ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.9 by pcg, Sun Apr 6 04:31:51 2003 UTC vs.
Revision 1.13 by pcg, Fri Aug 8 07:52:26 2003 UTC

147 } 147 }
148} 148}
149 149
150////////////////////////////////////////////////////////////////////////////// 150//////////////////////////////////////////////////////////////////////////////
151 151
152void pkt_queue::put (tap_packet *p) 152void pkt_queue::put (net_packet *p)
153{ 153{
154 if (queue[i]) 154 if (queue[i])
155 { 155 {
156 delete queue[i]; 156 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH; 157 j = (j + 1) % QUEUEDEPTH;
160 queue[i] = p; 160 queue[i] = p;
161 161
162 i = (i + 1) % QUEUEDEPTH; 162 i = (i + 1) % QUEUEDEPTH;
163} 163}
164 164
165tap_packet *pkt_queue::get () 165net_packet *pkt_queue::get ()
166{ 166{
167 tap_packet *p = queue[j]; 167 net_packet *p = queue[j];
168 168
169 if (p) 169 if (p)
170 { 170 {
171 queue[j] = 0; 171 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH; 172 j = (j + 1) % QUEUEDEPTH;
200struct net_rate_limiter : list<net_rateinfo> 200struct net_rate_limiter : list<net_rateinfo>
201{ 201{
202 static const double ALPHA = 1. - 1. / 180.; // allow bursts 202 static const double ALPHA = 1. - 1. / 180.; // allow bursts
203 static const double CUTOFF = 10.; // one event every CUTOFF seconds 203 static const double CUTOFF = 10.; // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
205 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205 206
206 bool can (const sockinfo &si) { return can((u32)si.host); } 207 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 208 bool can (u32 host);
208}; 209};
209 210
225 { 226 {
226 net_rateinfo ri; 227 net_rateinfo ri;
227 228
228 ri.host = host; 229 ri.host = host;
229 ri.pcnt = 1.; 230 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 231 ri.diff = MAXDIF;
231 ri.last = NOW; 232 ri.last = NOW;
232 233
233 push_front (ri); 234 push_front (ri);
234 235
235 return true; 236 return true;
242 ri.pcnt = ri.pcnt * ALPHA; 243 ri.pcnt = ri.pcnt * ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 244 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244 245
245 ri.last = NOW; 246 ri.last = NOW;
246 247
248 double dif = ri.diff / ri.pcnt;
249
247 bool send = ri.diff / ri.pcnt > CUTOFF; 250 bool send = dif > CUTOFF;
248 251
252 if (dif > MAXDIF)
253 {
254 ri.pcnt = 1.;
255 ri.diff = MAXDIF;
256 }
249 if (send) 257 else if (send)
250 ri.pcnt++; 258 ri.pcnt++;
251 259
252 push_front (ri); 260 push_front (ri);
253 261
254 return send; 262 return send;
544 len = sizeof (*this) - sizeof (net_packet); 552 len = sizeof (*this) - sizeof (net_packet);
545 } 553 }
546}; 554};
547 555
548///////////////////////////////////////////////////////////////////////////// 556/////////////////////////////////////////////////////////////////////////////
557
558void
559connection::connection_established ()
560{
561 if (ictx && octx)
562 {
563 connectmode = conf->connectmode;
564
565 rekey.start (NOW + ::conf.rekey);
566 keepalive.start (NOW + ::conf.keepalive);
567
568 // send queued packets
569 if (ictx && octx)
570 {
571 while (tap_packet *p = (tap_packet *)data_queue.get ())
572 {
573 send_data_packet (p);
574 delete p;
575 }
576
577 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
578 {
579 send_vpn_packet (p, si, IPTOS_RELIABILITY);
580 delete p;
581 }
582 }
583 }
584 else
585 {
586 retry_cnt = 0;
587 establish_connection.start (NOW + 5);
588 keepalive.reset ();
589 rekey.reset ();
590 }
591}
549 592
550void 593void
551connection::reset_si () 594connection::reset_si ()
552{ 595{
553 protocol = best_protocol (THISNODE->protocols & conf->protocols); 596 protocol = best_protocol (THISNODE->protocols & conf->protocols);
580 623
581 return si; 624 return si;
582} 625}
583 626
584void 627void
628connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
629{
630 if (!vpn->send_vpn_packet (pkt, si, tos))
631 reset_connection ();
632}
633
634void
585connection::send_ping (const sockinfo &si, u8 pong) 635connection::send_ping (const sockinfo &si, u8 pong)
586{ 636{
587 ping_packet *pkt = new ping_packet; 637 ping_packet *pkt = new ping_packet;
588 638
589 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 639 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
590 vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 640 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
591 641
592 delete pkt; 642 delete pkt;
593} 643}
594 644
595void 645void
598 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED) 648 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
599 { 649 {
600 config_packet *pkt = new config_packet; 650 config_packet *pkt = new config_packet;
601 651
602 pkt->setup (vpn_packet::PT_RESET, conf->id); 652 pkt->setup (vpn_packet::PT_RESET, conf->id);
603 vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST); 653 send_vpn_packet (pkt, si, IPTOS_MINCOST);
604 654
605 delete pkt; 655 delete pkt;
606 } 656 }
607} 657}
608 658
620 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 670 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
621 fatal ("RSA_public_encrypt error"); 671 fatal ("RSA_public_encrypt error");
622 672
623 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 673 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
624 674
625 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly 675 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
626 676
627 delete pkt; 677 delete pkt;
628} 678}
629 679
630void 680void
638 688
639 pkt->hmac_set (octx); 689 pkt->hmac_set (octx);
640 690
641 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 691 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
642 692
643 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 693 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
644 694
645 delete pkt; 695 delete pkt;
646} 696}
647 697
648void 698void
652 conf->id, rid, (const char *)rsi); 702 conf->id, rid, (const char *)rsi);
653 703
654 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 704 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
655 705
656 r->hmac_set (octx); 706 r->hmac_set (octx);
657 vpn->send_vpn_packet (r, si); 707 send_vpn_packet (r, si);
658 708
659 delete r; 709 delete r;
660} 710}
661 711
662void 712void
676 w.at = NOW + retry_int; 726 w.at = NOW + retry_int;
677 727
678 reset_si (); 728 reset_si ();
679 729
680 if (si.prot && !si.host) 730 if (si.prot && !si.host)
681 vpn->connect_request (conf->id); 731 vpn->send_connect_request (conf->id);
682 else 732 else
683 { 733 {
684 const sockinfo &dsi = forward_si (si); 734 const sockinfo &dsi = forward_si (si);
685 735
686 if (dsi.valid () && auth_rate_limiter.can (dsi)) 736 if (dsi.valid () && auth_rate_limiter.can (dsi))
741connection::send_data_packet (tap_packet *pkt, bool broadcast) 791connection::send_data_packet (tap_packet *pkt, bool broadcast)
742{ 792{
743 vpndata_packet *p = new vpndata_packet; 793 vpndata_packet *p = new vpndata_packet;
744 int tos = 0; 794 int tos = 0;
745 795
796 // I am not hilarious about peeking into packets, but so be it.
746 if (conf->inherit_tos 797 if (conf->inherit_tos
747 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 798 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
748 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 799 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
749 tos = (*pkt)[15] & IPTOS_TOS_MASK; 800 tos = (*pkt)[15] & IPTOS_TOS_MASK;
750 801
751 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 802 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
752 vpn->send_vpn_packet (p, si, tos); 803 send_vpn_packet (p, si, tos);
753 804
754 delete p; 805 delete p;
755 806
756 if (oseqno > MAX_SEQNO) 807 if (oseqno > MAX_SEQNO)
757 rekey (); 808 rekey ();
763 if (ictx && octx) 814 if (ictx && octx)
764 send_data_packet (pkt, broadcast); 815 send_data_packet (pkt, broadcast);
765 else 816 else
766 { 817 {
767 if (!broadcast)//DDDD 818 if (!broadcast)//DDDD
768 queue.put (new tap_packet (*pkt)); 819 data_queue.put (new tap_packet (*pkt));
769 820
770 establish_connection (); 821 establish_connection ();
771 } 822 }
772} 823}
773 824
774void connection::inject_vpn_packet (vpn_packet *pkt, int tos) 825void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
775{ 826{
776 if (ictx && octx) 827 if (ictx && octx)
777 vpn->send_vpn_packet (pkt, si, tos); 828 send_vpn_packet (pkt, si, tos);
778 else 829 else
830 {
831 vpn_queue.put (new vpn_packet (*pkt));
832
779 establish_connection (); 833 establish_connection ();
834 }
780} 835}
781 836
782void 837void
783connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 838connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
784{ 839{
847 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 902 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
848 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 903 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
849 conf->nodename, (const char *)rsi); 904 conf->nodename, (const char *)rsi);
850 else 905 else
851 { 906 {
852 retry_cnt = 0;
853 establish_connection.start (NOW + 8); //? ;)
854 keepalive.reset ();
855 rekey.reset ();
856
857 delete ictx;
858 ictx = 0;
859
860 delete octx; 907 delete octx;
861 908
862 octx = new crypto_ctx (k, 1); 909 octx = new crypto_ctx (k, 1);
863 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 910 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
864 911
865 conf->protocols = p->protocols; 912 conf->protocols = p->protocols;
913
866 send_auth_response (rsi, p->id, k); 914 send_auth_response (rsi, p->id, k);
915
916 connection_established ();
867 917
868 break; 918 break;
869 } 919 }
870 } 920 }
871 921
888 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 938 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
889 939
890 rsachallenge chg; 940 rsachallenge chg;
891 941
892 if (!rsa_cache.find (p->id, chg)) 942 if (!rsa_cache.find (p->id, chg))
943 {
893 slog (L_ERR, _("%s(%s): unrequested auth response"), 944 slog (L_ERR, _("%s(%s): unrequested auth response"),
894 conf->nodename, (const char *)rsi); 945 conf->nodename, (const char *)rsi);
946 break;
947 }
895 else 948 else
896 { 949 {
897 crypto_ctx *cctx = new crypto_ctx (chg, 0); 950 crypto_ctx *cctx = new crypto_ctx (chg, 0);
898 951
899 if (!p->hmac_chk (cctx)) 952 if (!p->hmac_chk (cctx))
915 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 968 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
916 969
917 si = rsi; 970 si = rsi;
918 protocol = rsi.prot; 971 protocol = rsi.prot;
919 972
920 rekey.start (NOW + ::conf.rekey); 973 connection_established ();
921 keepalive.start (NOW + ::conf.keepalive);
922
923 // send queued packets
924 while (tap_packet *p = queue.get ())
925 {
926 send_data_packet (p);
927 delete p;
928 }
929
930 connectmode = conf->connectmode;
931 974
932 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), 975 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
933 conf->nodename, (const char *)rsi, 976 conf->nodename, (const char *)rsi,
934 p->prot_major, p->prot_minor); 977 p->prot_major, p->prot_minor);
935 978
961 1004
962 if (ictx && octx) 1005 if (ictx && octx)
963 { 1006 {
964 vpndata_packet *p = (vpndata_packet *)pkt; 1007 vpndata_packet *p = (vpndata_packet *)pkt;
965 1008
966 if (rsi == si) 1009 if (!p->hmac_chk (ictx))
1010 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1011 "could be an attack, or just corruption or an synchronization error"),
1012 conf->nodename, (const char *)rsi);
1013 else
967 { 1014 {
968 if (!p->hmac_chk (ictx))
969 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
970 "could be an attack, or just corruption or an synchronization error"),
971 conf->nodename, (const char *)rsi);
972 else 1015 u32 seqno;
1016 tap_packet *d = p->unpack (this, seqno);
1017
1018 if (iseqno.recv_ok (seqno))
973 { 1019 {
974 u32 seqno; 1020 vpn->tap->send (d);
975 tap_packet *d = p->unpack (this, seqno);
976 1021
977 if (iseqno.recv_ok (seqno)) 1022 if (p->dst () == 0) // re-broadcast
1023 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1024 {
1025 connection *c = *i;
1026
1027 if (c->conf != THISNODE && c->conf != conf)
1028 c->inject_data_packet (d);
1029 }
1030
1031 if (si != rsi)
978 { 1032 {
979 vpn->tap->send (d); 1033 // fast re-sync on conneciton changes, useful especially for tcp/ip
980
981 if (p->dst () == 0) // re-broadcast
982 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
983 {
984 connection *c = *i;
985
986 if (c->conf != THISNODE && c->conf != conf)
987 c->inject_data_packet (d);
988 }
989
990 delete d;
991
992 break; 1034 si = rsi;
1035
1036 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1037 conf->nodename, (const char *)si, (const char *)rsi);
993 } 1038 }
1039
1040 delete d;
1041
1042 break;
994 } 1043 }
995 } 1044 }
996 else
997 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
998 } 1045 }
999 1046
1000 send_reset (rsi); 1047 send_reset (rsi);
1001 break; 1048 break;
1002 1049
1017 // send connect_info packets to both sides, in case one is 1064 // send connect_info packets to both sides, in case one is
1018 // behind a nat firewall (or both ;) 1065 // behind a nat firewall (or both ;)
1019 c->send_connect_info (conf->id, si, conf->protocols); 1066 c->send_connect_info (conf->id, si, conf->protocols);
1020 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1067 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1021 } 1068 }
1069 else
1070 c->establish_connection ();
1022 } 1071 }
1023 1072
1024 break; 1073 break;
1025 1074
1026 case vpn_packet::PT_CONNECT_INFO: 1075 case vpn_packet::PT_CONNECT_INFO:
1066 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1115 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1067 { 1116 {
1068 send_ping (si); 1117 send_ping (si);
1069 w.at = NOW + 5; 1118 w.at = NOW + 5;
1070 } 1119 }
1120 else if (NOW < last_activity + ::conf.keepalive + 10)
1121 // hold ondemand connections implicitly a few seconds longer
1122 // should delete octx, though, or something like that ;)
1123 w.at = last_activity + ::conf.keepalive + 10;
1071 else 1124 else
1072 reset_connection (); 1125 reset_connection ();
1073} 1126}
1074 1127
1075void connection::connect_request (int id) 1128void connection::send_connect_request (int id)
1076{ 1129{
1077 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1130 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1078 1131
1079 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1132 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1080 p->hmac_set (octx); 1133 p->hmac_set (octx);
1081 vpn->send_vpn_packet (p, si); 1134 send_vpn_packet (p, si);
1082 1135
1083 delete p; 1136 delete p;
1084} 1137}
1085 1138
1086void connection::script_node () 1139void connection::script_node ()

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines