ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.7 by pcg, Sat Apr 5 17:54:22 2003 UTC vs.
Revision 1.20 by pcg, Tue Oct 14 15:48:15 2003 UTC

35#include "slog.h" 35#include "slog.h"
36#include "device.h" 36#include "device.h"
37#include "vpn.h" 37#include "vpn.h"
38#include "connection.h" 38#include "connection.h"
39 39
40#include "netcompat.h"
41
40#if !HAVE_RAND_PSEUDO_BYTES 42#if !HAVE_RAND_PSEUDO_BYTES
41# define RAND_pseudo_bytes RAND_bytes 43# define RAND_pseudo_bytes RAND_bytes
42#endif 44#endif
43 45
44#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 46#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
147 } 149 }
148} 150}
149 151
150////////////////////////////////////////////////////////////////////////////// 152//////////////////////////////////////////////////////////////////////////////
151 153
152void pkt_queue::put (tap_packet *p) 154void pkt_queue::put (net_packet *p)
153{ 155{
154 if (queue[i]) 156 if (queue[i])
155 { 157 {
156 delete queue[i]; 158 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH; 159 j = (j + 1) % QUEUEDEPTH;
160 queue[i] = p; 162 queue[i] = p;
161 163
162 i = (i + 1) % QUEUEDEPTH; 164 i = (i + 1) % QUEUEDEPTH;
163} 165}
164 166
165tap_packet *pkt_queue::get () 167net_packet *pkt_queue::get ()
166{ 168{
167 tap_packet *p = queue[j]; 169 net_packet *p = queue[j];
168 170
169 if (p) 171 if (p)
170 { 172 {
171 queue[j] = 0; 173 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH; 174 j = (j + 1) % QUEUEDEPTH;
197// only do action once every x seconds per host whole allowing bursts. 199// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 200// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 201// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 202struct net_rate_limiter : list<net_rateinfo>
201{ 203{
202 static const double ALPHA = 1. - 1. / 90.; // allow bursts 204 static const double ALPHA = 1. - 1. / 600.; // allow bursts
203 static const double CUTOFF = 20.; // one event every CUTOFF seconds 205 static const double CUTOFF = 10.; // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 206 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
207 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205 208
206 bool can (const sockinfo &si) { return can((u32)si.host); } 209 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 210 bool can (u32 host);
208}; 211};
209 212
210net_rate_limiter auth_rate_limiter, reset_rate_limiter; 213net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211 214
225 { 228 {
226 net_rateinfo ri; 229 net_rateinfo ri;
227 230
228 ri.host = host; 231 ri.host = host;
229 ri.pcnt = 1.; 232 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 233 ri.diff = MAXDIF;
231 ri.last = NOW; 234 ri.last = NOW;
232 235
233 push_front (ri); 236 push_front (ri);
234 237
235 return true; 238 return true;
242 ri.pcnt = ri.pcnt * ALPHA; 245 ri.pcnt = ri.pcnt * ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 246 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244 247
245 ri.last = NOW; 248 ri.last = NOW;
246 249
250 double dif = ri.diff / ri.pcnt;
251
247 bool send = ri.diff / ri.pcnt > CUTOFF; 252 bool send = dif > CUTOFF;
248 253
254 if (dif > MAXDIF)
255 {
256 ri.pcnt = 1.;
257 ri.diff = MAXDIF;
258 }
249 if (send) 259 else if (send)
250 ri.pcnt++; 260 ri.pcnt++;
251 261
252 push_front (ri); 262 push_front (ri);
253 263
254 return send; 264 return send;
467 set_hdr (type, dst); 477 set_hdr (type, dst);
468} 478}
469 479
470bool config_packet::chk_config () const 480bool config_packet::chk_config () const
471{ 481{
472 return prot_major == PROTOCOL_MAJOR 482 if (prot_major != PROTOCOL_MAJOR)
473 && randsize == RAND_SIZE 483 slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR);
474 && hmaclen == HMACLENGTH 484 else if (randsize != RAND_SIZE)
475 && flags == curflags () 485 slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE);
486 else if (hmaclen != HMACLENGTH)
487 slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH);
488 else if (flags != curflags ())
489 slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
476 && challengelen == sizeof (rsachallenge) 490 else if (challengelen != sizeof (rsachallenge))
491 slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge));
477 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 492 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
493 slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 494 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
495 slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 496 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
497 slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
498 else
499 return true;
500
501 return false;
480} 502}
481 503
482struct auth_req_packet : config_packet 504struct auth_req_packet : config_packet
483{ 505{
484 char magic[8]; 506 char magic[8];
546}; 568};
547 569
548///////////////////////////////////////////////////////////////////////////// 570/////////////////////////////////////////////////////////////////////////////
549 571
550void 572void
573connection::connection_established ()
574{
575 if (ictx && octx)
576 {
577 connectmode = conf->connectmode;
578
579 rekey.start (NOW + ::conf.rekey);
580 keepalive.start (NOW + ::conf.keepalive);
581
582 // send queued packets
583 if (ictx && octx)
584 {
585 while (tap_packet *p = (tap_packet *)data_queue.get ())
586 {
587 send_data_packet (p);
588 delete p;
589 }
590
591 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
592 {
593 send_vpn_packet (p, si, IPTOS_RELIABILITY);
594 delete p;
595 }
596 }
597 }
598 else
599 {
600 retry_cnt = 0;
601 establish_connection.start (NOW + 5);
602 keepalive.reset ();
603 rekey.reset ();
604 }
605}
606
607void
551connection::reset_dstaddr () 608connection::reset_si ()
552{ 609{
553 protocol = best_protocol (THISNODE->protocols & conf->protocols); 610 protocol = best_protocol (THISNODE->protocols & conf->protocols);
554 611
555 // mask out protocols we cannot establish 612 // mask out protocols we cannot establish
556 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 613 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
557 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 614 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
558 615
559 si.set (conf, protocol); 616 si.set (conf, protocol);
560} 617}
561 618
619// ensure sockinfo is valid, forward if necessary
620const sockinfo &
621connection::forward_si (const sockinfo &si) const
622{
623 if (!si.valid ())
624 {
625 connection *r = vpn->find_router ();
626
627 if (r)
628 {
629 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
630 conf->nodename, r->conf->nodename);
631 return r->si;
632 }
633 else
634 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
635 conf->nodename);
636 }
637
638 return si;
639}
640
641void
642connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
643{
644 if (!vpn->send_vpn_packet (pkt, si, tos))
645 reset_connection ();
646}
647
562void 648void
563connection::send_ping (const sockinfo &si, u8 pong) 649connection::send_ping (const sockinfo &si, u8 pong)
564{ 650{
565 ping_packet *pkt = new ping_packet; 651 ping_packet *pkt = new ping_packet;
566 652
567 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 653 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
568 vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 654 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
569 655
570 delete pkt; 656 delete pkt;
571} 657}
572 658
573void 659void
576 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED) 662 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
577 { 663 {
578 config_packet *pkt = new config_packet; 664 config_packet *pkt = new config_packet;
579 665
580 pkt->setup (vpn_packet::PT_RESET, conf->id); 666 pkt->setup (vpn_packet::PT_RESET, conf->id);
581 vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST); 667 send_vpn_packet (pkt, si, IPTOS_MINCOST);
582 668
583 delete pkt; 669 delete pkt;
584 } 670 }
585} 671}
586 672
598 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 684 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
599 fatal ("RSA_public_encrypt error"); 685 fatal ("RSA_public_encrypt error");
600 686
601 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 687 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
602 688
603 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 689 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
604 690
605 delete pkt; 691 delete pkt;
606} 692}
607 693
608void 694void
616 702
617 pkt->hmac_set (octx); 703 pkt->hmac_set (octx);
618 704
619 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 705 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
620 706
621 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 707 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
622 708
623 delete pkt; 709 delete pkt;
624} 710}
625 711
626void 712void
630 conf->id, rid, (const char *)rsi); 716 conf->id, rid, (const char *)rsi);
631 717
632 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 718 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
633 719
634 r->hmac_set (octx); 720 r->hmac_set (octx);
635 vpn->send_vpn_packet (r, si); 721 send_vpn_packet (r, si);
636 722
637 delete r; 723 delete r;
638} 724}
639 725
640void 726void
651 if (retry_int < 3600 * 8) 737 if (retry_int < 3600 * 8)
652 retry_cnt++; 738 retry_cnt++;
653 739
654 w.at = NOW + retry_int; 740 w.at = NOW + retry_int;
655 741
656 if (conf->hostname) 742 reset_si ();
743
744 if (si.prot && !si.host)
745 vpn->send_connect_request (conf->id);
746 else
657 { 747 {
658 reset_dstaddr (); 748 const sockinfo &dsi = forward_si (si);
659 749
660 if (si.valid () && auth_rate_limiter.can (si)) 750 if (dsi.valid () && auth_rate_limiter.can (dsi))
661 { 751 {
662 if (retry_cnt < 4) 752 if (retry_cnt < 4)
663 send_auth_request (si, true); 753 send_auth_request (dsi, true);
664 else 754 else
665 send_ping (si, 0); 755 send_ping (dsi, 0);
666 } 756 }
667 } 757 }
668 else
669 vpn->connect_request (conf->id);
670 } 758 }
671} 759}
672 760
673void 761void
674connection::reset_connection () 762connection::reset_connection ()
717connection::send_data_packet (tap_packet *pkt, bool broadcast) 805connection::send_data_packet (tap_packet *pkt, bool broadcast)
718{ 806{
719 vpndata_packet *p = new vpndata_packet; 807 vpndata_packet *p = new vpndata_packet;
720 int tos = 0; 808 int tos = 0;
721 809
810 // I am not hilarious about peeking into packets, but so be it.
722 if (conf->inherit_tos 811 if (conf->inherit_tos
723 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 812 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
724 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 813 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
725 tos = (*pkt)[15] & IPTOS_TOS_MASK; 814 tos = (*pkt)[15] & IPTOS_TOS_MASK;
726 815
727 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 816 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
728 vpn->send_vpn_packet (p, si, tos); 817 send_vpn_packet (p, si, tos);
729 818
730 delete p; 819 delete p;
731 820
732 if (oseqno > MAX_SEQNO) 821 if (oseqno > MAX_SEQNO)
733 rekey (); 822 rekey ();
739 if (ictx && octx) 828 if (ictx && octx)
740 send_data_packet (pkt, broadcast); 829 send_data_packet (pkt, broadcast);
741 else 830 else
742 { 831 {
743 if (!broadcast)//DDDD 832 if (!broadcast)//DDDD
744 queue.put (new tap_packet (*pkt)); 833 data_queue.put (new tap_packet (*pkt));
834
835 establish_connection ();
836 }
837}
838
839void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
840{
841 if (ictx && octx)
842 send_vpn_packet (pkt, si, tos);
843 else
844 {
845 vpn_queue.put (new vpn_packet (*pkt));
745 846
746 establish_connection (); 847 establish_connection ();
747 } 848 }
748} 849}
749 850
811 rsachallenge k; 912 rsachallenge k;
812 913
813 if (0 > RSA_private_decrypt (sizeof (p->encr), 914 if (0 > RSA_private_decrypt (sizeof (p->encr),
814 (unsigned char *)&p->encr, (unsigned char *)&k, 915 (unsigned char *)&p->encr, (unsigned char *)&k,
815 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 916 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
816 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 917 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
817 conf->nodename, (const char *)rsi); 918 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
818 else 919 else
819 { 920 {
820 retry_cnt = 0;
821 establish_connection.start (NOW + 8); //? ;)
822 keepalive.reset ();
823 rekey.reset ();
824
825 delete ictx;
826 ictx = 0;
827
828 delete octx; 921 delete octx;
829 922
830 octx = new crypto_ctx (k, 1); 923 octx = new crypto_ctx (k, 1);
831 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 924 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
832 925
833 conf->protocols = p->protocols; 926 conf->protocols = p->protocols;
927
834 send_auth_response (rsi, p->id, k); 928 send_auth_response (rsi, p->id, k);
929
930 connection_established ();
835 931
836 break; 932 break;
837 } 933 }
838 } 934 }
935 else
936 slog (L_WARN, _("%s(%s): protocol mismatch"),
937 conf->nodename, (const char *)rsi);
839 938
840 send_reset (rsi); 939 send_reset (rsi);
841 } 940 }
842 941
843 break; 942 break;
856 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 955 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
857 956
858 rsachallenge chg; 957 rsachallenge chg;
859 958
860 if (!rsa_cache.find (p->id, chg)) 959 if (!rsa_cache.find (p->id, chg))
960 {
861 slog (L_ERR, _("%s(%s): unrequested auth response"), 961 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
862 conf->nodename, (const char *)rsi); 962 conf->nodename, (const char *)rsi);
963 break;
964 }
863 else 965 else
864 { 966 {
865 crypto_ctx *cctx = new crypto_ctx (chg, 0); 967 crypto_ctx *cctx = new crypto_ctx (chg, 0);
866 968
867 if (!p->hmac_chk (cctx)) 969 if (!p->hmac_chk (cctx))
970 {
868 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 971 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
869 "could be an attack, or just corruption or an synchronization error"), 972 "could be an attack, or just corruption or an synchronization error"),
870 conf->nodename, (const char *)rsi); 973 conf->nodename, (const char *)rsi);
974 break;
975 }
871 else 976 else
872 { 977 {
873 rsaresponse h; 978 rsaresponse h;
874 979
875 rsa_hash (p->id, chg, h); 980 rsa_hash (p->id, chg, h);
883 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 988 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
884 989
885 si = rsi; 990 si = rsi;
886 protocol = rsi.prot; 991 protocol = rsi.prot;
887 992
888 rekey.start (NOW + ::conf.rekey); 993 connection_established ();
889 keepalive.start (NOW + ::conf.keepalive);
890
891 // send queued packets
892 while (tap_packet *p = queue.get ())
893 {
894 send_data_packet (p);
895 delete p;
896 }
897
898 connectmode = conf->connectmode;
899 994
900 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), 995 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
901 conf->nodename, (const char *)rsi, 996 conf->nodename, (const char *)rsi,
902 p->prot_major, p->prot_minor); 997 p->prot_major, p->prot_minor);
903 998
929 1024
930 if (ictx && octx) 1025 if (ictx && octx)
931 { 1026 {
932 vpndata_packet *p = (vpndata_packet *)pkt; 1027 vpndata_packet *p = (vpndata_packet *)pkt;
933 1028
934 if (rsi == si) 1029 if (!p->hmac_chk (ictx))
1030 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1031 "could be an attack, or just corruption or an synchronization error"),
1032 conf->nodename, (const char *)rsi);
1033 else
935 { 1034 {
936 if (!p->hmac_chk (ictx))
937 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
938 "could be an attack, or just corruption or an synchronization error"),
939 conf->nodename, (const char *)rsi);
940 else 1035 u32 seqno;
1036 tap_packet *d = p->unpack (this, seqno);
1037
1038 if (iseqno.recv_ok (seqno))
941 { 1039 {
942 u32 seqno; 1040 vpn->tap->send (d);
943 tap_packet *d = p->unpack (this, seqno);
944 1041
945 if (iseqno.recv_ok (seqno)) 1042 if (p->dst () == 0) // re-broadcast
1043 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1044 {
1045 connection *c = *i;
1046
1047 if (c->conf != THISNODE && c->conf != conf)
1048 c->inject_data_packet (d);
1049 }
1050
1051 if (si != rsi)
946 { 1052 {
947 vpn->tap->send (d); 1053 // fast re-sync on connection changes, useful especially for tcp/ip
948
949 if (p->dst () == 0) // re-broadcast
950 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
951 {
952 connection *c = *i;
953
954 if (c->conf != THISNODE && c->conf != conf)
955 c->inject_data_packet (d);
956 }
957
958 delete d;
959
960 break; 1054 si = rsi;
1055
1056 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1057 conf->nodename, (const char *)si, (const char *)rsi);
961 } 1058 }
1059
1060 delete d;
1061
1062 break;
962 } 1063 }
963 } 1064 }
964 else
965 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
966 } 1065 }
967 1066
968 send_reset (rsi); 1067 send_reset (rsi);
969 break; 1068 break;
970 1069
985 // send connect_info packets to both sides, in case one is 1084 // send connect_info packets to both sides, in case one is
986 // behind a nat firewall (or both ;) 1085 // behind a nat firewall (or both ;)
987 c->send_connect_info (conf->id, si, conf->protocols); 1086 c->send_connect_info (conf->id, si, conf->protocols);
988 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1087 send_connect_info (c->conf->id, c->si, c->conf->protocols);
989 } 1088 }
1089 else
1090 c->establish_connection ();
990 } 1091 }
991 1092
992 break; 1093 break;
993 1094
994 case vpn_packet::PT_CONNECT_INFO: 1095 case vpn_packet::PT_CONNECT_INFO:
1004 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1105 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1005 p->si.upgrade_protocol (protocol, c->conf); 1106 p->si.upgrade_protocol (protocol, c->conf);
1006 1107
1007 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1108 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1008 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1109 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1009 //slog (L_ERR, "%d PROTOCL(C%x,T%x,0S%x,S%x,P%x,SP%x)",
1010 // p->id, c->conf->protocols, THISNODE->protocols, p->si.supported_protocols(0), p->si.supported_protocols (c->conf),
1011 // protocol, p->si.prot);
1012 1110
1111 const sockinfo &dsi = forward_si (p->si);
1112
1113 if (dsi.valid ())
1013 c->send_auth_request (p->si, true); 1114 c->send_auth_request (dsi, true);
1014 } 1115 }
1015 1116
1016 break; 1117 break;
1017 1118
1018 default: 1119 default:
1034 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1135 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1035 { 1136 {
1036 send_ping (si); 1137 send_ping (si);
1037 w.at = NOW + 5; 1138 w.at = NOW + 5;
1038 } 1139 }
1140 else if (NOW < last_activity + ::conf.keepalive + 10)
1141 // hold ondemand connections implicitly a few seconds longer
1142 // should delete octx, though, or something like that ;)
1143 w.at = last_activity + ::conf.keepalive + 10;
1039 else 1144 else
1040 reset_connection (); 1145 reset_connection ();
1041} 1146}
1042 1147
1043void connection::connect_request (int id) 1148void connection::send_connect_request (int id)
1044{ 1149{
1045 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1150 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1046 1151
1047 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1152 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1048 p->hmac_set (octx); 1153 p->hmac_set (octx);
1049 vpn->send_vpn_packet (p, si); 1154 send_vpn_packet (p, si);
1050 1155
1051 delete p; 1156 delete p;
1052} 1157}
1053 1158
1054void connection::script_node () 1159void connection::script_node ()

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines