/cvs/gvpe/src/connection.C

Comparing gvpe/src/connection.C (file contents):
Revision 1.15 by pcg, Fri Aug 8 10:58:28 2003 UTC vs.
Revision 1.22 by pcg, Thu Oct 16 02:41:21 2003 UTC

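--- a/gvpe/src/connection.C
+++ b/gvpe/src/connection.C
@@ -1,7 +1,8 @@
 /*
 connection.C -- manage a single connection
+Copyright (C) 2003 Marc Lehmann <pcg@goof.com>
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.
@@ -35,10 +36,12 @@
 #include "slog.h"
 #include "device.h"
 #include "vpn.h"
 #include "connection.h"
 
+#include "netcompat.h"
+
 #if !HAVE_RAND_PSEUDO_BYTES
 # define RAND_pseudo_bytes RAND_bytes
 #endif
 
 #define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
@@ -197,16 +200,16 @@
 // only do action once every x seconds per host whole allowing bursts.
 // this implementation ("splay list" ;) is inefficient,
 // but low on resources.
 struct net_rate_limiter : list<net_rateinfo>
 {
-static const double ALPHA = 1. - 1. / 180.; // allow bursts
+static const double ALPHA = 1. - 1. / 600.; // allow bursts
 static const double CUTOFF = 10.; // one event every CUTOFF seconds
 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
 
 bool can (const sockinfo &si) { return can((u32)si.host); }
 bool can (u32 host);
 };
 
 net_rate_limiter auth_rate_limiter, reset_rate_limiter;
 
@@ -798,35 +801,33 @@
 reset_connection ();
 establish_connection ();
 }
 
 void
-connection::send_data_packet (tap_packet *pkt, bool broadcast)
+connection::send_data_packet (tap_packet *pkt)
 {
 vpndata_packet *p = new vpndata_packet;
 int tos = 0;
 
 // I am not hilarious about peeking into packets, but so be it.
-if (conf->inherit_tos
-&& (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
-&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4
+if (conf->inherit_tos && pkt->is_ipv4 ())
 tos = (*pkt)[15] & IPTOS_TOS_MASK;
 
-p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
+p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
 send_vpn_packet (p, si, tos);
 
 delete p;
 
 if (oseqno > MAX_SEQNO)
 rekey ();
 }
 
 void
-connection::inject_data_packet (tap_packet *pkt, bool broadcast)
+connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/)
 {
 if (ictx && octx)
-send_data_packet (pkt, broadcast);
+send_data_packet (pkt);
 else
 {
 if (!broadcast)//DDDD
 data_queue.put (new tap_packet (*pkt));
 
@@ -910,12 +911,12 @@
 rsachallenge k;
 
 if (0 > RSA_private_decrypt (sizeof (p->encr),
 (unsigned char *)&p->encr, (unsigned char *)&k,
 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
-slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
-conf->nodename, (const char *)rsi);
+slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
+conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
 else
 {
 delete octx;
 
 octx = new crypto_ctx (k, 1);
@@ -954,22 +955,25 @@
 
 rsachallenge chg;
 
 if (!rsa_cache.find (p->id, chg))
 {
-slog (L_ERR, _("%s(%s): unrequested auth response"),
+slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
 conf->nodename, (const char *)rsi);
 break;
 }
 else
 {
 crypto_ctx *cctx = new crypto_ctx (chg, 0);
 
 if (!p->hmac_chk (cctx))
+{
 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
 "could be an attack, or just corruption or an synchronization error"),
 conf->nodename, (const char *)rsi);
+break;
+}
 else
 {
 rsaresponse h;
 
 rsa_hash (p->id, chg, h);
@@ -1031,19 +1035,10 @@
 tap_packet *d = p->unpack (this, seqno);
 
 if (iseqno.recv_ok (seqno))
 {
 vpn->tap->send (d);
-
-if (p->dst () == 0) // re-broadcast
-for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
-{
-connection *c = *i;
-
-if (c->conf != THISNODE && c->conf != conf)
-c->inject_data_packet (d);
-}
 
 if (si != rsi)
 {
 // fast re-sync on connection changes, useful especially for tcp/ip
 si = rsi;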
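Review bot: The `break;` added after the hmac-failure slog (new line 973, auth-response hunk) jumps out of the `else` block without releasing `cctx`, which was heap-allocated with `new crypto_ctx (chg, 0)` a few lines earlier and is not deleted anywhere visible before the jump; the old flow fell through past the if/else, where the cleanup presumably lived. Because this path is taken precisely when the packet fails authentication, a peer that can produce a response matching a cached `p->id` would leak one crypto_ctx per forged packet, which is a cheap memory-exhaustion vector on the auth path. Suggest `delete cctx;` immediately before the `break;`, or holding cctx in a scoped owner so every exit frees it. The enclosing switch/case and the remainder of the else branch continue outside the hunk, so confirm no later free covers this exit.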
