--- gvpe/src/connection.C	2003/09/01 15:52:03	1.16
+++ gvpe/src/connection.C	2003/10/16 02:28:36	1.21
@@ -37,6 +37,8 @@
 #include "vpn.h"
 #include "connection.h"
 
+#include "netcompat.h"
+
 #if !HAVE_RAND_PSEUDO_BYTES
 # define  RAND_pseudo_bytes RAND_bytes
 #endif
@@ -800,18 +802,16 @@
 }
 
 void
-connection::send_data_packet (tap_packet *pkt, bool broadcast)
+connection::send_data_packet (tap_packet *pkt)
 {
   vpndata_packet *p = new vpndata_packet;
   int tos = 0;
 
   // I am not hilarious about peeking into packets, but so be it.
-  if (conf->inherit_tos
-      && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
-      && ((*pkt)[14] & 0xf0) == 0x40)             // IPv4
+  if (conf->inherit_tos && pkt->is_ipv4 ())
     tos = (*pkt)[15] & IPTOS_TOS_MASK;
 
-  p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
+  p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
   send_vpn_packet (p, si, tos);
 
   delete p;
@@ -821,10 +821,10 @@
 }
 
 void
-connection::inject_data_packet (tap_packet *pkt, bool broadcast)
+connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/)
 {
   if (ictx && octx)
-    send_data_packet (pkt, broadcast);
+    send_data_packet (pkt);
   else
     {
       if (!broadcast)//DDDD
@@ -912,8 +912,8 @@
                 if (0 > RSA_private_decrypt (sizeof (p->encr),
                                              (unsigned char *)&p->encr, (unsigned char *)&k,
                                              ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
-                  slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
-                        conf->nodename, (const char *)rsi);
+                  slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
+                        conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
                 else
                   {
                     delete octx;
@@ -956,7 +956,7 @@
 
               if (!rsa_cache.find (p->id, chg))
                 {
-                  slog (L_ERR, _("%s(%s): unrequested auth response"),
+                  slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
                         conf->nodename, (const char *)rsi);
                   break;
                 }
@@ -965,9 +965,12 @@
                   crypto_ctx *cctx = new crypto_ctx (chg, 0);
 
                   if (!p->hmac_chk (cctx))
-                    slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
-                                   "could be an attack, or just corruption or an synchronization error"),
-                          conf->nodename, (const char *)rsi);
+                    {
+                      slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
+                                     "could be an attack, or just corruption or an synchronization error"),
+                            conf->nodename, (const char *)rsi);
+                      break;
+                    }
                   else
                     {
                       rsaresponse h;
@@ -1034,15 +1037,6 @@
                   {
                     vpn->tap->send (d);
 
-                    if (p->dst () == 0) // re-broadcast
-                      for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
-                        {
-                          connection *c = *i;
-
-                          if (c->conf != THISNODE && c->conf != conf)
-                            c->inject_data_packet (d);
-                        }
-
                     if (si != rsi)
                       {
                         // fast re-sync on connection changes, useful especially for tcp/ip