… | |
… | |
35 | #include "slog.h" |
35 | #include "slog.h" |
36 | #include "device.h" |
36 | #include "device.h" |
37 | #include "vpn.h" |
37 | #include "vpn.h" |
38 | #include "connection.h" |
38 | #include "connection.h" |
39 | |
39 | |
|
|
40 | #include <sys/socket.h> |
|
|
41 | #ifdef HAVE_NETINET_IN_H |
|
|
42 | # include <netinet/in.h> |
|
|
43 | #endif |
|
|
44 | #include <arpa/inet.h> |
|
|
45 | #include <net/if.h> |
|
|
46 | #ifdef HAVE_NETINET_IN_SYSTM_H |
|
|
47 | # include <netinet/in_systm.h> |
|
|
48 | #endif |
|
|
49 | #ifdef HAVE_NETINET_IP_H |
|
|
50 | # include <netinet/ip.h> |
|
|
51 | #endif |
|
|
52 | |
|
|
53 | #ifndef IPTOS_TOS_MASK |
|
|
54 | # define IPTOS_TOS_MASK (IPTOS_LOWDELAY | IPTOS_THROUGHPUT | IPTOS_RELIABILITY | IPTOS_MINCOST) |
|
|
55 | #endif |
|
|
56 | |
40 | #if !HAVE_RAND_PSEUDO_BYTES |
57 | #if !HAVE_RAND_PSEUDO_BYTES |
41 | # define RAND_pseudo_bytes RAND_bytes |
58 | # define RAND_pseudo_bytes RAND_bytes |
42 | #endif |
59 | #endif |
43 | |
60 | |
44 | #define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic |
61 | #define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic |
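Review bot: The fallback at new line 54 defines IPTOS_TOS_MASK in terms of IPTOS_LOWDELAY, IPTOS_THROUGHPUT, IPTOS_RELIABILITY and IPTOS_MINCOST, but those names come from <netinet/ip.h>, which this hunk includes only under HAVE_NETINET_IP_H, so on a platform that lacks that header (or spells the last bit differently) every use of the mask becomes a compile error instead of a fallback. Since the macro only exists for platforms that do not ship their own, the numeric spelling is the robust one: `# define IPTOS_TOS_MASK 0x1e` (the OR of the four TOS bits 0x10, 0x08, 0x04, 0x02). Where the mask is applied is outside this hunk; presumably it clamps a caller-supplied TOS byte to those four bits before it reaches setsockopt, so the fallback must stay consistent with that use.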
… | |
… | |
197 | // only do action once every x seconds per host whole allowing bursts. |
214 | // only do action once every x seconds per host whole allowing bursts. |
198 | // this implementation ("splay list" ;) is inefficient, |
215 | // this implementation ("splay list" ;) is inefficient, |
199 | // but low on resources. |
216 | // but low on resources. |
200 | struct net_rate_limiter : list<net_rateinfo> |
217 | struct net_rate_limiter : list<net_rateinfo> |
201 | { |
218 | { |
202 | static const double ALPHA = 1. - 1. / 180.; // allow bursts |
219 | static const double ALPHA = 1. - 1. / 600.; // allow bursts |
203 | static const double CUTOFF = 10.; // one event every CUTOFF seconds |
220 | static const double CUTOFF = 10.; // one event every CUTOFF seconds |
204 | static const double EXPIRE = CUTOFF * 30.; // expire entries after this time |
221 | static const double EXPIRE = CUTOFF * 30.; // expire entries after this time |
205 | static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value |
222 | static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value |
206 | |
223 | |
207 | bool can (const sockinfo &si) { return can((u32)si.host); } |
224 | bool can (const sockinfo &si) { return can((u32)si.host); } |
208 | bool can (u32 host); |
225 | bool can (u32 host); |
209 | }; |
226 | }; |
210 | |
227 | |
211 | net_rate_limiter auth_rate_limiter, reset_rate_limiter; |
228 | net_rate_limiter auth_rate_limiter, reset_rate_limiter; |
212 | |
229 | |
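Review bot: The new ALPHA value at new line 219 raises MAXDIF (CUTOFF * 1/(1-ALPHA), line 222) from 1800 to 6000, but neither the commit nor the existing "allow bursts" comment says what burst allowance that is meant to give auth_rate_limiter and reset_rate_limiter, which presumably gate how often a remote host can trigger the auth and reset handling later in the file. A comment tying the constant to the derived value would help the next person tuning it, e.g. `static const double ALPHA = 1. - 1. / 600.; // smoothing factor; burst credit MAXDIF = CUTOFF / (1 - ALPHA) = 6000`. The comment at new line 214 also reads "whole allowing bursts" where "while allowing bursts" is meant. The body of can(u32 host), which is what actually interprets these constants, is outside this hunk.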
… | |
… | |
910 | rsachallenge k; |
927 | rsachallenge k; |
911 | |
928 | |
912 | if (0 > RSA_private_decrypt (sizeof (p->encr), |
929 | if (0 > RSA_private_decrypt (sizeof (p->encr), |
913 | (unsigned char *)&p->encr, (unsigned char *)&k, |
930 | (unsigned char *)&p->encr, (unsigned char *)&k, |
914 | ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) |
931 | ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) |
915 | slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), |
932 | slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"), |
916 | conf->nodename, (const char *)rsi); |
933 | conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0)); |
917 | else |
934 | else |
918 | { |
935 | { |
919 | delete octx; |
936 | delete octx; |
920 | |
937 | |
921 | octx = new crypto_ctx (k, 1); |
938 | octx = new crypto_ctx (k, 1); |
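Review bot: The test at new line 929 still accepts any non-negative return from RSA_private_decrypt, yet that return is the recovered plaintext length, so a ciphertext that decrypts to fewer than sizeof k bytes leaves the tail of the stack-allocated k (declared at line 927 without an initializer) unset and it is still passed to `new crypto_ctx (k, 1)`; the added error string does not cover this case because no OpenSSL error is raised for it. Comparing the length closes the gap: `int len = RSA_private_decrypt (sizeof (p->encr), (unsigned char *)&p->encr, (unsigned char *)&k, ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING);` followed by `if (len != (int)sizeof k)` in place of the `0 >` test. Separately, ERR_error_string with a null buffer (new line 933) returns a pointer into a static buffer, so if this code can run on more than one thread use ERR_error_string_n with a local char array instead. The enclosing function starts and ends outside this hunk.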
… | |
… | |
954 | |
971 | |
955 | rsachallenge chg; |
972 | rsachallenge chg; |
956 | |
973 | |
957 | if (!rsa_cache.find (p->id, chg)) |
974 | if (!rsa_cache.find (p->id, chg)) |
958 | { |
975 | { |
959 | slog (L_ERR, _("%s(%s): unrequested auth response"), |
976 | slog (L_ERR, _("%s(%s): unrequested auth response ignored"), |
960 | conf->nodename, (const char *)rsi); |
977 | conf->nodename, (const char *)rsi); |
961 | break; |
978 | break; |
962 | } |
979 | } |
963 | else |
980 | else |
964 | { |
981 | { |
965 | crypto_ctx *cctx = new crypto_ctx (chg, 0); |
982 | crypto_ctx *cctx = new crypto_ctx (chg, 0); |
966 | |
983 | |
967 | if (!p->hmac_chk (cctx)) |
984 | if (!p->hmac_chk (cctx)) |
|
|
985 | { |
968 | slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" |
986 | slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" |
969 | "could be an attack, or just corruption or an synchronization error"), |
987 | "could be an attack, or just corruption or an synchronization error"), |
970 | conf->nodename, (const char *)rsi); |
988 | conf->nodename, (const char *)rsi); |
|
|
989 | break; |
|
|
990 | } |
971 | else |
991 | else |
972 | { |
992 | { |
973 | rsaresponse h; |
993 | rsaresponse h; |
974 | |
994 | |
975 | rsa_hash (p->id, chg, h); |
995 | rsa_hash (p->id, chg, h); |