… | |
… | |
546 | }; |
546 | }; |
547 | |
547 | |
548 | ///////////////////////////////////////////////////////////////////////////// |
548 | ///////////////////////////////////////////////////////////////////////////// |
549 | |
549 | |
550 | void |
550 | void |
551 | connection::reset_dstaddr () |
551 | connection::reset_si () |
552 | { |
552 | { |
553 | protocol = best_protocol (THISNODE->protocols & conf->protocols); |
553 | protocol = best_protocol (THISNODE->protocols & conf->protocols); |
554 | |
554 | |
555 | // mask out protocols we cannot establish |
555 | // mask out protocols we cannot establish |
556 | if (!conf->udp_port) protocol &= ~PROT_UDPv4; |
556 | if (!conf->udp_port) protocol &= ~PROT_UDPv4; |
557 | if (!conf->tcp_port) protocol &= ~PROT_TCPv4; |
557 | if (!conf->tcp_port) protocol &= ~PROT_TCPv4; |
558 | |
558 | |
559 | si.set (conf, protocol); |
559 | si.set (conf, protocol); |
|
|
560 | } |
|
|
561 | |
|
|
562 | // ensure sockinfo is valid, forward if necessary |
|
|
563 | const sockinfo & |
|
|
564 | connection::forward_si (const sockinfo &si) const |
|
|
565 | { |
|
|
566 | if (!si.valid ()) |
|
|
567 | { |
|
|
568 | connection *r = vpn->find_router (); |
|
|
569 | |
|
|
570 | if (r) |
|
|
571 | { |
|
|
572 | slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"), |
|
|
573 | conf->nodename, r->conf->nodename); |
|
|
574 | return r->si; |
|
|
575 | } |
|
|
576 | else |
|
|
577 | slog (L_DEBUG, _("%s: node unreachable, no common protocol"), |
|
|
578 | conf->nodename); |
|
|
579 | } |
|
|
580 | |
|
|
581 | return si; |
560 | } |
582 | } |
561 | |
583 | |
562 | void |
584 | void |
563 | connection::send_ping (const sockinfo &si, u8 pong) |
585 | connection::send_ping (const sockinfo &si, u8 pong) |
564 | { |
586 | { |
… | |
… | |
598 | conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) |
620 | conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) |
599 | fatal ("RSA_public_encrypt error"); |
621 | fatal ("RSA_public_encrypt error"); |
600 | |
622 | |
601 | slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); |
623 | slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); |
602 | |
624 | |
603 | vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly |
625 | vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly |
|
|
626 | |
604 | |
627 | |
605 | delete pkt; |
628 | delete pkt; |
606 | } |
629 | } |
607 | |
630 | |
608 | void |
631 | void |
… | |
… | |
651 | if (retry_int < 3600 * 8) |
674 | if (retry_int < 3600 * 8) |
652 | retry_cnt++; |
675 | retry_cnt++; |
653 | |
676 | |
654 | w.at = NOW + retry_int; |
677 | w.at = NOW + retry_int; |
655 | |
678 | |
656 | if (conf->hostname) |
679 | reset_si (); |
|
|
680 | |
|
|
681 | if (si.prot && !si.host) |
|
|
682 | vpn->connect_request (conf->id); |
|
|
683 | else |
657 | { |
684 | { |
658 | reset_dstaddr (); |
685 | const sockinfo &dsi = forward_si (si); |
659 | |
686 | |
660 | if (si.valid () && auth_rate_limiter.can (si)) |
687 | if (dsi.valid () && auth_rate_limiter.can (dsi)) |
661 | { |
688 | { |
662 | if (retry_cnt < 4) |
689 | if (retry_cnt < 4) |
663 | send_auth_request (si, true); |
690 | send_auth_request (dsi, true); |
664 | else |
691 | else |
665 | send_ping (si, 0); |
692 | send_ping (dsi, 0); |
666 | } |
693 | } |
667 | } |
694 | } |
668 | else |
|
|
669 | vpn->connect_request (conf->id); |
|
|
670 | } |
695 | } |
671 | } |
696 | } |
672 | |
697 | |
673 | void |
698 | void |
674 | connection::reset_connection () |
699 | connection::reset_connection () |
… | |
… | |
743 | if (!broadcast)//DDDD |
768 | if (!broadcast)//DDDD |
744 | queue.put (new tap_packet (*pkt)); |
769 | queue.put (new tap_packet (*pkt)); |
745 | |
770 | |
746 | establish_connection (); |
771 | establish_connection (); |
747 | } |
772 | } |
|
|
773 | } |
|
|
774 | |
|
|
775 | void connection::inject_vpn_packet (vpn_packet *pkt, int tos) |
|
|
776 | { |
|
|
777 | if (ictx && octx) |
|
|
778 | vpn->send_vpn_packet (pkt, si, tos); |
|
|
779 | else |
|
|
780 | establish_connection (); |
748 | } |
781 | } |
749 | |
782 | |
750 | void |
783 | void |
751 | connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) |
784 | connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) |
752 | { |
785 | { |
… | |
… | |
881 | delete ictx; ictx = cctx; |
914 | delete ictx; ictx = cctx; |
882 | |
915 | |
883 | iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid |
916 | iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid |
884 | |
917 | |
885 | si = rsi; |
918 | si = rsi; |
|
|
919 | protocol = rsi.prot; |
886 | |
920 | |
887 | rekey.start (NOW + ::conf.rekey); |
921 | rekey.start (NOW + ::conf.rekey); |
888 | keepalive.start (NOW + ::conf.keepalive); |
922 | keepalive.start (NOW + ::conf.keepalive); |
889 | |
923 | |
890 | // send queued packets |
924 | // send queued packets |
… | |
… | |
894 | delete p; |
928 | delete p; |
895 | } |
929 | } |
896 | |
930 | |
897 | connectmode = conf->connectmode; |
931 | connectmode = conf->connectmode; |
898 | |
932 | |
899 | slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"), |
933 | slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), |
900 | conf->nodename, (const char *)rsi, |
934 | conf->nodename, (const char *)rsi, |
901 | strprotocol (protocol), |
|
|
902 | p->prot_major, p->prot_minor); |
935 | p->prot_major, p->prot_minor); |
903 | |
936 | |
904 | if (::conf.script_node_up) |
937 | if (::conf.script_node_up) |
905 | run_script (run_script_cb (this, &connection::script_node_up), false); |
938 | run_script (run_script_cb (this, &connection::script_node_up), false); |
906 | |
939 | |
… | |
… | |
972 | if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) |
1005 | if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) |
973 | { |
1006 | { |
974 | connect_req_packet *p = (connect_req_packet *) pkt; |
1007 | connect_req_packet *p = (connect_req_packet *) pkt; |
975 | |
1008 | |
976 | assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything |
1009 | assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything |
|
|
1010 | connection *c = vpn->conns[p->id - 1]; |
977 | conf->protocols = p->protocols; |
1011 | conf->protocols = p->protocols; |
978 | connection *c = vpn->conns[p->id - 1]; |
|
|
979 | |
1012 | |
980 | slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", |
1013 | slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", |
981 | conf->id, p->id, c->ictx && c->octx); |
1014 | conf->id, p->id, c->ictx && c->octx); |
982 | |
1015 | |
983 | if (c->ictx && c->octx) |
1016 | if (c->ictx && c->octx) |
… | |
… | |
995 | if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) |
1028 | if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) |
996 | { |
1029 | { |
997 | connect_info_packet *p = (connect_info_packet *) pkt; |
1030 | connect_info_packet *p = (connect_info_packet *) pkt; |
998 | |
1031 | |
999 | assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything |
1032 | assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything |
1000 | conf->protocols = p->protocols; |
1033 | |
1001 | connection *c = vpn->conns[p->id - 1]; |
1034 | connection *c = vpn->conns[p->id - 1]; |
|
|
1035 | |
|
|
1036 | c->conf->protocols = p->protocols; |
|
|
1037 | protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); |
|
|
1038 | p->si.upgrade_protocol (protocol, c->conf); |
1002 | |
1039 | |
1003 | slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", |
1040 | slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", |
1004 | conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); |
1041 | conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); |
1005 | |
1042 | |
|
|
1043 | const sockinfo &dsi = forward_si (p->si); |
|
|
1044 | |
|
|
1045 | if (dsi.valid ()) |
1006 | c->send_auth_request (p->si, true); |
1046 | c->send_auth_request (dsi, true); |
1007 | } |
1047 | } |
1008 | |
1048 | |
1009 | break; |
1049 | break; |
1010 | |
1050 | |
1011 | default: |
1051 | default: |