ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.6 by pcg, Sat Apr 5 02:32:40 2003 UTC vs.
Revision 1.19 by pcg, Tue Oct 14 03:22:09 2003 UTC

35#include "slog.h" 35#include "slog.h"
36#include "device.h" 36#include "device.h"
37#include "vpn.h" 37#include "vpn.h"
38#include "connection.h" 38#include "connection.h"
39 39
40#include <sys/socket.h>
41#ifdef HAVE_NETINET_IN_H
42# include <netinet/in.h>
43#endif
44#include <arpa/inet.h>
45#include <net/if.h>
46#ifdef HAVE_NETINET_IN_SYSTM_H
47# include <netinet/in_systm.h>
48#endif
49#ifdef HAVE_NETINET_IP_H
50# include <netinet/ip.h>
51#endif
52
53#ifndef IPTOS_TOS_MASK
54# define IPTOS_TOS_MASK (IPTOS_LOWDELAY | IPTOS_THROUGHPUT | IPTOS_RELIABILITY | IPTOS_MINCOST)
55#endif
56
40#if !HAVE_RAND_PSEUDO_BYTES 57#if !HAVE_RAND_PSEUDO_BYTES
41# define RAND_pseudo_bytes RAND_bytes 58# define RAND_pseudo_bytes RAND_bytes
42#endif 59#endif
43 60
44#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 61#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
147 } 164 }
148} 165}
149 166
150////////////////////////////////////////////////////////////////////////////// 167//////////////////////////////////////////////////////////////////////////////
151 168
152void pkt_queue::put (tap_packet *p) 169void pkt_queue::put (net_packet *p)
153{ 170{
154 if (queue[i]) 171 if (queue[i])
155 { 172 {
156 delete queue[i]; 173 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH; 174 j = (j + 1) % QUEUEDEPTH;
160 queue[i] = p; 177 queue[i] = p;
161 178
162 i = (i + 1) % QUEUEDEPTH; 179 i = (i + 1) % QUEUEDEPTH;
163} 180}
164 181
165tap_packet *pkt_queue::get () 182net_packet *pkt_queue::get ()
166{ 183{
167 tap_packet *p = queue[j]; 184 net_packet *p = queue[j];
168 185
169 if (p) 186 if (p)
170 { 187 {
171 queue[j] = 0; 188 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH; 189 j = (j + 1) % QUEUEDEPTH;
197// only do action once every x seconds per host whole allowing bursts. 214// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 215// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 216// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 217struct net_rate_limiter : list<net_rateinfo>
201{ 218{
202 static const double ALPHA = 1. - 1. / 90.; // allow bursts 219 static const double ALPHA = 1. - 1. / 600.; // allow bursts
203 static const double CUTOFF = 20.; // one event every CUTOFF seconds 220 static const double CUTOFF = 10.; // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 221 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
222 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205 223
206 bool can (const sockinfo &si) { return can((u32)si.host); } 224 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 225 bool can (u32 host);
208}; 226};
209 227
210net_rate_limiter auth_rate_limiter, reset_rate_limiter; 228net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211 229
225 { 243 {
226 net_rateinfo ri; 244 net_rateinfo ri;
227 245
228 ri.host = host; 246 ri.host = host;
229 ri.pcnt = 1.; 247 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 248 ri.diff = MAXDIF;
231 ri.last = NOW; 249 ri.last = NOW;
232 250
233 push_front (ri); 251 push_front (ri);
234 252
235 return true; 253 return true;
242 ri.pcnt = ri.pcnt * ALPHA; 260 ri.pcnt = ri.pcnt * ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 261 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244 262
245 ri.last = NOW; 263 ri.last = NOW;
246 264
265 double dif = ri.diff / ri.pcnt;
266
247 bool send = ri.diff / ri.pcnt > CUTOFF; 267 bool send = dif > CUTOFF;
248 268
269 if (dif > MAXDIF)
270 {
271 ri.pcnt = 1.;
272 ri.diff = MAXDIF;
273 }
249 if (send) 274 else if (send)
250 ri.pcnt++; 275 ri.pcnt++;
251 276
252 push_front (ri); 277 push_front (ri);
253 278
254 return send; 279 return send;
467 set_hdr (type, dst); 492 set_hdr (type, dst);
468} 493}
469 494
470bool config_packet::chk_config () const 495bool config_packet::chk_config () const
471{ 496{
472 return prot_major == PROTOCOL_MAJOR 497 if (prot_major != PROTOCOL_MAJOR)
473 && randsize == RAND_SIZE 498 slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR);
474 && hmaclen == HMACLENGTH 499 else if (randsize != RAND_SIZE)
475 && flags == curflags () 500 slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE);
501 else if (hmaclen != HMACLENGTH)
502 slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH);
503 else if (flags != curflags ())
504 slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
476 && challengelen == sizeof (rsachallenge) 505 else if (challengelen != sizeof (rsachallenge))
506 slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge));
477 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 507 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
508 slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 509 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
510 slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 511 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
512 slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
513 else
514 return true;
515
516 return false;
480} 517}
481 518
482struct auth_req_packet : config_packet 519struct auth_req_packet : config_packet
483{ 520{
484 char magic[8]; 521 char magic[8];
546}; 583};
547 584
548///////////////////////////////////////////////////////////////////////////// 585/////////////////////////////////////////////////////////////////////////////
549 586
550void 587void
588connection::connection_established ()
589{
590 if (ictx && octx)
591 {
592 connectmode = conf->connectmode;
593
594 rekey.start (NOW + ::conf.rekey);
595 keepalive.start (NOW + ::conf.keepalive);
596
597 // send queued packets
598 if (ictx && octx)
599 {
600 while (tap_packet *p = (tap_packet *)data_queue.get ())
601 {
602 send_data_packet (p);
603 delete p;
604 }
605
606 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
607 {
608 send_vpn_packet (p, si, IPTOS_RELIABILITY);
609 delete p;
610 }
611 }
612 }
613 else
614 {
615 retry_cnt = 0;
616 establish_connection.start (NOW + 5);
617 keepalive.reset ();
618 rekey.reset ();
619 }
620}
621
622void
551connection::reset_dstaddr () 623connection::reset_si ()
552{ 624{
553 protocol = best_protocol (THISNODE->protocols & conf->protocols); 625 protocol = best_protocol (THISNODE->protocols & conf->protocols);
554 626
555 // mask out protocols we cannot establish 627 // mask out protocols we cannot establish
556 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 628 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
557 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 629 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
558 630
559 si.set (conf, protocol); 631 si.set (conf, protocol);
560} 632}
561 633
634// ensure sockinfo is valid, forward if necessary
635const sockinfo &
636connection::forward_si (const sockinfo &si) const
637{
638 if (!si.valid ())
639 {
640 connection *r = vpn->find_router ();
641
642 if (r)
643 {
644 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
645 conf->nodename, r->conf->nodename);
646 return r->si;
647 }
648 else
649 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
650 conf->nodename);
651 }
652
653 return si;
654}
655
656void
657connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
658{
659 if (!vpn->send_vpn_packet (pkt, si, tos))
660 reset_connection ();
661}
662
562void 663void
563connection::send_ping (const sockinfo &si, u8 pong) 664connection::send_ping (const sockinfo &si, u8 pong)
564{ 665{
565 ping_packet *pkt = new ping_packet; 666 ping_packet *pkt = new ping_packet;
566 667
567 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 668 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
568 vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 669 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
569 670
570 delete pkt; 671 delete pkt;
571} 672}
572 673
573void 674void
576 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED) 677 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
577 { 678 {
578 config_packet *pkt = new config_packet; 679 config_packet *pkt = new config_packet;
579 680
580 pkt->setup (vpn_packet::PT_RESET, conf->id); 681 pkt->setup (vpn_packet::PT_RESET, conf->id);
581 vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST); 682 send_vpn_packet (pkt, si, IPTOS_MINCOST);
582 683
583 delete pkt; 684 delete pkt;
584 } 685 }
585} 686}
586 687
598 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 699 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
599 fatal ("RSA_public_encrypt error"); 700 fatal ("RSA_public_encrypt error");
600 701
601 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 702 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
602 703
603 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 704 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
604 705
605 delete pkt; 706 delete pkt;
606} 707}
607 708
608void 709void
616 717
617 pkt->hmac_set (octx); 718 pkt->hmac_set (octx);
618 719
619 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 720 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
620 721
621 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 722 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
622 723
623 delete pkt; 724 delete pkt;
624} 725}
625 726
626void 727void
630 conf->id, rid, (const char *)rsi); 731 conf->id, rid, (const char *)rsi);
631 732
632 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 733 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
633 734
634 r->hmac_set (octx); 735 r->hmac_set (octx);
635 vpn->send_vpn_packet (r, si); 736 send_vpn_packet (r, si);
636 737
637 delete r; 738 delete r;
638} 739}
639 740
640void 741void
651 if (retry_int < 3600 * 8) 752 if (retry_int < 3600 * 8)
652 retry_cnt++; 753 retry_cnt++;
653 754
654 w.at = NOW + retry_int; 755 w.at = NOW + retry_int;
655 756
656 if (conf->hostname) 757 reset_si ();
758
759 if (si.prot && !si.host)
760 vpn->send_connect_request (conf->id);
761 else
657 { 762 {
658 reset_dstaddr (); 763 const sockinfo &dsi = forward_si (si);
659 764
660 if (si.valid () && auth_rate_limiter.can (si)) 765 if (dsi.valid () && auth_rate_limiter.can (dsi))
661 { 766 {
662 if (retry_cnt < 4) 767 if (retry_cnt < 4)
663 send_auth_request (si, true); 768 send_auth_request (dsi, true);
664 else 769 else
665 send_ping (si, 0); 770 send_ping (dsi, 0);
666 } 771 }
667 } 772 }
668 else
669 vpn->connect_request (conf->id);
670 } 773 }
671} 774}
672 775
673void 776void
674connection::reset_connection () 777connection::reset_connection ()
717connection::send_data_packet (tap_packet *pkt, bool broadcast) 820connection::send_data_packet (tap_packet *pkt, bool broadcast)
718{ 821{
719 vpndata_packet *p = new vpndata_packet; 822 vpndata_packet *p = new vpndata_packet;
720 int tos = 0; 823 int tos = 0;
721 824
825 // I am not hilarious about peeking into packets, but so be it.
722 if (conf->inherit_tos 826 if (conf->inherit_tos
723 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 827 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
724 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 828 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
725 tos = (*pkt)[15] & IPTOS_TOS_MASK; 829 tos = (*pkt)[15] & IPTOS_TOS_MASK;
726 830
727 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 831 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
728 vpn->send_vpn_packet (p, si, tos); 832 send_vpn_packet (p, si, tos);
729 833
730 delete p; 834 delete p;
731 835
732 if (oseqno > MAX_SEQNO) 836 if (oseqno > MAX_SEQNO)
733 rekey (); 837 rekey ();
739 if (ictx && octx) 843 if (ictx && octx)
740 send_data_packet (pkt, broadcast); 844 send_data_packet (pkt, broadcast);
741 else 845 else
742 { 846 {
743 if (!broadcast)//DDDD 847 if (!broadcast)//DDDD
744 queue.put (new tap_packet (*pkt)); 848 data_queue.put (new tap_packet (*pkt));
849
850 establish_connection ();
851 }
852}
853
854void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
855{
856 if (ictx && octx)
857 send_vpn_packet (pkt, si, tos);
858 else
859 {
860 vpn_queue.put (new vpn_packet (*pkt));
745 861
746 establish_connection (); 862 establish_connection ();
747 } 863 }
748} 864}
749 865
811 rsachallenge k; 927 rsachallenge k;
812 928
813 if (0 > RSA_private_decrypt (sizeof (p->encr), 929 if (0 > RSA_private_decrypt (sizeof (p->encr),
814 (unsigned char *)&p->encr, (unsigned char *)&k, 930 (unsigned char *)&p->encr, (unsigned char *)&k,
815 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 931 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
816 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 932 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
817 conf->nodename, (const char *)rsi); 933 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
818 else 934 else
819 { 935 {
820 retry_cnt = 0;
821 establish_connection.start (NOW + 8); //? ;)
822 keepalive.reset ();
823 rekey.reset ();
824
825 delete ictx;
826 ictx = 0;
827
828 delete octx; 936 delete octx;
829 937
830 octx = new crypto_ctx (k, 1); 938 octx = new crypto_ctx (k, 1);
831 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 939 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
832 940
833 conf->protocols = p->protocols; 941 conf->protocols = p->protocols;
942
834 send_auth_response (rsi, p->id, k); 943 send_auth_response (rsi, p->id, k);
944
945 connection_established ();
835 946
836 break; 947 break;
837 } 948 }
838 } 949 }
950 else
951 slog (L_WARN, _("%s(%s): protocol mismatch"),
952 conf->nodename, (const char *)rsi);
839 953
840 send_reset (rsi); 954 send_reset (rsi);
841 } 955 }
842 956
843 break; 957 break;
856 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 970 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
857 971
858 rsachallenge chg; 972 rsachallenge chg;
859 973
860 if (!rsa_cache.find (p->id, chg)) 974 if (!rsa_cache.find (p->id, chg))
975 {
861 slog (L_ERR, _("%s(%s): unrequested auth response"), 976 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
862 conf->nodename, (const char *)rsi); 977 conf->nodename, (const char *)rsi);
978 break;
979 }
863 else 980 else
864 { 981 {
865 crypto_ctx *cctx = new crypto_ctx (chg, 0); 982 crypto_ctx *cctx = new crypto_ctx (chg, 0);
866 983
867 if (!p->hmac_chk (cctx)) 984 if (!p->hmac_chk (cctx))
985 {
868 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 986 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
869 "could be an attack, or just corruption or an synchronization error"), 987 "could be an attack, or just corruption or an synchronization error"),
870 conf->nodename, (const char *)rsi); 988 conf->nodename, (const char *)rsi);
989 break;
990 }
871 else 991 else
872 { 992 {
873 rsaresponse h; 993 rsaresponse h;
874 994
875 rsa_hash (p->id, chg, h); 995 rsa_hash (p->id, chg, h);
881 delete ictx; ictx = cctx; 1001 delete ictx; ictx = cctx;
882 1002
883 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 1003 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
884 1004
885 si = rsi; 1005 si = rsi;
1006 protocol = rsi.prot;
886 1007
887 rekey.start (NOW + ::conf.rekey); 1008 connection_established ();
888 keepalive.start (NOW + ::conf.keepalive);
889 1009
890 // send queued packets
891 while (tap_packet *p = queue.get ())
892 {
893 send_data_packet (p);
894 delete p;
895 }
896
897 connectmode = conf->connectmode;
898
899 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"), 1010 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
900 conf->nodename, (const char *)rsi, 1011 conf->nodename, (const char *)rsi,
901 strprotocol (protocol),
902 p->prot_major, p->prot_minor); 1012 p->prot_major, p->prot_minor);
903 1013
904 if (::conf.script_node_up) 1014 if (::conf.script_node_up)
905 run_script (run_script_cb (this, &connection::script_node_up), false); 1015 run_script (run_script_cb (this, &connection::script_node_up), false);
906 1016
929 1039
930 if (ictx && octx) 1040 if (ictx && octx)
931 { 1041 {
932 vpndata_packet *p = (vpndata_packet *)pkt; 1042 vpndata_packet *p = (vpndata_packet *)pkt;
933 1043
934 if (rsi == si) 1044 if (!p->hmac_chk (ictx))
1045 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1046 "could be an attack, or just corruption or an synchronization error"),
1047 conf->nodename, (const char *)rsi);
1048 else
935 { 1049 {
936 if (!p->hmac_chk (ictx))
937 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
938 "could be an attack, or just corruption or an synchronization error"),
939 conf->nodename, (const char *)rsi);
940 else 1050 u32 seqno;
1051 tap_packet *d = p->unpack (this, seqno);
1052
1053 if (iseqno.recv_ok (seqno))
941 { 1054 {
942 u32 seqno; 1055 vpn->tap->send (d);
943 tap_packet *d = p->unpack (this, seqno);
944 1056
945 if (iseqno.recv_ok (seqno)) 1057 if (p->dst () == 0) // re-broadcast
1058 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1059 {
1060 connection *c = *i;
1061
1062 if (c->conf != THISNODE && c->conf != conf)
1063 c->inject_data_packet (d);
1064 }
1065
1066 if (si != rsi)
946 { 1067 {
947 vpn->tap->send (d); 1068 // fast re-sync on connection changes, useful especially for tcp/ip
948
949 if (p->dst () == 0) // re-broadcast
950 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
951 {
952 connection *c = *i;
953
954 if (c->conf != THISNODE && c->conf != conf)
955 c->inject_data_packet (d);
956 }
957
958 delete d;
959
960 break; 1069 si = rsi;
1070
1071 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1072 conf->nodename, (const char *)si, (const char *)rsi);
961 } 1073 }
1074
1075 delete d;
1076
1077 break;
962 } 1078 }
963 } 1079 }
964 else
965 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
966 } 1080 }
967 1081
968 send_reset (rsi); 1082 send_reset (rsi);
969 break; 1083 break;
970 1084
972 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1086 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
973 { 1087 {
974 connect_req_packet *p = (connect_req_packet *) pkt; 1088 connect_req_packet *p = (connect_req_packet *) pkt;
975 1089
976 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1090 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1091 connection *c = vpn->conns[p->id - 1];
977 conf->protocols = p->protocols; 1092 conf->protocols = p->protocols;
978 connection *c = vpn->conns[p->id - 1];
979 1093
980 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 1094 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
981 conf->id, p->id, c->ictx && c->octx); 1095 conf->id, p->id, c->ictx && c->octx);
982 1096
983 if (c->ictx && c->octx) 1097 if (c->ictx && c->octx)
985 // send connect_info packets to both sides, in case one is 1099 // send connect_info packets to both sides, in case one is
986 // behind a nat firewall (or both ;) 1100 // behind a nat firewall (or both ;)
987 c->send_connect_info (conf->id, si, conf->protocols); 1101 c->send_connect_info (conf->id, si, conf->protocols);
988 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1102 send_connect_info (c->conf->id, c->si, c->conf->protocols);
989 } 1103 }
1104 else
1105 c->establish_connection ();
990 } 1106 }
991 1107
992 break; 1108 break;
993 1109
994 case vpn_packet::PT_CONNECT_INFO: 1110 case vpn_packet::PT_CONNECT_INFO:
995 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1111 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
996 { 1112 {
997 connect_info_packet *p = (connect_info_packet *) pkt; 1113 connect_info_packet *p = (connect_info_packet *) pkt;
998 1114
999 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1115 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1000 conf->protocols = p->protocols; 1116
1001 connection *c = vpn->conns[p->id - 1]; 1117 connection *c = vpn->conns[p->id - 1];
1118
1119 c->conf->protocols = p->protocols;
1120 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1121 p->si.upgrade_protocol (protocol, c->conf);
1002 1122
1003 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1123 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1004 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1124 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1005 1125
1126 const sockinfo &dsi = forward_si (p->si);
1127
1128 if (dsi.valid ())
1006 c->send_auth_request (p->si, true); 1129 c->send_auth_request (dsi, true);
1007 } 1130 }
1008 1131
1009 break; 1132 break;
1010 1133
1011 default: 1134 default:
1027 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1150 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1028 { 1151 {
1029 send_ping (si); 1152 send_ping (si);
1030 w.at = NOW + 5; 1153 w.at = NOW + 5;
1031 } 1154 }
1155 else if (NOW < last_activity + ::conf.keepalive + 10)
1156 // hold ondemand connections implicitly a few seconds longer
1157 // should delete octx, though, or something like that ;)
1158 w.at = last_activity + ::conf.keepalive + 10;
1032 else 1159 else
1033 reset_connection (); 1160 reset_connection ();
1034} 1161}
1035 1162
1036void connection::connect_request (int id) 1163void connection::send_connect_request (int id)
1037{ 1164{
1038 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1165 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1039 1166
1040 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1167 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1041 p->hmac_set (octx); 1168 p->hmac_set (octx);
1042 vpn->send_vpn_packet (p, si); 1169 send_vpn_packet (p, si);
1043 1170
1044 delete p; 1171 delete p;
1045} 1172}
1046 1173
1047void connection::script_node () 1174void connection::script_node ()

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines