
Comparing gvpe/src/connection.C (file contents):
Revision 1.4 by pcg, Wed Apr 2 21:02:25 2003 UTC vs.
Revision 1.7 by pcg, Sat Apr 5 17:54:22 2003 UTC

285 hmac_gen (ctx); 285 hmac_gen (ctx);
286 286
287 return !memcmp (hmac, hmac_digest, HMACLENGTH); 287 return !memcmp (hmac, hmac_digest, HMACLENGTH);
288} 288}
289 289
290void vpn_packet::set_hdr (ptype type, unsigned int dst) 290void vpn_packet::set_hdr (ptype type_, unsigned int dst)
291{ 291{
292 this->type = type; 292 type = type_;
293 293
294 int src = THISNODE->id; 294 int src = THISNODE->id;
295 295
296 src1 = src; 296 src1 = src;
297 srcdst = ((src >> 8) << 4) | (dst >> 8); 297 srcdst = ((src >> 8) << 4) | (dst >> 8);
548///////////////////////////////////////////////////////////////////////////// 548/////////////////////////////////////////////////////////////////////////////
549 549
550void 550void
551connection::reset_dstaddr () 551connection::reset_dstaddr ()
552{ 552{
553 si.set (conf);
554}
555
556void
557connection::send_ping (const sockinfo &si, u8 pong)
558{
559 ping_packet *pkt = new ping_packet;
560
561 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
562 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
563
564 delete pkt;
565}
566
567void
568connection::send_reset (const sockinfo &si)
569{
570 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
571 {
572 config_packet *pkt = new config_packet;
573
574 pkt->setup (vpn_packet::PT_RESET, conf->id);
575 send_vpn_packet (pkt, si, IPTOS_MINCOST);
576
577 delete pkt;
578 }
579}
580
581void
582connection::send_auth_request (const sockinfo &si, bool initiate)
583{
584 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
585
586 protocol = best_protocol (THISNODE->protocols & conf->protocols); 553 protocol = best_protocol (THISNODE->protocols & conf->protocols);
587 554
588 // mask out protocols we cannot establish 555 // mask out protocols we cannot establish
589 if (!conf->udp_port) protocol &= ~PROT_UDPv4; 556 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
590 if (!conf->tcp_port) protocol &= ~PROT_TCPv4; 557 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
591 558
592 if (protocol) 559 si.set (conf, protocol);
593 { 560}
594 rsachallenge chg;
595 561
596 rsa_cache.gen (pkt->id, chg); 562void
563connection::send_ping (const sockinfo &si, u8 pong)
564{
565 ping_packet *pkt = new ping_packet;
597 566
598 if (0 > RSA_public_encrypt (sizeof chg, 567 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
599 (unsigned char *)&chg, (unsigned char *)&pkt->encr, 568 vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
600 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
601 fatal ("RSA_public_encrypt error");
602 569
603 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 570 delete pkt;
571}
604 572
605 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 573void
574connection::send_reset (const sockinfo &si)
575{
576 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
577 {
578 config_packet *pkt = new config_packet;
579
580 pkt->setup (vpn_packet::PT_RESET, conf->id);
581 vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST);
606 582
607 delete pkt; 583 delete pkt;
608 } 584 }
609 else 585}
610 ; // silently fail 586
587void
588connection::send_auth_request (const sockinfo &si, bool initiate)
589{
590 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
591
592 rsachallenge chg;
593
594 rsa_cache.gen (pkt->id, chg);
595
596 if (0 > RSA_public_encrypt (sizeof chg,
597 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
598 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
599 fatal ("RSA_public_encrypt error");
600
601 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
602
603 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
604
605 delete pkt;
611} 606}
612 607
613void 608void
614connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg) 609connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
615{ 610{
621 616
622 pkt->hmac_set (octx); 617 pkt->hmac_set (octx);
623 618
624 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 619 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
625 620
626 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 621 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
627 622
628 delete pkt; 623 delete pkt;
629} 624}
630 625
631void 626void
635 conf->id, rid, (const char *)rsi); 630 conf->id, rid, (const char *)rsi);
636 631
637 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 632 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
638 633
639 r->hmac_set (octx); 634 r->hmac_set (octx);
640 send_vpn_packet (r, si); 635 vpn->send_vpn_packet (r, si);
641 636
642 delete r; 637 delete r;
643} 638}
644 639
645void 640void
659 w.at = NOW + retry_int; 654 w.at = NOW + retry_int;
660 655
661 if (conf->hostname) 656 if (conf->hostname)
662 { 657 {
663 reset_dstaddr (); 658 reset_dstaddr ();
659
664 if (si.host && auth_rate_limiter.can (si)) 660 if (si.valid () && auth_rate_limiter.can (si))
665 { 661 {
666 if (retry_cnt < 4) 662 if (retry_cnt < 4)
667 send_auth_request (si, true); 663 send_auth_request (si, true);
668 else 664 else
669 send_ping (si, 0); 665 send_ping (si, 0);
727 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 723 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
728 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 724 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
729 tos = (*pkt)[15] & IPTOS_TOS_MASK; 725 tos = (*pkt)[15] & IPTOS_TOS_MASK;
730 726
731 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 727 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
732 send_vpn_packet (p, si, tos); 728 vpn->send_vpn_packet (p, si, tos);
733 729
734 delete p; 730 delete p;
735 731
736 if (oseqno > MAX_SEQNO) 732 if (oseqno > MAX_SEQNO)
737 rekey (); 733 rekey ();
820 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 816 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
821 conf->nodename, (const char *)rsi); 817 conf->nodename, (const char *)rsi);
822 else 818 else
823 { 819 {
824 retry_cnt = 0; 820 retry_cnt = 0;
825 establish_connection.set (NOW + 8); //? ;) 821 establish_connection.start (NOW + 8); //? ;)
826 keepalive.reset (); 822 keepalive.reset ();
827 rekey.reset (); 823 rekey.reset ();
828 824
829 delete ictx; 825 delete ictx;
830 ictx = 0; 826 ictx = 0;
885 delete ictx; ictx = cctx; 881 delete ictx; ictx = cctx;
886 882
887 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 883 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
888 884
889 si = rsi; 885 si = rsi;
886 protocol = rsi.prot;
890 887
891 rekey.set (NOW + ::conf.rekey); 888 rekey.start (NOW + ::conf.rekey);
892 keepalive.set (NOW + ::conf.keepalive); 889 keepalive.start (NOW + ::conf.keepalive);
893 890
894 // send queued packets 891 // send queued packets
895 while (tap_packet *p = queue.get ()) 892 while (tap_packet *p = queue.get ())
896 { 893 {
897 send_data_packet (p); 894 send_data_packet (p);
898 delete p; 895 delete p;
899 } 896 }
900 897
901 connectmode = conf->connectmode; 898 connectmode = conf->connectmode;
902 899
903 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"), 900 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
904 conf->nodename, (const char *)rsi, 901 conf->nodename, (const char *)rsi,
905 strprotocol (protocol),
906 p->prot_major, p->prot_minor); 902 p->prot_major, p->prot_minor);
907 903
908 if (::conf.script_node_up) 904 if (::conf.script_node_up)
909 run_script (run_script_cb (this, &connection::script_node_up), false); 905 run_script (run_script_cb (this, &connection::script_node_up), false);
910 906
976 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 972 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
977 { 973 {
978 connect_req_packet *p = (connect_req_packet *) pkt; 974 connect_req_packet *p = (connect_req_packet *) pkt;
979 975
980 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 976 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
977 connection *c = vpn->conns[p->id - 1];
981 conf->protocols = p->protocols; 978 conf->protocols = p->protocols;
982 connection *c = vpn->conns[p->id - 1];
983 979
984 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 980 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
985 conf->id, p->id, c->ictx && c->octx); 981 conf->id, p->id, c->ictx && c->octx);
986 982
987 if (c->ictx && c->octx) 983 if (c->ictx && c->octx)
999 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 995 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1000 { 996 {
1001 connect_info_packet *p = (connect_info_packet *) pkt; 997 connect_info_packet *p = (connect_info_packet *) pkt;
1002 998
1003 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 999 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1004 conf->protocols = p->protocols; 1000
1005 connection *c = vpn->conns[p->id - 1]; 1001 connection *c = vpn->conns[p->id - 1];
1002
1003 c->conf->protocols = p->protocols;
1004 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1005 p->si.upgrade_protocol (protocol, c->conf);
1006 1006
1007 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1007 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1008 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1008 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1009 //slog (L_ERR, "%d PROTOCL(C%x,T%x,0S%x,S%x,P%x,SP%x)",
1010 // p->id, c->conf->protocols, THISNODE->protocols, p->si.supported_protocols(0), p->si.supported_protocols (c->conf),
1011 // protocol, p->si.prot);
1009 1012
1010 c->send_auth_request (p->si, true); 1013 c->send_auth_request (p->si, true);
1011 } 1014 }
1012 1015
1013 break; 1016 break;
1041{ 1044{
1042 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1045 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1043 1046
1044 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1047 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1045 p->hmac_set (octx); 1048 p->hmac_set (octx);
1046 send_vpn_packet (p, si); 1049 vpn->send_vpn_packet (p, si);
1047 1050
1048 delete p; 1051 delete p;
1049} 1052}
1050 1053
1051void connection::script_node () 1054void connection::script_node ()
1075 putenv ("STATE=down"); 1078 putenv ("STATE=down");
1076 1079
1077 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1080 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1078} 1081}
1079 1082
1080// send a vpn packet out to other hosts
1081void
1082connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1083{
1084 switch (protocol)
1085 {
1086 case PROT_IPv4:
1087 vpn->send_ipv4_packet (pkt, si, tos);
1088 break;
1089
1090 case PROT_UDPv4:
1091 vpn->send_udpv4_packet (pkt, si, tos);
1092 break;
1093
1094 case PROT_TCPv4:
1095 vpn->send_tcpv4_packet (pkt, si, tos);
1096 break;
1097 }
1098}
1099
1100connection::connection(struct vpn *vpn_) 1083connection::connection(struct vpn *vpn_)
1101: vpn(vpn_) 1084: vpn(vpn_)
1102, rekey (this, &connection::rekey_cb) 1085, rekey (this, &connection::rekey_cb)
1103, keepalive (this, &connection::keepalive_cb) 1086, keepalive (this, &connection::keepalive_cb)
1104, establish_connection (this, &connection::establish_connection_cb) 1087, establish_connection (this, &connection::establish_connection_cb)
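Review bot: The bound on the peer-supplied `p->id` in the PT_CONNECT_REQ and PT_CONNECT_INFO handlers is only an `assert`, so in a build with NDEBUG the `vpn->conns[p->id - 1]` lookup that the commit moves directly below it runs with no check at all, and an HMAC-authenticated but buggy or compromised peer can drive an out-of-bounds read. A runtime check that drops the packet, e.g. `if (p->id <= 0 || p->id > vpn->conns.size ()) break;` ahead of the lookup, keeps the intent of the "hmac-auth does not mean we accept anything" comment in release builds as well. Separately, in the new PT_CONNECT_INFO lines `protocol = best_protocol (...)` assigns to the receiving connection's own `protocol` member rather than to `c`'s or a local, which appears to clobber the established connection's recorded transport protocol while choosing one for node `c`; if that member is still read anywhere after this refactor, a local variable would be safer. Both handlers start and end outside the visible hunk, so the enclosing switch and any earlier validation of `p->si` are not visible here.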
