ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.3 by pcg, Wed Apr 2 05:15:00 2003 UTC vs.
Revision 1.19 by pcg, Tue Oct 14 03:22:09 2003 UTC

35#include "slog.h" 35#include "slog.h"
36#include "device.h" 36#include "device.h"
37#include "vpn.h" 37#include "vpn.h"
38#include "connection.h" 38#include "connection.h"
39 39
40#include <sys/socket.h>
41#ifdef HAVE_NETINET_IN_H
42# include <netinet/in.h>
43#endif
44#include <arpa/inet.h>
45#include <net/if.h>
46#ifdef HAVE_NETINET_IN_SYSTM_H
47# include <netinet/in_systm.h>
48#endif
49#ifdef HAVE_NETINET_IP_H
50# include <netinet/ip.h>
51#endif
52
53#ifndef IPTOS_TOS_MASK
54# define IPTOS_TOS_MASK (IPTOS_LOWDELAY | IPTOS_THROUGHPUT | IPTOS_RELIABILITY | IPTOS_MINCOST)
55#endif
56
40#if !HAVE_RAND_PSEUDO_BYTES 57#if !HAVE_RAND_PSEUDO_BYTES
41# define RAND_pseudo_bytes RAND_bytes 58# define RAND_pseudo_bytes RAND_bytes
42#endif 59#endif
43 60
44#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
85 rsachallenge chg; 102 rsachallenge chg;
86}; 103};
87 104
88struct rsa_cache : list<rsa_entry> 105struct rsa_cache : list<rsa_entry>
89{ 106{
90 void cleaner_cb (tstamp &ts); time_watcher cleaner; 107 void cleaner_cb (time_watcher &w); time_watcher cleaner;
91 108
92 bool find (const rsaid &id, rsachallenge &chg) 109 bool find (const rsaid &id, rsachallenge &chg)
93 { 110 {
94 for (iterator i = begin (); i != end (); ++i) 111 for (iterator i = begin (); i != end (); ++i)
95 { 112 {
129 : cleaner (this, &rsa_cache::cleaner_cb) 146 : cleaner (this, &rsa_cache::cleaner_cb)
130 { } 147 { }
131 148
132} rsa_cache; 149} rsa_cache;
133 150
134void rsa_cache::cleaner_cb (tstamp &ts) 151void rsa_cache::cleaner_cb (time_watcher &w)
135{ 152{
136 if (empty ()) 153 if (empty ())
137 ts = TSTAMP_CANCEL; 154 w.at = TSTAMP_CANCEL;
138 else 155 else
139 { 156 {
140 ts = NOW + RSA_TTL; 157 w.at = NOW + RSA_TTL;
141 158
142 for (iterator i = begin (); i != end (); ) 159 for (iterator i = begin (); i != end (); )
143 if (i->expire <= NOW) 160 if (i->expire <= NOW)
144 i = erase (i); 161 i = erase (i);
145 else 162 else
147 } 164 }
148} 165}
149 166
150////////////////////////////////////////////////////////////////////////////// 167//////////////////////////////////////////////////////////////////////////////
151 168
152void pkt_queue::put (tap_packet *p) 169void pkt_queue::put (net_packet *p)
153{ 170{
154 if (queue[i]) 171 if (queue[i])
155 { 172 {
156 delete queue[i]; 173 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH; 174 j = (j + 1) % QUEUEDEPTH;
160 queue[i] = p; 177 queue[i] = p;
161 178
162 i = (i + 1) % QUEUEDEPTH; 179 i = (i + 1) % QUEUEDEPTH;
163} 180}
164 181
165tap_packet *pkt_queue::get () 182net_packet *pkt_queue::get ()
166{ 183{
167 tap_packet *p = queue[j]; 184 net_packet *p = queue[j];
168 185
169 if (p) 186 if (p)
170 { 187 {
171 queue[j] = 0; 188 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH; 189 j = (j + 1) % QUEUEDEPTH;
197// only do action once every x seconds per host whole allowing bursts. 214// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 215// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 216// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 217struct net_rate_limiter : list<net_rateinfo>
201{ 218{
202 static const double ALPHA = 1. - 1. / 90.; // allow bursts 219 static const double ALPHA = 1. - 1. / 600.; // allow bursts
203 static const double CUTOFF = 20.; // one event every CUTOFF seconds 220 static const double CUTOFF = 10.; // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 221 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
222 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205 223
206 bool can (const sockinfo &si) { return can((u32)si.host); } 224 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 225 bool can (u32 host);
208}; 226};
209 227
210net_rate_limiter auth_rate_limiter, reset_rate_limiter; 228net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211 229
225 { 243 {
226 net_rateinfo ri; 244 net_rateinfo ri;
227 245
228 ri.host = host; 246 ri.host = host;
229 ri.pcnt = 1.; 247 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 248 ri.diff = MAXDIF;
231 ri.last = NOW; 249 ri.last = NOW;
232 250
233 push_front (ri); 251 push_front (ri);
234 252
235 return true; 253 return true;
242 ri.pcnt = ri.pcnt * ALPHA; 260 ri.pcnt = ri.pcnt * ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 261 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244 262
245 ri.last = NOW; 263 ri.last = NOW;
246 264
265 double dif = ri.diff / ri.pcnt;
266
247 bool send = ri.diff / ri.pcnt > CUTOFF; 267 bool send = dif > CUTOFF;
248 268
269 if (dif > MAXDIF)
270 {
271 ri.pcnt = 1.;
272 ri.diff = MAXDIF;
273 }
249 if (send) 274 else if (send)
250 ri.pcnt++; 275 ri.pcnt++;
251 276
252 push_front (ri); 277 push_front (ri);
253 278
254 return send; 279 return send;
285 hmac_gen (ctx); 310 hmac_gen (ctx);
286 311
287 return !memcmp (hmac, hmac_digest, HMACLENGTH); 312 return !memcmp (hmac, hmac_digest, HMACLENGTH);
288} 313}
289 314
290void vpn_packet::set_hdr (ptype type, unsigned int dst) 315void vpn_packet::set_hdr (ptype type_, unsigned int dst)
291{ 316{
292 this->type = type; 317 type = type_;
293 318
294 int src = THISNODE->id; 319 int src = THISNODE->id;
295 320
296 src1 = src; 321 src1 = src;
297 srcdst = ((src >> 8) << 4) | (dst >> 8); 322 srcdst = ((src >> 8) << 4) | (dst >> 8);
467 set_hdr (type, dst); 492 set_hdr (type, dst);
468} 493}
469 494
470bool config_packet::chk_config () const 495bool config_packet::chk_config () const
471{ 496{
472 return prot_major == PROTOCOL_MAJOR 497 if (prot_major != PROTOCOL_MAJOR)
473 && randsize == RAND_SIZE 498 slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR);
474 && hmaclen == HMACLENGTH 499 else if (randsize != RAND_SIZE)
475 && flags == curflags () 500 slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE);
501 else if (hmaclen != HMACLENGTH)
502 slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH);
503 else if (flags != curflags ())
504 slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
476 && challengelen == sizeof (rsachallenge) 505 else if (challengelen != sizeof (rsachallenge))
506 slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge));
477 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 507 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
508 slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 509 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
510 slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 511 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
512 slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
513 else
514 return true;
515
516 return false;
480} 517}
481 518
482struct auth_req_packet : config_packet 519struct auth_req_packet : config_packet
483{ 520{
484 char magic[8]; 521 char magic[8];
546}; 583};
547 584
548///////////////////////////////////////////////////////////////////////////// 585/////////////////////////////////////////////////////////////////////////////
549 586
550void 587void
588connection::connection_established ()
589{
590 if (ictx && octx)
591 {
592 connectmode = conf->connectmode;
593
594 rekey.start (NOW + ::conf.rekey);
595 keepalive.start (NOW + ::conf.keepalive);
596
597 // send queued packets
598 if (ictx && octx)
599 {
600 while (tap_packet *p = (tap_packet *)data_queue.get ())
601 {
602 send_data_packet (p);
603 delete p;
604 }
605
606 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
607 {
608 send_vpn_packet (p, si, IPTOS_RELIABILITY);
609 delete p;
610 }
611 }
612 }
613 else
614 {
615 retry_cnt = 0;
616 establish_connection.start (NOW + 5);
617 keepalive.reset ();
618 rekey.reset ();
619 }
620}
621
622void
551connection::reset_dstaddr () 623connection::reset_si ()
552{ 624{
553 si.set (conf);
554}
555
556void
557connection::send_ping (const sockinfo &si, u8 pong)
558{
559 ping_packet *pkt = new ping_packet;
560
561 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
562 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
563
564 delete pkt;
565}
566
567void
568connection::send_reset (const sockinfo &si)
569{
570 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
571 {
572 config_packet *pkt = new config_packet;
573
574 pkt->setup (vpn_packet::PT_RESET, conf->id);
575 send_vpn_packet (pkt, si, IPTOS_MINCOST);
576
577 delete pkt;
578 }
579}
580
581void
582connection::send_auth_request (const sockinfo &si, bool initiate)
583{
584 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
585
586 protocol = best_protocol (THISNODE->protocols & conf->protocols); 625 protocol = best_protocol (THISNODE->protocols & conf->protocols);
587 626
588 // mask out protocols we cannot establish 627 // mask out protocols we cannot establish
589 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 628 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
590 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 629 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
591 630
592 if (protocol) 631 si.set (conf, protocol);
632}
633
634// ensure sockinfo is valid, forward if necessary
635const sockinfo &
636connection::forward_si (const sockinfo &si) const
637{
638 if (!si.valid ())
639 {
640 connection *r = vpn->find_router ();
641
642 if (r)
643 {
644 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
645 conf->nodename, r->conf->nodename);
646 return r->si;
647 }
648 else
649 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
650 conf->nodename);
593 { 651 }
594 rsachallenge chg;
595 652
596 rsa_cache.gen (pkt->id, chg); 653 return si;
654}
597 655
598 if (0 > RSA_public_encrypt (sizeof chg, 656void
599 (unsigned char *)&chg, (unsigned char *)&pkt->encr, 657connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
600 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 658{
601 fatal ("RSA_public_encrypt error"); 659 if (!vpn->send_vpn_packet (pkt, si, tos))
660 reset_connection ();
661}
602 662
603 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 663void
664connection::send_ping (const sockinfo &si, u8 pong)
665{
666 ping_packet *pkt = new ping_packet;
604 667
605 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 668 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
669 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
670
671 delete pkt;
672}
673
674void
675connection::send_reset (const sockinfo &si)
676{
677 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
678 {
679 config_packet *pkt = new config_packet;
680
681 pkt->setup (vpn_packet::PT_RESET, conf->id);
682 send_vpn_packet (pkt, si, IPTOS_MINCOST);
606 683
607 delete pkt; 684 delete pkt;
608 } 685 }
609 else 686}
610 ; // silently fail 687
688void
689connection::send_auth_request (const sockinfo &si, bool initiate)
690{
691 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
692
693 rsachallenge chg;
694
695 rsa_cache.gen (pkt->id, chg);
696
697 if (0 > RSA_public_encrypt (sizeof chg,
698 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
699 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
700 fatal ("RSA_public_encrypt error");
701
702 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
703
704 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
705
706 delete pkt;
611} 707}
612 708
613void 709void
614connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg) 710connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
615{ 711{
641 737
642 delete r; 738 delete r;
643} 739}
644 740
645void 741void
646connection::establish_connection_cb (tstamp &ts) 742connection::establish_connection_cb (time_watcher &w)
647{ 743{
648 if (ictx || conf == THISNODE 744 if (ictx || conf == THISNODE
649 || connectmode == conf_node::C_NEVER 745 || connectmode == conf_node::C_NEVER
650 || connectmode == conf_node::C_DISABLED) 746 || connectmode == conf_node::C_DISABLED)
651 ts = TSTAMP_CANCEL; 747 w.at = TSTAMP_CANCEL;
652 else if (ts <= NOW) 748 else if (w.at <= NOW)
653 { 749 {
654 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 750 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
655 751
656 if (retry_int < 3600 * 8) 752 if (retry_int < 3600 * 8)
657 retry_cnt++; 753 retry_cnt++;
658 754
659 ts = NOW + retry_int; 755 w.at = NOW + retry_int;
660 756
661 if (conf->hostname) 757 reset_si ();
758
759 if (si.prot && !si.host)
760 vpn->send_connect_request (conf->id);
761 else
662 { 762 {
663 reset_dstaddr (); 763 const sockinfo &dsi = forward_si (si);
764
664 if (si.host && auth_rate_limiter.can (si)) 765 if (dsi.valid () && auth_rate_limiter.can (dsi))
665 { 766 {
666 if (retry_cnt < 4) 767 if (retry_cnt < 4)
667 send_auth_request (si, true); 768 send_auth_request (dsi, true);
668 else 769 else
669 send_ping (si, 0); 770 send_ping (dsi, 0);
670 } 771 }
671 } 772 }
672 else
673 vpn->connect_request (conf->id);
674 } 773 }
675} 774}
676 775
677void 776void
678connection::reset_connection () 777connection::reset_connection ()
707 806
708 reset_connection (); 807 reset_connection ();
709} 808}
710 809
711void 810void
712connection::rekey_cb (tstamp &ts) 811connection::rekey_cb (time_watcher &w)
713{ 812{
714 ts = TSTAMP_CANCEL; 813 w.at = TSTAMP_CANCEL;
715 814
716 reset_connection (); 815 reset_connection ();
717 establish_connection (); 816 establish_connection ();
718} 817}
719 818
721connection::send_data_packet (tap_packet *pkt, bool broadcast) 820connection::send_data_packet (tap_packet *pkt, bool broadcast)
722{ 821{
723 vpndata_packet *p = new vpndata_packet; 822 vpndata_packet *p = new vpndata_packet;
724 int tos = 0; 823 int tos = 0;
725 824
825 // I am not hilarious about peeking into packets, but so be it.
726 if (conf->inherit_tos 826 if (conf->inherit_tos
727 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 827 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
728 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 828 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
729 tos = (*pkt)[15] & IPTOS_TOS_MASK; 829 tos = (*pkt)[15] & IPTOS_TOS_MASK;
730 830
743 if (ictx && octx) 843 if (ictx && octx)
744 send_data_packet (pkt, broadcast); 844 send_data_packet (pkt, broadcast);
745 else 845 else
746 { 846 {
747 if (!broadcast)//DDDD 847 if (!broadcast)//DDDD
748 queue.put (new tap_packet (*pkt)); 848 data_queue.put (new tap_packet (*pkt));
849
850 establish_connection ();
851 }
852}
853
854void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
855{
856 if (ictx && octx)
857 send_vpn_packet (pkt, si, tos);
858 else
859 {
860 vpn_queue.put (new vpn_packet (*pkt));
749 861
750 establish_connection (); 862 establish_connection ();
751 } 863 }
752} 864}
753 865
815 rsachallenge k; 927 rsachallenge k;
816 928
817 if (0 > RSA_private_decrypt (sizeof (p->encr), 929 if (0 > RSA_private_decrypt (sizeof (p->encr),
818 (unsigned char *)&p->encr, (unsigned char *)&k, 930 (unsigned char *)&p->encr, (unsigned char *)&k,
819 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 931 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
820 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 932 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
821 conf->nodename, (const char *)rsi); 933 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
822 else 934 else
823 { 935 {
824 retry_cnt = 0;
825 establish_connection.set (NOW + 8); //? ;)
826 keepalive.reset ();
827 rekey.reset ();
828
829 delete ictx;
830 ictx = 0;
831
832 delete octx; 936 delete octx;
833 937
834 octx = new crypto_ctx (k, 1); 938 octx = new crypto_ctx (k, 1);
835 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 939 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
836 940
837 conf->protocols = p->protocols; 941 conf->protocols = p->protocols;
942
838 send_auth_response (rsi, p->id, k); 943 send_auth_response (rsi, p->id, k);
944
945 connection_established ();
839 946
840 break; 947 break;
841 } 948 }
842 } 949 }
950 else
951 slog (L_WARN, _("%s(%s): protocol mismatch"),
952 conf->nodename, (const char *)rsi);
843 953
844 send_reset (rsi); 954 send_reset (rsi);
845 } 955 }
846 956
847 break; 957 break;
860 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 970 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
861 971
862 rsachallenge chg; 972 rsachallenge chg;
863 973
864 if (!rsa_cache.find (p->id, chg)) 974 if (!rsa_cache.find (p->id, chg))
975 {
865 slog (L_ERR, _("%s(%s): unrequested auth response"), 976 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
866 conf->nodename, (const char *)rsi); 977 conf->nodename, (const char *)rsi);
978 break;
979 }
867 else 980 else
868 { 981 {
869 crypto_ctx *cctx = new crypto_ctx (chg, 0); 982 crypto_ctx *cctx = new crypto_ctx (chg, 0);
870 983
871 if (!p->hmac_chk (cctx)) 984 if (!p->hmac_chk (cctx))
985 {
872 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 986 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
873 "could be an attack, or just corruption or an synchronization error"), 987 "could be an attack, or just corruption or an synchronization error"),
874 conf->nodename, (const char *)rsi); 988 conf->nodename, (const char *)rsi);
989 break;
990 }
875 else 991 else
876 { 992 {
877 rsaresponse h; 993 rsaresponse h;
878 994
879 rsa_hash (p->id, chg, h); 995 rsa_hash (p->id, chg, h);
885 delete ictx; ictx = cctx; 1001 delete ictx; ictx = cctx;
886 1002
887 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 1003 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
888 1004
889 si = rsi; 1005 si = rsi;
1006 protocol = rsi.prot;
890 1007
891 rekey.set (NOW + ::conf.rekey); 1008 connection_established ();
892 keepalive.set (NOW + ::conf.keepalive);
893 1009
894 // send queued packets
895 while (tap_packet *p = queue.get ())
896 {
897 send_data_packet (p);
898 delete p;
899 }
900
901 connectmode = conf->connectmode;
902
903 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"), 1010 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
904 conf->nodename, (const char *)rsi, 1011 conf->nodename, (const char *)rsi,
905 strprotocol (protocol),
906 p->prot_major, p->prot_minor); 1012 p->prot_major, p->prot_minor);
907 1013
908 if (::conf.script_node_up) 1014 if (::conf.script_node_up)
909 run_script (run_script_cb (this, &connection::script_node_up), false); 1015 run_script (run_script_cb (this, &connection::script_node_up), false);
910 1016
933 1039
934 if (ictx && octx) 1040 if (ictx && octx)
935 { 1041 {
936 vpndata_packet *p = (vpndata_packet *)pkt; 1042 vpndata_packet *p = (vpndata_packet *)pkt;
937 1043
938 if (rsi == si) 1044 if (!p->hmac_chk (ictx))
1045 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1046 "could be an attack, or just corruption or an synchronization error"),
1047 conf->nodename, (const char *)rsi);
1048 else
939 { 1049 {
940 if (!p->hmac_chk (ictx))
941 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
942 "could be an attack, or just corruption or an synchronization error"),
943 conf->nodename, (const char *)rsi);
944 else 1050 u32 seqno;
1051 tap_packet *d = p->unpack (this, seqno);
1052
1053 if (iseqno.recv_ok (seqno))
945 { 1054 {
946 u32 seqno; 1055 vpn->tap->send (d);
947 tap_packet *d = p->unpack (this, seqno);
948 1056
949 if (iseqno.recv_ok (seqno)) 1057 if (p->dst () == 0) // re-broadcast
1058 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1059 {
1060 connection *c = *i;
1061
1062 if (c->conf != THISNODE && c->conf != conf)
1063 c->inject_data_packet (d);
1064 }
1065
1066 if (si != rsi)
950 { 1067 {
951 vpn->tap->send (d); 1068 // fast re-sync on connection changes, useful especially for tcp/ip
952
953 if (p->dst () == 0) // re-broadcast
954 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
955 {
956 connection *c = *i;
957
958 if (c->conf != THISNODE && c->conf != conf)
959 c->inject_data_packet (d);
960 }
961
962 delete d;
963
964 break; 1069 si = rsi;
1070
1071 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1072 conf->nodename, (const char *)si, (const char *)rsi);
965 } 1073 }
1074
1075 delete d;
1076
1077 break;
966 } 1078 }
967 } 1079 }
968 else
969 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
970 } 1080 }
971 1081
972 send_reset (rsi); 1082 send_reset (rsi);
973 break; 1083 break;
974 1084
976 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1086 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
977 { 1087 {
978 connect_req_packet *p = (connect_req_packet *) pkt; 1088 connect_req_packet *p = (connect_req_packet *) pkt;
979 1089
980 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1090 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1091 connection *c = vpn->conns[p->id - 1];
981 conf->protocols = p->protocols; 1092 conf->protocols = p->protocols;
982 connection *c = vpn->conns[p->id - 1];
983 1093
984 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 1094 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
985 conf->id, p->id, c->ictx && c->octx); 1095 conf->id, p->id, c->ictx && c->octx);
986 1096
987 if (c->ictx && c->octx) 1097 if (c->ictx && c->octx)
989 // send connect_info packets to both sides, in case one is 1099 // send connect_info packets to both sides, in case one is
990 // behind a nat firewall (or both ;) 1100 // behind a nat firewall (or both ;)
991 c->send_connect_info (conf->id, si, conf->protocols); 1101 c->send_connect_info (conf->id, si, conf->protocols);
992 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1102 send_connect_info (c->conf->id, c->si, c->conf->protocols);
993 } 1103 }
1104 else
1105 c->establish_connection ();
994 } 1106 }
995 1107
996 break; 1108 break;
997 1109
998 case vpn_packet::PT_CONNECT_INFO: 1110 case vpn_packet::PT_CONNECT_INFO:
999 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1111 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1000 { 1112 {
1001 connect_info_packet *p = (connect_info_packet *) pkt; 1113 connect_info_packet *p = (connect_info_packet *) pkt;
1002 1114
1003 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1115 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1004 conf->protocols = p->protocols; 1116
1005 connection *c = vpn->conns[p->id - 1]; 1117 connection *c = vpn->conns[p->id - 1];
1118
1119 c->conf->protocols = p->protocols;
1120 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1121 p->si.upgrade_protocol (protocol, c->conf);
1006 1122
1007 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1123 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1008 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1124 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1009 1125
1126 const sockinfo &dsi = forward_si (p->si);
1127
1128 if (dsi.valid ())
1010 c->send_auth_request (p->si, true); 1129 c->send_auth_request (dsi, true);
1011 } 1130 }
1012 1131
1013 break; 1132 break;
1014 1133
1015 default: 1134 default:
1016 send_reset (rsi); 1135 send_reset (rsi);
1017 break; 1136 break;
1018 } 1137 }
1019} 1138}
1020 1139
1021void connection::keepalive_cb (tstamp &ts) 1140void connection::keepalive_cb (time_watcher &w)
1022{ 1141{
1023 if (NOW >= last_activity + ::conf.keepalive + 30) 1142 if (NOW >= last_activity + ::conf.keepalive + 30)
1024 { 1143 {
1025 reset_connection (); 1144 reset_connection ();
1026 establish_connection (); 1145 establish_connection ();
1027 } 1146 }
1028 else if (NOW < last_activity + ::conf.keepalive) 1147 else if (NOW < last_activity + ::conf.keepalive)
1029 ts = last_activity + ::conf.keepalive; 1148 w.at = last_activity + ::conf.keepalive;
1030 else if (conf->connectmode != conf_node::C_ONDEMAND 1149 else if (conf->connectmode != conf_node::C_ONDEMAND
1031 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1150 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1032 { 1151 {
1033 send_ping (si); 1152 send_ping (si);
1034 ts = NOW + 5; 1153 w.at = NOW + 5;
1035 } 1154 }
1155 else if (NOW < last_activity + ::conf.keepalive + 10)
1156 // hold ondemand connections implicitly a few seconds longer
1157 // should delete octx, though, or something like that ;)
1158 w.at = last_activity + ::conf.keepalive + 10;
1036 else 1159 else
1037 reset_connection (); 1160 reset_connection ();
1038} 1161}
1039 1162
1040void connection::connect_request (int id) 1163void connection::send_connect_request (int id)
1041{ 1164{
1042 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1165 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1043 1166
1044 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1167 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1045 p->hmac_set (octx); 1168 p->hmac_set (octx);
1075 putenv ("STATE=down"); 1198 putenv ("STATE=down");
1076 1199
1077 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1200 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1078} 1201}
1079 1202
1080// send a vpn packet out to other hosts
1081void
1082connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1083{
1084 switch (protocol)
1085 {
1086 case PROT_IPv4:
1087 vpn->send_ipv4_packet (pkt, si, tos);
1088 break;
1089
1090 case PROT_UDPv4:
1091 vpn->send_udpv4_packet (pkt, si, tos);
1092 break;
1093
1094 case PROT_TCPv4:
1095 vpn->send_tcpv4_packet (pkt, si, tos);
1096 break;
1097 }
1098}
1099
1100connection::connection(struct vpn *vpn_) 1203connection::connection(struct vpn *vpn_)
1101: vpn(vpn_) 1204: vpn(vpn_)
1102, rekey (this, &connection::rekey_cb) 1205, rekey (this, &connection::rekey_cb)
1103, keepalive (this, &connection::keepalive_cb) 1206, keepalive (this, &connection::keepalive_cb)
1104, establish_connection (this, &connection::establish_connection_cb) 1207, establish_connection (this, &connection::establish_connection_cb)

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines