[ViewVC] Diff of: cvs/gvpe/src/connection.C

Comparing gvpe/src/connection.C (file contents):
Revision 1.6 by pcg, Sat Apr 5 02:32:40 2003 UTC vs.
Revision 1.23 by pcg, Wed Oct 22 00:42:53 2003 UTC

…		…
1	/*	1	/*
2	connection.C -- manage a single connection	2	connection.C -- manage a single connection
		3	Copyright (C) 2003 Marc Lehmann <pcg@goof.com>
3		4
4	This program is free software; you can redistribute it and/or modify	5	This program is free software; you can redistribute it and/or modify
5	it under the terms of the GNU General Public License as published by	6	it under the terms of the GNU General Public License as published by
6	the Free Software Foundation; either version 2 of the License, or	7	the Free Software Foundation; either version 2 of the License, or
7	(at your option) any later version.	8	(at your option) any later version.
35	#include "slog.h"	36	#include "slog.h"
36	#include "device.h"	37	#include "device.h"
37	#include "vpn.h"	38	#include "vpn.h"
38	#include "connection.h"	39	#include "connection.h"
39		40
		41	#include "netcompat.h"
		42
40	#if !HAVE_RAND_PSEUDO_BYTES	43	#if !HAVE_RAND_PSEUDO_BYTES
41	# define RAND_pseudo_bytes RAND_bytes	44	# define RAND_pseudo_bytes RAND_bytes
42	#endif	45	#endif
43		46
44	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic	47	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
…		…
147	}	150	}
148	}	151	}
149		152
150	//////////////////////////////////////////////////////////////////////////////	153	//////////////////////////////////////////////////////////////////////////////
151		154
152	void pkt_queue::put (tap_packet *p)	155	void pkt_queue::put (net_packet *p)
153	{	156	{
154	if (queue[i])	157	if (queue[i])
155	{	158	{
156	delete queue[i];	159	delete queue[i];
157	j = (j + 1) % QUEUEDEPTH;	160	j = (j + 1) % QUEUEDEPTH;
…		…
160	queue[i] = p;	163	queue[i] = p;
161		164
162	i = (i + 1) % QUEUEDEPTH;	165	i = (i + 1) % QUEUEDEPTH;
163	}	166	}
164		167
165	tap_packet *pkt_queue::get ()	168	net_packet *pkt_queue::get ()
166	{	169	{
167	tap_packet *p = queue[j];	170	net_packet *p = queue[j];
168		171
169	if (p)	172	if (p)
170	{	173	{
171	queue[j] = 0;	174	queue[j] = 0;
172	j = (j + 1) % QUEUEDEPTH;	175	j = (j + 1) % QUEUEDEPTH;
…		…
197	// only do action once every x seconds per host whole allowing bursts.	200	// only do action once every x seconds per host whole allowing bursts.
198	// this implementation ("splay list" ;) is inefficient,	201	// this implementation ("splay list" ;) is inefficient,
199	// but low on resources.	202	// but low on resources.
200	struct net_rate_limiter : list<net_rateinfo>	203	struct net_rate_limiter : list<net_rateinfo>
201	{	204	{
202	static const double ALPHA = 1. - 1. / 90.; // allow bursts	205	static const double ALPHA = 1. - 1. / 600.; // allow bursts
203	static const double CUTOFF = 20.; // one event every CUTOFF seconds	206	static const double CUTOFF = 10.; // one event every CUTOFF seconds
204	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time	207	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
		208	static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205		209
206	bool can (const sockinfo &si) { return can((u32)si.host); }	210	bool can (const sockinfo &si) { return can((u32)si.host); }
207	bool can (u32 host);	211	bool can (u32 host);
208	};	212	};
209		213
210	net_rate_limiter auth_rate_limiter, reset_rate_limiter;	214	net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211		215
…		…
225	{	229	{
226	net_rateinfo ri;	230	net_rateinfo ri;
227		231
228	ri.host = host;	232	ri.host = host;
229	ri.pcnt = 1.;	233	ri.pcnt = 1.;
230	ri.diff = CUTOFF * (1. / (1. - ALPHA));	234	ri.diff = MAXDIF;
231	ri.last = NOW;	235	ri.last = NOW;
232		236
233	push_front (ri);	237	push_front (ri);
234		238
235	return true;	239	return true;
…		…
242	ri.pcnt = ri.pcnt * ALPHA;	246	ri.pcnt = ri.pcnt * ALPHA;
243	ri.diff = ri.diff * ALPHA + (NOW - ri.last);	247	ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244		248
245	ri.last = NOW;	249	ri.last = NOW;
246		250
		251	double dif = ri.diff / ri.pcnt;
		252
247	bool send = ri.diff / ri.pcnt > CUTOFF;	253	bool send = dif > CUTOFF;
248		254
		255	if (dif > MAXDIF)
		256	{
		257	ri.pcnt = 1.;
		258	ri.diff = MAXDIF;
		259	}
249	if (send)	260	else if (send)
250	ri.pcnt++;	261	ri.pcnt++;
251		262
252	push_front (ri);	263	push_front (ri);
253		264
254	return send;	265	return send;
…		…
467	set_hdr (type, dst);	478	set_hdr (type, dst);
468	}	479	}
469		480
470	bool config_packet::chk_config () const	481	bool config_packet::chk_config () const
471	{	482	{
472	return prot_major == PROTOCOL_MAJOR	483	if (prot_major != PROTOCOL_MAJOR)
473	&& randsize == RAND_SIZE	484	slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
474	&& hmaclen == HMACLENGTH	485	else if (randsize != RAND_SIZE)
475	&& flags == curflags ()	486	slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
		487	else if (hmaclen != HMACLENGTH)
		488	slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
		489	else if (flags != curflags ())
		490	slog (L_WARN, _("flag mismatch (remote %x <=> local %x)"), flags, curflags ());
476	&& challengelen == sizeof (rsachallenge)	491	else if (challengelen != sizeof (rsachallenge))
		492	slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
477	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))	493	else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
		494	slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478	&& digest_nid == htonl (EVP_MD_type (RSA_HASH))	495	else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
		496	slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479	&& hmac_nid == htonl (EVP_MD_type (DIGEST));	497	else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
		498	slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
		499	else
		500	return true;
		501
		502	return false;
480	}	503	}
481		504
482	struct auth_req_packet : config_packet	505	struct auth_req_packet : config_packet
483	{	506	{
484	char magic[8];	507	char magic[8];
…		…
546	};	569	};
547		570
548	/////////////////////////////////////////////////////////////////////////////	571	/////////////////////////////////////////////////////////////////////////////
549		572
550	void	573	void
		574	connection::connection_established ()
		575	{
		576	if (ictx && octx)
		577	{
		578	connectmode = conf->connectmode;
		579
		580	rekey.start (NOW + ::conf.rekey);
		581	keepalive.start (NOW + ::conf.keepalive);
		582
		583	// send queued packets
		584	if (ictx && octx)
		585	{
		586	while (tap_packet p = (tap_packet )data_queue.get ())
		587	{
		588	send_data_packet (p);
		589	delete p;
		590	}
		591
		592	while (vpn_packet p = (vpn_packet )vpn_queue.get ())
		593	{
		594	send_vpn_packet (p, si, IPTOS_RELIABILITY);
		595	delete p;
		596	}
		597	}
		598	}
		599	else
		600	{
		601	retry_cnt = 0;
		602	establish_connection.start (NOW + 5);
		603	keepalive.reset ();
		604	rekey.reset ();
		605	}
		606	}
		607
		608	void
551	connection::reset_dstaddr ()	609	connection::reset_si ()
552	{	610	{
553	protocol = best_protocol (THISNODE->protocols & conf->protocols);	611	protocol = best_protocol (THISNODE->protocols & conf->protocols);
554		612
555	// mask out protocols we cannot establish	613	// mask out protocols we cannot establish
556	if (!conf->udp_port) protocol &= ~PROT_UDPv4;	614	if (!conf->udp_port) protocol &= ~PROT_UDPv4;
557	if (!conf->tcp_port) protocol &= ~PROT_TCPv4;	615	if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
558		616
559	si.set (conf, protocol);	617	si.set (conf, protocol);
560	}	618	}
561		619
		620	// ensure sockinfo is valid, forward if necessary
		621	const sockinfo &
		622	connection::forward_si (const sockinfo &si) const
		623	{
		624	if (!si.valid ())
		625	{
		626	connection *r = vpn->find_router ();
		627
		628	if (r)
		629	{
		630	slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
		631	conf->nodename, r->conf->nodename);
		632	return r->si;
		633	}
		634	else
		635	slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
		636	conf->nodename);
		637	}
		638
		639	return si;
		640	}
		641
		642	void
		643	connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
		644	{
		645	if (!vpn->send_vpn_packet (pkt, si, tos))
		646	reset_connection ();
		647	}
		648
562	void	649	void
563	connection::send_ping (const sockinfo &si, u8 pong)	650	connection::send_ping (const sockinfo &si, u8 pong)
564	{	651	{
565	ping_packet *pkt = new ping_packet;	652	ping_packet *pkt = new ping_packet;
566		653
567	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);	654	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
568	vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY);	655	send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
569		656
570	delete pkt;	657	delete pkt;
571	}	658	}
572		659
573	void	660	void
…		…
576	if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)	663	if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
577	{	664	{
578	config_packet *pkt = new config_packet;	665	config_packet *pkt = new config_packet;
579		666
580	pkt->setup (vpn_packet::PT_RESET, conf->id);	667	pkt->setup (vpn_packet::PT_RESET, conf->id);
581	vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST);	668	send_vpn_packet (pkt, si, IPTOS_MINCOST);
582		669
583	delete pkt;	670	delete pkt;
584	}	671	}
585	}	672	}
586		673
…		…
598	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))	685	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
599	fatal ("RSA_public_encrypt error");	686	fatal ("RSA_public_encrypt error");
600		687
601	slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);	688	slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
602		689
603	vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly	690	send_vpn_packet (pkt, si, IPTOS_RELIABILITY \| IPTOS_LOWDELAY); // rsa is very very costly
604		691
605	delete pkt;	692	delete pkt;
606	}	693	}
607		694
608	void	695	void
…		…
616		703
617	pkt->hmac_set (octx);	704	pkt->hmac_set (octx);
618		705
619	slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);	706	slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
620		707
621	vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly	708	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
622		709
623	delete pkt;	710	delete pkt;
624	}	711	}
625		712
626	void	713	void
…		…
630	conf->id, rid, (const char *)rsi);	717	conf->id, rid, (const char *)rsi);
631		718
632	connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);	719	connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
633		720
634	r->hmac_set (octx);	721	r->hmac_set (octx);
635	vpn->send_vpn_packet (r, si);	722	send_vpn_packet (r, si);
636		723
637	delete r;	724	delete r;
638	}	725	}
639		726
640	void	727	void
…		…
651	if (retry_int < 3600 * 8)	738	if (retry_int < 3600 * 8)
652	retry_cnt++;	739	retry_cnt++;
653		740
654	w.at = NOW + retry_int;	741	w.at = NOW + retry_int;
655		742
656	if (conf->hostname)	743	reset_si ();
		744
		745	if (si.prot && !si.host)
		746	vpn->send_connect_request (conf->id);
		747	else
657	{	748	{
658	reset_dstaddr ();	749	const sockinfo &dsi = forward_si (si);
659		750
660	if (si.valid () && auth_rate_limiter.can (si))	751	if (dsi.valid () && auth_rate_limiter.can (dsi))
661	{	752	{
662	if (retry_cnt < 4)	753	if (retry_cnt < 4)
663	send_auth_request (si, true);	754	send_auth_request (dsi, true);
664	else	755	else
665	send_ping (si, 0);	756	send_ping (dsi, 0);
666	}	757	}
667	}	758	}
668	else
669	vpn->connect_request (conf->id);
670	}	759	}
671	}	760	}
672		761
673	void	762	void
674	connection::reset_connection ()	763	connection::reset_connection ()
…		…
712	reset_connection ();	801	reset_connection ();
713	establish_connection ();	802	establish_connection ();
714	}	803	}
715		804
716	void	805	void
717	connection::send_data_packet (tap_packet *pkt, bool broadcast)	806	connection::send_data_packet (tap_packet *pkt)
718	{	807	{
719	vpndata_packet *p = new vpndata_packet;	808	vpndata_packet *p = new vpndata_packet;
720	int tos = 0;	809	int tos = 0;
721		810
722	if (conf->inherit_tos	811	// I am not hilarious about peeking into packets, but so be it.
723	&& (pkt)[12] == 0x08 && (pkt)[13] == 0x00 // IP	812	if (conf->inherit_tos && pkt->is_ipv4 ())
724	&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4
725	tos = (*pkt)[15] & IPTOS_TOS_MASK;	813	tos = (*pkt)[15] & IPTOS_TOS_MASK;
726		814
727	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs	815	p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
728	vpn->send_vpn_packet (p, si, tos);	816	send_vpn_packet (p, si, tos);
729		817
730	delete p;	818	delete p;
731		819
732	if (oseqno > MAX_SEQNO)	820	if (oseqno > MAX_SEQNO)
733	rekey ();	821	rekey ();
734	}	822	}
735		823
736	void	824	void
737	connection::inject_data_packet (tap_packet *pkt, bool broadcast)	825	connection::inject_data_packet (tap_packet pkt, bool broadcast/TODO DDD*/)
738	{	826	{
739	if (ictx && octx)	827	if (ictx && octx)
740	send_data_packet (pkt, broadcast);	828	send_data_packet (pkt);
741	else	829	else
742	{	830	{
743	if (!broadcast)//DDDD	831	if (!broadcast)//DDDD
744	queue.put (new tap_packet (*pkt));	832	data_queue.put (new tap_packet (*pkt));
		833
		834	establish_connection ();
		835	}
		836	}
		837
		838	void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
		839	{
		840	if (ictx && octx)
		841	send_vpn_packet (pkt, si, tos);
		842	else
		843	{
		844	vpn_queue.put (new vpn_packet (*pkt));
745		845
746	establish_connection ();	846	establish_connection ();
747	}	847	}
748	}	848	}
749		849
…		…
811	rsachallenge k;	911	rsachallenge k;
812		912
813	if (0 > RSA_private_decrypt (sizeof (p->encr),	913	if (0 > RSA_private_decrypt (sizeof (p->encr),
814	(unsigned char )&p->encr, (unsigned char )&k,	914	(unsigned char )&p->encr, (unsigned char )&k,
815	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))	915	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
		916	{
816	slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),	917	slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
817	conf->nodename, (const char *)rsi);	918	conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
		919	break;
		920	}
818	else	921	else
819	{	922	{
820	retry_cnt = 0;
821	establish_connection.start (NOW + 8); //? ;)
822	keepalive.reset ();
823	rekey.reset ();
824
825	delete ictx;
826	ictx = 0;
827
828	delete octx;	923	delete octx;
829		924
830	octx = new crypto_ctx (k, 1);	925	octx = new crypto_ctx (k, 1);
831	oseqno = ntohl ((u32 )&k[CHG_SEQNO]) & 0x7fffffff;	926	oseqno = ntohl ((u32 )&k[CHG_SEQNO]) & 0x7fffffff;
832		927
833	conf->protocols = p->protocols;	928	conf->protocols = p->protocols;
		929
834	send_auth_response (rsi, p->id, k);	930	send_auth_response (rsi, p->id, k);
		931
		932	connection_established ();
835		933
836	break;	934	break;
837	}	935	}
838	}	936	}
		937	else
		938	slog (L_WARN, _("%s(%s): protocol mismatch"),
		939	conf->nodename, (const char *)rsi);
839		940
840	send_reset (rsi);	941	send_reset (rsi);
841	}	942	}
842		943
843	break;	944	break;
…		…
856	PROTOCOL_MINOR, conf->nodename, p->prot_minor);	957	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
857		958
858	rsachallenge chg;	959	rsachallenge chg;
859		960
860	if (!rsa_cache.find (p->id, chg))	961	if (!rsa_cache.find (p->id, chg))
		962	{
861	slog (L_ERR, _("%s(%s): unrequested auth response"),	963	slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
862	conf->nodename, (const char *)rsi);	964	conf->nodename, (const char *)rsi);
		965	break;
		966	}
863	else	967	else
864	{	968	{
865	crypto_ctx *cctx = new crypto_ctx (chg, 0);	969	crypto_ctx *cctx = new crypto_ctx (chg, 0);
866		970
867	if (!p->hmac_chk (cctx))	971	if (!p->hmac_chk (cctx))
		972	{
868	slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"	973	slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
869	"could be an attack, or just corruption or an synchronization error"),	974	"could be an attack, or just corruption or an synchronization error"),
870	conf->nodename, (const char *)rsi);	975	conf->nodename, (const char *)rsi);
		976	break;
		977	}
871	else	978	else
872	{	979	{
873	rsaresponse h;	980	rsaresponse h;
874		981
875	rsa_hash (p->id, chg, h);	982	rsa_hash (p->id, chg, h);
…		…
881	delete ictx; ictx = cctx;	988	delete ictx; ictx = cctx;
882		989
883	iseqno.reset (ntohl ((u32 )&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid	990	iseqno.reset (ntohl ((u32 )&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
884		991
885	si = rsi;	992	si = rsi;
		993	protocol = rsi.prot;
886		994
887	rekey.start (NOW + ::conf.rekey);	995	connection_established ();
888	keepalive.start (NOW + ::conf.keepalive);
889		996
890	// send queued packets
891	while (tap_packet *p = queue.get ())
892	{
893	send_data_packet (p);
894	delete p;
895	}
896
897	connectmode = conf->connectmode;
898
899	slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),	997	slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
900	conf->nodename, (const char *)rsi,	998	conf->nodename, (const char *)rsi,
901	strprotocol (protocol),
902	p->prot_major, p->prot_minor);	999	p->prot_major, p->prot_minor);
903		1000
904	if (::conf.script_node_up)	1001	if (::conf.script_node_up)
905	run_script (run_script_cb (this, &connection::script_node_up), false);	1002	run_script (run_script_cb (this, &connection::script_node_up), false);
906		1003
…		…
929		1026
930	if (ictx && octx)	1027	if (ictx && octx)
931	{	1028	{
932	vpndata_packet p = (vpndata_packet )pkt;	1029	vpndata_packet p = (vpndata_packet )pkt;
933		1030
934	if (rsi == si)	1031	if (!p->hmac_chk (ictx))
		1032	slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
		1033	"could be an attack, or just corruption or an synchronization error"),
		1034	conf->nodename, (const char *)rsi);
		1035	else
935	{	1036	{
936	if (!p->hmac_chk (ictx))
937	slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
938	"could be an attack, or just corruption or an synchronization error"),
939	conf->nodename, (const char *)rsi);
940	else	1037	u32 seqno;
		1038	tap_packet *d = p->unpack (this, seqno);
		1039
		1040	if (iseqno.recv_ok (seqno))
941	{	1041	{
942	u32 seqno;	1042	vpn->tap->send (d);
943	tap_packet *d = p->unpack (this, seqno);
944		1043
945	if (iseqno.recv_ok (seqno))	1044	if (si != rsi)
946	{	1045	{
947	vpn->tap->send (d);	1046	// fast re-sync on connection changes, useful especially for tcp/ip
948
949	if (p->dst () == 0) // re-broadcast
950	for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
951	{
952	connection c = i;
953
954	if (c->conf != THISNODE && c->conf != conf)
955	c->inject_data_packet (d);
956	}
957
958	delete d;
959
960	break;	1047	si = rsi;
		1048
		1049	slog (L_INFO, _("%s(%s): socket address changed to %s"),
		1050	conf->nodename, (const char )si, (const char )rsi);
961	}	1051	}
		1052
		1053	delete d;
		1054
		1055	break;
962	}	1056	}
963	}	1057	}
964	else
965	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
966	}	1058	}
967		1059
968	send_reset (rsi);	1060	send_reset (rsi);
969	break;	1061	break;
970		1062
…		…
972	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))	1064	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
973	{	1065	{
974	connect_req_packet p = (connect_req_packet ) pkt;	1066	connect_req_packet p = (connect_req_packet ) pkt;
975		1067
976	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything	1068	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
		1069	connection *c = vpn->conns[p->id - 1];
977	conf->protocols = p->protocols;	1070	conf->protocols = p->protocols;
978	connection *c = vpn->conns[p->id - 1];
979		1071
980	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",	1072	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
981	conf->id, p->id, c->ictx && c->octx);	1073	conf->id, p->id, c->ictx && c->octx);
982		1074
983	if (c->ictx && c->octx)	1075	if (c->ictx && c->octx)
…		…
985	// send connect_info packets to both sides, in case one is	1077	// send connect_info packets to both sides, in case one is
986	// behind a nat firewall (or both ;)	1078	// behind a nat firewall (or both ;)
987	c->send_connect_info (conf->id, si, conf->protocols);	1079	c->send_connect_info (conf->id, si, conf->protocols);
988	send_connect_info (c->conf->id, c->si, c->conf->protocols);	1080	send_connect_info (c->conf->id, c->si, c->conf->protocols);
989	}	1081	}
		1082	else
		1083	c->establish_connection ();
990	}	1084	}
991		1085
992	break;	1086	break;
993		1087
994	case vpn_packet::PT_CONNECT_INFO:	1088	case vpn_packet::PT_CONNECT_INFO:
995	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))	1089	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
996	{	1090	{
997	connect_info_packet p = (connect_info_packet ) pkt;	1091	connect_info_packet p = (connect_info_packet ) pkt;
998		1092
999	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything	1093	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1000	conf->protocols = p->protocols;	1094
1001	connection *c = vpn->conns[p->id - 1];	1095	connection *c = vpn->conns[p->id - 1];
		1096
		1097	c->conf->protocols = p->protocols;
		1098	protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
		1099	p->si.upgrade_protocol (protocol, c->conf);
1002		1100
1003	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",	1101	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1004	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);	1102	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1005		1103
		1104	const sockinfo &dsi = forward_si (p->si);
		1105
		1106	if (dsi.valid ())
1006	c->send_auth_request (p->si, true);	1107	c->send_auth_request (dsi, true);
1007	}	1108	}
1008		1109
1009	break;	1110	break;
1010		1111
1011	default:	1112	default:
…		…
1027	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)	1128	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)
1028	{	1129	{
1029	send_ping (si);	1130	send_ping (si);
1030	w.at = NOW + 5;	1131	w.at = NOW + 5;
1031	}	1132	}
		1133	else if (NOW < last_activity + ::conf.keepalive + 10)
		1134	// hold ondemand connections implicitly a few seconds longer
		1135	// should delete octx, though, or something like that ;)
		1136	w.at = last_activity + ::conf.keepalive + 10;
1032	else	1137	else
1033	reset_connection ();	1138	reset_connection ();
1034	}	1139	}
1035		1140
1036	void connection::connect_request (int id)	1141	void connection::send_connect_request (int id)
1037	{	1142	{
1038	connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);	1143	connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1039		1144
1040	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);	1145	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1041	p->hmac_set (octx);	1146	p->hmac_set (octx);
1042	vpn->send_vpn_packet (p, si);	1147	send_vpn_packet (p, si);
1043		1148
1044	delete p;	1149	delete p;
1045	}	1150	}
1046		1151
1047	void connection::script_node ()	1152	void connection::script_node ()

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/src/connection.C (file contents): Revision 1.6 by pcg, Sat Apr 5 02:32:40 2003 UTC vs. Revision 1.23 by pcg, Wed Oct 22 00:42:53 2003 UTC

Diff Legend

Comparing gvpe/src/connection.C (file contents):
Revision 1.6 by pcg, Sat Apr 5 02:32:40 2003 UTC vs.
Revision 1.23 by pcg, Wed Oct 22 00:42:53 2003 UTC