ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.7 by pcg, Sat Apr 5 17:54:22 2003 UTC vs.
Revision 1.25 by pcg, Sat Jan 17 01:18:36 2004 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2004 Marc Lehmann <pcg@goof.com>
3 4
4 This program is free software; you can redistribute it and/or modify 5 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by 6 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or 7 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version. 8 (at your option) any later version.
20 21
21extern "C" { 22extern "C" {
22# include "lzf/lzf.h" 23# include "lzf/lzf.h"
23} 24}
24 25
26#include <cassert>
27
25#include <list> 28#include <list>
26 29
27#include <openssl/rand.h> 30#include <openssl/rand.h>
28#include <openssl/evp.h> 31#include <openssl/evp.h>
29#include <openssl/rsa.h> 32#include <openssl/rsa.h>
34#include "conf.h" 37#include "conf.h"
35#include "slog.h" 38#include "slog.h"
36#include "device.h" 39#include "device.h"
37#include "vpn.h" 40#include "vpn.h"
38#include "connection.h" 41#include "connection.h"
42
43#include "netcompat.h"
39 44
40#if !HAVE_RAND_PSEUDO_BYTES 45#if !HAVE_RAND_PSEUDO_BYTES
41# define RAND_pseudo_bytes RAND_bytes 46# define RAND_pseudo_bytes RAND_bytes
42#endif 47#endif
43 48
131 136
132} rsa_cache; 137} rsa_cache;
133 138
134void rsa_cache::cleaner_cb (time_watcher &w) 139void rsa_cache::cleaner_cb (time_watcher &w)
135{ 140{
136 if (empty ()) 141 if (!empty ())
137 w.at = TSTAMP_CANCEL;
138 else
139 { 142 {
140 w.at = NOW + RSA_TTL; 143 w.start (NOW + RSA_TTL);
141 144
142 for (iterator i = begin (); i != end (); ) 145 for (iterator i = begin (); i != end (); )
143 if (i->expire <= NOW) 146 if (i->expire <= NOW)
144 i = erase (i); 147 i = erase (i);
145 else 148 else
147 } 150 }
148} 151}
149 152
150////////////////////////////////////////////////////////////////////////////// 153//////////////////////////////////////////////////////////////////////////////
151 154
152void pkt_queue::put (tap_packet *p) 155void pkt_queue::put (net_packet *p)
153{ 156{
154 if (queue[i]) 157 if (queue[i])
155 { 158 {
156 delete queue[i]; 159 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH; 160 j = (j + 1) % QUEUEDEPTH;
160 queue[i] = p; 163 queue[i] = p;
161 164
162 i = (i + 1) % QUEUEDEPTH; 165 i = (i + 1) % QUEUEDEPTH;
163} 166}
164 167
165tap_packet *pkt_queue::get () 168net_packet *pkt_queue::get ()
166{ 169{
167 tap_packet *p = queue[j]; 170 net_packet *p = queue[j];
168 171
169 if (p) 172 if (p)
170 { 173 {
171 queue[j] = 0; 174 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH; 175 j = (j + 1) % QUEUEDEPTH;
197// only do action once every x seconds per host whole allowing bursts. 200// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 201// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 202// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 203struct net_rate_limiter : list<net_rateinfo>
201{ 204{
202 static const double ALPHA = 1. - 1. / 90.; // allow bursts 205 static const double ALPHA = 1. - 1. / 600.; // allow bursts
203 static const double CUTOFF = 20.; // one event every CUTOFF seconds 206 static const double CUTOFF = 10.; // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 207 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
208 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205 209
206 bool can (const sockinfo &si) { return can((u32)si.host); } 210 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 211 bool can (u32 host);
208}; 212};
209 213
210net_rate_limiter auth_rate_limiter, reset_rate_limiter; 214net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211 215
225 { 229 {
226 net_rateinfo ri; 230 net_rateinfo ri;
227 231
228 ri.host = host; 232 ri.host = host;
229 ri.pcnt = 1.; 233 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 234 ri.diff = MAXDIF;
231 ri.last = NOW; 235 ri.last = NOW;
232 236
233 push_front (ri); 237 push_front (ri);
234 238
235 return true; 239 return true;
242 ri.pcnt = ri.pcnt * ALPHA; 246 ri.pcnt = ri.pcnt * ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 247 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244 248
245 ri.last = NOW; 249 ri.last = NOW;
246 250
251 double dif = ri.diff / ri.pcnt;
252
247 bool send = ri.diff / ri.pcnt > CUTOFF; 253 bool send = dif > CUTOFF;
248 254
255 if (dif > MAXDIF)
256 {
257 ri.pcnt = 1.;
258 ri.diff = MAXDIF;
259 }
249 if (send) 260 else if (send)
250 ri.pcnt++; 261 ri.pcnt++;
251 262
252 push_front (ri); 263 push_front (ri);
253 264
254 return send; 265 return send;
467 set_hdr (type, dst); 478 set_hdr (type, dst);
468} 479}
469 480
470bool config_packet::chk_config () const 481bool config_packet::chk_config () const
471{ 482{
472 return prot_major == PROTOCOL_MAJOR 483 if (prot_major != PROTOCOL_MAJOR)
473 && randsize == RAND_SIZE 484 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
474 && hmaclen == HMACLENGTH 485 else if (randsize != RAND_SIZE)
475 && flags == curflags () 486 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
487 else if (hmaclen != HMACLENGTH)
488 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
489 else if (flags != curflags ())
490 slog (L_WARN, _("flag mismatch (remote %x <=> local %x)"), flags, curflags ());
476 && challengelen == sizeof (rsachallenge) 491 else if (challengelen != sizeof (rsachallenge))
492 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
477 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 493 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
494 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 495 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
496 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 497 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
498 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
499 else
500 return true;
501
502 return false;
480} 503}
481 504
482struct auth_req_packet : config_packet 505struct auth_req_packet : config_packet
483{ 506{
484 char magic[8]; 507 char magic[8];
546}; 569};
547 570
548///////////////////////////////////////////////////////////////////////////// 571/////////////////////////////////////////////////////////////////////////////
549 572
550void 573void
574connection::connection_established ()
575{
576 if (ictx && octx)
577 {
578 connectmode = conf->connectmode;
579
580 rekey.start (NOW + ::conf.rekey);
581 keepalive.start (NOW + ::conf.keepalive);
582
583 // send queued packets
584 if (ictx && octx)
585 {
586 while (tap_packet *p = (tap_packet *)data_queue.get ())
587 {
588 send_data_packet (p);
589 delete p;
590 }
591
592 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
593 {
594 send_vpn_packet (p, si, IPTOS_RELIABILITY);
595 delete p;
596 }
597 }
598 }
599 else
600 {
601 retry_cnt = 0;
602 establish_connection.start (NOW + 5);
603 keepalive.stop ();
604 rekey.stop ();
605 }
606}
607
608void
551connection::reset_dstaddr () 609connection::reset_si ()
552{ 610{
553 protocol = best_protocol (THISNODE->protocols & conf->protocols); 611 protocol = best_protocol (THISNODE->protocols & conf->protocols);
554 612
555 // mask out protocols we cannot establish 613 // mask out protocols we cannot establish
556 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 614 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
557 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 615 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
558 616
559 si.set (conf, protocol); 617 si.set (conf, protocol);
560} 618}
561 619
620// ensure sockinfo is valid, forward if necessary
621const sockinfo &
622connection::forward_si (const sockinfo &si) const
623{
624 if (!si.valid ())
625 {
626 connection *r = vpn->find_router ();
627
628 if (r)
629 {
630 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
631 conf->nodename, r->conf->nodename);
632 return r->si;
633 }
634 else
635 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
636 conf->nodename);
637 }
638
639 return si;
640}
641
642void
643connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
644{
645 if (!vpn->send_vpn_packet (pkt, si, tos))
646 reset_connection ();
647}
648
562void 649void
563connection::send_ping (const sockinfo &si, u8 pong) 650connection::send_ping (const sockinfo &si, u8 pong)
564{ 651{
565 ping_packet *pkt = new ping_packet; 652 ping_packet *pkt = new ping_packet;
566 653
567 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 654 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
568 vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 655 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
569 656
570 delete pkt; 657 delete pkt;
571} 658}
572 659
573void 660void
576 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED) 663 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
577 { 664 {
578 config_packet *pkt = new config_packet; 665 config_packet *pkt = new config_packet;
579 666
580 pkt->setup (vpn_packet::PT_RESET, conf->id); 667 pkt->setup (vpn_packet::PT_RESET, conf->id);
581 vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST); 668 send_vpn_packet (pkt, si, IPTOS_MINCOST);
582 669
583 delete pkt; 670 delete pkt;
584 } 671 }
585} 672}
586 673
588connection::send_auth_request (const sockinfo &si, bool initiate) 675connection::send_auth_request (const sockinfo &si, bool initiate)
589{ 676{
590 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols); 677 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
591 678
592 rsachallenge chg; 679 rsachallenge chg;
593
594 rsa_cache.gen (pkt->id, chg); 680 rsa_cache.gen (pkt->id, chg);
595 681 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
596 if (0 > RSA_public_encrypt (sizeof chg,
597 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
598 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
599 fatal ("RSA_public_encrypt error");
600 682
601 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 683 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
602 684
603 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 685 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
604 686
605 delete pkt; 687 delete pkt;
606} 688}
607 689
608void 690void
616 698
617 pkt->hmac_set (octx); 699 pkt->hmac_set (octx);
618 700
619 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 701 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
620 702
621 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 703 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
622 704
623 delete pkt; 705 delete pkt;
624} 706}
625 707
626void 708void
630 conf->id, rid, (const char *)rsi); 712 conf->id, rid, (const char *)rsi);
631 713
632 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 714 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
633 715
634 r->hmac_set (octx); 716 r->hmac_set (octx);
635 vpn->send_vpn_packet (r, si); 717 send_vpn_packet (r, si);
636 718
637 delete r; 719 delete r;
638} 720}
639 721
640void 722void
641connection::establish_connection_cb (time_watcher &w) 723connection::establish_connection_cb (time_watcher &w)
642{ 724{
643 if (ictx || conf == THISNODE 725 if (!ictx
726 && conf != THISNODE
644 || connectmode == conf_node::C_NEVER 727 && connectmode != conf_node::C_NEVER
645 || connectmode == conf_node::C_DISABLED) 728 && connectmode != conf_node::C_DISABLED
646 w.at = TSTAMP_CANCEL; 729 && w.at <= NOW)
647 else if (w.at <= NOW)
648 { 730 {
649 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 731 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
650 732
651 if (retry_int < 3600 * 8) 733 if (retry_int < 3600 * 8)
652 retry_cnt++; 734 retry_cnt++;
653 735
654 w.at = NOW + retry_int; 736 w.start (NOW + retry_int);
655 737
656 if (conf->hostname) 738 reset_si ();
739
740 if (si.prot && !si.host)
741 vpn->send_connect_request (conf->id);
742 else
657 { 743 {
658 reset_dstaddr (); 744 const sockinfo &dsi = forward_si (si);
659 745
660 if (si.valid () && auth_rate_limiter.can (si)) 746 if (dsi.valid () && auth_rate_limiter.can (dsi))
661 { 747 {
662 if (retry_cnt < 4) 748 if (retry_cnt < 4)
663 send_auth_request (si, true); 749 send_auth_request (dsi, true);
664 else 750 else
665 send_ping (si, 0); 751 send_ping (dsi, 0);
666 } 752 }
667 } 753 }
668 else
669 vpn->connect_request (conf->id);
670 } 754 }
671} 755}
672 756
673void 757void
674connection::reset_connection () 758connection::reset_connection ()
688 si.host= 0; 772 si.host= 0;
689 773
690 last_activity = 0; 774 last_activity = 0;
691 retry_cnt = 0; 775 retry_cnt = 0;
692 776
693 rekey.reset (); 777 rekey.stop ();
694 keepalive.reset (); 778 keepalive.stop ();
695 establish_connection.reset (); 779 establish_connection.stop ();
696} 780}
697 781
698void 782void
699connection::shutdown () 783connection::shutdown ()
700{ 784{
705} 789}
706 790
707void 791void
708connection::rekey_cb (time_watcher &w) 792connection::rekey_cb (time_watcher &w)
709{ 793{
710 w.at = TSTAMP_CANCEL;
711
712 reset_connection (); 794 reset_connection ();
713 establish_connection (); 795 establish_connection ();
714} 796}
715 797
716void 798void
717connection::send_data_packet (tap_packet *pkt, bool broadcast) 799connection::send_data_packet (tap_packet *pkt)
718{ 800{
719 vpndata_packet *p = new vpndata_packet; 801 vpndata_packet *p = new vpndata_packet;
720 int tos = 0; 802 int tos = 0;
721 803
722 if (conf->inherit_tos 804 // I am not hilarious about peeking into packets, but so be it.
723 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 805 if (conf->inherit_tos && pkt->is_ipv4 ())
724 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
725 tos = (*pkt)[15] & IPTOS_TOS_MASK; 806 tos = (*pkt)[15] & IPTOS_TOS_MASK;
726 807
727 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 808 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
728 vpn->send_vpn_packet (p, si, tos); 809 send_vpn_packet (p, si, tos);
729 810
730 delete p; 811 delete p;
731 812
732 if (oseqno > MAX_SEQNO) 813 if (oseqno > MAX_SEQNO)
733 rekey (); 814 rekey ();
734} 815}
735 816
736void 817void
737connection::inject_data_packet (tap_packet *pkt, bool broadcast) 818connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/)
738{ 819{
739 if (ictx && octx) 820 if (ictx && octx)
740 send_data_packet (pkt, broadcast); 821 send_data_packet (pkt);
741 else 822 else
742 { 823 {
743 if (!broadcast)//DDDD 824 if (!broadcast)//DDDD
744 queue.put (new tap_packet (*pkt)); 825 data_queue.put (new tap_packet (*pkt));
826
827 establish_connection ();
828 }
829}
830
831void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
832{
833 if (ictx && octx)
834 send_vpn_packet (pkt, si, tos);
835 else
836 {
837 vpn_queue.put (new vpn_packet (*pkt));
745 838
746 establish_connection (); 839 establish_connection ();
747 } 840 }
748} 841}
749 842
808 if (p->initiate) 901 if (p->initiate)
809 send_auth_request (rsi, false); 902 send_auth_request (rsi, false);
810 903
811 rsachallenge k; 904 rsachallenge k;
812 905
813 if (0 > RSA_private_decrypt (sizeof (p->encr), 906 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
814 (unsigned char *)&p->encr, (unsigned char *)&k, 907 {
815 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
816 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 908 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
817 conf->nodename, (const char *)rsi); 909 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
910 break;
911 }
818 else 912 else
819 { 913 {
820 retry_cnt = 0;
821 establish_connection.start (NOW + 8); //? ;)
822 keepalive.reset ();
823 rekey.reset ();
824
825 delete ictx;
826 ictx = 0;
827
828 delete octx; 914 delete octx;
829 915
830 octx = new crypto_ctx (k, 1); 916 octx = new crypto_ctx (k, 1);
831 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 917 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
832 918
833 conf->protocols = p->protocols; 919 conf->protocols = p->protocols;
920
834 send_auth_response (rsi, p->id, k); 921 send_auth_response (rsi, p->id, k);
922
923 connection_established ();
835 924
836 break; 925 break;
837 } 926 }
838 } 927 }
928 else
929 slog (L_WARN, _("%s(%s): protocol mismatch"),
930 conf->nodename, (const char *)rsi);
839 931
840 send_reset (rsi); 932 send_reset (rsi);
841 } 933 }
842 934
843 break; 935 break;
856 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 948 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
857 949
858 rsachallenge chg; 950 rsachallenge chg;
859 951
860 if (!rsa_cache.find (p->id, chg)) 952 if (!rsa_cache.find (p->id, chg))
953 {
861 slog (L_ERR, _("%s(%s): unrequested auth response"), 954 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
862 conf->nodename, (const char *)rsi); 955 conf->nodename, (const char *)rsi);
956 break;
957 }
863 else 958 else
864 { 959 {
865 crypto_ctx *cctx = new crypto_ctx (chg, 0); 960 crypto_ctx *cctx = new crypto_ctx (chg, 0);
866 961
867 if (!p->hmac_chk (cctx)) 962 if (!p->hmac_chk (cctx))
963 {
868 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 964 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
869 "could be an attack, or just corruption or an synchronization error"), 965 "could be an attack, or just corruption or an synchronization error"),
870 conf->nodename, (const char *)rsi); 966 conf->nodename, (const char *)rsi);
967 break;
968 }
871 else 969 else
872 { 970 {
873 rsaresponse h; 971 rsaresponse h;
874 972
875 rsa_hash (p->id, chg, h); 973 rsa_hash (p->id, chg, h);
883 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 981 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
884 982
885 si = rsi; 983 si = rsi;
886 protocol = rsi.prot; 984 protocol = rsi.prot;
887 985
888 rekey.start (NOW + ::conf.rekey); 986 connection_established ();
889 keepalive.start (NOW + ::conf.keepalive);
890
891 // send queued packets
892 while (tap_packet *p = queue.get ())
893 {
894 send_data_packet (p);
895 delete p;
896 }
897
898 connectmode = conf->connectmode;
899 987
900 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), 988 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
901 conf->nodename, (const char *)rsi, 989 conf->nodename, (const char *)rsi,
902 p->prot_major, p->prot_minor); 990 p->prot_major, p->prot_minor);
903 991
929 1017
930 if (ictx && octx) 1018 if (ictx && octx)
931 { 1019 {
932 vpndata_packet *p = (vpndata_packet *)pkt; 1020 vpndata_packet *p = (vpndata_packet *)pkt;
933 1021
934 if (rsi == si) 1022 if (!p->hmac_chk (ictx))
1023 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1024 "could be an attack, or just corruption or an synchronization error"),
1025 conf->nodename, (const char *)rsi);
1026 else
935 { 1027 {
936 if (!p->hmac_chk (ictx))
937 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
938 "could be an attack, or just corruption or an synchronization error"),
939 conf->nodename, (const char *)rsi);
940 else 1028 u32 seqno;
1029 tap_packet *d = p->unpack (this, seqno);
1030
1031 if (iseqno.recv_ok (seqno))
941 { 1032 {
942 u32 seqno; 1033 vpn->tap->send (d);
943 tap_packet *d = p->unpack (this, seqno);
944 1034
945 if (iseqno.recv_ok (seqno)) 1035 if (si != rsi)
946 { 1036 {
947 vpn->tap->send (d); 1037 // fast re-sync on connection changes, useful especially for tcp/ip
948
949 if (p->dst () == 0) // re-broadcast
950 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
951 {
952 connection *c = *i;
953
954 if (c->conf != THISNODE && c->conf != conf)
955 c->inject_data_packet (d);
956 }
957
958 delete d;
959
960 break; 1038 si = rsi;
1039
1040 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1041 conf->nodename, (const char *)si, (const char *)rsi);
961 } 1042 }
1043
1044 delete d;
1045
1046 break;
962 } 1047 }
963 } 1048 }
964 else
965 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
966 } 1049 }
967 1050
968 send_reset (rsi); 1051 send_reset (rsi);
969 break; 1052 break;
970 1053
985 // send connect_info packets to both sides, in case one is 1068 // send connect_info packets to both sides, in case one is
986 // behind a nat firewall (or both ;) 1069 // behind a nat firewall (or both ;)
987 c->send_connect_info (conf->id, si, conf->protocols); 1070 c->send_connect_info (conf->id, si, conf->protocols);
988 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1071 send_connect_info (c->conf->id, c->si, c->conf->protocols);
989 } 1072 }
1073 else
1074 c->establish_connection ();
990 } 1075 }
991 1076
992 break; 1077 break;
993 1078
994 case vpn_packet::PT_CONNECT_INFO: 1079 case vpn_packet::PT_CONNECT_INFO:
1004 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1089 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1005 p->si.upgrade_protocol (protocol, c->conf); 1090 p->si.upgrade_protocol (protocol, c->conf);
1006 1091
1007 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1092 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1008 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1093 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1009 //slog (L_ERR, "%d PROTOCL(C%x,T%x,0S%x,S%x,P%x,SP%x)",
1010 // p->id, c->conf->protocols, THISNODE->protocols, p->si.supported_protocols(0), p->si.supported_protocols (c->conf),
1011 // protocol, p->si.prot);
1012 1094
1095 const sockinfo &dsi = forward_si (p->si);
1096
1097 if (dsi.valid ())
1013 c->send_auth_request (p->si, true); 1098 c->send_auth_request (dsi, true);
1014 } 1099 }
1015 1100
1016 break; 1101 break;
1017 1102
1018 default: 1103 default:
1027 { 1112 {
1028 reset_connection (); 1113 reset_connection ();
1029 establish_connection (); 1114 establish_connection ();
1030 } 1115 }
1031 else if (NOW < last_activity + ::conf.keepalive) 1116 else if (NOW < last_activity + ::conf.keepalive)
1032 w.at = last_activity + ::conf.keepalive; 1117 w.start (last_activity + ::conf.keepalive);
1033 else if (conf->connectmode != conf_node::C_ONDEMAND 1118 else if (conf->connectmode != conf_node::C_ONDEMAND
1034 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1119 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1035 { 1120 {
1036 send_ping (si); 1121 send_ping (si);
1037 w.at = NOW + 5; 1122 w.start (NOW + 5);
1038 } 1123 }
1124 else if (NOW < last_activity + ::conf.keepalive + 10)
1125 // hold ondemand connections implicitly a few seconds longer
1126 // should delete octx, though, or something like that ;)
1127 w.start (last_activity + ::conf.keepalive + 10);
1039 else 1128 else
1040 reset_connection (); 1129 reset_connection ();
1041} 1130}
1042 1131
1043void connection::connect_request (int id) 1132void connection::send_connect_request (int id)
1044{ 1133{
1045 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1134 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1046 1135
1047 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1136 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1048 p->hmac_set (octx); 1137 p->hmac_set (octx);
1049 vpn->send_vpn_packet (p, si); 1138 send_vpn_packet (p, si);
1050 1139
1051 delete p; 1140 delete p;
1052} 1141}
1053 1142
1054void connection::script_node () 1143void connection::script_node ()

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines