ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.2 by pcg, Wed Apr 2 03:25:17 2003 UTC vs.
Revision 1.19 by pcg, Tue Oct 14 03:22:09 2003 UTC

35#include "slog.h" 35#include "slog.h"
36#include "device.h" 36#include "device.h"
37#include "vpn.h" 37#include "vpn.h"
38#include "connection.h" 38#include "connection.h"
39 39
40#include <sys/socket.h>
41#ifdef HAVE_NETINET_IN_H
42# include <netinet/in.h>
43#endif
44#include <arpa/inet.h>
45#include <net/if.h>
46#ifdef HAVE_NETINET_IN_SYSTM_H
47# include <netinet/in_systm.h>
48#endif
49#ifdef HAVE_NETINET_IP_H
50# include <netinet/ip.h>
51#endif
52
53#ifndef IPTOS_TOS_MASK
54# define IPTOS_TOS_MASK (IPTOS_LOWDELAY | IPTOS_THROUGHPUT | IPTOS_RELIABILITY | IPTOS_MINCOST)
55#endif
56
40#if !HAVE_RAND_PSEUDO_BYTES 57#if !HAVE_RAND_PSEUDO_BYTES
41# define RAND_pseudo_bytes RAND_bytes 58# define RAND_pseudo_bytes RAND_bytes
42#endif 59#endif
43 60
44#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
85 rsachallenge chg; 102 rsachallenge chg;
86}; 103};
87 104
88struct rsa_cache : list<rsa_entry> 105struct rsa_cache : list<rsa_entry>
89{ 106{
90 void cleaner_cb (tstamp &ts); time_watcher cleaner; 107 void cleaner_cb (time_watcher &w); time_watcher cleaner;
91 108
92 bool find (const rsaid &id, rsachallenge &chg) 109 bool find (const rsaid &id, rsachallenge &chg)
93 { 110 {
94 for (iterator i = begin (); i != end (); ++i) 111 for (iterator i = begin (); i != end (); ++i)
95 { 112 {
129 : cleaner (this, &rsa_cache::cleaner_cb) 146 : cleaner (this, &rsa_cache::cleaner_cb)
130 { } 147 { }
131 148
132} rsa_cache; 149} rsa_cache;
133 150
134void rsa_cache::cleaner_cb (tstamp &ts) 151void rsa_cache::cleaner_cb (time_watcher &w)
135{ 152{
136 if (empty ()) 153 if (empty ())
137 ts = TSTAMP_CANCEL; 154 w.at = TSTAMP_CANCEL;
138 else 155 else
139 { 156 {
140 ts = NOW + RSA_TTL; 157 w.at = NOW + RSA_TTL;
141 158
142 for (iterator i = begin (); i != end (); ) 159 for (iterator i = begin (); i != end (); )
143 if (i->expire <= NOW) 160 if (i->expire <= NOW)
144 i = erase (i); 161 i = erase (i);
145 else 162 else
147 } 164 }
148} 165}
149 166
150////////////////////////////////////////////////////////////////////////////// 167//////////////////////////////////////////////////////////////////////////////
151 168
152void pkt_queue::put (tap_packet *p) 169void pkt_queue::put (net_packet *p)
153{ 170{
154 if (queue[i]) 171 if (queue[i])
155 { 172 {
156 delete queue[i]; 173 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH; 174 j = (j + 1) % QUEUEDEPTH;
160 queue[i] = p; 177 queue[i] = p;
161 178
162 i = (i + 1) % QUEUEDEPTH; 179 i = (i + 1) % QUEUEDEPTH;
163} 180}
164 181
165tap_packet *pkt_queue::get () 182net_packet *pkt_queue::get ()
166{ 183{
167 tap_packet *p = queue[j]; 184 net_packet *p = queue[j];
168 185
169 if (p) 186 if (p)
170 { 187 {
171 queue[j] = 0; 188 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH; 189 j = (j + 1) % QUEUEDEPTH;
197// only do action once every x seconds per host whole allowing bursts. 214// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 215// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 216// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 217struct net_rate_limiter : list<net_rateinfo>
201{ 218{
202 static const double ALPHA = 1. - 1. / 90.; // allow bursts 219 static const double ALPHA = 1. - 1. / 600.; // allow bursts
203 static const double CUTOFF = 20.; // one event every CUTOFF seconds 220 static const double CUTOFF = 10.; // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 221 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
222 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205 223
206 bool can (const sockinfo &si) { return can((u32)si.host); } 224 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 225 bool can (u32 host);
208}; 226};
209 227
210net_rate_limiter auth_rate_limiter, reset_rate_limiter; 228net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211 229
225 { 243 {
226 net_rateinfo ri; 244 net_rateinfo ri;
227 245
228 ri.host = host; 246 ri.host = host;
229 ri.pcnt = 1.; 247 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 248 ri.diff = MAXDIF;
231 ri.last = NOW; 249 ri.last = NOW;
232 250
233 push_front (ri); 251 push_front (ri);
234 252
235 return true; 253 return true;
242 ri.pcnt = ri.pcnt * ALPHA; 260 ri.pcnt = ri.pcnt * ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 261 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244 262
245 ri.last = NOW; 263 ri.last = NOW;
246 264
265 double dif = ri.diff / ri.pcnt;
266
247 bool send = ri.diff / ri.pcnt > CUTOFF; 267 bool send = dif > CUTOFF;
248 268
269 if (dif > MAXDIF)
270 {
271 ri.pcnt = 1.;
272 ri.diff = MAXDIF;
273 }
249 if (send) 274 else if (send)
250 ri.pcnt++; 275 ri.pcnt++;
251 276
252 push_front (ri); 277 push_front (ri);
253 278
254 return send; 279 return send;
285 hmac_gen (ctx); 310 hmac_gen (ctx);
286 311
287 return !memcmp (hmac, hmac_digest, HMACLENGTH); 312 return !memcmp (hmac, hmac_digest, HMACLENGTH);
288} 313}
289 314
290void vpn_packet::set_hdr (ptype type, unsigned int dst) 315void vpn_packet::set_hdr (ptype type_, unsigned int dst)
291{ 316{
292 this->type = type; 317 type = type_;
293 318
294 int src = THISNODE->id; 319 int src = THISNODE->id;
295 320
296 src1 = src; 321 src1 = src;
297 srcdst = ((src >> 8) << 4) | (dst >> 8); 322 srcdst = ((src >> 8) << 4) | (dst >> 8);
467 set_hdr (type, dst); 492 set_hdr (type, dst);
468} 493}
469 494
470bool config_packet::chk_config () const 495bool config_packet::chk_config () const
471{ 496{
472 return prot_major == PROTOCOL_MAJOR 497 if (prot_major != PROTOCOL_MAJOR)
473 && randsize == RAND_SIZE 498 slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR);
474 && hmaclen == HMACLENGTH 499 else if (randsize != RAND_SIZE)
475 && flags == curflags () 500 slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE);
501 else if (hmaclen != HMACLENGTH)
502 slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH);
503 else if (flags != curflags ())
504 slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
476 && challengelen == sizeof (rsachallenge) 505 else if (challengelen != sizeof (rsachallenge))
506 slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge));
477 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 507 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
508 slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 509 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
510 slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 511 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
512 slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
513 else
514 return true;
515
516 return false;
480} 517}
481 518
482struct auth_req_packet : config_packet 519struct auth_req_packet : config_packet
483{ 520{
484 char magic[8]; 521 char magic[8];
546}; 583};
547 584
548///////////////////////////////////////////////////////////////////////////// 585/////////////////////////////////////////////////////////////////////////////
549 586
550void 587void
588connection::connection_established ()
589{
590 if (ictx && octx)
591 {
592 connectmode = conf->connectmode;
593
594 rekey.start (NOW + ::conf.rekey);
595 keepalive.start (NOW + ::conf.keepalive);
596
597 // send queued packets
598 if (ictx && octx)
599 {
600 while (tap_packet *p = (tap_packet *)data_queue.get ())
601 {
602 send_data_packet (p);
603 delete p;
604 }
605
606 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
607 {
608 send_vpn_packet (p, si, IPTOS_RELIABILITY);
609 delete p;
610 }
611 }
612 }
613 else
614 {
615 retry_cnt = 0;
616 establish_connection.start (NOW + 5);
617 keepalive.reset ();
618 rekey.reset ();
619 }
620}
621
622void
551connection::reset_dstaddr () 623connection::reset_si ()
552{ 624{
553 si.set (conf);
554}
555
556void
557connection::send_ping (const sockinfo &si, u8 pong)
558{
559 ping_packet *pkt = new ping_packet;
560
561 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
562 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
563
564 delete pkt;
565}
566
567void
568connection::send_reset (const sockinfo &si)
569{
570 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
571 {
572 config_packet *pkt = new config_packet;
573
574 pkt->setup (vpn_packet::PT_RESET, conf->id);
575 send_vpn_packet (pkt, si, IPTOS_MINCOST);
576
577 delete pkt;
578 }
579}
580
581void
582connection::send_auth_request (const sockinfo &si, bool initiate)
583{
584 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
585
586 protocol = best_protocol (THISNODE->protocols & conf->protocols); 625 protocol = best_protocol (THISNODE->protocols & conf->protocols);
587 626
588 // mask out protocols we cannot establish 627 // mask out protocols we cannot establish
589 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 628 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
590 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 629 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
591 630
592 if (protocol) 631 si.set (conf, protocol);
632}
633
634// ensure sockinfo is valid, forward if necessary
635const sockinfo &
636connection::forward_si (const sockinfo &si) const
637{
638 if (!si.valid ())
639 {
640 connection *r = vpn->find_router ();
641
642 if (r)
643 {
644 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
645 conf->nodename, r->conf->nodename);
646 return r->si;
647 }
648 else
649 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
650 conf->nodename);
593 { 651 }
594 rsachallenge chg;
595 652
596 rsa_cache.gen (pkt->id, chg); 653 return si;
654}
597 655
598 if (0 > RSA_public_encrypt (sizeof chg, 656void
599 (unsigned char *)&chg, (unsigned char *)&pkt->encr, 657connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
600 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 658{
601 fatal ("RSA_public_encrypt error"); 659 if (!vpn->send_vpn_packet (pkt, si, tos))
660 reset_connection ();
661}
602 662
603 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 663void
664connection::send_ping (const sockinfo &si, u8 pong)
665{
666 ping_packet *pkt = new ping_packet;
604 667
605 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 668 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
669 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
670
671 delete pkt;
672}
673
674void
675connection::send_reset (const sockinfo &si)
676{
677 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
678 {
679 config_packet *pkt = new config_packet;
680
681 pkt->setup (vpn_packet::PT_RESET, conf->id);
682 send_vpn_packet (pkt, si, IPTOS_MINCOST);
606 683
607 delete pkt; 684 delete pkt;
608 } 685 }
609 else 686}
610 ; // silently fail 687
688void
689connection::send_auth_request (const sockinfo &si, bool initiate)
690{
691 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
692
693 rsachallenge chg;
694
695 rsa_cache.gen (pkt->id, chg);
696
697 if (0 > RSA_public_encrypt (sizeof chg,
698 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
699 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
700 fatal ("RSA_public_encrypt error");
701
702 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
703
704 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
705
706 delete pkt;
611} 707}
612 708
613void 709void
614connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg) 710connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
615{ 711{
641 737
642 delete r; 738 delete r;
643} 739}
644 740
645void 741void
646connection::establish_connection_cb (tstamp &ts) 742connection::establish_connection_cb (time_watcher &w)
647{ 743{
648 if (ictx || conf == THISNODE 744 if (ictx || conf == THISNODE
649 || connectmode == conf_node::C_NEVER 745 || connectmode == conf_node::C_NEVER
650 || connectmode == conf_node::C_DISABLED) 746 || connectmode == conf_node::C_DISABLED)
651 ts = TSTAMP_CANCEL; 747 w.at = TSTAMP_CANCEL;
652 else if (ts <= NOW) 748 else if (w.at <= NOW)
653 { 749 {
654 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 750 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
655 751
656 if (retry_int < 3600 * 8) 752 if (retry_int < 3600 * 8)
657 retry_cnt++; 753 retry_cnt++;
658 754
659 ts = NOW + retry_int; 755 w.at = NOW + retry_int;
660 756
661 if (conf->hostname) 757 reset_si ();
758
759 if (si.prot && !si.host)
760 vpn->send_connect_request (conf->id);
761 else
662 { 762 {
663 reset_dstaddr (); 763 const sockinfo &dsi = forward_si (si);
764
664 if (si.host && auth_rate_limiter.can (si)) 765 if (dsi.valid () && auth_rate_limiter.can (dsi))
665 { 766 {
666 if (retry_cnt < 4) 767 if (retry_cnt < 4)
667 send_auth_request (si, true); 768 send_auth_request (dsi, true);
668 else 769 else
669 send_ping (si, 0); 770 send_ping (dsi, 0);
670 } 771 }
671 } 772 }
672 else
673 vpn->connect_request (conf->id);
674 } 773 }
675} 774}
676 775
677void 776void
678connection::reset_connection () 777connection::reset_connection ()
707 806
708 reset_connection (); 807 reset_connection ();
709} 808}
710 809
711void 810void
712connection::rekey_cb (tstamp &ts) 811connection::rekey_cb (time_watcher &w)
713{ 812{
714 ts = TSTAMP_CANCEL; 813 w.at = TSTAMP_CANCEL;
715 814
716 reset_connection (); 815 reset_connection ();
717 establish_connection (); 816 establish_connection ();
718} 817}
719 818
721connection::send_data_packet (tap_packet *pkt, bool broadcast) 820connection::send_data_packet (tap_packet *pkt, bool broadcast)
722{ 821{
723 vpndata_packet *p = new vpndata_packet; 822 vpndata_packet *p = new vpndata_packet;
724 int tos = 0; 823 int tos = 0;
725 824
825 // I am not hilarious about peeking into packets, but so be it.
726 if (conf->inherit_tos 826 if (conf->inherit_tos
727 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 827 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
728 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 828 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
729 tos = (*pkt)[15] & IPTOS_TOS_MASK; 829 tos = (*pkt)[15] & IPTOS_TOS_MASK;
730 830
743 if (ictx && octx) 843 if (ictx && octx)
744 send_data_packet (pkt, broadcast); 844 send_data_packet (pkt, broadcast);
745 else 845 else
746 { 846 {
747 if (!broadcast)//DDDD 847 if (!broadcast)//DDDD
748 queue.put (new tap_packet (*pkt)); 848 data_queue.put (new tap_packet (*pkt));
849
850 establish_connection ();
851 }
852}
853
854void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
855{
856 if (ictx && octx)
857 send_vpn_packet (pkt, si, tos);
858 else
859 {
860 vpn_queue.put (new vpn_packet (*pkt));
749 861
750 establish_connection (); 862 establish_connection ();
751 } 863 }
752} 864}
753 865
759 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 871 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
760 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 872 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
761 873
762 switch (pkt->typ ()) 874 switch (pkt->typ ())
763 { 875 {
764 case vpn_packet::PT_PING: 876 case vpn_packet::PT_PING:
765 // we send pings instead of auth packets after some retries, 877 // we send pings instead of auth packets after some retries,
766 // so reset the retry counter and establish a connection 878 // so reset the retry counter and establish a connection
767 // when we receive a ping. 879 // when we receive a ping.
768 if (!ictx) 880 if (!ictx)
881 {
882 if (auth_rate_limiter.can (rsi))
883 send_auth_request (rsi, true);
884 }
885 else
886 send_ping (rsi, 1); // pong
887
888 break;
889
890 case vpn_packet::PT_PONG:
891 break;
892
893 case vpn_packet::PT_RESET:
769 { 894 {
770 if (auth_rate_limiter.can (rsi)) 895 reset_connection ();
771 send_auth_request (rsi, true); 896
897 config_packet *p = (config_packet *) pkt;
898
899 if (!p->chk_config ())
900 {
901 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
902 conf->nodename, (const char *)rsi);
903 connectmode = conf_node::C_DISABLED;
904 }
905 else if (connectmode == conf_node::C_ALWAYS)
906 establish_connection ();
772 } 907 }
773 else
774 send_ping (rsi, 1); // pong
775
776 break; 908 break;
777 909
778 case vpn_packet::PT_PONG:
779 break;
780
781 case vpn_packet::PT_RESET: 910 case vpn_packet::PT_AUTH_REQ:
782 { 911 if (auth_rate_limiter.can (rsi))
783 reset_connection ();
784
785 config_packet *p = (config_packet *) pkt;
786
787 if (!p->chk_config ())
788 { 912 {
913 auth_req_packet *p = (auth_req_packet *) pkt;
914
915 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
916
917 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
918 {
919 if (p->prot_minor != PROTOCOL_MINOR)
920 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
921 conf->nodename, (const char *)rsi,
922 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
923
924 if (p->initiate)
925 send_auth_request (rsi, false);
926
927 rsachallenge k;
928
929 if (0 > RSA_private_decrypt (sizeof (p->encr),
930 (unsigned char *)&p->encr, (unsigned char *)&k,
931 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
932 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
933 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
934 else
935 {
936 delete octx;
937
938 octx = new crypto_ctx (k, 1);
939 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
940
941 conf->protocols = p->protocols;
942
943 send_auth_response (rsi, p->id, k);
944
945 connection_established ();
946
947 break;
948 }
949 }
950 else
789 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"), 951 slog (L_WARN, _("%s(%s): protocol mismatch"),
790 conf->nodename, (const char *)rsi); 952 conf->nodename, (const char *)rsi);
791 connectmode = conf_node::C_DISABLED; 953
954 send_reset (rsi);
792 } 955 }
793 else if (connectmode == conf_node::C_ALWAYS) 956
794 establish_connection ();
795 }
796 break; 957 break;
797 958
798 case vpn_packet::PT_AUTH_REQ: 959 case vpn_packet::PT_AUTH_RES:
799 if (auth_rate_limiter.can (rsi))
800 { 960 {
801 auth_req_packet *p = (auth_req_packet *) pkt; 961 auth_res_packet *p = (auth_res_packet *) pkt;
802 962
803 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 963 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
804 964
805 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 965 if (p->chk_config ())
806 { 966 {
807 if (p->prot_minor != PROTOCOL_MINOR) 967 if (p->prot_minor != PROTOCOL_MINOR)
808 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 968 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
809 conf->nodename, (const char *)rsi, 969 conf->nodename, (const char *)rsi,
810 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 970 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
811 971
812 if (p->initiate)
813 send_auth_request (rsi, false);
814
815 rsachallenge k; 972 rsachallenge chg;
816 973
817 if (0 > RSA_private_decrypt (sizeof (p->encr), 974 if (!rsa_cache.find (p->id, chg))
818 (unsigned char *)&p->encr, (unsigned char *)&k, 975 {
819 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 976 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
820 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
821 conf->nodename, (const char *)rsi); 977 conf->nodename, (const char *)rsi);
978 break;
979 }
822 else 980 else
823 { 981 {
824 retry_cnt = 0; 982 crypto_ctx *cctx = new crypto_ctx (chg, 0);
825 establish_connection.set (NOW + 8); //? ;) 983
826 keepalive.reset (); 984 if (!p->hmac_chk (cctx))
985 {
986 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
987 "could be an attack, or just corruption or an synchronization error"),
988 conf->nodename, (const char *)rsi);
989 break;
990 }
827 rekey.reset (); 991 else
992 {
993 rsaresponse h;
828 994
995 rsa_hash (p->id, chg, h);
996
997 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
998 {
999 prot_minor = p->prot_minor;
1000
1001 delete ictx; ictx = cctx;
1002
1003 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1004
1005 si = rsi;
1006 protocol = rsi.prot;
1007
1008 connection_established ();
1009
1010 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
1011 conf->nodename, (const char *)rsi,
1012 p->prot_major, p->prot_minor);
1013
1014 if (::conf.script_node_up)
1015 run_script (run_script_cb (this, &connection::script_node_up), false);
1016
1017 break;
1018 }
1019 else
1020 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
1021 conf->nodename, (const char *)rsi);
1022 }
1023
829 delete ictx; 1024 delete cctx;
830 ictx = 0;
831
832 delete octx;
833
834 octx = new crypto_ctx (k, 1);
835 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
836
837 conf->protocols = p->protocols;
838 send_auth_response (rsi, p->id, k);
839
840 break;
841 } 1025 }
842 } 1026 }
843
844 send_reset (rsi);
845 } 1027 }
846 1028
1029 send_reset (rsi);
847 break; 1030 break;
848 1031
849 case vpn_packet::PT_AUTH_RES: 1032 case vpn_packet::PT_DATA_COMPRESSED:
850 { 1033#if !ENABLE_COMPRESSION
851 auth_res_packet *p = (auth_res_packet *) pkt; 1034 send_reset (rsi);
1035 break;
1036#endif
852 1037
853 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 1038 case vpn_packet::PT_DATA_UNCOMPRESSED:
854 1039
855 if (p->chk_config ()) 1040 if (ictx && octx)
856 { 1041 {
857 if (p->prot_minor != PROTOCOL_MINOR) 1042 vpndata_packet *p = (vpndata_packet *)pkt;
858 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
859 conf->nodename, (const char *)rsi,
860 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
861 1043
862 rsachallenge chg; 1044 if (!p->hmac_chk (ictx))
863 1045 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
864 if (!rsa_cache.find (p->id, chg)) 1046 "could be an attack, or just corruption or an synchronization error"),
865 slog (L_ERR, _("%s(%s): unrequested auth response"),
866 conf->nodename, (const char *)rsi); 1047 conf->nodename, (const char *)rsi);
867 else 1048 else
868 { 1049 {
869 crypto_ctx *cctx = new crypto_ctx (chg, 0);
870
871 if (!p->hmac_chk (cctx))
872 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
873 "could be an attack, or just corruption or an synchronization error"),
874 conf->nodename, (const char *)rsi);
875 else 1050 u32 seqno;
1051 tap_packet *d = p->unpack (this, seqno);
1052
1053 if (iseqno.recv_ok (seqno))
876 { 1054 {
877 rsaresponse h; 1055 vpn->tap->send (d);
878 1056
879 rsa_hash (p->id, chg, h); 1057 if (p->dst () == 0) // re-broadcast
1058 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1059 {
1060 connection *c = *i;
880 1061
881 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h)) 1062 if (c->conf != THISNODE && c->conf != conf)
1063 c->inject_data_packet (d);
1064 }
1065
1066 if (si != rsi)
882 { 1067 {
883 prot_minor = p->prot_minor; 1068 // fast re-sync on connection changes, useful especially for tcp/ip
884
885 delete ictx; ictx = cctx;
886
887 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
888
889 si = rsi; 1069 si = rsi;
890 1070
891 rekey.set (NOW + ::conf.rekey); 1071 slog (L_INFO, _("%s(%s): socket address changed to %s"),
892 keepalive.set (NOW + ::conf.keepalive);
893
894 // send queued packets
895 while (tap_packet *p = queue.get ())
896 {
897 send_data_packet (p);
898 delete p;
899 }
900
901 connectmode = conf->connectmode;
902
903 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
904 conf->nodename, (const char *)rsi, 1072 conf->nodename, (const char *)si, (const char *)rsi);
905 strprotocol (protocol),
906 p->prot_major, p->prot_minor);
907
908 if (::conf.script_node_up)
909 run_script (run_script_cb (this, &connection::script_node_up), false);
910
911 break;
912 } 1073 }
1074
913 else 1075 delete d;
914 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1076
915 conf->nodename, (const char *)rsi); 1077 break;
916 } 1078 }
917
918 delete cctx;
919 } 1079 }
920 } 1080 }
921 }
922 1081
923 send_reset (rsi); 1082 send_reset (rsi);
924 break; 1083 break;
925 1084
926 case vpn_packet::PT_DATA_COMPRESSED:
927#if !ENABLE_COMPRESSION
928 send_reset (rsi);
929 break;
930#endif
931
932 case vpn_packet::PT_DATA_UNCOMPRESSED:
933
934 if (ictx && octx)
935 {
936 vpndata_packet *p = (vpndata_packet *)pkt;
937
938 if (rsi == si)
939 {
940 if (!p->hmac_chk (ictx))
941 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
942 "could be an attack, or just corruption or an synchronization error"),
943 conf->nodename, (const char *)rsi);
944 else
945 {
946 u32 seqno;
947 tap_packet *d = p->unpack (this, seqno);
948
949 if (iseqno.recv_ok (seqno))
950 {
951 vpn->tap->send (d);
952
953 if (p->dst () == 0) // re-broadcast
954 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
955 {
956 connection *c = *i;
957
958 if (c->conf != THISNODE && c->conf != conf)
959 c->inject_data_packet (d);
960 }
961
962 delete d;
963
964 break;
965 }
966 }
967 }
968 else
969 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
970 }
971
972 send_reset (rsi);
973 break;
974
975 case vpn_packet::PT_CONNECT_REQ: 1085 case vpn_packet::PT_CONNECT_REQ:
976 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1086 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
977 { 1087 {
978 connect_req_packet *p = (connect_req_packet *) pkt; 1088 connect_req_packet *p = (connect_req_packet *) pkt;
979 1089
980 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1090 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
981 conf->protocols = p->protocols;
982 connection *c = vpn->conns[p->id - 1]; 1091 connection *c = vpn->conns[p->id - 1];
1092 conf->protocols = p->protocols;
983 1093
984 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 1094 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
985 conf->id, p->id, c->ictx && c->octx); 1095 conf->id, p->id, c->ictx && c->octx);
986 1096
987 if (c->ictx && c->octx) 1097 if (c->ictx && c->octx)
988 { 1098 {
989 // send connect_info packets to both sides, in case one is 1099 // send connect_info packets to both sides, in case one is
990 // behind a nat firewall (or both ;) 1100 // behind a nat firewall (or both ;)
991 c->send_connect_info (conf->id, si, conf->protocols); 1101 c->send_connect_info (conf->id, si, conf->protocols);
992 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1102 send_connect_info (c->conf->id, c->si, c->conf->protocols);
993 } 1103 }
1104 else
1105 c->establish_connection ();
994 } 1106 }
995 1107
996 break; 1108 break;
997 1109
998 case vpn_packet::PT_CONNECT_INFO: 1110 case vpn_packet::PT_CONNECT_INFO:
999 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1111 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1000 { 1112 {
1001 connect_info_packet *p = (connect_info_packet *) pkt; 1113 connect_info_packet *p = (connect_info_packet *) pkt;
1002 1114
1003 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1115 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1004 conf->protocols = p->protocols; 1116
1005 connection *c = vpn->conns[p->id - 1]; 1117 connection *c = vpn->conns[p->id - 1];
1006 1118
1119 c->conf->protocols = p->protocols;
1120 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1121 p->si.upgrade_protocol (protocol, c->conf);
1122
1007 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1123 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1008 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1124 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1009 1125
1126 const sockinfo &dsi = forward_si (p->si);
1127
1128 if (dsi.valid ())
1010 c->send_auth_request (p->si, true); 1129 c->send_auth_request (dsi, true);
1011 } 1130 }
1012 1131
1013 break; 1132 break;
1014 1133
1015 default: 1134 default:
1016 send_reset (rsi); 1135 send_reset (rsi);
1017 break; 1136 break;
1018
1019 } 1137 }
1020} 1138}
1021 1139
1022void connection::keepalive_cb (tstamp &ts) 1140void connection::keepalive_cb (time_watcher &w)
1023{ 1141{
1024 if (NOW >= last_activity + ::conf.keepalive + 30) 1142 if (NOW >= last_activity + ::conf.keepalive + 30)
1025 { 1143 {
1026 reset_connection (); 1144 reset_connection ();
1027 establish_connection (); 1145 establish_connection ();
1028 } 1146 }
1029 else if (NOW < last_activity + ::conf.keepalive) 1147 else if (NOW < last_activity + ::conf.keepalive)
1030 ts = last_activity + ::conf.keepalive; 1148 w.at = last_activity + ::conf.keepalive;
1031 else if (conf->connectmode != conf_node::C_ONDEMAND 1149 else if (conf->connectmode != conf_node::C_ONDEMAND
1032 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1150 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1033 { 1151 {
1034 send_ping (si); 1152 send_ping (si);
1035 ts = NOW + 5; 1153 w.at = NOW + 5;
1036 } 1154 }
1155 else if (NOW < last_activity + ::conf.keepalive + 10)
1156 // hold ondemand connections implicitly a few seconds longer
1157 // should delete octx, though, or something like that ;)
1158 w.at = last_activity + ::conf.keepalive + 10;
1037 else 1159 else
1038 reset_connection (); 1160 reset_connection ();
1039} 1161}
1040 1162
1041void connection::connect_request (int id) 1163void connection::send_connect_request (int id)
1042{ 1164{
1043 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1165 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1044 1166
1045 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1167 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1046 p->hmac_set (octx); 1168 p->hmac_set (octx);
1049 delete p; 1171 delete p;
1050} 1172}
1051 1173
1052void connection::script_node () 1174void connection::script_node ()
1053{ 1175{
1054 vpn->script_if_up (0); 1176 vpn->script_if_up ();
1055 1177
1056 char *env; 1178 char *env;
1057 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1179 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1058 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1180 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1059 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1181 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1060 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1182 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1061} 1183}
1062 1184
1063const char *connection::script_node_up (int) 1185const char *connection::script_node_up ()
1064{ 1186{
1065 script_node (); 1187 script_node ();
1066 1188
1067 putenv ("STATE=up"); 1189 putenv ("STATE=up");
1068 1190
1069 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1191 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1070} 1192}
1071 1193
1072const char *connection::script_node_down (int) 1194const char *connection::script_node_down ()
1073{ 1195{
1074 script_node (); 1196 script_node ();
1075 1197
1076 putenv ("STATE=down"); 1198 putenv ("STATE=down");
1077 1199
1078 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1200 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1079}
1080
1081// send a vpn packet out to other hosts
1082void
1083connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1084{
1085 if (protocol & PROT_IPv4)
1086 vpn->send_ipv4_packet (pkt, si, tos);
1087 else
1088 vpn->send_udpv4_packet (pkt, si, tos);
1089} 1201}
1090 1202
1091connection::connection(struct vpn *vpn_) 1203connection::connection(struct vpn *vpn_)
1092: vpn(vpn_) 1204: vpn(vpn_)
1093, rekey (this, &connection::rekey_cb) 1205, rekey (this, &connection::rekey_cb)

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines