ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.1 by pcg, Wed Apr 2 03:06:22 2003 UTC vs.
Revision 1.13 by pcg, Fri Aug 8 07:52:26 2003 UTC

22# include "lzf/lzf.h" 22# include "lzf/lzf.h"
23} 23}
24 24
25#include <list> 25#include <list>
26 26
27#include <openssl/rand.h>
28#include <openssl/evp.h>
29#include <openssl/rsa.h>
30#include <openssl/err.h>
31
27#include "gettext.h" 32#include "gettext.h"
28 33
29#include "conf.h" 34#include "conf.h"
30#include "slog.h" 35#include "slog.h"
31#include "device.h" 36#include "device.h"
32#include "protocol.h" 37#include "vpn.h"
33#include "connection.h" 38#include "connection.h"
34 39
35#if !HAVE_RAND_PSEUDO_BYTES 40#if !HAVE_RAND_PSEUDO_BYTES
36# define RAND_pseudo_bytes RAND_bytes 41# define RAND_pseudo_bytes RAND_bytes
37#endif 42#endif
80 rsachallenge chg; 85 rsachallenge chg;
81}; 86};
82 87
83struct rsa_cache : list<rsa_entry> 88struct rsa_cache : list<rsa_entry>
84{ 89{
85 void cleaner_cb (tstamp &ts); time_watcher cleaner; 90 void cleaner_cb (time_watcher &w); time_watcher cleaner;
86 91
87 bool find (const rsaid &id, rsachallenge &chg) 92 bool find (const rsaid &id, rsachallenge &chg)
88 { 93 {
89 for (iterator i = begin (); i != end (); ++i) 94 for (iterator i = begin (); i != end (); ++i)
90 { 95 {
124 : cleaner (this, &rsa_cache::cleaner_cb) 129 : cleaner (this, &rsa_cache::cleaner_cb)
125 { } 130 { }
126 131
127} rsa_cache; 132} rsa_cache;
128 133
129void rsa_cache::cleaner_cb (tstamp &ts) 134void rsa_cache::cleaner_cb (time_watcher &w)
130{ 135{
131 if (empty ()) 136 if (empty ())
132 ts = TSTAMP_CANCEL; 137 w.at = TSTAMP_CANCEL;
133 else 138 else
134 { 139 {
135 ts = NOW + RSA_TTL; 140 w.at = NOW + RSA_TTL;
136 141
137 for (iterator i = begin (); i != end (); ) 142 for (iterator i = begin (); i != end (); )
138 if (i->expire <= NOW) 143 if (i->expire <= NOW)
139 i = erase (i); 144 i = erase (i);
140 else 145 else
142 } 147 }
143} 148}
144 149
145////////////////////////////////////////////////////////////////////////////// 150//////////////////////////////////////////////////////////////////////////////
146 151
147void pkt_queue::put (tap_packet *p) 152void pkt_queue::put (net_packet *p)
148{ 153{
149 if (queue[i]) 154 if (queue[i])
150 { 155 {
151 delete queue[i]; 156 delete queue[i];
152 j = (j + 1) % QUEUEDEPTH; 157 j = (j + 1) % QUEUEDEPTH;
155 queue[i] = p; 160 queue[i] = p;
156 161
157 i = (i + 1) % QUEUEDEPTH; 162 i = (i + 1) % QUEUEDEPTH;
158} 163}
159 164
160tap_packet *pkt_queue::get () 165net_packet *pkt_queue::get ()
161{ 166{
162 tap_packet *p = queue[j]; 167 net_packet *p = queue[j];
163 168
164 if (p) 169 if (p)
165 { 170 {
166 queue[j] = 0; 171 queue[j] = 0;
167 j = (j + 1) % QUEUEDEPTH; 172 j = (j + 1) % QUEUEDEPTH;
192// only do action once every x seconds per host whole allowing bursts. 197// only do action once every x seconds per host whole allowing bursts.
193// this implementation ("splay list" ;) is inefficient, 198// this implementation ("splay list" ;) is inefficient,
194// but low on resources. 199// but low on resources.
195struct net_rate_limiter : list<net_rateinfo> 200struct net_rate_limiter : list<net_rateinfo>
196{ 201{
197 static const double ALPHA = 1. - 1. / 90.; // allow bursts 202 static const double ALPHA = 1. - 1. / 180.; // allow bursts
198 static const double CUTOFF = 20.; // one event every CUTOFF seconds 203 static const double CUTOFF = 10.; // one event every CUTOFF seconds
199 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
205 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
200 206
201 bool can (const sockinfo &si) { return can((u32)si.host); } 207 bool can (const sockinfo &si) { return can((u32)si.host); }
202 bool can (u32 host); 208 bool can (u32 host);
203}; 209};
204 210
220 { 226 {
221 net_rateinfo ri; 227 net_rateinfo ri;
222 228
223 ri.host = host; 229 ri.host = host;
224 ri.pcnt = 1.; 230 ri.pcnt = 1.;
225 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 231 ri.diff = MAXDIF;
226 ri.last = NOW; 232 ri.last = NOW;
227 233
228 push_front (ri); 234 push_front (ri);
229 235
230 return true; 236 return true;
237 ri.pcnt = ri.pcnt * ALPHA; 243 ri.pcnt = ri.pcnt * ALPHA;
238 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 244 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
239 245
240 ri.last = NOW; 246 ri.last = NOW;
241 247
248 double dif = ri.diff / ri.pcnt;
249
242 bool send = ri.diff / ri.pcnt > CUTOFF; 250 bool send = dif > CUTOFF;
243 251
252 if (dif > MAXDIF)
253 {
254 ri.pcnt = 1.;
255 ri.diff = MAXDIF;
256 }
244 if (send) 257 else if (send)
245 ri.pcnt++; 258 ri.pcnt++;
246 259
247 push_front (ri); 260 push_front (ri);
248 261
249 return send; 262 return send;
280 hmac_gen (ctx); 293 hmac_gen (ctx);
281 294
282 return !memcmp (hmac, hmac_digest, HMACLENGTH); 295 return !memcmp (hmac, hmac_digest, HMACLENGTH);
283} 296}
284 297
285void vpn_packet::set_hdr (ptype type, unsigned int dst) 298void vpn_packet::set_hdr (ptype type_, unsigned int dst)
286{ 299{
287 this->type = type; 300 type = type_;
288 301
289 int src = THISNODE->id; 302 int src = THISNODE->id;
290 303
291 src1 = src; 304 src1 = src;
292 srcdst = ((src >> 8) << 4) | (dst >> 8); 305 srcdst = ((src >> 8) << 4) | (dst >> 8);
541}; 554};
542 555
543///////////////////////////////////////////////////////////////////////////// 556/////////////////////////////////////////////////////////////////////////////
544 557
545void 558void
559connection::connection_established ()
560{
561 if (ictx && octx)
562 {
563 connectmode = conf->connectmode;
564
565 rekey.start (NOW + ::conf.rekey);
566 keepalive.start (NOW + ::conf.keepalive);
567
568 // send queued packets
569 if (ictx && octx)
570 {
571 while (tap_packet *p = (tap_packet *)data_queue.get ())
572 {
573 send_data_packet (p);
574 delete p;
575 }
576
577 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
578 {
579 send_vpn_packet (p, si, IPTOS_RELIABILITY);
580 delete p;
581 }
582 }
583 }
584 else
585 {
586 retry_cnt = 0;
587 establish_connection.start (NOW + 5);
588 keepalive.reset ();
589 rekey.reset ();
590 }
591}
592
593void
546connection::reset_dstaddr () 594connection::reset_si ()
547{ 595{
596 protocol = best_protocol (THISNODE->protocols & conf->protocols);
597
598 // mask out protocols we cannot establish
599 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
600 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
601
548 si.set (conf); 602 si.set (conf, protocol);
603}
604
605// ensure sockinfo is valid, forward if necessary
606const sockinfo &
607connection::forward_si (const sockinfo &si) const
608{
609 if (!si.valid ())
610 {
611 connection *r = vpn->find_router ();
612
613 if (r)
614 {
615 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
616 conf->nodename, r->conf->nodename);
617 return r->si;
618 }
619 else
620 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
621 conf->nodename);
622 }
623
624 return si;
625}
626
627void
628connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
629{
630 if (!vpn->send_vpn_packet (pkt, si, tos))
631 reset_connection ();
549} 632}
550 633
551void 634void
552connection::send_ping (const sockinfo &si, u8 pong) 635connection::send_ping (const sockinfo &si, u8 pong)
553{ 636{
575 658
576void 659void
577connection::send_auth_request (const sockinfo &si, bool initiate) 660connection::send_auth_request (const sockinfo &si, bool initiate)
578{ 661{
579 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols); 662 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
580
581 protocol = best_protocol (THISNODE->protocols & conf->protocols);
582 663
583 rsachallenge chg; 664 rsachallenge chg;
584 665
585 rsa_cache.gen (pkt->id, chg); 666 rsa_cache.gen (pkt->id, chg);
586 667
589 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 670 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
590 fatal ("RSA_public_encrypt error"); 671 fatal ("RSA_public_encrypt error");
591 672
592 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 673 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
593 674
594 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 675 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
595 676
596 delete pkt; 677 delete pkt;
597} 678}
598 679
599void 680void
627 708
628 delete r; 709 delete r;
629} 710}
630 711
631void 712void
632connection::establish_connection_cb (tstamp &ts) 713connection::establish_connection_cb (time_watcher &w)
633{ 714{
634 if (ictx || conf == THISNODE 715 if (ictx || conf == THISNODE
635 || connectmode == conf_node::C_NEVER 716 || connectmode == conf_node::C_NEVER
636 || connectmode == conf_node::C_DISABLED) 717 || connectmode == conf_node::C_DISABLED)
637 ts = TSTAMP_CANCEL; 718 w.at = TSTAMP_CANCEL;
638 else if (ts <= NOW) 719 else if (w.at <= NOW)
639 { 720 {
640 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 721 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
641 722
642 if (retry_int < 3600 * 8) 723 if (retry_int < 3600 * 8)
643 retry_cnt++; 724 retry_cnt++;
644 725
645 ts = NOW + retry_int; 726 w.at = NOW + retry_int;
646 727
647 if (conf->hostname) 728 reset_si ();
729
730 if (si.prot && !si.host)
731 vpn->send_connect_request (conf->id);
732 else
648 { 733 {
649 reset_dstaddr (); 734 const sockinfo &dsi = forward_si (si);
735
650 if (si.host && auth_rate_limiter.can (si)) 736 if (dsi.valid () && auth_rate_limiter.can (dsi))
651 { 737 {
652 if (retry_cnt < 4) 738 if (retry_cnt < 4)
653 send_auth_request (si, true); 739 send_auth_request (dsi, true);
654 else 740 else
655 send_ping (si, 0); 741 send_ping (dsi, 0);
656 } 742 }
657 } 743 }
658 else
659 vpn->connect_request (conf->id);
660 } 744 }
661} 745}
662 746
663void 747void
664connection::reset_connection () 748connection::reset_connection ()
693 777
694 reset_connection (); 778 reset_connection ();
695} 779}
696 780
697void 781void
698connection::rekey_cb (tstamp &ts) 782connection::rekey_cb (time_watcher &w)
699{ 783{
700 ts = TSTAMP_CANCEL; 784 w.at = TSTAMP_CANCEL;
701 785
702 reset_connection (); 786 reset_connection ();
703 establish_connection (); 787 establish_connection ();
704} 788}
705 789
707connection::send_data_packet (tap_packet *pkt, bool broadcast) 791connection::send_data_packet (tap_packet *pkt, bool broadcast)
708{ 792{
709 vpndata_packet *p = new vpndata_packet; 793 vpndata_packet *p = new vpndata_packet;
710 int tos = 0; 794 int tos = 0;
711 795
796 // I am not hilarious about peeking into packets, but so be it.
712 if (conf->inherit_tos 797 if (conf->inherit_tos
713 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 798 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
714 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 799 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
715 tos = (*pkt)[15] & IPTOS_TOS_MASK; 800 tos = (*pkt)[15] & IPTOS_TOS_MASK;
716 801
729 if (ictx && octx) 814 if (ictx && octx)
730 send_data_packet (pkt, broadcast); 815 send_data_packet (pkt, broadcast);
731 else 816 else
732 { 817 {
733 if (!broadcast)//DDDD 818 if (!broadcast)//DDDD
734 queue.put (new tap_packet (*pkt)); 819 data_queue.put (new tap_packet (*pkt));
820
821 establish_connection ();
822 }
823}
824
825void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
826{
827 if (ictx && octx)
828 send_vpn_packet (pkt, si, tos);
829 else
830 {
831 vpn_queue.put (new vpn_packet (*pkt));
735 832
736 establish_connection (); 833 establish_connection ();
737 } 834 }
738} 835}
739 836
745 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 842 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
746 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 843 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
747 844
748 switch (pkt->typ ()) 845 switch (pkt->typ ())
749 { 846 {
750 case vpn_packet::PT_PING: 847 case vpn_packet::PT_PING:
751 // we send pings instead of auth packets after some retries, 848 // we send pings instead of auth packets after some retries,
752 // so reset the retry counter and establish a connection 849 // so reset the retry counter and establish a connection
753 // when we receive a ping. 850 // when we receive a ping.
754 if (!ictx) 851 if (!ictx)
852 {
853 if (auth_rate_limiter.can (rsi))
854 send_auth_request (rsi, true);
855 }
856 else
857 send_ping (rsi, 1); // pong
858
859 break;
860
861 case vpn_packet::PT_PONG:
862 break;
863
864 case vpn_packet::PT_RESET:
755 { 865 {
756 if (auth_rate_limiter.can (rsi)) 866 reset_connection ();
757 send_auth_request (rsi, true); 867
868 config_packet *p = (config_packet *) pkt;
869
870 if (!p->chk_config ())
871 {
872 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
873 conf->nodename, (const char *)rsi);
874 connectmode = conf_node::C_DISABLED;
875 }
876 else if (connectmode == conf_node::C_ALWAYS)
877 establish_connection ();
758 } 878 }
759 else
760 send_ping (rsi, 1); // pong
761
762 break; 879 break;
763 880
764 case vpn_packet::PT_PONG:
765 break;
766
767 case vpn_packet::PT_RESET: 881 case vpn_packet::PT_AUTH_REQ:
768 { 882 if (auth_rate_limiter.can (rsi))
769 reset_connection ();
770
771 config_packet *p = (config_packet *) pkt;
772
773 if (!p->chk_config ())
774 { 883 {
775 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"), 884 auth_req_packet *p = (auth_req_packet *) pkt;
885
886 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
887
888 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
889 {
890 if (p->prot_minor != PROTOCOL_MINOR)
891 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
892 conf->nodename, (const char *)rsi,
893 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
894
895 if (p->initiate)
896 send_auth_request (rsi, false);
897
898 rsachallenge k;
899
900 if (0 > RSA_private_decrypt (sizeof (p->encr),
901 (unsigned char *)&p->encr, (unsigned char *)&k,
902 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
903 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
776 conf->nodename, (const char *)rsi); 904 conf->nodename, (const char *)rsi);
777 connectmode = conf_node::C_DISABLED; 905 else
906 {
907 delete octx;
908
909 octx = new crypto_ctx (k, 1);
910 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
911
912 conf->protocols = p->protocols;
913
914 send_auth_response (rsi, p->id, k);
915
916 connection_established ();
917
918 break;
919 }
920 }
921
922 send_reset (rsi);
778 } 923 }
779 else if (connectmode == conf_node::C_ALWAYS) 924
780 establish_connection ();
781 }
782 break; 925 break;
783 926
784 case vpn_packet::PT_AUTH_REQ: 927 case vpn_packet::PT_AUTH_RES:
785 if (auth_rate_limiter.can (rsi))
786 { 928 {
787 auth_req_packet *p = (auth_req_packet *) pkt; 929 auth_res_packet *p = (auth_res_packet *) pkt;
788 930
789 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 931 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
790 932
791 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 933 if (p->chk_config ())
792 { 934 {
793 if (p->prot_minor != PROTOCOL_MINOR) 935 if (p->prot_minor != PROTOCOL_MINOR)
794 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 936 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
795 conf->nodename, (const char *)rsi, 937 conf->nodename, (const char *)rsi,
796 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 938 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
797 939
798 if (p->initiate)
799 send_auth_request (rsi, false);
800
801 rsachallenge k; 940 rsachallenge chg;
802 941
803 if (0 > RSA_private_decrypt (sizeof (p->encr), 942 if (!rsa_cache.find (p->id, chg))
804 (unsigned char *)&p->encr, (unsigned char *)&k, 943 {
805 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 944 slog (L_ERR, _("%s(%s): unrequested auth response"),
806 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
807 conf->nodename, (const char *)rsi); 945 conf->nodename, (const char *)rsi);
946 break;
947 }
808 else 948 else
809 { 949 {
810 retry_cnt = 0; 950 crypto_ctx *cctx = new crypto_ctx (chg, 0);
811 establish_connection.set (NOW + 8); //? ;) 951
812 keepalive.reset (); 952 if (!p->hmac_chk (cctx))
953 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
954 "could be an attack, or just corruption or an synchronization error"),
955 conf->nodename, (const char *)rsi);
813 rekey.reset (); 956 else
957 {
958 rsaresponse h;
814 959
960 rsa_hash (p->id, chg, h);
961
962 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
963 {
964 prot_minor = p->prot_minor;
965
966 delete ictx; ictx = cctx;
967
968 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
969
970 si = rsi;
971 protocol = rsi.prot;
972
973 connection_established ();
974
975 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
976 conf->nodename, (const char *)rsi,
977 p->prot_major, p->prot_minor);
978
979 if (::conf.script_node_up)
980 run_script (run_script_cb (this, &connection::script_node_up), false);
981
982 break;
983 }
984 else
985 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
986 conf->nodename, (const char *)rsi);
987 }
988
815 delete ictx; 989 delete cctx;
816 ictx = 0;
817
818 delete octx;
819
820 octx = new crypto_ctx (k, 1);
821 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
822
823 conf->protocols = p->protocols;
824 send_auth_response (rsi, p->id, k);
825
826 break;
827 } 990 }
828 } 991 }
829
830 send_reset (rsi);
831 } 992 }
832 993
994 send_reset (rsi);
833 break; 995 break;
834 996
835 case vpn_packet::PT_AUTH_RES: 997 case vpn_packet::PT_DATA_COMPRESSED:
836 { 998#if !ENABLE_COMPRESSION
837 auth_res_packet *p = (auth_res_packet *) pkt; 999 send_reset (rsi);
1000 break;
1001#endif
838 1002
839 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 1003 case vpn_packet::PT_DATA_UNCOMPRESSED:
840 1004
841 if (p->chk_config ()) 1005 if (ictx && octx)
842 { 1006 {
843 if (p->prot_minor != PROTOCOL_MINOR) 1007 vpndata_packet *p = (vpndata_packet *)pkt;
844 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
845 conf->nodename, (const char *)rsi,
846 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
847 1008
848 rsachallenge chg; 1009 if (!p->hmac_chk (ictx))
849 1010 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
850 if (!rsa_cache.find (p->id, chg)) 1011 "could be an attack, or just corruption or an synchronization error"),
851 slog (L_ERR, _("%s(%s): unrequested auth response"),
852 conf->nodename, (const char *)rsi); 1012 conf->nodename, (const char *)rsi);
853 else 1013 else
854 { 1014 {
855 crypto_ctx *cctx = new crypto_ctx (chg, 0);
856
857 if (!p->hmac_chk (cctx))
858 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
859 "could be an attack, or just corruption or an synchronization error"),
860 conf->nodename, (const char *)rsi);
861 else 1015 u32 seqno;
1016 tap_packet *d = p->unpack (this, seqno);
1017
1018 if (iseqno.recv_ok (seqno))
862 { 1019 {
863 rsaresponse h; 1020 vpn->tap->send (d);
864 1021
865 rsa_hash (p->id, chg, h); 1022 if (p->dst () == 0) // re-broadcast
1023 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1024 {
1025 connection *c = *i;
866 1026
867 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h)) 1027 if (c->conf != THISNODE && c->conf != conf)
1028 c->inject_data_packet (d);
1029 }
1030
1031 if (si != rsi)
868 { 1032 {
869 prot_minor = p->prot_minor; 1033 // fast re-sync on conneciton changes, useful especially for tcp/ip
870
871 delete ictx; ictx = cctx;
872
873 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
874
875 si = rsi; 1034 si = rsi;
876 1035
877 rekey.set (NOW + ::conf.rekey); 1036 slog (L_INFO, _("%s(%s): socket address changed to %s"),
878 keepalive.set (NOW + ::conf.keepalive);
879
880 // send queued packets
881 while (tap_packet *p = queue.get ())
882 {
883 send_data_packet (p);
884 delete p;
885 }
886
887 connectmode = conf->connectmode;
888
889 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
890 conf->nodename, (const char *)rsi, 1037 conf->nodename, (const char *)si, (const char *)rsi);
891 strprotocol (protocol),
892 p->prot_major, p->prot_minor);
893
894 if (::conf.script_node_up)
895 run_script (run_script_cb (this, &connection::script_node_up), false);
896
897 break;
898 } 1038 }
1039
899 else 1040 delete d;
900 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1041
901 conf->nodename, (const char *)rsi); 1042 break;
902 } 1043 }
903
904 delete cctx;
905 } 1044 }
906 } 1045 }
907 }
908 1046
909 send_reset (rsi); 1047 send_reset (rsi);
910 break; 1048 break;
911 1049
912 case vpn_packet::PT_DATA_COMPRESSED:
913#if !ENABLE_COMPRESSION
914 send_reset (rsi);
915 break;
916#endif
917
918 case vpn_packet::PT_DATA_UNCOMPRESSED:
919
920 if (ictx && octx)
921 {
922 vpndata_packet *p = (vpndata_packet *)pkt;
923
924 if (rsi == si)
925 {
926 if (!p->hmac_chk (ictx))
927 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
928 "could be an attack, or just corruption or an synchronization error"),
929 conf->nodename, (const char *)rsi);
930 else
931 {
932 u32 seqno;
933 tap_packet *d = p->unpack (this, seqno);
934
935 if (iseqno.recv_ok (seqno))
936 {
937 vpn->tap->send (d);
938
939 if (p->dst () == 0) // re-broadcast
940 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
941 {
942 connection *c = *i;
943
944 if (c->conf != THISNODE && c->conf != conf)
945 c->inject_data_packet (d);
946 }
947
948 delete d;
949
950 break;
951 }
952 }
953 }
954 else
955 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
956 }
957
958 send_reset (rsi);
959 break;
960
961 case vpn_packet::PT_CONNECT_REQ: 1050 case vpn_packet::PT_CONNECT_REQ:
962 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1051 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
963 { 1052 {
964 connect_req_packet *p = (connect_req_packet *) pkt; 1053 connect_req_packet *p = (connect_req_packet *) pkt;
965 1054
966 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1055 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
967 conf->protocols = p->protocols;
968 connection *c = vpn->conns[p->id - 1]; 1056 connection *c = vpn->conns[p->id - 1];
1057 conf->protocols = p->protocols;
969 1058
970 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 1059 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
971 conf->id, p->id, c->ictx && c->octx); 1060 conf->id, p->id, c->ictx && c->octx);
972 1061
973 if (c->ictx && c->octx) 1062 if (c->ictx && c->octx)
974 { 1063 {
975 // send connect_info packets to both sides, in case one is 1064 // send connect_info packets to both sides, in case one is
976 // behind a nat firewall (or both ;) 1065 // behind a nat firewall (or both ;)
977 c->send_connect_info (conf->id, si, conf->protocols); 1066 c->send_connect_info (conf->id, si, conf->protocols);
978 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1067 send_connect_info (c->conf->id, c->si, c->conf->protocols);
979 } 1068 }
1069 else
1070 c->establish_connection ();
980 } 1071 }
981 1072
982 break; 1073 break;
983 1074
984 case vpn_packet::PT_CONNECT_INFO: 1075 case vpn_packet::PT_CONNECT_INFO:
985 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1076 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
986 { 1077 {
987 connect_info_packet *p = (connect_info_packet *) pkt; 1078 connect_info_packet *p = (connect_info_packet *) pkt;
988 1079
989 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1080 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
990 conf->protocols = p->protocols; 1081
991 connection *c = vpn->conns[p->id - 1]; 1082 connection *c = vpn->conns[p->id - 1];
992 1083
1084 c->conf->protocols = p->protocols;
1085 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1086 p->si.upgrade_protocol (protocol, c->conf);
1087
993 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1088 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
994 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1089 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
995 1090
1091 const sockinfo &dsi = forward_si (p->si);
1092
1093 if (dsi.valid ())
996 c->send_auth_request (p->si, true); 1094 c->send_auth_request (dsi, true);
997 } 1095 }
998 1096
999 break; 1097 break;
1000 1098
1001 default: 1099 default:
1002 send_reset (rsi); 1100 send_reset (rsi);
1003 break; 1101 break;
1004
1005 } 1102 }
1006} 1103}
1007 1104
1008void connection::keepalive_cb (tstamp &ts) 1105void connection::keepalive_cb (time_watcher &w)
1009{ 1106{
1010 if (NOW >= last_activity + ::conf.keepalive + 30) 1107 if (NOW >= last_activity + ::conf.keepalive + 30)
1011 { 1108 {
1012 reset_connection (); 1109 reset_connection ();
1013 establish_connection (); 1110 establish_connection ();
1014 } 1111 }
1015 else if (NOW < last_activity + ::conf.keepalive) 1112 else if (NOW < last_activity + ::conf.keepalive)
1016 ts = last_activity + ::conf.keepalive; 1113 w.at = last_activity + ::conf.keepalive;
1017 else if (conf->connectmode != conf_node::C_ONDEMAND 1114 else if (conf->connectmode != conf_node::C_ONDEMAND
1018 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1115 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1019 { 1116 {
1020 send_ping (si); 1117 send_ping (si);
1021 ts = NOW + 5; 1118 w.at = NOW + 5;
1022 } 1119 }
1120 else if (NOW < last_activity + ::conf.keepalive + 10)
1121 // hold ondemand connections implicitly a few seconds longer
1122 // should delete octx, though, or something like that ;)
1123 w.at = last_activity + ::conf.keepalive + 10;
1023 else 1124 else
1024 reset_connection (); 1125 reset_connection ();
1025} 1126}
1026 1127
1027void connection::connect_request (int id) 1128void connection::send_connect_request (int id)
1028{ 1129{
1029 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1130 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1030 1131
1031 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1132 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1032 p->hmac_set (octx); 1133 p->hmac_set (octx);
1035 delete p; 1136 delete p;
1036} 1137}
1037 1138
1038void connection::script_node () 1139void connection::script_node ()
1039{ 1140{
1040 vpn->script_if_up (0); 1141 vpn->script_if_up ();
1041 1142
1042 char *env; 1143 char *env;
1043 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1144 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1044 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1145 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1045 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1146 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1046 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1147 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1047} 1148}
1048 1149
1049const char *connection::script_node_up (int) 1150const char *connection::script_node_up ()
1050{ 1151{
1051 script_node (); 1152 script_node ();
1052 1153
1053 putenv ("STATE=up"); 1154 putenv ("STATE=up");
1054 1155
1055 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1156 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1056} 1157}
1057 1158
1058const char *connection::script_node_down (int) 1159const char *connection::script_node_down ()
1059{ 1160{
1060 script_node (); 1161 script_node ();
1061 1162
1062 putenv ("STATE=down"); 1163 putenv ("STATE=down");
1063 1164
1064 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1165 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1065}
1066
1067// send a vpn packet out to other hosts
1068void
1069connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1070{
1071 if (protocol & PROT_IPv4)
1072 vpn->send_ipv4_packet (pkt, si, tos);
1073 else
1074 vpn->send_udpv4_packet (pkt, si, tos);
1075} 1166}
1076 1167
1077connection::connection(struct vpn *vpn_) 1168connection::connection(struct vpn *vpn_)
1078: vpn(vpn_) 1169: vpn(vpn_)
1079, rekey (this, &connection::rekey_cb) 1170, rekey (this, &connection::rekey_cb)

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines