ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.1 by pcg, Wed Apr 2 03:06:22 2003 UTC vs.
Revision 1.26 by pcg, Sat Jan 17 14:08:57 2004 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2004 Marc Lehmann <pcg@goof.com>
3 4
4 This program is free software; you can redistribute it and/or modify 5 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by 6 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or 7 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version. 8 (at your option) any later version.
20 21
21extern "C" { 22extern "C" {
22# include "lzf/lzf.h" 23# include "lzf/lzf.h"
23} 24}
24 25
26#include <cassert>
27
25#include <list> 28#include <list>
29
30#include <openssl/rand.h>
31#include <openssl/evp.h>
32#include <openssl/rsa.h>
33#include <openssl/err.h>
26 34
27#include "gettext.h" 35#include "gettext.h"
28 36
29#include "conf.h" 37#include "conf.h"
30#include "slog.h" 38#include "slog.h"
31#include "device.h" 39#include "device.h"
32#include "protocol.h" 40#include "vpn.h"
33#include "connection.h" 41#include "connection.h"
42
43#include "netcompat.h"
34 44
35#if !HAVE_RAND_PSEUDO_BYTES 45#if !HAVE_RAND_PSEUDO_BYTES
36# define RAND_pseudo_bytes RAND_bytes 46# define RAND_pseudo_bytes RAND_bytes
37#endif 47#endif
38 48
80 rsachallenge chg; 90 rsachallenge chg;
81}; 91};
82 92
83struct rsa_cache : list<rsa_entry> 93struct rsa_cache : list<rsa_entry>
84{ 94{
85 void cleaner_cb (tstamp &ts); time_watcher cleaner; 95 void cleaner_cb (time_watcher &w); time_watcher cleaner;
86 96
87 bool find (const rsaid &id, rsachallenge &chg) 97 bool find (const rsaid &id, rsachallenge &chg)
88 { 98 {
89 for (iterator i = begin (); i != end (); ++i) 99 for (iterator i = begin (); i != end (); ++i)
90 { 100 {
124 : cleaner (this, &rsa_cache::cleaner_cb) 134 : cleaner (this, &rsa_cache::cleaner_cb)
125 { } 135 { }
126 136
127} rsa_cache; 137} rsa_cache;
128 138
129void rsa_cache::cleaner_cb (tstamp &ts) 139void rsa_cache::cleaner_cb (time_watcher &w)
130{ 140{
131 if (empty ()) 141 if (!empty ())
132 ts = TSTAMP_CANCEL;
133 else
134 { 142 {
135 ts = NOW + RSA_TTL; 143 w.start (NOW + RSA_TTL);
136 144
137 for (iterator i = begin (); i != end (); ) 145 for (iterator i = begin (); i != end (); )
138 if (i->expire <= NOW) 146 if (i->expire <= NOW)
139 i = erase (i); 147 i = erase (i);
140 else 148 else
142 } 150 }
143} 151}
144 152
145////////////////////////////////////////////////////////////////////////////// 153//////////////////////////////////////////////////////////////////////////////
146 154
147void pkt_queue::put (tap_packet *p) 155void pkt_queue::put (net_packet *p)
148{ 156{
149 if (queue[i]) 157 if (queue[i])
150 { 158 {
151 delete queue[i]; 159 delete queue[i];
152 j = (j + 1) % QUEUEDEPTH; 160 j = (j + 1) % QUEUEDEPTH;
155 queue[i] = p; 163 queue[i] = p;
156 164
157 i = (i + 1) % QUEUEDEPTH; 165 i = (i + 1) % QUEUEDEPTH;
158} 166}
159 167
160tap_packet *pkt_queue::get () 168net_packet *pkt_queue::get ()
161{ 169{
162 tap_packet *p = queue[j]; 170 net_packet *p = queue[j];
163 171
164 if (p) 172 if (p)
165 { 173 {
166 queue[j] = 0; 174 queue[j] = 0;
167 j = (j + 1) % QUEUEDEPTH; 175 j = (j + 1) % QUEUEDEPTH;
192// only do action once every x seconds per host whole allowing bursts. 200// only do action once every x seconds per host whole allowing bursts.
193// this implementation ("splay list" ;) is inefficient, 201// this implementation ("splay list" ;) is inefficient,
194// but low on resources. 202// but low on resources.
195struct net_rate_limiter : list<net_rateinfo> 203struct net_rate_limiter : list<net_rateinfo>
196{ 204{
197 static const double ALPHA = 1. - 1. / 90.; // allow bursts 205 static const double ALPHA = 1. - 1. / 600.; // allow bursts
198 static const double CUTOFF = 20.; // one event every CUTOFF seconds 206 static const double CUTOFF = 10.; // one event every CUTOFF seconds
199 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 207 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
208 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
200 209
201 bool can (const sockinfo &si) { return can((u32)si.host); } 210 bool can (const sockinfo &si) { return can((u32)si.host); }
202 bool can (u32 host); 211 bool can (u32 host);
203}; 212};
204 213
205net_rate_limiter auth_rate_limiter, reset_rate_limiter; 214net_rate_limiter auth_rate_limiter, reset_rate_limiter;
206 215
220 { 229 {
221 net_rateinfo ri; 230 net_rateinfo ri;
222 231
223 ri.host = host; 232 ri.host = host;
224 ri.pcnt = 1.; 233 ri.pcnt = 1.;
225 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 234 ri.diff = MAXDIF;
226 ri.last = NOW; 235 ri.last = NOW;
227 236
228 push_front (ri); 237 push_front (ri);
229 238
230 return true; 239 return true;
237 ri.pcnt = ri.pcnt * ALPHA; 246 ri.pcnt = ri.pcnt * ALPHA;
238 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 247 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
239 248
240 ri.last = NOW; 249 ri.last = NOW;
241 250
251 double dif = ri.diff / ri.pcnt;
252
242 bool send = ri.diff / ri.pcnt > CUTOFF; 253 bool send = dif > CUTOFF;
243 254
255 if (dif > MAXDIF)
256 {
257 ri.pcnt = 1.;
258 ri.diff = MAXDIF;
259 }
244 if (send) 260 else if (send)
245 ri.pcnt++; 261 ri.pcnt++;
246 262
247 push_front (ri); 263 push_front (ri);
248 264
249 return send; 265 return send;
280 hmac_gen (ctx); 296 hmac_gen (ctx);
281 297
282 return !memcmp (hmac, hmac_digest, HMACLENGTH); 298 return !memcmp (hmac, hmac_digest, HMACLENGTH);
283} 299}
284 300
285void vpn_packet::set_hdr (ptype type, unsigned int dst) 301void vpn_packet::set_hdr (ptype type_, unsigned int dst)
286{ 302{
287 this->type = type; 303 type = type_;
288 304
289 int src = THISNODE->id; 305 int src = THISNODE->id;
290 306
291 src1 = src; 307 src1 = src;
292 srcdst = ((src >> 8) << 4) | (dst >> 8); 308 srcdst = ((src >> 8) << 4) | (dst >> 8);
462 set_hdr (type, dst); 478 set_hdr (type, dst);
463} 479}
464 480
465bool config_packet::chk_config () const 481bool config_packet::chk_config () const
466{ 482{
467 return prot_major == PROTOCOL_MAJOR 483 if (prot_major != PROTOCOL_MAJOR)
468 && randsize == RAND_SIZE 484 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
469 && hmaclen == HMACLENGTH 485 else if (randsize != RAND_SIZE)
470 && flags == curflags () 486 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
487 else if (hmaclen != HMACLENGTH)
488 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
489 else if (flags != curflags ())
490 slog (L_WARN, _("flag mismatch (remote %x <=> local %x)"), flags, curflags ());
471 && challengelen == sizeof (rsachallenge) 491 else if (challengelen != sizeof (rsachallenge))
492 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
472 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 493 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
494 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
473 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 495 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
496 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
474 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 497 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
498 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
499 else
500 return true;
501
502 return false;
475} 503}
476 504
477struct auth_req_packet : config_packet 505struct auth_req_packet : config_packet
478{ 506{
479 char magic[8]; 507 char magic[8];
541}; 569};
542 570
543///////////////////////////////////////////////////////////////////////////// 571/////////////////////////////////////////////////////////////////////////////
544 572
545void 573void
574connection::connection_established ()
575{
576 if (ictx && octx)
577 {
578 connectmode = conf->connectmode;
579
580 rekey.start (NOW + ::conf.rekey);
581 keepalive.start (NOW + ::conf.keepalive);
582
583 // send queued packets
584 if (ictx && octx)
585 {
586 while (tap_packet *p = (tap_packet *)data_queue.get ())
587 {
588 send_data_packet (p);
589 delete p;
590 }
591
592 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
593 {
594 send_vpn_packet (p, si, IPTOS_RELIABILITY);
595 delete p;
596 }
597 }
598 }
599 else
600 {
601 retry_cnt = 0;
602 establish_connection.start (NOW + 5);
603 keepalive.stop ();
604 rekey.stop ();
605 }
606}
607
608void
546connection::reset_dstaddr () 609connection::reset_si ()
547{ 610{
611 protocol = best_protocol (THISNODE->protocols & conf->protocols);
612
613 // mask out protocols we cannot establish
614 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
615 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
616
548 si.set (conf); 617 si.set (conf, protocol);
618}
619
620// ensure sockinfo is valid, forward if necessary
621const sockinfo &
622connection::forward_si (const sockinfo &si) const
623{
624 if (!si.valid ())
625 {
626 connection *r = vpn->find_router ();
627
628 if (r)
629 {
630 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
631 conf->nodename, r->conf->nodename);
632 return r->si;
633 }
634 else
635 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
636 conf->nodename);
637 }
638
639 return si;
640}
641
642void
643connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
644{
645 if (!vpn->send_vpn_packet (pkt, si, tos))
646 reset_connection ();
549} 647}
550 648
551void 649void
552connection::send_ping (const sockinfo &si, u8 pong) 650connection::send_ping (const sockinfo &si, u8 pong)
553{ 651{
576void 674void
577connection::send_auth_request (const sockinfo &si, bool initiate) 675connection::send_auth_request (const sockinfo &si, bool initiate)
578{ 676{
579 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols); 677 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
580 678
581 protocol = best_protocol (THISNODE->protocols & conf->protocols);
582
583 rsachallenge chg; 679 rsachallenge chg;
584
585 rsa_cache.gen (pkt->id, chg); 680 rsa_cache.gen (pkt->id, chg);
586 681 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
587 if (0 > RSA_public_encrypt (sizeof chg,
588 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
589 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
590 fatal ("RSA_public_encrypt error");
591 682
592 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 683 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
593 684
594 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 685 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
595 686
596 delete pkt; 687 delete pkt;
597} 688}
598 689
599void 690void
627 718
628 delete r; 719 delete r;
629} 720}
630 721
631void 722void
632connection::establish_connection_cb (tstamp &ts) 723connection::establish_connection_cb (time_watcher &w)
633{ 724{
634 if (ictx || conf == THISNODE 725 if (!ictx
726 && conf != THISNODE
635 || connectmode == conf_node::C_NEVER 727 && connectmode != conf_node::C_NEVER
636 || connectmode == conf_node::C_DISABLED) 728 && connectmode != conf_node::C_DISABLED
637 ts = TSTAMP_CANCEL; 729 && NOW > w.at)
638 else if (ts <= NOW)
639 { 730 {
640 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 731 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
641 732
642 if (retry_int < 3600 * 8) 733 if (retry_int < 3600 * 8)
643 retry_cnt++; 734 retry_cnt++;
644 735
645 ts = NOW + retry_int; 736 w.start (NOW + retry_int);
646 737
647 if (conf->hostname) 738 reset_si ();
739
740 if (si.prot && !si.host)
741 vpn->send_connect_request (conf->id);
742 else
648 { 743 {
649 reset_dstaddr (); 744 const sockinfo &dsi = forward_si (si);
745
650 if (si.host && auth_rate_limiter.can (si)) 746 if (dsi.valid () && auth_rate_limiter.can (dsi))
651 { 747 {
652 if (retry_cnt < 4) 748 if (retry_cnt < 4)
653 send_auth_request (si, true); 749 send_auth_request (dsi, true);
654 else 750 else
655 send_ping (si, 0); 751 send_ping (dsi, 0);
656 } 752 }
657 } 753 }
658 else
659 vpn->connect_request (conf->id);
660 } 754 }
661} 755}
662 756
663void 757void
664connection::reset_connection () 758connection::reset_connection ()
678 si.host= 0; 772 si.host= 0;
679 773
680 last_activity = 0; 774 last_activity = 0;
681 retry_cnt = 0; 775 retry_cnt = 0;
682 776
683 rekey.reset (); 777 rekey.stop ();
684 keepalive.reset (); 778 keepalive.stop ();
685 establish_connection.reset (); 779 establish_connection.stop ();
686} 780}
687 781
688void 782void
689connection::shutdown () 783connection::shutdown ()
690{ 784{
693 787
694 reset_connection (); 788 reset_connection ();
695} 789}
696 790
697void 791void
698connection::rekey_cb (tstamp &ts) 792connection::rekey_cb (time_watcher &w)
699{ 793{
700 ts = TSTAMP_CANCEL;
701
702 reset_connection (); 794 reset_connection ();
703 establish_connection (); 795 establish_connection ();
704} 796}
705 797
706void 798void
707connection::send_data_packet (tap_packet *pkt, bool broadcast) 799connection::send_data_packet (tap_packet *pkt)
708{ 800{
709 vpndata_packet *p = new vpndata_packet; 801 vpndata_packet *p = new vpndata_packet;
710 int tos = 0; 802 int tos = 0;
711 803
712 if (conf->inherit_tos 804 // I am not hilarious about peeking into packets, but so be it.
713 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 805 if (conf->inherit_tos && pkt->is_ipv4 ())
714 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
715 tos = (*pkt)[15] & IPTOS_TOS_MASK; 806 tos = (*pkt)[15] & IPTOS_TOS_MASK;
716 807
717 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 808 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
718 send_vpn_packet (p, si, tos); 809 send_vpn_packet (p, si, tos);
719 810
720 delete p; 811 delete p;
721 812
722 if (oseqno > MAX_SEQNO) 813 if (oseqno > MAX_SEQNO)
723 rekey (); 814 rekey ();
724} 815}
725 816
726void 817void
727connection::inject_data_packet (tap_packet *pkt, bool broadcast) 818connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/)
728{ 819{
729 if (ictx && octx) 820 if (ictx && octx)
730 send_data_packet (pkt, broadcast); 821 send_data_packet (pkt);
731 else 822 else
732 { 823 {
733 if (!broadcast)//DDDD 824 if (!broadcast)//DDDD
734 queue.put (new tap_packet (*pkt)); 825 data_queue.put (new tap_packet (*pkt));
826
827 establish_connection ();
828 }
829}
830
831void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
832{
833 if (ictx && octx)
834 send_vpn_packet (pkt, si, tos);
835 else
836 {
837 vpn_queue.put (new vpn_packet (*pkt));
735 838
736 establish_connection (); 839 establish_connection ();
737 } 840 }
738} 841}
739 842
745 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 848 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
746 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 849 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
747 850
748 switch (pkt->typ ()) 851 switch (pkt->typ ())
749 { 852 {
750 case vpn_packet::PT_PING: 853 case vpn_packet::PT_PING:
751 // we send pings instead of auth packets after some retries, 854 // we send pings instead of auth packets after some retries,
752 // so reset the retry counter and establish a connection 855 // so reset the retry counter and establish a connection
753 // when we receive a ping. 856 // when we receive a ping.
754 if (!ictx) 857 if (!ictx)
858 {
859 if (auth_rate_limiter.can (rsi))
860 send_auth_request (rsi, true);
861 }
862 else
863 send_ping (rsi, 1); // pong
864
865 break;
866
867 case vpn_packet::PT_PONG:
868 break;
869
870 case vpn_packet::PT_RESET:
755 { 871 {
756 if (auth_rate_limiter.can (rsi)) 872 reset_connection ();
757 send_auth_request (rsi, true); 873
874 config_packet *p = (config_packet *) pkt;
875
876 if (!p->chk_config ())
877 {
878 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
879 conf->nodename, (const char *)rsi);
880 connectmode = conf_node::C_DISABLED;
881 }
882 else if (connectmode == conf_node::C_ALWAYS)
883 establish_connection ();
758 } 884 }
759 else
760 send_ping (rsi, 1); // pong
761
762 break; 885 break;
763 886
764 case vpn_packet::PT_PONG:
765 break;
766
767 case vpn_packet::PT_RESET: 887 case vpn_packet::PT_AUTH_REQ:
768 { 888 if (auth_rate_limiter.can (rsi))
769 reset_connection ();
770
771 config_packet *p = (config_packet *) pkt;
772
773 if (!p->chk_config ())
774 { 889 {
890 auth_req_packet *p = (auth_req_packet *) pkt;
891
892 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
893
894 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
895 {
896 if (p->prot_minor != PROTOCOL_MINOR)
897 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
898 conf->nodename, (const char *)rsi,
899 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
900
901 if (p->initiate)
902 send_auth_request (rsi, false);
903
904 rsachallenge k;
905
906 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
907 {
908 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
909 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
910 break;
911 }
912 else
913 {
914 delete octx;
915
916 octx = new crypto_ctx (k, 1);
917 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
918
919 conf->protocols = p->protocols;
920
921 send_auth_response (rsi, p->id, k);
922
923 connection_established ();
924
925 break;
926 }
927 }
928 else
775 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"), 929 slog (L_WARN, _("%s(%s): protocol mismatch"),
776 conf->nodename, (const char *)rsi); 930 conf->nodename, (const char *)rsi);
777 connectmode = conf_node::C_DISABLED; 931
932 send_reset (rsi);
778 } 933 }
779 else if (connectmode == conf_node::C_ALWAYS) 934
780 establish_connection ();
781 }
782 break; 935 break;
783 936
784 case vpn_packet::PT_AUTH_REQ: 937 case vpn_packet::PT_AUTH_RES:
785 if (auth_rate_limiter.can (rsi))
786 { 938 {
787 auth_req_packet *p = (auth_req_packet *) pkt; 939 auth_res_packet *p = (auth_res_packet *) pkt;
788 940
789 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 941 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
790 942
791 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 943 if (p->chk_config ())
792 { 944 {
793 if (p->prot_minor != PROTOCOL_MINOR) 945 if (p->prot_minor != PROTOCOL_MINOR)
794 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 946 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
795 conf->nodename, (const char *)rsi, 947 conf->nodename, (const char *)rsi,
796 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 948 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
797 949
798 if (p->initiate)
799 send_auth_request (rsi, false);
800
801 rsachallenge k; 950 rsachallenge chg;
802 951
803 if (0 > RSA_private_decrypt (sizeof (p->encr), 952 if (!rsa_cache.find (p->id, chg))
804 (unsigned char *)&p->encr, (unsigned char *)&k, 953 {
805 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 954 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
806 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
807 conf->nodename, (const char *)rsi); 955 conf->nodename, (const char *)rsi);
956 break;
957 }
808 else 958 else
809 { 959 {
810 retry_cnt = 0; 960 crypto_ctx *cctx = new crypto_ctx (chg, 0);
811 establish_connection.set (NOW + 8); //? ;) 961
812 keepalive.reset (); 962 if (!p->hmac_chk (cctx))
963 {
964 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
965 "could be an attack, or just corruption or an synchronization error"),
966 conf->nodename, (const char *)rsi);
967 break;
968 }
813 rekey.reset (); 969 else
970 {
971 rsaresponse h;
814 972
973 rsa_hash (p->id, chg, h);
974
975 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
976 {
977 prot_minor = p->prot_minor;
978
979 delete ictx; ictx = cctx;
980
981 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
982
983 si = rsi;
984 protocol = rsi.prot;
985
986 connection_established ();
987
988 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
989 conf->nodename, (const char *)rsi,
990 p->prot_major, p->prot_minor);
991
992 if (::conf.script_node_up)
993 run_script (run_script_cb (this, &connection::script_node_up), false);
994
995 break;
996 }
997 else
998 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
999 conf->nodename, (const char *)rsi);
1000 }
1001
815 delete ictx; 1002 delete cctx;
816 ictx = 0;
817
818 delete octx;
819
820 octx = new crypto_ctx (k, 1);
821 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
822
823 conf->protocols = p->protocols;
824 send_auth_response (rsi, p->id, k);
825
826 break;
827 } 1003 }
828 } 1004 }
829
830 send_reset (rsi);
831 } 1005 }
832 1006
1007 send_reset (rsi);
833 break; 1008 break;
834 1009
835 case vpn_packet::PT_AUTH_RES: 1010 case vpn_packet::PT_DATA_COMPRESSED:
836 { 1011#if !ENABLE_COMPRESSION
837 auth_res_packet *p = (auth_res_packet *) pkt; 1012 send_reset (rsi);
1013 break;
1014#endif
838 1015
839 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 1016 case vpn_packet::PT_DATA_UNCOMPRESSED:
840 1017
841 if (p->chk_config ()) 1018 if (ictx && octx)
842 { 1019 {
843 if (p->prot_minor != PROTOCOL_MINOR) 1020 vpndata_packet *p = (vpndata_packet *)pkt;
844 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
845 conf->nodename, (const char *)rsi,
846 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
847 1021
848 rsachallenge chg; 1022 if (!p->hmac_chk (ictx))
849 1023 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
850 if (!rsa_cache.find (p->id, chg)) 1024 "could be an attack, or just corruption or an synchronization error"),
851 slog (L_ERR, _("%s(%s): unrequested auth response"),
852 conf->nodename, (const char *)rsi); 1025 conf->nodename, (const char *)rsi);
853 else 1026 else
854 { 1027 {
855 crypto_ctx *cctx = new crypto_ctx (chg, 0);
856
857 if (!p->hmac_chk (cctx))
858 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
859 "could be an attack, or just corruption or an synchronization error"),
860 conf->nodename, (const char *)rsi);
861 else 1028 u32 seqno;
1029 tap_packet *d = p->unpack (this, seqno);
1030
1031 if (iseqno.recv_ok (seqno))
862 { 1032 {
863 rsaresponse h; 1033 vpn->tap->send (d);
864 1034
865 rsa_hash (p->id, chg, h); 1035 if (si != rsi)
866
867 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
868 { 1036 {
869 prot_minor = p->prot_minor; 1037 // fast re-sync on connection changes, useful especially for tcp/ip
870
871 delete ictx; ictx = cctx;
872
873 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
874
875 si = rsi; 1038 si = rsi;
876 1039
877 rekey.set (NOW + ::conf.rekey); 1040 slog (L_INFO, _("%s(%s): socket address changed to %s"),
878 keepalive.set (NOW + ::conf.keepalive);
879
880 // send queued packets
881 while (tap_packet *p = queue.get ())
882 {
883 send_data_packet (p);
884 delete p;
885 }
886
887 connectmode = conf->connectmode;
888
889 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
890 conf->nodename, (const char *)rsi, 1041 conf->nodename, (const char *)si, (const char *)rsi);
891 strprotocol (protocol),
892 p->prot_major, p->prot_minor);
893
894 if (::conf.script_node_up)
895 run_script (run_script_cb (this, &connection::script_node_up), false);
896
897 break;
898 } 1042 }
1043
899 else 1044 delete d;
900 slog (L_ERR, _("%s(%s): sent and received challenge do not match"), 1045
901 conf->nodename, (const char *)rsi); 1046 break;
902 } 1047 }
903
904 delete cctx;
905 } 1048 }
906 } 1049 }
907 }
908 1050
909 send_reset (rsi); 1051 send_reset (rsi);
910 break; 1052 break;
911 1053
912 case vpn_packet::PT_DATA_COMPRESSED:
913#if !ENABLE_COMPRESSION
914 send_reset (rsi);
915 break;
916#endif
917
918 case vpn_packet::PT_DATA_UNCOMPRESSED:
919
920 if (ictx && octx)
921 {
922 vpndata_packet *p = (vpndata_packet *)pkt;
923
924 if (rsi == si)
925 {
926 if (!p->hmac_chk (ictx))
927 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
928 "could be an attack, or just corruption or an synchronization error"),
929 conf->nodename, (const char *)rsi);
930 else
931 {
932 u32 seqno;
933 tap_packet *d = p->unpack (this, seqno);
934
935 if (iseqno.recv_ok (seqno))
936 {
937 vpn->tap->send (d);
938
939 if (p->dst () == 0) // re-broadcast
940 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
941 {
942 connection *c = *i;
943
944 if (c->conf != THISNODE && c->conf != conf)
945 c->inject_data_packet (d);
946 }
947
948 delete d;
949
950 break;
951 }
952 }
953 }
954 else
955 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
956 }
957
958 send_reset (rsi);
959 break;
960
961 case vpn_packet::PT_CONNECT_REQ: 1054 case vpn_packet::PT_CONNECT_REQ:
962 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1055 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
963 { 1056 {
964 connect_req_packet *p = (connect_req_packet *) pkt; 1057 connect_req_packet *p = (connect_req_packet *) pkt;
965 1058
966 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1059 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
967 conf->protocols = p->protocols;
968 connection *c = vpn->conns[p->id - 1]; 1060 connection *c = vpn->conns[p->id - 1];
1061 conf->protocols = p->protocols;
969 1062
970 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 1063 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
971 conf->id, p->id, c->ictx && c->octx); 1064 conf->id, p->id, c->ictx && c->octx);
972 1065
973 if (c->ictx && c->octx) 1066 if (c->ictx && c->octx)
974 { 1067 {
975 // send connect_info packets to both sides, in case one is 1068 // send connect_info packets to both sides, in case one is
976 // behind a nat firewall (or both ;) 1069 // behind a nat firewall (or both ;)
977 c->send_connect_info (conf->id, si, conf->protocols); 1070 c->send_connect_info (conf->id, si, conf->protocols);
978 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1071 send_connect_info (c->conf->id, c->si, c->conf->protocols);
979 } 1072 }
1073 else
1074 c->establish_connection ();
980 } 1075 }
981 1076
982 break; 1077 break;
983 1078
984 case vpn_packet::PT_CONNECT_INFO: 1079 case vpn_packet::PT_CONNECT_INFO:
985 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1080 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
986 { 1081 {
987 connect_info_packet *p = (connect_info_packet *) pkt; 1082 connect_info_packet *p = (connect_info_packet *) pkt;
988 1083
989 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1084 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
990 conf->protocols = p->protocols; 1085
991 connection *c = vpn->conns[p->id - 1]; 1086 connection *c = vpn->conns[p->id - 1];
992 1087
1088 c->conf->protocols = p->protocols;
1089 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1090 p->si.upgrade_protocol (protocol, c->conf);
1091
993 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1092 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
994 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1093 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
995 1094
1095 const sockinfo &dsi = forward_si (p->si);
1096
1097 if (dsi.valid ())
996 c->send_auth_request (p->si, true); 1098 c->send_auth_request (dsi, true);
997 } 1099 }
998 1100
999 break; 1101 break;
1000 1102
1001 default: 1103 default:
1002 send_reset (rsi); 1104 send_reset (rsi);
1003 break; 1105 break;
1004
1005 } 1106 }
1006} 1107}
1007 1108
1008void connection::keepalive_cb (tstamp &ts) 1109void connection::keepalive_cb (time_watcher &w)
1009{ 1110{
1010 if (NOW >= last_activity + ::conf.keepalive + 30) 1111 if (NOW >= last_activity + ::conf.keepalive + 30)
1011 { 1112 {
1012 reset_connection (); 1113 reset_connection ();
1013 establish_connection (); 1114 establish_connection ();
1014 } 1115 }
1015 else if (NOW < last_activity + ::conf.keepalive) 1116 else if (NOW < last_activity + ::conf.keepalive)
1016 ts = last_activity + ::conf.keepalive; 1117 w.start (last_activity + ::conf.keepalive);
1017 else if (conf->connectmode != conf_node::C_ONDEMAND 1118 else if (conf->connectmode != conf_node::C_ONDEMAND
1018 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1119 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1019 { 1120 {
1020 send_ping (si); 1121 send_ping (si);
1021 ts = NOW + 5; 1122 w.start (NOW + 5);
1022 } 1123 }
1124 else if (NOW < last_activity + ::conf.keepalive + 10)
1125 // hold ondemand connections implicitly a few seconds longer
1126 // should delete octx, though, or something like that ;)
1127 w.start (last_activity + ::conf.keepalive + 10);
1023 else 1128 else
1024 reset_connection (); 1129 reset_connection ();
1025} 1130}
1026 1131
1027void connection::connect_request (int id) 1132void connection::send_connect_request (int id)
1028{ 1133{
1029 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1134 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1030 1135
1031 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1136 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1032 p->hmac_set (octx); 1137 p->hmac_set (octx);
1035 delete p; 1140 delete p;
1036} 1141}
1037 1142
1038void connection::script_node () 1143void connection::script_node ()
1039{ 1144{
1040 vpn->script_if_up (0); 1145 vpn->script_if_up ();
1041 1146
1042 char *env; 1147 char *env;
1043 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1148 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1044 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1149 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1045 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1150 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1046 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1151 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1047} 1152}
1048 1153
1049const char *connection::script_node_up (int) 1154const char *connection::script_node_up ()
1050{ 1155{
1051 script_node (); 1156 script_node ();
1052 1157
1053 putenv ("STATE=up"); 1158 putenv ("STATE=up");
1054 1159
1055 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1160 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1056} 1161}
1057 1162
1058const char *connection::script_node_down (int) 1163const char *connection::script_node_down ()
1059{ 1164{
1060 script_node (); 1165 script_node ();
1061 1166
1062 putenv ("STATE=down"); 1167 putenv ("STATE=down");
1063 1168
1064 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1169 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1065}
1066
1067// send a vpn packet out to other hosts
1068void
1069connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1070{
1071 if (protocol & PROT_IPv4)
1072 vpn->send_ipv4_packet (pkt, si, tos);
1073 else
1074 vpn->send_udpv4_packet (pkt, si, tos);
1075} 1170}
1076 1171
1077connection::connection(struct vpn *vpn_) 1172connection::connection(struct vpn *vpn_)
1078: vpn(vpn_) 1173: vpn(vpn_)
1079, rekey (this, &connection::rekey_cb) 1174, rekey (this, &connection::rekey_cb)

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines