ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.3 by pcg, Wed Apr 2 05:15:00 2003 UTC vs.
Revision 1.20 by pcg, Tue Oct 14 15:48:15 2003 UTC

35#include "slog.h" 35#include "slog.h"
36#include "device.h" 36#include "device.h"
37#include "vpn.h" 37#include "vpn.h"
38#include "connection.h" 38#include "connection.h"
39 39
40#include "netcompat.h"
41
40#if !HAVE_RAND_PSEUDO_BYTES 42#if !HAVE_RAND_PSEUDO_BYTES
41# define RAND_pseudo_bytes RAND_bytes 43# define RAND_pseudo_bytes RAND_bytes
42#endif 44#endif
43 45
44#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 46#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
85 rsachallenge chg; 87 rsachallenge chg;
86}; 88};
87 89
88struct rsa_cache : list<rsa_entry> 90struct rsa_cache : list<rsa_entry>
89{ 91{
90 void cleaner_cb (tstamp &ts); time_watcher cleaner; 92 void cleaner_cb (time_watcher &w); time_watcher cleaner;
91 93
92 bool find (const rsaid &id, rsachallenge &chg) 94 bool find (const rsaid &id, rsachallenge &chg)
93 { 95 {
94 for (iterator i = begin (); i != end (); ++i) 96 for (iterator i = begin (); i != end (); ++i)
95 { 97 {
129 : cleaner (this, &rsa_cache::cleaner_cb) 131 : cleaner (this, &rsa_cache::cleaner_cb)
130 { } 132 { }
131 133
132} rsa_cache; 134} rsa_cache;
133 135
134void rsa_cache::cleaner_cb (tstamp &ts) 136void rsa_cache::cleaner_cb (time_watcher &w)
135{ 137{
136 if (empty ()) 138 if (empty ())
137 ts = TSTAMP_CANCEL; 139 w.at = TSTAMP_CANCEL;
138 else 140 else
139 { 141 {
140 ts = NOW + RSA_TTL; 142 w.at = NOW + RSA_TTL;
141 143
142 for (iterator i = begin (); i != end (); ) 144 for (iterator i = begin (); i != end (); )
143 if (i->expire <= NOW) 145 if (i->expire <= NOW)
144 i = erase (i); 146 i = erase (i);
145 else 147 else
147 } 149 }
148} 150}
149 151
150////////////////////////////////////////////////////////////////////////////// 152//////////////////////////////////////////////////////////////////////////////
151 153
152void pkt_queue::put (tap_packet *p) 154void pkt_queue::put (net_packet *p)
153{ 155{
154 if (queue[i]) 156 if (queue[i])
155 { 157 {
156 delete queue[i]; 158 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH; 159 j = (j + 1) % QUEUEDEPTH;
160 queue[i] = p; 162 queue[i] = p;
161 163
162 i = (i + 1) % QUEUEDEPTH; 164 i = (i + 1) % QUEUEDEPTH;
163} 165}
164 166
165tap_packet *pkt_queue::get () 167net_packet *pkt_queue::get ()
166{ 168{
167 tap_packet *p = queue[j]; 169 net_packet *p = queue[j];
168 170
169 if (p) 171 if (p)
170 { 172 {
171 queue[j] = 0; 173 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH; 174 j = (j + 1) % QUEUEDEPTH;
197// only do action once every x seconds per host whole allowing bursts. 199// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 200// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 201// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 202struct net_rate_limiter : list<net_rateinfo>
201{ 203{
202 static const double ALPHA = 1. - 1. / 90.; // allow bursts 204 static const double ALPHA = 1. - 1. / 600.; // allow bursts
203 static const double CUTOFF = 20.; // one event every CUTOFF seconds 205 static const double CUTOFF = 10.; // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 206 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
207 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205 208
206 bool can (const sockinfo &si) { return can((u32)si.host); } 209 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 210 bool can (u32 host);
208}; 211};
209 212
210net_rate_limiter auth_rate_limiter, reset_rate_limiter; 213net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211 214
225 { 228 {
226 net_rateinfo ri; 229 net_rateinfo ri;
227 230
228 ri.host = host; 231 ri.host = host;
229 ri.pcnt = 1.; 232 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 233 ri.diff = MAXDIF;
231 ri.last = NOW; 234 ri.last = NOW;
232 235
233 push_front (ri); 236 push_front (ri);
234 237
235 return true; 238 return true;
242 ri.pcnt = ri.pcnt * ALPHA; 245 ri.pcnt = ri.pcnt * ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 246 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244 247
245 ri.last = NOW; 248 ri.last = NOW;
246 249
250 double dif = ri.diff / ri.pcnt;
251
247 bool send = ri.diff / ri.pcnt > CUTOFF; 252 bool send = dif > CUTOFF;
248 253
254 if (dif > MAXDIF)
255 {
256 ri.pcnt = 1.;
257 ri.diff = MAXDIF;
258 }
249 if (send) 259 else if (send)
250 ri.pcnt++; 260 ri.pcnt++;
251 261
252 push_front (ri); 262 push_front (ri);
253 263
254 return send; 264 return send;
285 hmac_gen (ctx); 295 hmac_gen (ctx);
286 296
287 return !memcmp (hmac, hmac_digest, HMACLENGTH); 297 return !memcmp (hmac, hmac_digest, HMACLENGTH);
288} 298}
289 299
290void vpn_packet::set_hdr (ptype type, unsigned int dst) 300void vpn_packet::set_hdr (ptype type_, unsigned int dst)
291{ 301{
292 this->type = type; 302 type = type_;
293 303
294 int src = THISNODE->id; 304 int src = THISNODE->id;
295 305
296 src1 = src; 306 src1 = src;
297 srcdst = ((src >> 8) << 4) | (dst >> 8); 307 srcdst = ((src >> 8) << 4) | (dst >> 8);
467 set_hdr (type, dst); 477 set_hdr (type, dst);
468} 478}
469 479
470bool config_packet::chk_config () const 480bool config_packet::chk_config () const
471{ 481{
472 return prot_major == PROTOCOL_MAJOR 482 if (prot_major != PROTOCOL_MAJOR)
473 && randsize == RAND_SIZE 483 slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR);
474 && hmaclen == HMACLENGTH 484 else if (randsize != RAND_SIZE)
475 && flags == curflags () 485 slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE);
486 else if (hmaclen != HMACLENGTH)
487 slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH);
488 else if (flags != curflags ())
489 slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
476 && challengelen == sizeof (rsachallenge) 490 else if (challengelen != sizeof (rsachallenge))
491 slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge));
477 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 492 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
493 slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 494 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
495 slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 496 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
497 slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
498 else
499 return true;
500
501 return false;
480} 502}
481 503
482struct auth_req_packet : config_packet 504struct auth_req_packet : config_packet
483{ 505{
484 char magic[8]; 506 char magic[8];
546}; 568};
547 569
548///////////////////////////////////////////////////////////////////////////// 570/////////////////////////////////////////////////////////////////////////////
549 571
550void 572void
573connection::connection_established ()
574{
575 if (ictx && octx)
576 {
577 connectmode = conf->connectmode;
578
579 rekey.start (NOW + ::conf.rekey);
580 keepalive.start (NOW + ::conf.keepalive);
581
582 // send queued packets
583 if (ictx && octx)
584 {
585 while (tap_packet *p = (tap_packet *)data_queue.get ())
586 {
587 send_data_packet (p);
588 delete p;
589 }
590
591 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
592 {
593 send_vpn_packet (p, si, IPTOS_RELIABILITY);
594 delete p;
595 }
596 }
597 }
598 else
599 {
600 retry_cnt = 0;
601 establish_connection.start (NOW + 5);
602 keepalive.reset ();
603 rekey.reset ();
604 }
605}
606
607void
551connection::reset_dstaddr () 608connection::reset_si ()
552{ 609{
553 si.set (conf);
554}
555
556void
557connection::send_ping (const sockinfo &si, u8 pong)
558{
559 ping_packet *pkt = new ping_packet;
560
561 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
562 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
563
564 delete pkt;
565}
566
567void
568connection::send_reset (const sockinfo &si)
569{
570 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
571 {
572 config_packet *pkt = new config_packet;
573
574 pkt->setup (vpn_packet::PT_RESET, conf->id);
575 send_vpn_packet (pkt, si, IPTOS_MINCOST);
576
577 delete pkt;
578 }
579}
580
581void
582connection::send_auth_request (const sockinfo &si, bool initiate)
583{
584 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
585
586 protocol = best_protocol (THISNODE->protocols & conf->protocols); 610 protocol = best_protocol (THISNODE->protocols & conf->protocols);
587 611
588 // mask out protocols we cannot establish 612 // mask out protocols we cannot establish
589 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 613 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
590 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 614 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
591 615
592 if (protocol) 616 si.set (conf, protocol);
617}
618
619// ensure sockinfo is valid, forward if necessary
620const sockinfo &
621connection::forward_si (const sockinfo &si) const
622{
623 if (!si.valid ())
624 {
625 connection *r = vpn->find_router ();
626
627 if (r)
628 {
629 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
630 conf->nodename, r->conf->nodename);
631 return r->si;
632 }
633 else
634 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
635 conf->nodename);
593 { 636 }
594 rsachallenge chg;
595 637
596 rsa_cache.gen (pkt->id, chg); 638 return si;
639}
597 640
598 if (0 > RSA_public_encrypt (sizeof chg, 641void
599 (unsigned char *)&chg, (unsigned char *)&pkt->encr, 642connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
600 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 643{
601 fatal ("RSA_public_encrypt error"); 644 if (!vpn->send_vpn_packet (pkt, si, tos))
645 reset_connection ();
646}
602 647
603 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 648void
649connection::send_ping (const sockinfo &si, u8 pong)
650{
651 ping_packet *pkt = new ping_packet;
604 652
605 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 653 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
654 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
655
656 delete pkt;
657}
658
659void
660connection::send_reset (const sockinfo &si)
661{
662 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
663 {
664 config_packet *pkt = new config_packet;
665
666 pkt->setup (vpn_packet::PT_RESET, conf->id);
667 send_vpn_packet (pkt, si, IPTOS_MINCOST);
606 668
607 delete pkt; 669 delete pkt;
608 } 670 }
609 else 671}
610 ; // silently fail 672
673void
674connection::send_auth_request (const sockinfo &si, bool initiate)
675{
676 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
677
678 rsachallenge chg;
679
680 rsa_cache.gen (pkt->id, chg);
681
682 if (0 > RSA_public_encrypt (sizeof chg,
683 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
684 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
685 fatal ("RSA_public_encrypt error");
686
687 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
688
689 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
690
691 delete pkt;
611} 692}
612 693
613void 694void
614connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg) 695connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
615{ 696{
641 722
642 delete r; 723 delete r;
643} 724}
644 725
645void 726void
646connection::establish_connection_cb (tstamp &ts) 727connection::establish_connection_cb (time_watcher &w)
647{ 728{
648 if (ictx || conf == THISNODE 729 if (ictx || conf == THISNODE
649 || connectmode == conf_node::C_NEVER 730 || connectmode == conf_node::C_NEVER
650 || connectmode == conf_node::C_DISABLED) 731 || connectmode == conf_node::C_DISABLED)
651 ts = TSTAMP_CANCEL; 732 w.at = TSTAMP_CANCEL;
652 else if (ts <= NOW) 733 else if (w.at <= NOW)
653 { 734 {
654 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 735 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
655 736
656 if (retry_int < 3600 * 8) 737 if (retry_int < 3600 * 8)
657 retry_cnt++; 738 retry_cnt++;
658 739
659 ts = NOW + retry_int; 740 w.at = NOW + retry_int;
660 741
661 if (conf->hostname) 742 reset_si ();
743
744 if (si.prot && !si.host)
745 vpn->send_connect_request (conf->id);
746 else
662 { 747 {
663 reset_dstaddr (); 748 const sockinfo &dsi = forward_si (si);
749
664 if (si.host && auth_rate_limiter.can (si)) 750 if (dsi.valid () && auth_rate_limiter.can (dsi))
665 { 751 {
666 if (retry_cnt < 4) 752 if (retry_cnt < 4)
667 send_auth_request (si, true); 753 send_auth_request (dsi, true);
668 else 754 else
669 send_ping (si, 0); 755 send_ping (dsi, 0);
670 } 756 }
671 } 757 }
672 else
673 vpn->connect_request (conf->id);
674 } 758 }
675} 759}
676 760
677void 761void
678connection::reset_connection () 762connection::reset_connection ()
707 791
708 reset_connection (); 792 reset_connection ();
709} 793}
710 794
711void 795void
712connection::rekey_cb (tstamp &ts) 796connection::rekey_cb (time_watcher &w)
713{ 797{
714 ts = TSTAMP_CANCEL; 798 w.at = TSTAMP_CANCEL;
715 799
716 reset_connection (); 800 reset_connection ();
717 establish_connection (); 801 establish_connection ();
718} 802}
719 803
721connection::send_data_packet (tap_packet *pkt, bool broadcast) 805connection::send_data_packet (tap_packet *pkt, bool broadcast)
722{ 806{
723 vpndata_packet *p = new vpndata_packet; 807 vpndata_packet *p = new vpndata_packet;
724 int tos = 0; 808 int tos = 0;
725 809
810 // I am not hilarious about peeking into packets, but so be it.
726 if (conf->inherit_tos 811 if (conf->inherit_tos
727 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 812 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
728 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 813 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
729 tos = (*pkt)[15] & IPTOS_TOS_MASK; 814 tos = (*pkt)[15] & IPTOS_TOS_MASK;
730 815
743 if (ictx && octx) 828 if (ictx && octx)
744 send_data_packet (pkt, broadcast); 829 send_data_packet (pkt, broadcast);
745 else 830 else
746 { 831 {
747 if (!broadcast)//DDDD 832 if (!broadcast)//DDDD
748 queue.put (new tap_packet (*pkt)); 833 data_queue.put (new tap_packet (*pkt));
834
835 establish_connection ();
836 }
837}
838
839void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
840{
841 if (ictx && octx)
842 send_vpn_packet (pkt, si, tos);
843 else
844 {
845 vpn_queue.put (new vpn_packet (*pkt));
749 846
750 establish_connection (); 847 establish_connection ();
751 } 848 }
752} 849}
753 850
815 rsachallenge k; 912 rsachallenge k;
816 913
817 if (0 > RSA_private_decrypt (sizeof (p->encr), 914 if (0 > RSA_private_decrypt (sizeof (p->encr),
818 (unsigned char *)&p->encr, (unsigned char *)&k, 915 (unsigned char *)&p->encr, (unsigned char *)&k,
819 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 916 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
820 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 917 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
821 conf->nodename, (const char *)rsi); 918 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
822 else 919 else
823 { 920 {
824 retry_cnt = 0;
825 establish_connection.set (NOW + 8); //? ;)
826 keepalive.reset ();
827 rekey.reset ();
828
829 delete ictx;
830 ictx = 0;
831
832 delete octx; 921 delete octx;
833 922
834 octx = new crypto_ctx (k, 1); 923 octx = new crypto_ctx (k, 1);
835 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 924 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
836 925
837 conf->protocols = p->protocols; 926 conf->protocols = p->protocols;
927
838 send_auth_response (rsi, p->id, k); 928 send_auth_response (rsi, p->id, k);
929
930 connection_established ();
839 931
840 break; 932 break;
841 } 933 }
842 } 934 }
935 else
936 slog (L_WARN, _("%s(%s): protocol mismatch"),
937 conf->nodename, (const char *)rsi);
843 938
844 send_reset (rsi); 939 send_reset (rsi);
845 } 940 }
846 941
847 break; 942 break;
860 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 955 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
861 956
862 rsachallenge chg; 957 rsachallenge chg;
863 958
864 if (!rsa_cache.find (p->id, chg)) 959 if (!rsa_cache.find (p->id, chg))
960 {
865 slog (L_ERR, _("%s(%s): unrequested auth response"), 961 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
866 conf->nodename, (const char *)rsi); 962 conf->nodename, (const char *)rsi);
963 break;
964 }
867 else 965 else
868 { 966 {
869 crypto_ctx *cctx = new crypto_ctx (chg, 0); 967 crypto_ctx *cctx = new crypto_ctx (chg, 0);
870 968
871 if (!p->hmac_chk (cctx)) 969 if (!p->hmac_chk (cctx))
970 {
872 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 971 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
873 "could be an attack, or just corruption or an synchronization error"), 972 "could be an attack, or just corruption or an synchronization error"),
874 conf->nodename, (const char *)rsi); 973 conf->nodename, (const char *)rsi);
974 break;
975 }
875 else 976 else
876 { 977 {
877 rsaresponse h; 978 rsaresponse h;
878 979
879 rsa_hash (p->id, chg, h); 980 rsa_hash (p->id, chg, h);
885 delete ictx; ictx = cctx; 986 delete ictx; ictx = cctx;
886 987
887 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 988 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
888 989
889 si = rsi; 990 si = rsi;
991 protocol = rsi.prot;
890 992
891 rekey.set (NOW + ::conf.rekey); 993 connection_established ();
892 keepalive.set (NOW + ::conf.keepalive);
893 994
894 // send queued packets
895 while (tap_packet *p = queue.get ())
896 {
897 send_data_packet (p);
898 delete p;
899 }
900
901 connectmode = conf->connectmode;
902
903 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"), 995 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
904 conf->nodename, (const char *)rsi, 996 conf->nodename, (const char *)rsi,
905 strprotocol (protocol),
906 p->prot_major, p->prot_minor); 997 p->prot_major, p->prot_minor);
907 998
908 if (::conf.script_node_up) 999 if (::conf.script_node_up)
909 run_script (run_script_cb (this, &connection::script_node_up), false); 1000 run_script (run_script_cb (this, &connection::script_node_up), false);
910 1001
933 1024
934 if (ictx && octx) 1025 if (ictx && octx)
935 { 1026 {
936 vpndata_packet *p = (vpndata_packet *)pkt; 1027 vpndata_packet *p = (vpndata_packet *)pkt;
937 1028
938 if (rsi == si) 1029 if (!p->hmac_chk (ictx))
1030 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1031 "could be an attack, or just corruption or an synchronization error"),
1032 conf->nodename, (const char *)rsi);
1033 else
939 { 1034 {
940 if (!p->hmac_chk (ictx))
941 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
942 "could be an attack, or just corruption or an synchronization error"),
943 conf->nodename, (const char *)rsi);
944 else 1035 u32 seqno;
1036 tap_packet *d = p->unpack (this, seqno);
1037
1038 if (iseqno.recv_ok (seqno))
945 { 1039 {
946 u32 seqno; 1040 vpn->tap->send (d);
947 tap_packet *d = p->unpack (this, seqno);
948 1041
949 if (iseqno.recv_ok (seqno)) 1042 if (p->dst () == 0) // re-broadcast
1043 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1044 {
1045 connection *c = *i;
1046
1047 if (c->conf != THISNODE && c->conf != conf)
1048 c->inject_data_packet (d);
1049 }
1050
1051 if (si != rsi)
950 { 1052 {
951 vpn->tap->send (d); 1053 // fast re-sync on connection changes, useful especially for tcp/ip
952
953 if (p->dst () == 0) // re-broadcast
954 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
955 {
956 connection *c = *i;
957
958 if (c->conf != THISNODE && c->conf != conf)
959 c->inject_data_packet (d);
960 }
961
962 delete d;
963
964 break; 1054 si = rsi;
1055
1056 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1057 conf->nodename, (const char *)si, (const char *)rsi);
965 } 1058 }
1059
1060 delete d;
1061
1062 break;
966 } 1063 }
967 } 1064 }
968 else
969 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
970 } 1065 }
971 1066
972 send_reset (rsi); 1067 send_reset (rsi);
973 break; 1068 break;
974 1069
976 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1071 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
977 { 1072 {
978 connect_req_packet *p = (connect_req_packet *) pkt; 1073 connect_req_packet *p = (connect_req_packet *) pkt;
979 1074
980 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1075 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1076 connection *c = vpn->conns[p->id - 1];
981 conf->protocols = p->protocols; 1077 conf->protocols = p->protocols;
982 connection *c = vpn->conns[p->id - 1];
983 1078
984 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 1079 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
985 conf->id, p->id, c->ictx && c->octx); 1080 conf->id, p->id, c->ictx && c->octx);
986 1081
987 if (c->ictx && c->octx) 1082 if (c->ictx && c->octx)
989 // send connect_info packets to both sides, in case one is 1084 // send connect_info packets to both sides, in case one is
990 // behind a nat firewall (or both ;) 1085 // behind a nat firewall (or both ;)
991 c->send_connect_info (conf->id, si, conf->protocols); 1086 c->send_connect_info (conf->id, si, conf->protocols);
992 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1087 send_connect_info (c->conf->id, c->si, c->conf->protocols);
993 } 1088 }
1089 else
1090 c->establish_connection ();
994 } 1091 }
995 1092
996 break; 1093 break;
997 1094
998 case vpn_packet::PT_CONNECT_INFO: 1095 case vpn_packet::PT_CONNECT_INFO:
999 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1096 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1000 { 1097 {
1001 connect_info_packet *p = (connect_info_packet *) pkt; 1098 connect_info_packet *p = (connect_info_packet *) pkt;
1002 1099
1003 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1100 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1004 conf->protocols = p->protocols; 1101
1005 connection *c = vpn->conns[p->id - 1]; 1102 connection *c = vpn->conns[p->id - 1];
1103
1104 c->conf->protocols = p->protocols;
1105 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1106 p->si.upgrade_protocol (protocol, c->conf);
1006 1107
1007 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1108 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1008 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1109 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1009 1110
1111 const sockinfo &dsi = forward_si (p->si);
1112
1113 if (dsi.valid ())
1010 c->send_auth_request (p->si, true); 1114 c->send_auth_request (dsi, true);
1011 } 1115 }
1012 1116
1013 break; 1117 break;
1014 1118
1015 default: 1119 default:
1016 send_reset (rsi); 1120 send_reset (rsi);
1017 break; 1121 break;
1018 } 1122 }
1019} 1123}
1020 1124
1021void connection::keepalive_cb (tstamp &ts) 1125void connection::keepalive_cb (time_watcher &w)
1022{ 1126{
1023 if (NOW >= last_activity + ::conf.keepalive + 30) 1127 if (NOW >= last_activity + ::conf.keepalive + 30)
1024 { 1128 {
1025 reset_connection (); 1129 reset_connection ();
1026 establish_connection (); 1130 establish_connection ();
1027 } 1131 }
1028 else if (NOW < last_activity + ::conf.keepalive) 1132 else if (NOW < last_activity + ::conf.keepalive)
1029 ts = last_activity + ::conf.keepalive; 1133 w.at = last_activity + ::conf.keepalive;
1030 else if (conf->connectmode != conf_node::C_ONDEMAND 1134 else if (conf->connectmode != conf_node::C_ONDEMAND
1031 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1135 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1032 { 1136 {
1033 send_ping (si); 1137 send_ping (si);
1034 ts = NOW + 5; 1138 w.at = NOW + 5;
1035 } 1139 }
1140 else if (NOW < last_activity + ::conf.keepalive + 10)
1141 // hold ondemand connections implicitly a few seconds longer
1142 // should delete octx, though, or something like that ;)
1143 w.at = last_activity + ::conf.keepalive + 10;
1036 else 1144 else
1037 reset_connection (); 1145 reset_connection ();
1038} 1146}
1039 1147
1040void connection::connect_request (int id) 1148void connection::send_connect_request (int id)
1041{ 1149{
1042 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1150 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1043 1151
1044 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1152 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1045 p->hmac_set (octx); 1153 p->hmac_set (octx);
1075 putenv ("STATE=down"); 1183 putenv ("STATE=down");
1076 1184
1077 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1185 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1078} 1186}
1079 1187
1080// send a vpn packet out to other hosts
1081void
1082connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1083{
1084 switch (protocol)
1085 {
1086 case PROT_IPv4:
1087 vpn->send_ipv4_packet (pkt, si, tos);
1088 break;
1089
1090 case PROT_UDPv4:
1091 vpn->send_udpv4_packet (pkt, si, tos);
1092 break;
1093
1094 case PROT_TCPv4:
1095 vpn->send_tcpv4_packet (pkt, si, tos);
1096 break;
1097 }
1098}
1099
1100connection::connection(struct vpn *vpn_) 1188connection::connection(struct vpn *vpn_)
1101: vpn(vpn_) 1189: vpn(vpn_)
1102, rekey (this, &connection::rekey_cb) 1190, rekey (this, &connection::rekey_cb)
1103, keepalive (this, &connection::keepalive_cb) 1191, keepalive (this, &connection::keepalive_cb)
1104, establish_connection (this, &connection::establish_connection_cb) 1192, establish_connection (this, &connection::establish_connection_cb)

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines