ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.2 by pcg, Wed Apr 2 03:25:17 2003 UTC vs.
Revision 1.7 by pcg, Sat Apr 5 17:54:22 2003 UTC

85 rsachallenge chg; 85 rsachallenge chg;
86}; 86};
87 87
88struct rsa_cache : list<rsa_entry> 88struct rsa_cache : list<rsa_entry>
89{ 89{
90 void cleaner_cb (tstamp &ts); time_watcher cleaner; 90 void cleaner_cb (time_watcher &w); time_watcher cleaner;
91 91
92 bool find (const rsaid &id, rsachallenge &chg) 92 bool find (const rsaid &id, rsachallenge &chg)
93 { 93 {
94 for (iterator i = begin (); i != end (); ++i) 94 for (iterator i = begin (); i != end (); ++i)
95 { 95 {
129 : cleaner (this, &rsa_cache::cleaner_cb) 129 : cleaner (this, &rsa_cache::cleaner_cb)
130 { } 130 { }
131 131
132} rsa_cache; 132} rsa_cache;
133 133
134void rsa_cache::cleaner_cb (tstamp &ts) 134void rsa_cache::cleaner_cb (time_watcher &w)
135{ 135{
136 if (empty ()) 136 if (empty ())
137 ts = TSTAMP_CANCEL; 137 w.at = TSTAMP_CANCEL;
138 else 138 else
139 { 139 {
140 ts = NOW + RSA_TTL; 140 w.at = NOW + RSA_TTL;
141 141
142 for (iterator i = begin (); i != end (); ) 142 for (iterator i = begin (); i != end (); )
143 if (i->expire <= NOW) 143 if (i->expire <= NOW)
144 i = erase (i); 144 i = erase (i);
145 else 145 else
285 hmac_gen (ctx); 285 hmac_gen (ctx);
286 286
287 return !memcmp (hmac, hmac_digest, HMACLENGTH); 287 return !memcmp (hmac, hmac_digest, HMACLENGTH);
288} 288}
289 289
290void vpn_packet::set_hdr (ptype type, unsigned int dst) 290void vpn_packet::set_hdr (ptype type_, unsigned int dst)
291{ 291{
292 this->type = type; 292 type = type_;
293 293
294 int src = THISNODE->id; 294 int src = THISNODE->id;
295 295
296 src1 = src; 296 src1 = src;
297 srcdst = ((src >> 8) << 4) | (dst >> 8); 297 srcdst = ((src >> 8) << 4) | (dst >> 8);
548///////////////////////////////////////////////////////////////////////////// 548/////////////////////////////////////////////////////////////////////////////
549 549
550void 550void
551connection::reset_dstaddr () 551connection::reset_dstaddr ()
552{ 552{
553 si.set (conf);
554}
555
556void
557connection::send_ping (const sockinfo &si, u8 pong)
558{
559 ping_packet *pkt = new ping_packet;
560
561 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
562 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
563
564 delete pkt;
565}
566
567void
568connection::send_reset (const sockinfo &si)
569{
570 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
571 {
572 config_packet *pkt = new config_packet;
573
574 pkt->setup (vpn_packet::PT_RESET, conf->id);
575 send_vpn_packet (pkt, si, IPTOS_MINCOST);
576
577 delete pkt;
578 }
579}
580
581void
582connection::send_auth_request (const sockinfo &si, bool initiate)
583{
584 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
585
586 protocol = best_protocol (THISNODE->protocols & conf->protocols); 553 protocol = best_protocol (THISNODE->protocols & conf->protocols);
587 554
588 // mask out protocols we cannot establish 555 // mask out protocols we cannot establish
589 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 556 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
590 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 557 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
591 558
592 if (protocol) 559 si.set (conf, protocol);
593 { 560}
594 rsachallenge chg;
595 561
596 rsa_cache.gen (pkt->id, chg); 562void
563connection::send_ping (const sockinfo &si, u8 pong)
564{
565 ping_packet *pkt = new ping_packet;
597 566
598 if (0 > RSA_public_encrypt (sizeof chg, 567 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
599 (unsigned char *)&chg, (unsigned char *)&pkt->encr, 568 vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
600 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
601 fatal ("RSA_public_encrypt error");
602 569
603 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 570 delete pkt;
571}
604 572
605 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 573void
574connection::send_reset (const sockinfo &si)
575{
576 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
577 {
578 config_packet *pkt = new config_packet;
579
580 pkt->setup (vpn_packet::PT_RESET, conf->id);
581 vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST);
606 582
607 delete pkt; 583 delete pkt;
608 } 584 }
609 else 585}
610 ; // silently fail 586
587void
588connection::send_auth_request (const sockinfo &si, bool initiate)
589{
590 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
591
592 rsachallenge chg;
593
594 rsa_cache.gen (pkt->id, chg);
595
596 if (0 > RSA_public_encrypt (sizeof chg,
597 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
598 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
599 fatal ("RSA_public_encrypt error");
600
601 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
602
603 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
604
605 delete pkt;
611} 606}
612 607
613void 608void
614connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg) 609connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
615{ 610{
621 616
622 pkt->hmac_set (octx); 617 pkt->hmac_set (octx);
623 618
624 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 619 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
625 620
626 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 621 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
627 622
628 delete pkt; 623 delete pkt;
629} 624}
630 625
631void 626void
635 conf->id, rid, (const char *)rsi); 630 conf->id, rid, (const char *)rsi);
636 631
637 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 632 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
638 633
639 r->hmac_set (octx); 634 r->hmac_set (octx);
640 send_vpn_packet (r, si); 635 vpn->send_vpn_packet (r, si);
641 636
642 delete r; 637 delete r;
643} 638}
644 639
645void 640void
646connection::establish_connection_cb (tstamp &ts) 641connection::establish_connection_cb (time_watcher &w)
647{ 642{
648 if (ictx || conf == THISNODE 643 if (ictx || conf == THISNODE
649 || connectmode == conf_node::C_NEVER 644 || connectmode == conf_node::C_NEVER
650 || connectmode == conf_node::C_DISABLED) 645 || connectmode == conf_node::C_DISABLED)
651 ts = TSTAMP_CANCEL; 646 w.at = TSTAMP_CANCEL;
652 else if (ts <= NOW) 647 else if (w.at <= NOW)
653 { 648 {
654 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 649 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
655 650
656 if (retry_int < 3600 * 8) 651 if (retry_int < 3600 * 8)
657 retry_cnt++; 652 retry_cnt++;
658 653
659 ts = NOW + retry_int; 654 w.at = NOW + retry_int;
660 655
661 if (conf->hostname) 656 if (conf->hostname)
662 { 657 {
663 reset_dstaddr (); 658 reset_dstaddr ();
659
664 if (si.host && auth_rate_limiter.can (si)) 660 if (si.valid () && auth_rate_limiter.can (si))
665 { 661 {
666 if (retry_cnt < 4) 662 if (retry_cnt < 4)
667 send_auth_request (si, true); 663 send_auth_request (si, true);
668 else 664 else
669 send_ping (si, 0); 665 send_ping (si, 0);
707 703
708 reset_connection (); 704 reset_connection ();
709} 705}
710 706
711void 707void
712connection::rekey_cb (tstamp &ts) 708connection::rekey_cb (time_watcher &w)
713{ 709{
714 ts = TSTAMP_CANCEL; 710 w.at = TSTAMP_CANCEL;
715 711
716 reset_connection (); 712 reset_connection ();
717 establish_connection (); 713 establish_connection ();
718} 714}
719 715
727 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 723 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
728 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 724 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
729 tos = (*pkt)[15] & IPTOS_TOS_MASK; 725 tos = (*pkt)[15] & IPTOS_TOS_MASK;
730 726
731 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 727 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
732 send_vpn_packet (p, si, tos); 728 vpn->send_vpn_packet (p, si, tos);
733 729
734 delete p; 730 delete p;
735 731
736 if (oseqno > MAX_SEQNO) 732 if (oseqno > MAX_SEQNO)
737 rekey (); 733 rekey ();
759 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 755 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
760 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 756 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
761 757
762 switch (pkt->typ ()) 758 switch (pkt->typ ())
763 { 759 {
764 case vpn_packet::PT_PING: 760 case vpn_packet::PT_PING:
765 // we send pings instead of auth packets after some retries, 761 // we send pings instead of auth packets after some retries,
766 // so reset the retry counter and establish a connection 762 // so reset the retry counter and establish a connection
767 // when we receive a ping. 763 // when we receive a ping.
768 if (!ictx) 764 if (!ictx)
765 {
766 if (auth_rate_limiter.can (rsi))
767 send_auth_request (rsi, true);
768 }
769 else
770 send_ping (rsi, 1); // pong
771
772 break;
773
774 case vpn_packet::PT_PONG:
775 break;
776
777 case vpn_packet::PT_RESET:
769 { 778 {
770 if (auth_rate_limiter.can (rsi)) 779 reset_connection ();
771 send_auth_request (rsi, true); 780
781 config_packet *p = (config_packet *) pkt;
782
783 if (!p->chk_config ())
784 {
785 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
786 conf->nodename, (const char *)rsi);
787 connectmode = conf_node::C_DISABLED;
788 }
789 else if (connectmode == conf_node::C_ALWAYS)
790 establish_connection ();
772 } 791 }
773 else
774 send_ping (rsi, 1); // pong
775
776 break; 792 break;
777 793
778 case vpn_packet::PT_PONG:
779 break;
780
781 case vpn_packet::PT_RESET: 794 case vpn_packet::PT_AUTH_REQ:
782 { 795 if (auth_rate_limiter.can (rsi))
783 reset_connection ();
784
785 config_packet *p = (config_packet *) pkt;
786
787 if (!p->chk_config ())
788 { 796 {
789 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"), 797 auth_req_packet *p = (auth_req_packet *) pkt;
798
799 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
800
801 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
802 {
803 if (p->prot_minor != PROTOCOL_MINOR)
804 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
805 conf->nodename, (const char *)rsi,
806 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
807
808 if (p->initiate)
809 send_auth_request (rsi, false);
810
811 rsachallenge k;
812
813 if (0 > RSA_private_decrypt (sizeof (p->encr),
814 (unsigned char *)&p->encr, (unsigned char *)&k,
815 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
816 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
790 conf->nodename, (const char *)rsi); 817 conf->nodename, (const char *)rsi);
791 connectmode = conf_node::C_DISABLED; 818 else
819 {
820 retry_cnt = 0;
821 establish_connection.start (NOW + 8); //? ;)
822 keepalive.reset ();
823 rekey.reset ();
824
825 delete ictx;
826 ictx = 0;
827
828 delete octx;
829
830 octx = new crypto_ctx (k, 1);
831 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
832
833 conf->protocols = p->protocols;
834 send_auth_response (rsi, p->id, k);
835
836 break;
837 }
838 }
839
840 send_reset (rsi);
792 } 841 }
793 else if (connectmode == conf_node::C_ALWAYS) 842
794 establish_connection ();
795 }
796 break; 843 break;
797 844
798 case vpn_packet::PT_AUTH_REQ: 845 case vpn_packet::PT_AUTH_RES:
799 if (auth_rate_limiter.can (rsi))
800 { 846 {
801 auth_req_packet *p = (auth_req_packet *) pkt; 847 auth_res_packet *p = (auth_res_packet *) pkt;
802 848
803 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 849 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
804 850
805 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 851 if (p->chk_config ())
806 { 852 {
807 if (p->prot_minor != PROTOCOL_MINOR) 853 if (p->prot_minor != PROTOCOL_MINOR)
808 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 854 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
809 conf->nodename, (const char *)rsi, 855 conf->nodename, (const char *)rsi,
810 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 856 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
811 857
812 if (p->initiate)
813 send_auth_request (rsi, false);
814
815 rsachallenge k; 858 rsachallenge chg;
816 859
817 if (0 > RSA_private_decrypt (sizeof (p->encr), 860 if (!rsa_cache.find (p->id, chg))
818 (unsigned char *)&p->encr, (unsigned char *)&k, 861 slog (L_ERR, _("%s(%s): unrequested auth response"),
819 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
820 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
821 conf->nodename, (const char *)rsi); 862 conf->nodename, (const char *)rsi);
822 else 863 else
823 { 864 {
824 retry_cnt = 0; 865 crypto_ctx *cctx = new crypto_ctx (chg, 0);
825 establish_connection.set (NOW + 8); //? ;) 866
826 keepalive.reset (); 867 if (!p->hmac_chk (cctx))
868 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
869 "could be an attack, or just corruption or an synchronization error"),
870 conf->nodename, (const char *)rsi);
827 rekey.reset (); 871 else
872 {
873 rsaresponse h;
828 874
875 rsa_hash (p->id, chg, h);
876
877 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
878 {
879 prot_minor = p->prot_minor;
880
881 delete ictx; ictx = cctx;
882
883 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
884
885 si = rsi;
886 protocol = rsi.prot;
887
888 rekey.start (NOW + ::conf.rekey);
889 keepalive.start (NOW + ::conf.keepalive);
890
891 // send queued packets
892 while (tap_packet *p = queue.get ())
893 {
894 send_data_packet (p);
895 delete p;
896 }
897
898 connectmode = conf->connectmode;
899
900 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
901 conf->nodename, (const char *)rsi,
902 p->prot_major, p->prot_minor);
903
904 if (::conf.script_node_up)
905 run_script (run_script_cb (this, &connection::script_node_up), false);
906
907 break;
908 }
909 else
910 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
911 conf->nodename, (const char *)rsi);
912 }
913
829 delete ictx; 914 delete cctx;
830 ictx = 0;
831
832 delete octx;
833
834 octx = new crypto_ctx (k, 1);
835 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
836
837 conf->protocols = p->protocols;
838 send_auth_response (rsi, p->id, k);
839
840 break;
841 } 915 }
842 } 916 }
843
844 send_reset (rsi);
845 } 917 }
846 918
919 send_reset (rsi);
847 break; 920 break;
848 921
849 case vpn_packet::PT_AUTH_RES: 922 case vpn_packet::PT_DATA_COMPRESSED:
850 { 923#if !ENABLE_COMPRESSION
851 auth_res_packet *p = (auth_res_packet *) pkt; 924 send_reset (rsi);
925 break;
926#endif
852 927
853 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 928 case vpn_packet::PT_DATA_UNCOMPRESSED:
854 929
855 if (p->chk_config ()) 930 if (ictx && octx)
856 { 931 {
857 if (p->prot_minor != PROTOCOL_MINOR) 932 vpndata_packet *p = (vpndata_packet *)pkt;
858 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
859 conf->nodename, (const char *)rsi,
860 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
861 933
862 rsachallenge chg; 934 if (rsi == si)
863
864 if (!rsa_cache.find (p->id, chg))
865 slog (L_ERR, _("%s(%s): unrequested auth response"),
866 conf->nodename, (const char *)rsi);
867 else
868 { 935 {
869 crypto_ctx *cctx = new crypto_ctx (chg, 0);
870
871 if (!p->hmac_chk (cctx)) 936 if (!p->hmac_chk (ictx))
872 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 937 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
873 "could be an attack, or just corruption or an synchronization error"), 938 "could be an attack, or just corruption or an synchronization error"),
874 conf->nodename, (const char *)rsi); 939 conf->nodename, (const char *)rsi);
875 else 940 else
876 { 941 {
877 rsaresponse h; 942 u32 seqno;
943 tap_packet *d = p->unpack (this, seqno);
878 944
879 rsa_hash (p->id, chg, h); 945 if (iseqno.recv_ok (seqno))
880
881 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
882 { 946 {
883 prot_minor = p->prot_minor; 947 vpn->tap->send (d);
884 948
885 delete ictx; ictx = cctx; 949 if (p->dst () == 0) // re-broadcast
886 950 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
887 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
888
889 si = rsi;
890
891 rekey.set (NOW + ::conf.rekey);
892 keepalive.set (NOW + ::conf.keepalive);
893
894 // send queued packets
895 while (tap_packet *p = queue.get ())
896 { 951 {
952 connection *c = *i;
953
954 if (c->conf != THISNODE && c->conf != conf)
897 send_data_packet (p); 955 c->inject_data_packet (d);
898 delete p;
899 } 956 }
900 957
901 connectmode = conf->connectmode; 958 delete d;
902
903 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
904 conf->nodename, (const char *)rsi,
905 strprotocol (protocol),
906 p->prot_major, p->prot_minor);
907
908 if (::conf.script_node_up)
909 run_script (run_script_cb (this, &connection::script_node_up), false);
910 959
911 break; 960 break;
912 } 961 }
913 else
914 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
915 conf->nodename, (const char *)rsi);
916 } 962 }
963 }
964 else
965 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
966 }
917 967
918 delete cctx; 968 send_reset (rsi);
969 break;
970
971 case vpn_packet::PT_CONNECT_REQ:
972 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
973 {
974 connect_req_packet *p = (connect_req_packet *) pkt;
975
976 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
977 connection *c = vpn->conns[p->id - 1];
978 conf->protocols = p->protocols;
979
980 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
981 conf->id, p->id, c->ictx && c->octx);
982
983 if (c->ictx && c->octx)
984 {
985 // send connect_info packets to both sides, in case one is
986 // behind a nat firewall (or both ;)
987 c->send_connect_info (conf->id, si, conf->protocols);
988 send_connect_info (c->conf->id, c->si, c->conf->protocols);
919 } 989 }
920 } 990 }
921 }
922 991
923 send_reset (rsi);
924 break; 992 break;
925 993
926 case vpn_packet::PT_DATA_COMPRESSED:
927#if !ENABLE_COMPRESSION
928 send_reset (rsi);
929 break;
930#endif
931
932 case vpn_packet::PT_DATA_UNCOMPRESSED:
933
934 if (ictx && octx)
935 {
936 vpndata_packet *p = (vpndata_packet *)pkt;
937
938 if (rsi == si)
939 {
940 if (!p->hmac_chk (ictx))
941 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
942 "could be an attack, or just corruption or an synchronization error"),
943 conf->nodename, (const char *)rsi);
944 else
945 {
946 u32 seqno;
947 tap_packet *d = p->unpack (this, seqno);
948
949 if (iseqno.recv_ok (seqno))
950 {
951 vpn->tap->send (d);
952
953 if (p->dst () == 0) // re-broadcast
954 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
955 {
956 connection *c = *i;
957
958 if (c->conf != THISNODE && c->conf != conf)
959 c->inject_data_packet (d);
960 }
961
962 delete d;
963
964 break;
965 }
966 }
967 }
968 else
969 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
970 }
971
972 send_reset (rsi);
973 break;
974
975 case vpn_packet::PT_CONNECT_REQ: 994 case vpn_packet::PT_CONNECT_INFO:
976 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 995 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
977 { 996 {
978 connect_req_packet *p = (connect_req_packet *) pkt; 997 connect_info_packet *p = (connect_info_packet *) pkt;
979 998
980 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 999 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
981 conf->protocols = p->protocols; 1000
982 connection *c = vpn->conns[p->id - 1]; 1001 connection *c = vpn->conns[p->id - 1];
983 1002
984 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
985 conf->id, p->id, c->ictx && c->octx);
986
987 if (c->ictx && c->octx)
988 {
989 // send connect_info packets to both sides, in case one is
990 // behind a nat firewall (or both ;)
991 c->send_connect_info (conf->id, si, conf->protocols);
992 send_connect_info (c->conf->id, c->si, c->conf->protocols);
993 }
994 }
995
996 break;
997
998 case vpn_packet::PT_CONNECT_INFO:
999 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1000 {
1001 connect_info_packet *p = (connect_info_packet *) pkt;
1002
1003 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1004 conf->protocols = p->protocols; 1003 c->conf->protocols = p->protocols;
1005 connection *c = vpn->conns[p->id - 1]; 1004 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1005 p->si.upgrade_protocol (protocol, c->conf);
1006 1006
1007 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1007 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1008 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1008 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1009 //slog (L_ERR, "%d PROTOCL(C%x,T%x,0S%x,S%x,P%x,SP%x)",
1010 // p->id, c->conf->protocols, THISNODE->protocols, p->si.supported_protocols(0), p->si.supported_protocols (c->conf),
1011 // protocol, p->si.prot);
1009 1012
1010 c->send_auth_request (p->si, true); 1013 c->send_auth_request (p->si, true);
1011 } 1014 }
1012 1015
1013 break; 1016 break;
1014 1017
1015 default: 1018 default:
1016 send_reset (rsi); 1019 send_reset (rsi);
1017 break; 1020 break;
1018
1019 } 1021 }
1020} 1022}
1021 1023
1022void connection::keepalive_cb (tstamp &ts) 1024void connection::keepalive_cb (time_watcher &w)
1023{ 1025{
1024 if (NOW >= last_activity + ::conf.keepalive + 30) 1026 if (NOW >= last_activity + ::conf.keepalive + 30)
1025 { 1027 {
1026 reset_connection (); 1028 reset_connection ();
1027 establish_connection (); 1029 establish_connection ();
1028 } 1030 }
1029 else if (NOW < last_activity + ::conf.keepalive) 1031 else if (NOW < last_activity + ::conf.keepalive)
1030 ts = last_activity + ::conf.keepalive; 1032 w.at = last_activity + ::conf.keepalive;
1031 else if (conf->connectmode != conf_node::C_ONDEMAND 1033 else if (conf->connectmode != conf_node::C_ONDEMAND
1032 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1034 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1033 { 1035 {
1034 send_ping (si); 1036 send_ping (si);
1035 ts = NOW + 5; 1037 w.at = NOW + 5;
1036 } 1038 }
1037 else 1039 else
1038 reset_connection (); 1040 reset_connection ();
1039} 1041}
1040 1042
1042{ 1044{
1043 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1045 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1044 1046
1045 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1047 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1046 p->hmac_set (octx); 1048 p->hmac_set (octx);
1047 send_vpn_packet (p, si); 1049 vpn->send_vpn_packet (p, si);
1048 1050
1049 delete p; 1051 delete p;
1050} 1052}
1051 1053
1052void connection::script_node () 1054void connection::script_node ()
1053{ 1055{
1054 vpn->script_if_up (0); 1056 vpn->script_if_up ();
1055 1057
1056 char *env; 1058 char *env;
1057 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1059 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1058 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1060 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1059 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1061 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1060 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1062 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1061} 1063}
1062 1064
1063const char *connection::script_node_up (int) 1065const char *connection::script_node_up ()
1064{ 1066{
1065 script_node (); 1067 script_node ();
1066 1068
1067 putenv ("STATE=up"); 1069 putenv ("STATE=up");
1068 1070
1069 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1071 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1070} 1072}
1071 1073
1072const char *connection::script_node_down (int) 1074const char *connection::script_node_down ()
1073{ 1075{
1074 script_node (); 1076 script_node ();
1075 1077
1076 putenv ("STATE=down"); 1078 putenv ("STATE=down");
1077 1079
1078 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1080 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1079}
1080
1081// send a vpn packet out to other hosts
1082void
1083connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1084{
1085 if (protocol & PROT_IPv4)
1086 vpn->send_ipv4_packet (pkt, si, tos);
1087 else
1088 vpn->send_udpv4_packet (pkt, si, tos);
1089} 1081}
1090 1082
1091connection::connection(struct vpn *vpn_) 1083connection::connection(struct vpn *vpn_)
1092: vpn(vpn_) 1084: vpn(vpn_)
1093, rekey (this, &connection::rekey_cb) 1085, rekey (this, &connection::rekey_cb)

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines