ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.3 by pcg, Wed Apr 2 05:15:00 2003 UTC vs.
Revision 1.22 by pcg, Thu Oct 16 02:41:21 2003 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003 Marc Lehmann <pcg@goof.com>
3 4
4 This program is free software; you can redistribute it and/or modify 5 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by 6 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or 7 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version. 8 (at your option) any later version.
35#include "slog.h" 36#include "slog.h"
36#include "device.h" 37#include "device.h"
37#include "vpn.h" 38#include "vpn.h"
38#include "connection.h" 39#include "connection.h"
39 40
41#include "netcompat.h"
42
40#if !HAVE_RAND_PSEUDO_BYTES 43#if !HAVE_RAND_PSEUDO_BYTES
41# define RAND_pseudo_bytes RAND_bytes 44# define RAND_pseudo_bytes RAND_bytes
42#endif 45#endif
43 46
44#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic 47#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
85 rsachallenge chg; 88 rsachallenge chg;
86}; 89};
87 90
88struct rsa_cache : list<rsa_entry> 91struct rsa_cache : list<rsa_entry>
89{ 92{
90 void cleaner_cb (tstamp &ts); time_watcher cleaner; 93 void cleaner_cb (time_watcher &w); time_watcher cleaner;
91 94
92 bool find (const rsaid &id, rsachallenge &chg) 95 bool find (const rsaid &id, rsachallenge &chg)
93 { 96 {
94 for (iterator i = begin (); i != end (); ++i) 97 for (iterator i = begin (); i != end (); ++i)
95 { 98 {
129 : cleaner (this, &rsa_cache::cleaner_cb) 132 : cleaner (this, &rsa_cache::cleaner_cb)
130 { } 133 { }
131 134
132} rsa_cache; 135} rsa_cache;
133 136
134void rsa_cache::cleaner_cb (tstamp &ts) 137void rsa_cache::cleaner_cb (time_watcher &w)
135{ 138{
136 if (empty ()) 139 if (empty ())
137 ts = TSTAMP_CANCEL; 140 w.at = TSTAMP_CANCEL;
138 else 141 else
139 { 142 {
140 ts = NOW + RSA_TTL; 143 w.at = NOW + RSA_TTL;
141 144
142 for (iterator i = begin (); i != end (); ) 145 for (iterator i = begin (); i != end (); )
143 if (i->expire <= NOW) 146 if (i->expire <= NOW)
144 i = erase (i); 147 i = erase (i);
145 else 148 else
147 } 150 }
148} 151}
149 152
150////////////////////////////////////////////////////////////////////////////// 153//////////////////////////////////////////////////////////////////////////////
151 154
152void pkt_queue::put (tap_packet *p) 155void pkt_queue::put (net_packet *p)
153{ 156{
154 if (queue[i]) 157 if (queue[i])
155 { 158 {
156 delete queue[i]; 159 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH; 160 j = (j + 1) % QUEUEDEPTH;
160 queue[i] = p; 163 queue[i] = p;
161 164
162 i = (i + 1) % QUEUEDEPTH; 165 i = (i + 1) % QUEUEDEPTH;
163} 166}
164 167
165tap_packet *pkt_queue::get () 168net_packet *pkt_queue::get ()
166{ 169{
167 tap_packet *p = queue[j]; 170 net_packet *p = queue[j];
168 171
169 if (p) 172 if (p)
170 { 173 {
171 queue[j] = 0; 174 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH; 175 j = (j + 1) % QUEUEDEPTH;
197// only do action once every x seconds per host whole allowing bursts. 200// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 201// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 202// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 203struct net_rate_limiter : list<net_rateinfo>
201{ 204{
202 static const double ALPHA = 1. - 1. / 90.; // allow bursts 205 static const double ALPHA = 1. - 1. / 600.; // allow bursts
203 static const double CUTOFF = 20.; // one event every CUTOFF seconds 206 static const double CUTOFF = 10.; // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 207 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
208 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205 209
206 bool can (const sockinfo &si) { return can((u32)si.host); } 210 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 211 bool can (u32 host);
208}; 212};
209 213
210net_rate_limiter auth_rate_limiter, reset_rate_limiter; 214net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211 215
225 { 229 {
226 net_rateinfo ri; 230 net_rateinfo ri;
227 231
228 ri.host = host; 232 ri.host = host;
229 ri.pcnt = 1.; 233 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 234 ri.diff = MAXDIF;
231 ri.last = NOW; 235 ri.last = NOW;
232 236
233 push_front (ri); 237 push_front (ri);
234 238
235 return true; 239 return true;
242 ri.pcnt = ri.pcnt * ALPHA; 246 ri.pcnt = ri.pcnt * ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 247 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244 248
245 ri.last = NOW; 249 ri.last = NOW;
246 250
251 double dif = ri.diff / ri.pcnt;
252
247 bool send = ri.diff / ri.pcnt > CUTOFF; 253 bool send = dif > CUTOFF;
248 254
255 if (dif > MAXDIF)
256 {
257 ri.pcnt = 1.;
258 ri.diff = MAXDIF;
259 }
249 if (send) 260 else if (send)
250 ri.pcnt++; 261 ri.pcnt++;
251 262
252 push_front (ri); 263 push_front (ri);
253 264
254 return send; 265 return send;
285 hmac_gen (ctx); 296 hmac_gen (ctx);
286 297
287 return !memcmp (hmac, hmac_digest, HMACLENGTH); 298 return !memcmp (hmac, hmac_digest, HMACLENGTH);
288} 299}
289 300
290void vpn_packet::set_hdr (ptype type, unsigned int dst) 301void vpn_packet::set_hdr (ptype type_, unsigned int dst)
291{ 302{
292 this->type = type; 303 type = type_;
293 304
294 int src = THISNODE->id; 305 int src = THISNODE->id;
295 306
296 src1 = src; 307 src1 = src;
297 srcdst = ((src >> 8) << 4) | (dst >> 8); 308 srcdst = ((src >> 8) << 4) | (dst >> 8);
467 set_hdr (type, dst); 478 set_hdr (type, dst);
468} 479}
469 480
470bool config_packet::chk_config () const 481bool config_packet::chk_config () const
471{ 482{
472 return prot_major == PROTOCOL_MAJOR 483 if (prot_major != PROTOCOL_MAJOR)
473 && randsize == RAND_SIZE 484 slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR);
474 && hmaclen == HMACLENGTH 485 else if (randsize != RAND_SIZE)
475 && flags == curflags () 486 slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE);
487 else if (hmaclen != HMACLENGTH)
488 slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH);
489 else if (flags != curflags ())
490 slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
476 && challengelen == sizeof (rsachallenge) 491 else if (challengelen != sizeof (rsachallenge))
492 slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge));
477 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 493 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
494 slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 495 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
496 slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 497 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
498 slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
499 else
500 return true;
501
502 return false;
480} 503}
481 504
482struct auth_req_packet : config_packet 505struct auth_req_packet : config_packet
483{ 506{
484 char magic[8]; 507 char magic[8];
546}; 569};
547 570
548///////////////////////////////////////////////////////////////////////////// 571/////////////////////////////////////////////////////////////////////////////
549 572
550void 573void
574connection::connection_established ()
575{
576 if (ictx && octx)
577 {
578 connectmode = conf->connectmode;
579
580 rekey.start (NOW + ::conf.rekey);
581 keepalive.start (NOW + ::conf.keepalive);
582
583 // send queued packets
584 if (ictx && octx)
585 {
586 while (tap_packet *p = (tap_packet *)data_queue.get ())
587 {
588 send_data_packet (p);
589 delete p;
590 }
591
592 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
593 {
594 send_vpn_packet (p, si, IPTOS_RELIABILITY);
595 delete p;
596 }
597 }
598 }
599 else
600 {
601 retry_cnt = 0;
602 establish_connection.start (NOW + 5);
603 keepalive.reset ();
604 rekey.reset ();
605 }
606}
607
608void
551connection::reset_dstaddr () 609connection::reset_si ()
552{ 610{
553 si.set (conf);
554}
555
556void
557connection::send_ping (const sockinfo &si, u8 pong)
558{
559 ping_packet *pkt = new ping_packet;
560
561 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
562 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
563
564 delete pkt;
565}
566
567void
568connection::send_reset (const sockinfo &si)
569{
570 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
571 {
572 config_packet *pkt = new config_packet;
573
574 pkt->setup (vpn_packet::PT_RESET, conf->id);
575 send_vpn_packet (pkt, si, IPTOS_MINCOST);
576
577 delete pkt;
578 }
579}
580
581void
582connection::send_auth_request (const sockinfo &si, bool initiate)
583{
584 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
585
586 protocol = best_protocol (THISNODE->protocols & conf->protocols); 611 protocol = best_protocol (THISNODE->protocols & conf->protocols);
587 612
588 // mask out protocols we cannot establish 613 // mask out protocols we cannot establish
589 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 614 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
590 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 615 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
591 616
592 if (protocol) 617 si.set (conf, protocol);
618}
619
620// ensure sockinfo is valid, forward if necessary
621const sockinfo &
622connection::forward_si (const sockinfo &si) const
623{
624 if (!si.valid ())
625 {
626 connection *r = vpn->find_router ();
627
628 if (r)
629 {
630 slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
631 conf->nodename, r->conf->nodename);
632 return r->si;
633 }
634 else
635 slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
636 conf->nodename);
593 { 637 }
594 rsachallenge chg;
595 638
596 rsa_cache.gen (pkt->id, chg); 639 return si;
640}
597 641
598 if (0 > RSA_public_encrypt (sizeof chg, 642void
599 (unsigned char *)&chg, (unsigned char *)&pkt->encr, 643connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
600 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 644{
601 fatal ("RSA_public_encrypt error"); 645 if (!vpn->send_vpn_packet (pkt, si, tos))
646 reset_connection ();
647}
602 648
603 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 649void
650connection::send_ping (const sockinfo &si, u8 pong)
651{
652 ping_packet *pkt = new ping_packet;
604 653
605 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 654 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
655 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
656
657 delete pkt;
658}
659
660void
661connection::send_reset (const sockinfo &si)
662{
663 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
664 {
665 config_packet *pkt = new config_packet;
666
667 pkt->setup (vpn_packet::PT_RESET, conf->id);
668 send_vpn_packet (pkt, si, IPTOS_MINCOST);
606 669
607 delete pkt; 670 delete pkt;
608 } 671 }
609 else 672}
610 ; // silently fail 673
674void
675connection::send_auth_request (const sockinfo &si, bool initiate)
676{
677 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
678
679 rsachallenge chg;
680
681 rsa_cache.gen (pkt->id, chg);
682
683 if (0 > RSA_public_encrypt (sizeof chg,
684 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
685 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
686 fatal ("RSA_public_encrypt error");
687
688 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
689
690 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
691
692 delete pkt;
611} 693}
612 694
613void 695void
614connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg) 696connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
615{ 697{
641 723
642 delete r; 724 delete r;
643} 725}
644 726
645void 727void
646connection::establish_connection_cb (tstamp &ts) 728connection::establish_connection_cb (time_watcher &w)
647{ 729{
648 if (ictx || conf == THISNODE 730 if (ictx || conf == THISNODE
649 || connectmode == conf_node::C_NEVER 731 || connectmode == conf_node::C_NEVER
650 || connectmode == conf_node::C_DISABLED) 732 || connectmode == conf_node::C_DISABLED)
651 ts = TSTAMP_CANCEL; 733 w.at = TSTAMP_CANCEL;
652 else if (ts <= NOW) 734 else if (w.at <= NOW)
653 { 735 {
654 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 736 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
655 737
656 if (retry_int < 3600 * 8) 738 if (retry_int < 3600 * 8)
657 retry_cnt++; 739 retry_cnt++;
658 740
659 ts = NOW + retry_int; 741 w.at = NOW + retry_int;
660 742
661 if (conf->hostname) 743 reset_si ();
744
745 if (si.prot && !si.host)
746 vpn->send_connect_request (conf->id);
747 else
662 { 748 {
663 reset_dstaddr (); 749 const sockinfo &dsi = forward_si (si);
750
664 if (si.host && auth_rate_limiter.can (si)) 751 if (dsi.valid () && auth_rate_limiter.can (dsi))
665 { 752 {
666 if (retry_cnt < 4) 753 if (retry_cnt < 4)
667 send_auth_request (si, true); 754 send_auth_request (dsi, true);
668 else 755 else
669 send_ping (si, 0); 756 send_ping (dsi, 0);
670 } 757 }
671 } 758 }
672 else
673 vpn->connect_request (conf->id);
674 } 759 }
675} 760}
676 761
677void 762void
678connection::reset_connection () 763connection::reset_connection ()
707 792
708 reset_connection (); 793 reset_connection ();
709} 794}
710 795
711void 796void
712connection::rekey_cb (tstamp &ts) 797connection::rekey_cb (time_watcher &w)
713{ 798{
714 ts = TSTAMP_CANCEL; 799 w.at = TSTAMP_CANCEL;
715 800
716 reset_connection (); 801 reset_connection ();
717 establish_connection (); 802 establish_connection ();
718} 803}
719 804
720void 805void
721connection::send_data_packet (tap_packet *pkt, bool broadcast) 806connection::send_data_packet (tap_packet *pkt)
722{ 807{
723 vpndata_packet *p = new vpndata_packet; 808 vpndata_packet *p = new vpndata_packet;
724 int tos = 0; 809 int tos = 0;
725 810
726 if (conf->inherit_tos 811 // I am not hilarious about peeking into packets, but so be it.
727 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 812 if (conf->inherit_tos && pkt->is_ipv4 ())
728 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
729 tos = (*pkt)[15] & IPTOS_TOS_MASK; 813 tos = (*pkt)[15] & IPTOS_TOS_MASK;
730 814
731 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 815 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
732 send_vpn_packet (p, si, tos); 816 send_vpn_packet (p, si, tos);
733 817
734 delete p; 818 delete p;
735 819
736 if (oseqno > MAX_SEQNO) 820 if (oseqno > MAX_SEQNO)
737 rekey (); 821 rekey ();
738} 822}
739 823
740void 824void
741connection::inject_data_packet (tap_packet *pkt, bool broadcast) 825connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/)
742{ 826{
743 if (ictx && octx) 827 if (ictx && octx)
744 send_data_packet (pkt, broadcast); 828 send_data_packet (pkt);
745 else 829 else
746 { 830 {
747 if (!broadcast)//DDDD 831 if (!broadcast)//DDDD
748 queue.put (new tap_packet (*pkt)); 832 data_queue.put (new tap_packet (*pkt));
833
834 establish_connection ();
835 }
836}
837
838void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
839{
840 if (ictx && octx)
841 send_vpn_packet (pkt, si, tos);
842 else
843 {
844 vpn_queue.put (new vpn_packet (*pkt));
749 845
750 establish_connection (); 846 establish_connection ();
751 } 847 }
752} 848}
753 849
815 rsachallenge k; 911 rsachallenge k;
816 912
817 if (0 > RSA_private_decrypt (sizeof (p->encr), 913 if (0 > RSA_private_decrypt (sizeof (p->encr),
818 (unsigned char *)&p->encr, (unsigned char *)&k, 914 (unsigned char *)&p->encr, (unsigned char *)&k,
819 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) 915 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
820 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 916 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
821 conf->nodename, (const char *)rsi); 917 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
822 else 918 else
823 { 919 {
824 retry_cnt = 0;
825 establish_connection.set (NOW + 8); //? ;)
826 keepalive.reset ();
827 rekey.reset ();
828
829 delete ictx;
830 ictx = 0;
831
832 delete octx; 920 delete octx;
833 921
834 octx = new crypto_ctx (k, 1); 922 octx = new crypto_ctx (k, 1);
835 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 923 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
836 924
837 conf->protocols = p->protocols; 925 conf->protocols = p->protocols;
926
838 send_auth_response (rsi, p->id, k); 927 send_auth_response (rsi, p->id, k);
928
929 connection_established ();
839 930
840 break; 931 break;
841 } 932 }
842 } 933 }
934 else
935 slog (L_WARN, _("%s(%s): protocol mismatch"),
936 conf->nodename, (const char *)rsi);
843 937
844 send_reset (rsi); 938 send_reset (rsi);
845 } 939 }
846 940
847 break; 941 break;
860 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 954 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
861 955
862 rsachallenge chg; 956 rsachallenge chg;
863 957
864 if (!rsa_cache.find (p->id, chg)) 958 if (!rsa_cache.find (p->id, chg))
959 {
865 slog (L_ERR, _("%s(%s): unrequested auth response"), 960 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
866 conf->nodename, (const char *)rsi); 961 conf->nodename, (const char *)rsi);
962 break;
963 }
867 else 964 else
868 { 965 {
869 crypto_ctx *cctx = new crypto_ctx (chg, 0); 966 crypto_ctx *cctx = new crypto_ctx (chg, 0);
870 967
871 if (!p->hmac_chk (cctx)) 968 if (!p->hmac_chk (cctx))
969 {
872 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 970 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
873 "could be an attack, or just corruption or an synchronization error"), 971 "could be an attack, or just corruption or an synchronization error"),
874 conf->nodename, (const char *)rsi); 972 conf->nodename, (const char *)rsi);
973 break;
974 }
875 else 975 else
876 { 976 {
877 rsaresponse h; 977 rsaresponse h;
878 978
879 rsa_hash (p->id, chg, h); 979 rsa_hash (p->id, chg, h);
885 delete ictx; ictx = cctx; 985 delete ictx; ictx = cctx;
886 986
887 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 987 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
888 988
889 si = rsi; 989 si = rsi;
990 protocol = rsi.prot;
890 991
891 rekey.set (NOW + ::conf.rekey); 992 connection_established ();
892 keepalive.set (NOW + ::conf.keepalive);
893 993
894 // send queued packets
895 while (tap_packet *p = queue.get ())
896 {
897 send_data_packet (p);
898 delete p;
899 }
900
901 connectmode = conf->connectmode;
902
903 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"), 994 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
904 conf->nodename, (const char *)rsi, 995 conf->nodename, (const char *)rsi,
905 strprotocol (protocol),
906 p->prot_major, p->prot_minor); 996 p->prot_major, p->prot_minor);
907 997
908 if (::conf.script_node_up) 998 if (::conf.script_node_up)
909 run_script (run_script_cb (this, &connection::script_node_up), false); 999 run_script (run_script_cb (this, &connection::script_node_up), false);
910 1000
933 1023
934 if (ictx && octx) 1024 if (ictx && octx)
935 { 1025 {
936 vpndata_packet *p = (vpndata_packet *)pkt; 1026 vpndata_packet *p = (vpndata_packet *)pkt;
937 1027
938 if (rsi == si) 1028 if (!p->hmac_chk (ictx))
1029 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1030 "could be an attack, or just corruption or an synchronization error"),
1031 conf->nodename, (const char *)rsi);
1032 else
939 { 1033 {
940 if (!p->hmac_chk (ictx))
941 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
942 "could be an attack, or just corruption or an synchronization error"),
943 conf->nodename, (const char *)rsi);
944 else 1034 u32 seqno;
1035 tap_packet *d = p->unpack (this, seqno);
1036
1037 if (iseqno.recv_ok (seqno))
945 { 1038 {
946 u32 seqno; 1039 vpn->tap->send (d);
947 tap_packet *d = p->unpack (this, seqno);
948 1040
949 if (iseqno.recv_ok (seqno)) 1041 if (si != rsi)
950 { 1042 {
951 vpn->tap->send (d); 1043 // fast re-sync on connection changes, useful especially for tcp/ip
952
953 if (p->dst () == 0) // re-broadcast
954 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
955 {
956 connection *c = *i;
957
958 if (c->conf != THISNODE && c->conf != conf)
959 c->inject_data_packet (d);
960 }
961
962 delete d;
963
964 break; 1044 si = rsi;
1045
1046 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1047 conf->nodename, (const char *)si, (const char *)rsi);
965 } 1048 }
1049
1050 delete d;
1051
1052 break;
966 } 1053 }
967 } 1054 }
968 else
969 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
970 } 1055 }
971 1056
972 send_reset (rsi); 1057 send_reset (rsi);
973 break; 1058 break;
974 1059
976 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1061 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
977 { 1062 {
978 connect_req_packet *p = (connect_req_packet *) pkt; 1063 connect_req_packet *p = (connect_req_packet *) pkt;
979 1064
980 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1065 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1066 connection *c = vpn->conns[p->id - 1];
981 conf->protocols = p->protocols; 1067 conf->protocols = p->protocols;
982 connection *c = vpn->conns[p->id - 1];
983 1068
984 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 1069 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
985 conf->id, p->id, c->ictx && c->octx); 1070 conf->id, p->id, c->ictx && c->octx);
986 1071
987 if (c->ictx && c->octx) 1072 if (c->ictx && c->octx)
989 // send connect_info packets to both sides, in case one is 1074 // send connect_info packets to both sides, in case one is
990 // behind a nat firewall (or both ;) 1075 // behind a nat firewall (or both ;)
991 c->send_connect_info (conf->id, si, conf->protocols); 1076 c->send_connect_info (conf->id, si, conf->protocols);
992 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1077 send_connect_info (c->conf->id, c->si, c->conf->protocols);
993 } 1078 }
1079 else
1080 c->establish_connection ();
994 } 1081 }
995 1082
996 break; 1083 break;
997 1084
998 case vpn_packet::PT_CONNECT_INFO: 1085 case vpn_packet::PT_CONNECT_INFO:
999 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 1086 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1000 { 1087 {
1001 connect_info_packet *p = (connect_info_packet *) pkt; 1088 connect_info_packet *p = (connect_info_packet *) pkt;
1002 1089
1003 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 1090 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1004 conf->protocols = p->protocols; 1091
1005 connection *c = vpn->conns[p->id - 1]; 1092 connection *c = vpn->conns[p->id - 1];
1093
1094 c->conf->protocols = p->protocols;
1095 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1096 p->si.upgrade_protocol (protocol, c->conf);
1006 1097
1007 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1098 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1008 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1099 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1009 1100
1101 const sockinfo &dsi = forward_si (p->si);
1102
1103 if (dsi.valid ())
1010 c->send_auth_request (p->si, true); 1104 c->send_auth_request (dsi, true);
1011 } 1105 }
1012 1106
1013 break; 1107 break;
1014 1108
1015 default: 1109 default:
1016 send_reset (rsi); 1110 send_reset (rsi);
1017 break; 1111 break;
1018 } 1112 }
1019} 1113}
1020 1114
1021void connection::keepalive_cb (tstamp &ts) 1115void connection::keepalive_cb (time_watcher &w)
1022{ 1116{
1023 if (NOW >= last_activity + ::conf.keepalive + 30) 1117 if (NOW >= last_activity + ::conf.keepalive + 30)
1024 { 1118 {
1025 reset_connection (); 1119 reset_connection ();
1026 establish_connection (); 1120 establish_connection ();
1027 } 1121 }
1028 else if (NOW < last_activity + ::conf.keepalive) 1122 else if (NOW < last_activity + ::conf.keepalive)
1029 ts = last_activity + ::conf.keepalive; 1123 w.at = last_activity + ::conf.keepalive;
1030 else if (conf->connectmode != conf_node::C_ONDEMAND 1124 else if (conf->connectmode != conf_node::C_ONDEMAND
1031 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1125 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1032 { 1126 {
1033 send_ping (si); 1127 send_ping (si);
1034 ts = NOW + 5; 1128 w.at = NOW + 5;
1035 } 1129 }
1130 else if (NOW < last_activity + ::conf.keepalive + 10)
1131 // hold ondemand connections implicitly a few seconds longer
1132 // should delete octx, though, or something like that ;)
1133 w.at = last_activity + ::conf.keepalive + 10;
1036 else 1134 else
1037 reset_connection (); 1135 reset_connection ();
1038} 1136}
1039 1137
1040void connection::connect_request (int id) 1138void connection::send_connect_request (int id)
1041{ 1139{
1042 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1140 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1043 1141
1044 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1142 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1045 p->hmac_set (octx); 1143 p->hmac_set (octx);
1075 putenv ("STATE=down"); 1173 putenv ("STATE=down");
1076 1174
1077 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1175 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1078} 1176}
1079 1177
1080// send a vpn packet out to other hosts
1081void
1082connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1083{
1084 switch (protocol)
1085 {
1086 case PROT_IPv4:
1087 vpn->send_ipv4_packet (pkt, si, tos);
1088 break;
1089
1090 case PROT_UDPv4:
1091 vpn->send_udpv4_packet (pkt, si, tos);
1092 break;
1093
1094 case PROT_TCPv4:
1095 vpn->send_tcpv4_packet (pkt, si, tos);
1096 break;
1097 }
1098}
1099
1100connection::connection(struct vpn *vpn_) 1178connection::connection(struct vpn *vpn_)
1101: vpn(vpn_) 1179: vpn(vpn_)
1102, rekey (this, &connection::rekey_cb) 1180, rekey (this, &connection::rekey_cb)
1103, keepalive (this, &connection::keepalive_cb) 1181, keepalive (this, &connection::keepalive_cb)
1104, establish_connection (this, &connection::establish_connection_cb) 1182, establish_connection (this, &connection::establish_connection_cb)

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines