/cvs/gvpe/src/connection.C

Comparing gvpe/src/connection.C (file contents):
Revision 1.108 by root, Fri Oct 11 04:07:24 2013 UTC vs.
Revision 1.112 by root, Fri Sep 12 10:40:43 2014 UTC

43 43
44// openssl 0.9.8 compatibility 44// openssl 0.9.8 compatibility
45#if OPENSSL_VERSION_NUMBER < 0x10100000 45#if OPENSSL_VERSION_NUMBER < 0x10100000
46 #define require101(exp) exp 46 #define require101(exp) exp
47#else 47#else
48 #define require101(exp) equire (exp) 48 #define require101(exp) require (exp)
49#endif 49#endif
50 50
51#include "conf.h" 51#include "conf.h"
52#include "slog.h" 52#include "slog.h"
53#include "device.h" 53#include "device.h"
56#include "hkdf.h" 56#include "hkdf.h"
57 57
58#include "netcompat.h" 58#include "netcompat.h"
59 59
60#define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic 60#define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic
61#define MAGIC "HUHN\xbd\xc6\xdb\x82" // 8 bytes of magic//D
62 61
63#define ULTRA_FAST 1 62#define ULTRA_FAST 1
64#define HLOG 15 63#define HLOG 15
65#include "lzf/lzf.h" 64#include "lzf/lzf.h"
66#include "lzf/lzf_c.c" 65#include "lzf/lzf_c.c"
390bool 389bool
391hmac_packet::hmac_chk (crypto_ctx *ctx) 390hmac_packet::hmac_chk (crypto_ctx *ctx)
392{ 391{
393 unsigned char hmac_digest[EVP_MAX_MD_SIZE]; 392 unsigned char hmac_digest[EVP_MAX_MD_SIZE];
394 hmac_gen (ctx, hmac_digest); 393 hmac_gen (ctx, hmac_digest);
395 return !memcmp (hmac, hmac_digest, HMACLENGTH); 394 return slow_memeq (hmac, hmac_digest, HMACLENGTH);
396} 395}
397 396
398void 397void
399vpn_packet::set_hdr (ptype type_, unsigned int dst) 398vpn_packet::set_hdr (ptype type_, unsigned int dst)
400{ 399{
881 ? (retry_cnt & 3) + 1 880 ? (retry_cnt & 3) + 1
882 : 1 << (retry_cnt >> 2)); 881 : 1 << (retry_cnt >> 2));
883 882
884 reset_si (); 883 reset_si ();
885 884
886 bool slow = si.prot & PROT_SLOW; 885 bool slow = (si.prot & PROT_SLOW) || (conf->low_power || THISNODE->low_power);
887 886
888 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf)) 887 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
889 { 888 {
890 /*TODO*/ /* start the timer so we don't recurse endlessly */ 889 /*TODO*/ /* start the timer so we don't recurse endlessly */
891 w.start (1); 890 w.start (1);
901 900
902 slow = slow || (dsi.prot & PROT_SLOW); 901 slow = slow || (dsi.prot & PROT_SLOW);
903 902
904 if (dsi.valid () && auth_rate_limiter.can (dsi)) 903 if (dsi.valid () && auth_rate_limiter.can (dsi))
905 { 904 {
906 if (retry_cnt < 4) 905 // use ping after the first few retries
906 // TODO: on rekeys, the other node might not interpret ping correctly,
907 // TODO: as it will still have a valid connection
908 if (retry_cnt < 4 && (!conf->low_power || THISNODE->low_power))
907 send_auth_request (dsi, true); 909 send_auth_request (dsi, true);
908 else 910 else
909 send_ping (dsi, 0); 911 send_ping (dsi, 0);
910 } 912 }
911 } 913 }
912 914
913 retry_int *= slow ? 8. : 0.9; 915 retry_int *= slow ? 4. : 0.9;
914 916
915 if (retry_int < conf->max_retry) 917 if (retry_int < conf->max_retry)
916 retry_cnt++; 918 retry_cnt++;
917 else 919 else
918 retry_int = conf->max_retry; 920 retry_int = conf->max_retry;
993 995
994void 996void
995connection::post_inject_queue () 997connection::post_inject_queue ()
996{ 998{
997 // force a connection every now and when when packets are sent (max 1/s) 999 // force a connection every now and when when packets are sent (max 1/s)
998 if (ev_now () - last_establish_attempt >= 0.95) // arbitrary 1000 if (ev_now () - last_establish_attempt >= (conf->low_power || THISNODE->low_power ? 2.95 : 0.95)) // arbitrary
999 establish_connection.stop (); 1001 establish_connection.stop ();
1000 1002
1001 establish_connection (); 1003 establish_connection ();
1002} 1004}
1003 1005
1115 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"), 1117 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1116 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0)); 1118 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1117 } 1119 }
1118 else 1120 else
1119 { 1121 {
1120 bool chg = !have_rcv_auth || memcmp (&rcv_auth, &auth, sizeof auth); 1122 bool chg = !have_rcv_auth || !slow_memeq (&rcv_auth, &auth, sizeof auth);
1121 1123
1122 rcv_auth = auth; 1124 rcv_auth = auth;
1123 have_rcv_auth = true; 1125 have_rcv_auth = true;
1124 1126
1125 send_auth_response (rsi); 1127 send_auth_response (rsi);
1148 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename); 1150 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
1149 1151
1150 auth_mac local_mac; 1152 auth_mac local_mac;
1151 auth_hash (snd_auth, p->response.ecdh, local_mac); 1153 auth_hash (snd_auth, p->response.ecdh, local_mac);
1152 1154
1153 if (memcmp (&p->response.mac, local_mac, sizeof local_mac)) 1155 if (!slow_memeq (&p->response.mac, local_mac, sizeof local_mac))
1154 { 1156 {
1155 slog (L_ERR, _("%s(%s): unrequested or outdated auth response, ignoring."), 1157 slog (L_ERR, _("%s(%s): unrequested or outdated auth response, ignoring."),
1156 conf->nodename, (const char *)rsi); 1158 conf->nodename, (const char *)rsi);
1157 } 1159 }
1158 else if (!have_snd_auth) 1160 else if (!have_snd_auth)
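Review bot: The low-power predicate `conf->low_power || THISNODE->low_power` is spelled out three times in this section (the `slow` initialisation at new line 885, the retry branch at new line 908, and the interval in `post_inject_queue` at new line 1000), and at line 908 it is folded into `!conf->low_power || THISNODE->low_power`, which is hard to read at a glance. In the retry function, whose body starts and ends outside the shown lines, compute it once near the top, `const bool low_power = conf->low_power || THISNODE->low_power;`, and use it in both places; `post_inject_queue` is a separate member and would need the same one-liner of its own. The three-line TODO comment above line 908 explains the ping fallback but not the low-power half of the condition; a one-line comment such as `// presumably: a low-power peer gets a ping instead of an auth request unless this node is low-power itself` would record the intent so the next reader does not have to re-derive it from the boolean. The `slow_memeq` replacements for `memcmp` in `hmac_chk` and in the auth-response MAC check are the right call for constant-time comparison of secrets; the `chg` test at new line 1122 only detects a changed auth and does not strictly need it, but it is harmless there.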
