 conf->nodename);
593 { 634 }
594 rsachallenge chg;
595 635
596 rsa_cache.gen (pkt->id, chg); 636 return si;
637}
597 638
598 if (0 > RSA_public_encrypt (sizeof chg, 639void
599 (unsigned char *)&chg, (unsigned char *)&pkt->encr, 640connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
600 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 641{
601 fatal ("RSA_public_encrypt error"); 642 if (!vpn->send_vpn_packet (pkt, si, tos))
643 reset_connection ();
644}
602 645
603 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 646void
647connection::send_ping (const sockinfo &si, u8 pong)
648{
649 ping_packet *pkt = new ping_packet;
604 650
605 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 651 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
652 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
653
654 delete pkt;
655}
656
657void
658connection::send_reset (const sockinfo &si)
659{
660 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
661 {
662 config_packet *pkt = new config_packet;
663
664 pkt->setup (vpn_packet::PT_RESET, conf->id);
665 send_vpn_packet (pkt, si, IPTOS_MINCOST);
606 666
607 delete pkt; 667 delete pkt;
608 } 668 }
609 else 669}
610 ; // silently fail 670
671void
672connection::send_auth_request (const sockinfo &si, bool initiate)
673{
674 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
675
676 rsachallenge chg;
677
678 rsa_cache.gen (pkt->id, chg);
679
680 if (0 > RSA_public_encrypt (sizeof chg,
681 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
682 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
683 fatal ("RSA_public_encrypt error");
684
685 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
686
687 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
688
689 delete pkt;
611} 690}
612 691
613void 692void
614connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg) 693connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
615{ 694{
656 if (retry_int < 3600 * 8) 735 if (retry_int < 3600 * 8)
657 retry_cnt++; 736 retry_cnt++;
658 737
659 w.at = NOW + retry_int; 738 w.at = NOW + retry_int;
660 739
661 if (conf->hostname) 740 reset_si ();
741
742 if (si.prot && !si.host)
743 vpn->send_connect_request (conf->id);
744 else
662 { 745 {
663 reset_dstaddr (); 746 const sockinfo &dsi = forward_si (si);
747
664 if (si.host && auth_rate_limiter.can (si)) 748 if (dsi.valid () && auth_rate_limiter.can (dsi))
665 { 749 {
666 if (retry_cnt < 4) 750 if (retry_cnt < 4)
667 send_auth_request (si, true); 751 send_auth_request (dsi, true);
668 else 752 else
669 send_ping (si, 0); 753 send_ping (dsi, 0);
670 } 754 }
671 } 755 }
672 else
673 vpn->connect_request (conf->id);
674 } 756 }
675} 757}
676 758
677void 759void
678connection::reset_connection () 760connection::reset_connection ()
721connection::send_data_packet (tap_packet *pkt, bool broadcast) 803connection::send_data_packet (tap_packet *pkt, bool broadcast)
722{ 804{
723 vpndata_packet *p = new vpndata_packet; 805 vpndata_packet *p = new vpndata_packet;
724 int tos = 0; 806 int tos = 0;
725 807
808 // I am not hilarious about peeking into packets, but so be it.
726 if (conf->inherit_tos 809 if (conf->inherit_tos
727 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 810 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
728 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 811 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
729 tos = (*pkt)[15] & IPTOS_TOS_MASK; 812 tos = (*pkt)[15] & IPTOS_TOS_MASK;
730 813
743 if (ictx && octx) 826 if (ictx && octx)
744 send_data_packet (pkt, broadcast); 827 send_data_packet (pkt, broadcast);
745 else 828 else
746 { 829 {
747 if (!broadcast)//DDDD 830 if (!broadcast)//DDDD
748 queue.put (new tap_packet (*pkt)); 831 data_queue.put (new tap_packet (*pkt));
832
833 establish_connection ();
834 }
835}
836
837void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
838{
839 if (ictx && octx)
840 send_vpn_packet (pkt, si, tos);
841 else
842 {
843 vpn_queue.put (new vpn_packet (*pkt));
749 844
750 establish_connection (); 845 establish_connection ();
751 } 846 }
752} 847}
753 848
815 rsachallenge k; 910 rsachallenge k;
816 911
817 if (0 > RSA_private_decrypt (sizeof (p->encr), 912 if (0 > RSA_private_decrypt (sizeof (p->encr),
818 (unsigned char *)&p->encr, (unsigned char *)&k, 913 (unsigned char *)&p->encr, (unsigned char *)&k,
819 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 914 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
820 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 915 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
821 conf->nodename, (const char *)rsi); 916 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
822 else 917 else
823 { 918 {
824 retry_cnt = 0;
825 establish_connection.set (NOW + 8); //? ;)
826 keepalive.reset ();
827 rekey.reset ();
828
829 delete ictx;
830 ictx = 0;
831
832 delete octx; 919 delete octx;
833 920
834 octx = new crypto_ctx (k, 1); 921 octx = new crypto_ctx (k, 1);
835 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 922 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
836 923
837 conf->protocols = p->protocols; 924 conf->protocols = p->protocols;
925
838 send_auth_response (rsi, p->id, k); 926 send_auth_response (rsi, p->id, k);
927
928 connection_established ();
839 929
840 break; 930 break;
841 } 931 }
842 } 932 }
933 else
934 slog (L_WARN, _("%s(%s): protocol mismatch"),
935 conf->nodename, (const char *)rsi);
843 936
844 send_reset (rsi); 937 send_reset (rsi);
845 } 938 }
846 939
847 break; 940 break;
860 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 953 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
861 954
862 rsachallenge chg; 955 rsachallenge chg;
863 956
864 if (!rsa_cache.find (p->id, chg)) 957 if (!rsa_cache.find (p->id, chg))
958 {
865 slog (L_ERR, _("%s(%s): unrequested auth response"), 959 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
866 conf->nodename, (const char *)rsi); 960 conf->nodename, (const char *)rsi);
961 break;
962 }
867 else 963 else
868 { 964 {
869 crypto_ctx *cctx = new crypto_ctx (chg, 0); 965 crypto_ctx *cctx = new crypto_ctx (chg, 0);
870 966
871 if (!p->hmac_chk (cctx)) 967 if (!p->hmac_chk (cctx))
968 {
872 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 969 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
873 "could be an attack, or just corruption or an synchronization error"), 970 "could be an attack, or just corruption or an synchronization error"),
874 conf->nodename, (const char *)rsi); 971 conf->nodename, (const char *)rsi);
972 break;
973 }
875 else 974 else
876 { 975 {
877 rsaresponse h; 976 rsaresponse h;
878 977
879 rsa_hash (p->id, chg, h); 978 rsa_hash (p->id, chg, h);
885 delete ictx; ictx = cctx; 984 delete ictx; ictx = cctx;
886 985
887 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 986 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
888 987
889 si = rsi; 988 si = rsi;
989 protocol = rsi.prot;
890 990
891 rekey.set (NOW + ::conf.rekey); 991 connection_established ();
892 keepalive.set (NOW + ::conf.keepalive);
893 992
894 // send queued packets
895 while (tap_packet *p = queue.get ())
896 {
897 send_data_packet (p);
898 delete p;
899 }
900
901 connectmode = conf->connectmode;
902
903 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"), 993 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
904 conf->nodename, (const char *)rsi, 994 conf->nodename, (const char *)rsi,
905 strprotocol (protocol),
906 p->prot_major, p->prot_minor); 995 p->prot_major, p->prot_minor);
907 996
908 if (::conf.script_node_up) 997 if (::conf.script_node_up)
909 run_script (run_script_cb (this, &connection::script_node_up), false); 998 run_script (run_script_cb (this, &connection::script_node_up), false);
910 999
933 1022
934 if (ictx && octx) 1023 if (ictx && octx)
935 { 1024 {
936 vpndata_packet *p = (vpndata_packet *)pkt; 1025 vpndata_packet *p = (vpndata_packet *)pkt;
937 1026
938 if (rsi == si) 1027 if (!p->hmac_chk (ictx))
1028 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1029 "could be an attack, or just corruption or an synchronization error"),
1030 conf->nodename, (const char *)rsi);
1031 else
939 { 1032 {
940 if (!p->hmac_chk (ictx))
941 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
942 "could be an attack, or just corruption or an synchronization error"),
943 conf->nodename, (const char *)rsi);
944 else 1033 u32 seqno;
1034 tap_packet *d = p->unpack (this, seqno);
1035
1036 if (iseqno.recv_ok (seqno))
945 { 1037 {
946 u32 seqno; 1038 vpn->tap->send (d);
947 tap_packet *d = p->unpack (this, seqno);
948 1039
949 if (iseqno.recv_ok (seqno)) 1040 if (p->dst () == 0) // re-broadcast
1041 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1042 {
1043 connection *c = *i;
1044
1045 if (c->conf != THISNODE && c->conf != conf)
1046 c->inject_data_packet (d);
1047 }
1048
1049 if (si != rsi)
950 { 1050 {
951 vpn->tap->send (d); 1051 // fast re-sync on connection changes, useful especially for tcp/ip
952
953 if (p->dst () == 0) // re-broadcast
954 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
955 {
956 connection *c = *i;
957
958 if (c->conf != THISNODE && c->conf != conf)
959 c->inject_data_packet (d);
960 }
961
962 delete d;
963
964 break; 1052 si = rsi;
1053
1054 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1055 conf->nodename, (const char *)si, (const char *)rsi);
965 } 1056 }
1057
1058 delete d;
1059
1060 break;
966 } 1061 }
967 } 1062 }
968 else
969 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
970 } 1063 }
971 1064
972 send_reset (rsi); 1065 send_reset (rsi);
973 break; 1066 break;
974 1067
976 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1069 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
977 { 1070 {
978 connect_req_packet *p = (connect_req_packet *) pkt; 1071 connect_req_packet *p = (connect_req_packet *) pkt;
979 1072
980 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1073 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1074 connection *c = vpn->conns[p->id - 1];
981 conf->protocols = p->protocols; 1075 conf->protocols = p->protocols;
982 connection *c = vpn->conns[p->id - 1];
983 1076
984 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 1077 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
985 conf->id, p->id, c->ictx && c->octx); 1078 conf->id, p->id, c->ictx && c->octx);
986 1079
987 if (c->ictx && c->octx) 1080 if (c->ictx && c->octx)
989 // send connect_info packets to both sides, in case one is 1082 // send connect_info packets to both sides, in case one is
990 // behind a nat firewall (or both ;) 1083 // behind a nat firewall (or both ;)
991 c->send_connect_info (conf->id, si, conf->protocols); 1084 c->send_connect_info (conf->id, si, conf->protocols);
992 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1085 send_connect_info (c->conf->id, c->si, c->conf->protocols);
993 } 1086 }
1087 else
1088 c->establish_connection ();
994 } 1089 }
995 1090
996 break; 1091 break;
997 1092
998 case vpn_packet::PT_CONNECT_INFO: 1093 case vpn_packet::PT_CONNECT_INFO:
999 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1094 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1000 { 1095 {
1001 connect_info_packet *p = (connect_info_packet *) pkt; 1096 connect_info_packet *p = (connect_info_packet *) pkt;
1002 1097
1003 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1098 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1004 conf->protocols = p->protocols; 1099
1005 connection *c = vpn->conns[p->id - 1]; 1100 connection *c = vpn->conns[p->id - 1];
1101
1102 c->conf->protocols = p->protocols;
1103 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1104 p->si.upgrade_protocol (protocol, c->conf);
1006 1105
1007 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1106 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1008 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1107 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1009 1108
1109 const sockinfo &dsi = forward_si (p->si);
1110
1111 if (dsi.valid ())
1010 c->send_auth_request (p->si, true); 1112 c->send_auth_request (dsi, true);
1011 } 1113 }
1012 1114
1013 break; 1115 break;
1014 1116
1015 default: 1117 default:
1031 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1133 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1032 { 1134 {
1033 send_ping (si); 1135 send_ping (si);
1034 w.at = NOW + 5; 1136 w.at = NOW + 5;
1035 } 1137 }
1138 else if (NOW < last_activity + ::conf.keepalive + 10)
1139 // hold ondemand connections implicitly a few seconds longer
1140 // should delete octx, though, or something like that ;)
1141 w.at = last_activity + ::conf.keepalive + 10;
1036 else 1142 else
1037 reset_connection (); 1143 reset_connection ();
1038} 1144}
1039 1145
1040void connection::connect_request (int id) 1146void connection::send_connect_request (int id)
1041{ 1147{
1042 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1148 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1043 1149
1044 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1150 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1045 p->hmac_set (octx); 1151 p->hmac_set (octx);
1075 putenv ("STATE=down"); 1181 putenv ("STATE=down");
1076 1182
1077 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1183 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1078} 1184}
1079 1185
1080// send a vpn packet out to other hosts
1081void
1082connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1083{
1084 switch (protocol)
1085 {
1086 case PROT_IPv4:
1087 vpn->send_ipv4_packet (pkt, si, tos);
1088 break;
1089
1090 case PROT_UDPv4:
1091 vpn->send_udpv4_packet (pkt, si, tos);
1092 break;
1093
1094#if ENABLE_TCP
1095 case PROT_TCPv4:
1096 vpn->send_tcpv4_packet (pkt, si, tos);
1097 break;
1098#endif
1099 }
1100}
1101
1102connection::connection(struct vpn *vpn_) 1186connection::connection(struct vpn *vpn_)
1103: vpn(vpn_) 1187: vpn(vpn_)
1104, rekey (this, &connection::rekey_cb) 1188, rekey (this, &connection::rekey_cb)
1105, keepalive (this, &connection::keepalive_cb) 1189, keepalive (this, &connection::keepalive_cb)
1106, establish_connection (this, &connection::establish_connection_cb) 1190, establish_connection (this, &connection::establish_connection_cb)

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines