[ViewVC] Diff of: cvs/gvpe/src/connection.C

Comparing gvpe/src/connection.C (file contents):
Revision 1.5 by pcg, Wed Apr 2 21:43:44 2003 UTC vs.
Revision 1.21 by pcg, Thu Oct 16 02:28:36 2003 UTC

…		…
35	#include "slog.h"	35	#include "slog.h"
36	#include "device.h"	36	#include "device.h"
37	#include "vpn.h"	37	#include "vpn.h"
38	#include "connection.h"	38	#include "connection.h"
39		39
		40	#include "netcompat.h"
		41
40	#if !HAVE_RAND_PSEUDO_BYTES	42	#if !HAVE_RAND_PSEUDO_BYTES
41	# define RAND_pseudo_bytes RAND_bytes	43	# define RAND_pseudo_bytes RAND_bytes
42	#endif	44	#endif
43		45
44	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic	46	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
…		…
147	}	149	}
148	}	150	}
149		151
150	//////////////////////////////////////////////////////////////////////////////	152	//////////////////////////////////////////////////////////////////////////////
151		153
152	void pkt_queue::put (tap_packet *p)	154	void pkt_queue::put (net_packet *p)
153	{	155	{
154	if (queue[i])	156	if (queue[i])
155	{	157	{
156	delete queue[i];	158	delete queue[i];
157	j = (j + 1) % QUEUEDEPTH;	159	j = (j + 1) % QUEUEDEPTH;
…		…
160	queue[i] = p;	162	queue[i] = p;
161		163
162	i = (i + 1) % QUEUEDEPTH;	164	i = (i + 1) % QUEUEDEPTH;
163	}	165	}
164		166
165	tap_packet *pkt_queue::get ()	167	net_packet *pkt_queue::get ()
166	{	168	{
167	tap_packet *p = queue[j];	169	net_packet *p = queue[j];
168		170
169	if (p)	171	if (p)
170	{	172	{
171	queue[j] = 0;	173	queue[j] = 0;
172	j = (j + 1) % QUEUEDEPTH;	174	j = (j + 1) % QUEUEDEPTH;
…		…
197	// only do action once every x seconds per host whole allowing bursts.	199	// only do action once every x seconds per host whole allowing bursts.
198	// this implementation ("splay list" ;) is inefficient,	200	// this implementation ("splay list" ;) is inefficient,
199	// but low on resources.	201	// but low on resources.
200	struct net_rate_limiter : list<net_rateinfo>	202	struct net_rate_limiter : list<net_rateinfo>
201	{	203	{
202	static const double ALPHA = 1. - 1. / 90.; // allow bursts	204	static const double ALPHA = 1. - 1. / 600.; // allow bursts
203	static const double CUTOFF = 20.; // one event every CUTOFF seconds	205	static const double CUTOFF = 10.; // one event every CUTOFF seconds
204	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time	206	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
		207	static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205		208
206	bool can (const sockinfo &si) { return can((u32)si.host); }	209	bool can (const sockinfo &si) { return can((u32)si.host); }
207	bool can (u32 host);	210	bool can (u32 host);
208	};	211	};
209		212
210	net_rate_limiter auth_rate_limiter, reset_rate_limiter;	213	net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211		214
…		…
225	{	228	{
226	net_rateinfo ri;	229	net_rateinfo ri;
227		230
228	ri.host = host;	231	ri.host = host;
229	ri.pcnt = 1.;	232	ri.pcnt = 1.;
230	ri.diff = CUTOFF * (1. / (1. - ALPHA));	233	ri.diff = MAXDIF;
231	ri.last = NOW;	234	ri.last = NOW;
232		235
233	push_front (ri);	236	push_front (ri);
234		237
235	return true;	238	return true;
…		…
242	ri.pcnt = ri.pcnt * ALPHA;	245	ri.pcnt = ri.pcnt * ALPHA;
243	ri.diff = ri.diff * ALPHA + (NOW - ri.last);	246	ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244		247
245	ri.last = NOW;	248	ri.last = NOW;
246		249
		250	double dif = ri.diff / ri.pcnt;
		251
247	bool send = ri.diff / ri.pcnt > CUTOFF;	252	bool send = dif > CUTOFF;
248		253
		254	if (dif > MAXDIF)
		255	{
		256	ri.pcnt = 1.;
		257	ri.diff = MAXDIF;
		258	}
249	if (send)	259	else if (send)
250	ri.pcnt++;	260	ri.pcnt++;
251		261
252	push_front (ri);	262	push_front (ri);
253		263
254	return send;	264	return send;
…		…
285	hmac_gen (ctx);	295	hmac_gen (ctx);
286		296
287	return !memcmp (hmac, hmac_digest, HMACLENGTH);	297	return !memcmp (hmac, hmac_digest, HMACLENGTH);
288	}	298	}
289		299
290	void vpn_packet::set_hdr (ptype type, unsigned int dst)	300	void vpn_packet::set_hdr (ptype type_, unsigned int dst)
291	{	301	{
292	this->type = type;	302	type = type_;
293		303
294	int src = THISNODE->id;	304	int src = THISNODE->id;
295		305
296	src1 = src;	306	src1 = src;
297	srcdst = ((src >> 8) << 4) \| (dst >> 8);	307	srcdst = ((src >> 8) << 4) \| (dst >> 8);
…		…
467	set_hdr (type, dst);	477	set_hdr (type, dst);
468	}	478	}
469		479
470	bool config_packet::chk_config () const	480	bool config_packet::chk_config () const
471	{	481	{
472	return prot_major == PROTOCOL_MAJOR	482	if (prot_major != PROTOCOL_MAJOR)
473	&& randsize == RAND_SIZE	483	slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR);
474	&& hmaclen == HMACLENGTH	484	else if (randsize != RAND_SIZE)
475	&& flags == curflags ()	485	slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE);
		486	else if (hmaclen != HMACLENGTH)
		487	slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH);
		488	else if (flags != curflags ())
		489	slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
476	&& challengelen == sizeof (rsachallenge)	490	else if (challengelen != sizeof (rsachallenge))
		491	slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge));
477	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))	492	else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
		493	slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478	&& digest_nid == htonl (EVP_MD_type (RSA_HASH))	494	else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
		495	slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479	&& hmac_nid == htonl (EVP_MD_type (DIGEST));	496	else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
		497	slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
		498	else
		499	return true;
		500
		501	return false;
480	}	502	}
481		503
482	struct auth_req_packet : config_packet	504	struct auth_req_packet : config_packet
483	{	505	{
484	char magic[8];	506	char magic[8];
…		…
546	};	568	};
547		569
548	/////////////////////////////////////////////////////////////////////////////	570	/////////////////////////////////////////////////////////////////////////////
549		571
550	void	572	void
		573	connection::connection_established ()
		574	{
		575	if (ictx && octx)
		576	{
		577	connectmode = conf->connectmode;
		578
		579	rekey.start (NOW + ::conf.rekey);
		580	keepalive.start (NOW + ::conf.keepalive);
		581
		582	// send queued packets
		583	if (ictx && octx)
		584	{
		585	while (tap_packet p = (tap_packet )data_queue.get ())
		586	{
		587	send_data_packet (p);
		588	delete p;
		589	}
		590
		591	while (vpn_packet p = (vpn_packet )vpn_queue.get ())
		592	{
		593	send_vpn_packet (p, si, IPTOS_RELIABILITY);
		594	delete p;
		595	}
		596	}
		597	}
		598	else
		599	{
		600	retry_cnt = 0;
		601	establish_connection.start (NOW + 5);
		602	keepalive.reset ();
		603	rekey.reset ();
		604	}
		605	}
		606
		607	void
551	connection::reset_dstaddr ()	608	connection::reset_si ()
552	{	609	{
553	si.set (conf);
554	}
555
556	void
557	connection::send_ping (const sockinfo &si, u8 pong)
558	{
559	ping_packet *pkt = new ping_packet;
560
561	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
562	send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
563
564	delete pkt;
565	}
566
567	void
568	connection::send_reset (const sockinfo &si)
569	{
570	if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
571	{
572	config_packet *pkt = new config_packet;
573
574	pkt->setup (vpn_packet::PT_RESET, conf->id);
575	send_vpn_packet (pkt, si, IPTOS_MINCOST);
576
577	delete pkt;
578	}
579	}
580
581	void
582	connection::send_auth_request (const sockinfo &si, bool initiate)
583	{
584	auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
585
586	protocol = best_protocol (THISNODE->protocols & conf->protocols);	610	protocol = best_protocol (THISNODE->protocols & conf->protocols);
587		611
588	// mask out protocols we cannot establish	612	// mask out protocols we cannot establish
589	if (!conf->udp_port) protocol &= ~PROT_UDPv4;	613	if (!conf->udp_port) protocol &= ~PROT_UDPv4;
590	if (!conf->tcp_port) protocol &= ~PROT_TCPv4;	614	if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
591		615
592	if (protocol)	616	si.set (conf, protocol);
		617	}
		618
		619	// ensure sockinfo is valid, forward if necessary
		620	const sockinfo &
		621	connection::forward_si (const sockinfo &si) const
		622	{
		623	if (!si.valid ())
		624	{
		625	connection *r = vpn->find_router ();
		626
		627	if (r)
		628	{
		629	slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
		630	conf->nodename, r->conf->nodename);
		631	return r->si;
		632	}
		633	else
		634	slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
		635	conf->nodename);
593	{	636	}
594	rsachallenge chg;
595		637
596	rsa_cache.gen (pkt->id, chg);	638	return si;
		639	}
597		640
598	if (0 > RSA_public_encrypt (sizeof chg,	641	void
599	(unsigned char )&chg, (unsigned char )&pkt->encr,	642	connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
600	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))	643	{
601	fatal ("RSA_public_encrypt error");	644	if (!vpn->send_vpn_packet (pkt, si, tos))
		645	reset_connection ();
		646	}
602		647
603	slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);	648	void
		649	connection::send_ping (const sockinfo &si, u8 pong)
		650	{
		651	ping_packet *pkt = new ping_packet;
604		652
605	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly	653	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
		654	send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
		655
		656	delete pkt;
		657	}
		658
		659	void
		660	connection::send_reset (const sockinfo &si)
		661	{
		662	if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
		663	{
		664	config_packet *pkt = new config_packet;
		665
		666	pkt->setup (vpn_packet::PT_RESET, conf->id);
		667	send_vpn_packet (pkt, si, IPTOS_MINCOST);
606		668
607	delete pkt;	669	delete pkt;
608	}	670	}
609	else	671	}
610	; // silently fail	672
		673	void
		674	connection::send_auth_request (const sockinfo &si, bool initiate)
		675	{
		676	auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
		677
		678	rsachallenge chg;
		679
		680	rsa_cache.gen (pkt->id, chg);
		681
		682	if (0 > RSA_public_encrypt (sizeof chg,
		683	(unsigned char )&chg, (unsigned char )&pkt->encr,
		684	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
		685	fatal ("RSA_public_encrypt error");
		686
		687	slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
		688
		689	send_vpn_packet (pkt, si, IPTOS_RELIABILITY \| IPTOS_LOWDELAY); // rsa is very very costly
		690
		691	delete pkt;
611	}	692	}
612		693
613	void	694	void
614	connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)	695	connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
615	{	696	{
…		…
656	if (retry_int < 3600 * 8)	737	if (retry_int < 3600 * 8)
657	retry_cnt++;	738	retry_cnt++;
658		739
659	w.at = NOW + retry_int;	740	w.at = NOW + retry_int;
660		741
661	if (conf->hostname)	742	reset_si ();
		743
		744	if (si.prot && !si.host)
		745	vpn->send_connect_request (conf->id);
		746	else
662	{	747	{
663	reset_dstaddr ();	748	const sockinfo &dsi = forward_si (si);
		749
664	if (si.host && auth_rate_limiter.can (si))	750	if (dsi.valid () && auth_rate_limiter.can (dsi))
665	{	751	{
666	if (retry_cnt < 4)	752	if (retry_cnt < 4)
667	send_auth_request (si, true);	753	send_auth_request (dsi, true);
668	else	754	else
669	send_ping (si, 0);	755	send_ping (dsi, 0);
670	}	756	}
671	}	757	}
672	else
673	vpn->connect_request (conf->id);
674	}	758	}
675	}	759	}
676		760
677	void	761	void
678	connection::reset_connection ()	762	connection::reset_connection ()
…		…
716	reset_connection ();	800	reset_connection ();
717	establish_connection ();	801	establish_connection ();
718	}	802	}
719		803
720	void	804	void
721	connection::send_data_packet (tap_packet *pkt, bool broadcast)	805	connection::send_data_packet (tap_packet *pkt)
722	{	806	{
723	vpndata_packet *p = new vpndata_packet;	807	vpndata_packet *p = new vpndata_packet;
724	int tos = 0;	808	int tos = 0;
725		809
726	if (conf->inherit_tos	810	// I am not hilarious about peeking into packets, but so be it.
727	&& (pkt)[12] == 0x08 && (pkt)[13] == 0x00 // IP	811	if (conf->inherit_tos && pkt->is_ipv4 ())
728	&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4
729	tos = (*pkt)[15] & IPTOS_TOS_MASK;	812	tos = (*pkt)[15] & IPTOS_TOS_MASK;
730		813
731	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs	814	p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
732	send_vpn_packet (p, si, tos);	815	send_vpn_packet (p, si, tos);
733		816
734	delete p;	817	delete p;
735		818
736	if (oseqno > MAX_SEQNO)	819	if (oseqno > MAX_SEQNO)
737	rekey ();	820	rekey ();
738	}	821	}
739		822
740	void	823	void
741	connection::inject_data_packet (tap_packet *pkt, bool broadcast)	824	connection::inject_data_packet (tap_packet pkt, bool broadcast/TODO DDD*/)
742	{	825	{
743	if (ictx && octx)	826	if (ictx && octx)
744	send_data_packet (pkt, broadcast);	827	send_data_packet (pkt);
745	else	828	else
746	{	829	{
747	if (!broadcast)//DDDD	830	if (!broadcast)//DDDD
748	queue.put (new tap_packet (*pkt));	831	data_queue.put (new tap_packet (*pkt));
		832
		833	establish_connection ();
		834	}
		835	}
		836
		837	void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
		838	{
		839	if (ictx && octx)
		840	send_vpn_packet (pkt, si, tos);
		841	else
		842	{
		843	vpn_queue.put (new vpn_packet (*pkt));
749		844
750	establish_connection ();	845	establish_connection ();
751	}	846	}
752	}	847	}
753		848
…		…
815	rsachallenge k;	910	rsachallenge k;
816		911
817	if (0 > RSA_private_decrypt (sizeof (p->encr),	912	if (0 > RSA_private_decrypt (sizeof (p->encr),
818	(unsigned char )&p->encr, (unsigned char )&k,	913	(unsigned char )&p->encr, (unsigned char )&k,
819	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))	914	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
820	slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),	915	slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
821	conf->nodename, (const char *)rsi);	916	conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
822	else	917	else
823	{	918	{
824	retry_cnt = 0;
825	establish_connection.set (NOW + 8); //? ;)
826	keepalive.reset ();
827	rekey.reset ();
828
829	delete ictx;
830	ictx = 0;
831
832	delete octx;	919	delete octx;
833		920
834	octx = new crypto_ctx (k, 1);	921	octx = new crypto_ctx (k, 1);
835	oseqno = ntohl ((u32 )&k[CHG_SEQNO]) & 0x7fffffff;	922	oseqno = ntohl ((u32 )&k[CHG_SEQNO]) & 0x7fffffff;
836		923
837	conf->protocols = p->protocols;	924	conf->protocols = p->protocols;
		925
838	send_auth_response (rsi, p->id, k);	926	send_auth_response (rsi, p->id, k);
		927
		928	connection_established ();
839		929
840	break;	930	break;
841	}	931	}
842	}	932	}
		933	else
		934	slog (L_WARN, _("%s(%s): protocol mismatch"),
		935	conf->nodename, (const char *)rsi);
843		936
844	send_reset (rsi);	937	send_reset (rsi);
845	}	938	}
846		939
847	break;	940	break;
…		…
860	PROTOCOL_MINOR, conf->nodename, p->prot_minor);	953	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
861		954
862	rsachallenge chg;	955	rsachallenge chg;
863		956
864	if (!rsa_cache.find (p->id, chg))	957	if (!rsa_cache.find (p->id, chg))
		958	{
865	slog (L_ERR, _("%s(%s): unrequested auth response"),	959	slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
866	conf->nodename, (const char *)rsi);	960	conf->nodename, (const char *)rsi);
		961	break;
		962	}
867	else	963	else
868	{	964	{
869	crypto_ctx *cctx = new crypto_ctx (chg, 0);	965	crypto_ctx *cctx = new crypto_ctx (chg, 0);
870		966
871	if (!p->hmac_chk (cctx))	967	if (!p->hmac_chk (cctx))
		968	{
872	slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"	969	slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
873	"could be an attack, or just corruption or an synchronization error"),	970	"could be an attack, or just corruption or an synchronization error"),
874	conf->nodename, (const char *)rsi);	971	conf->nodename, (const char *)rsi);
		972	break;
		973	}
875	else	974	else
876	{	975	{
877	rsaresponse h;	976	rsaresponse h;
878		977
879	rsa_hash (p->id, chg, h);	978	rsa_hash (p->id, chg, h);
…		…
885	delete ictx; ictx = cctx;	984	delete ictx; ictx = cctx;
886		985
887	iseqno.reset (ntohl ((u32 )&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid	986	iseqno.reset (ntohl ((u32 )&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
888		987
889	si = rsi;	988	si = rsi;
		989	protocol = rsi.prot;
890		990
891	rekey.set (NOW + ::conf.rekey);	991	connection_established ();
892	keepalive.set (NOW + ::conf.keepalive);
893		992
894	// send queued packets
895	while (tap_packet *p = queue.get ())
896	{
897	send_data_packet (p);
898	delete p;
899	}
900
901	connectmode = conf->connectmode;
902
903	slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),	993	slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
904	conf->nodename, (const char *)rsi,	994	conf->nodename, (const char *)rsi,
905	strprotocol (protocol),
906	p->prot_major, p->prot_minor);	995	p->prot_major, p->prot_minor);
907		996
908	if (::conf.script_node_up)	997	if (::conf.script_node_up)
909	run_script (run_script_cb (this, &connection::script_node_up), false);	998	run_script (run_script_cb (this, &connection::script_node_up), false);
910		999
…		…
933		1022
934	if (ictx && octx)	1023	if (ictx && octx)
935	{	1024	{
936	vpndata_packet p = (vpndata_packet )pkt;	1025	vpndata_packet p = (vpndata_packet )pkt;
937		1026
938	if (rsi == si)	1027	if (!p->hmac_chk (ictx))
		1028	slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
		1029	"could be an attack, or just corruption or an synchronization error"),
		1030	conf->nodename, (const char *)rsi);
		1031	else
939	{	1032	{
940	if (!p->hmac_chk (ictx))
941	slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
942	"could be an attack, or just corruption or an synchronization error"),
943	conf->nodename, (const char *)rsi);
944	else	1033	u32 seqno;
		1034	tap_packet *d = p->unpack (this, seqno);
		1035
		1036	if (iseqno.recv_ok (seqno))
945	{	1037	{
946	u32 seqno;	1038	vpn->tap->send (d);
947	tap_packet *d = p->unpack (this, seqno);
948		1039
949	if (iseqno.recv_ok (seqno))	1040	if (si != rsi)
950	{	1041	{
951	vpn->tap->send (d);	1042	// fast re-sync on connection changes, useful especially for tcp/ip
952
953	if (p->dst () == 0) // re-broadcast
954	for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
955	{
956	connection c = i;
957
958	if (c->conf != THISNODE && c->conf != conf)
959	c->inject_data_packet (d);
960	}
961
962	delete d;
963
964	break;	1043	si = rsi;
		1044
		1045	slog (L_INFO, _("%s(%s): socket address changed to %s"),
		1046	conf->nodename, (const char )si, (const char )rsi);
965	}	1047	}
		1048
		1049	delete d;
		1050
		1051	break;
966	}	1052	}
967	}	1053	}
968	else
969	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
970	}	1054	}
971		1055
972	send_reset (rsi);	1056	send_reset (rsi);
973	break;	1057	break;
974		1058
…		…
976	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))	1060	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
977	{	1061	{
978	connect_req_packet p = (connect_req_packet ) pkt;	1062	connect_req_packet p = (connect_req_packet ) pkt;
979		1063
980	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything	1064	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
		1065	connection *c = vpn->conns[p->id - 1];
981	conf->protocols = p->protocols;	1066	conf->protocols = p->protocols;
982	connection *c = vpn->conns[p->id - 1];
983		1067
984	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",	1068	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
985	conf->id, p->id, c->ictx && c->octx);	1069	conf->id, p->id, c->ictx && c->octx);
986		1070
987	if (c->ictx && c->octx)	1071	if (c->ictx && c->octx)
…		…
989	// send connect_info packets to both sides, in case one is	1073	// send connect_info packets to both sides, in case one is
990	// behind a nat firewall (or both ;)	1074	// behind a nat firewall (or both ;)
991	c->send_connect_info (conf->id, si, conf->protocols);	1075	c->send_connect_info (conf->id, si, conf->protocols);
992	send_connect_info (c->conf->id, c->si, c->conf->protocols);	1076	send_connect_info (c->conf->id, c->si, c->conf->protocols);
993	}	1077	}
		1078	else
		1079	c->establish_connection ();
994	}	1080	}
995		1081
996	break;	1082	break;
997		1083
998	case vpn_packet::PT_CONNECT_INFO:	1084	case vpn_packet::PT_CONNECT_INFO:
999	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))	1085	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1000	{	1086	{
1001	connect_info_packet p = (connect_info_packet ) pkt;	1087	connect_info_packet p = (connect_info_packet ) pkt;
1002		1088
1003	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything	1089	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1004	conf->protocols = p->protocols;	1090
1005	connection *c = vpn->conns[p->id - 1];	1091	connection *c = vpn->conns[p->id - 1];
		1092
		1093	c->conf->protocols = p->protocols;
		1094	protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
		1095	p->si.upgrade_protocol (protocol, c->conf);
1006		1096
1007	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",	1097	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1008	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);	1098	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1009		1099
		1100	const sockinfo &dsi = forward_si (p->si);
		1101
		1102	if (dsi.valid ())
1010	c->send_auth_request (p->si, true);	1103	c->send_auth_request (dsi, true);
1011	}	1104	}
1012		1105
1013	break;	1106	break;
1014		1107
1015	default:	1108	default:
…		…
1031	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)	1124	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)
1032	{	1125	{
1033	send_ping (si);	1126	send_ping (si);
1034	w.at = NOW + 5;	1127	w.at = NOW + 5;
1035	}	1128	}
		1129	else if (NOW < last_activity + ::conf.keepalive + 10)
		1130	// hold ondemand connections implicitly a few seconds longer
		1131	// should delete octx, though, or something like that ;)
		1132	w.at = last_activity + ::conf.keepalive + 10;
1036	else	1133	else
1037	reset_connection ();	1134	reset_connection ();
1038	}	1135	}
1039		1136
1040	void connection::connect_request (int id)	1137	void connection::send_connect_request (int id)
1041	{	1138	{
1042	connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);	1139	connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1043		1140
1044	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);	1141	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1045	p->hmac_set (octx);	1142	p->hmac_set (octx);
…		…
1075	putenv ("STATE=down");	1172	putenv ("STATE=down");
1076		1173
1077	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";	1174	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1078	}	1175	}
1079		1176
1080	// send a vpn packet out to other hosts
1081	void
1082	connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1083	{
1084	switch (protocol)
1085	{
1086	case PROT_IPv4:
1087	vpn->send_ipv4_packet (pkt, si, tos);
1088	break;
1089
1090	case PROT_UDPv4:
1091	vpn->send_udpv4_packet (pkt, si, tos);
1092	break;
1093
1094	#if ENABLE_TCP
1095	case PROT_TCPv4:
1096	vpn->send_tcpv4_packet (pkt, si, tos);
1097	break;
1098	#endif
1099	}
1100	}
1101
1102	connection::connection(struct vpn *vpn_)	1177	connection::connection(struct vpn *vpn_)
1103	: vpn(vpn_)	1178	: vpn(vpn_)
1104	, rekey (this, &connection::rekey_cb)	1179	, rekey (this, &connection::rekey_cb)
1105	, keepalive (this, &connection::keepalive_cb)	1180	, keepalive (this, &connection::keepalive_cb)
1106	, establish_connection (this, &connection::establish_connection_cb)	1181	, establish_connection (this, &connection::establish_connection_cb)

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/src/connection.C (file contents): Revision 1.5 by pcg, Wed Apr 2 21:43:44 2003 UTC vs. Revision 1.21 by pcg, Thu Oct 16 02:28:36 2003 UTC

Diff Legend

Comparing gvpe/src/connection.C (file contents):
Revision 1.5 by pcg, Wed Apr 2 21:43:44 2003 UTC vs.
Revision 1.21 by pcg, Thu Oct 16 02:28:36 2003 UTC