[ViewVC] Diff of: cvs/gvpe/src/connection.C

Comparing gvpe/src/connection.C (file contents):
Revision 1.45 by pcg, Fri Mar 4 09:36:45 2005 UTC vs.
Revision 1.57 by pcg, Thu Jul 7 14:41:51 2005 UTC

     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     GNU General Public License for more details.
     You should have received a copy of the GNU General Public License
     along with gvpe; if not, write to the Free Software
-    Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+    Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 */
 #include "config.h"
-#include <cassert>
 #include <list>
 #include <openssl/rand.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #include <openssl/err.h>
-#include "gettext.h"
 #include "conf.h"
 #include "slog.h"
 #include "device.h"
 #include "vpn.h"
 struct rsa_cache : list<rsa_entry>
 {
   void cleaner_cb (time_watcher &w); time_watcher cleaner;
   bool find (const rsaid &id, rsachallenge &chg)
-    {
+  {
-      for (iterator i = begin (); i != end (); ++i)
+    for (iterator i = begin (); i != end (); ++i)
-        {
+      {
-          if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
+        if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
-            {
+          {
-              memcpy (&chg, &i->chg, sizeof chg);
+            memcpy (&chg, &i->chg, sizeof chg);
-              erase (i);
+            erase (i);
-              return true;
+            return true;
-            }
+          }
-        }
+      }
-      if (cleaner.at < NOW)
+    if (cleaner.at < NOW)
-        cleaner.start (NOW + RSA_TTL);
+      cleaner.start (NOW + RSA_TTL);
-      return false;
+    return false;
-    }
+  }
   void gen (rsaid &id, rsachallenge &chg)
-    {
+  {
-      rsa_entry e;
+    rsa_entry e;
-      RAND_bytes ((unsigned char *)&id,  sizeof id);
+    RAND_bytes ((unsigned char *)&id,  sizeof id);
-      RAND_bytes ((unsigned char *)&chg, sizeof chg);
+    RAND_bytes ((unsigned char *)&chg, sizeof chg);
-      e.expire = NOW + RSA_TTL;
+    e.expire = NOW + RSA_TTL;
-      e.id = id;
+    e.id = id;
-      memcpy (&e.chg, &chg, sizeof chg);
+    memcpy (&e.chg, &chg, sizeof chg);
-      push_back (e);
+    push_back (e);
-      if (cleaner.at < NOW)
+    if (cleaner.at < NOW)
-        cleaner.start (NOW + RSA_TTL);
+      cleaner.start (NOW + RSA_TTL);
-    }
+  }
   rsa_cache ()
-    : cleaner (this, &rsa_cache::cleaner_cb)
+  : cleaner (this, &rsa_cache::cleaner_cb)
-    { }
+  { }
 } rsa_cache;
 void rsa_cache::cleaner_cb (time_watcher &w)
 {
 {
   prot_major = PROTOCOL_MAJOR;
   prot_minor = PROTOCOL_MINOR;
   randsize = RAND_SIZE;
   hmaclen = HMACLENGTH;
-  flags = ENABLE_COMPRESSION ? 0x81 : 0x80;
+  flags = 0;
   challengelen = sizeof (rsachallenge);
   features = get_features ();
   cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
   digest_nid = htonl (EVP_MD_type (RSA_HASH));
     slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
   else if (randsize != RAND_SIZE)
     slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
   else if (hmaclen != HMACLENGTH)
     slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
-#if 0 // this implementation should handle all flag settings
-  else if (flags != curflags ())
-    slog (L_WARN, _("flag mismatch (remote %x <=> local %x)"), flags, curflags ());
-#endif
   else if (challengelen != sizeof (rsachallenge))
     slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
   else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
     slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
   else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
     {
       connection *r = vpn->find_router ();
       if (r)
         {
-          slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
+          slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s (%s)"),
-                conf->nodename, r->conf->nodename);
+                conf->nodename, r->conf->nodename, (const char *)r->si);
           return r->si;
         }
       else
         slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
               conf->nodename);
 }
 void
 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
 {
-  bool ok;
+  if (!vpn->send_vpn_packet (pkt, si, tos))
-  switch (si.prot)
-    {
-      case PROT_IPv4:
-        ok = vpn->send_ipv4_packet (pkt, si, tos); break;
-      case PROT_UDPv4:
-        ok = vpn->send_udpv4_packet (pkt, si, tos); break;
-#if ENABLE_TCP
-      case PROT_TCPv4:
-        ok = vpn->send_tcpv4_packet (pkt, si, tos); break;
-#endif
-#if ENABLE_ICMP
-      case PROT_ICMPv4:
-        ok = vpn->send_icmpv4_packet (pkt, si, tos); break;
-#endif
-#if ENABLE_DNS
-      case PROT_DNSv4:
-        ok = send_dnsv4_packet (pkt, si, tos); break;
-#endif
-      default:
-        slog (L_CRIT, _("%s: FATAL: trying to send packet with unsupported protocol"), (const char *)si);
-        ok = false;
-    }
-  if (!ok)
     reset_connection ();
 }
 void
 connection::send_ping (const sockinfo &si, u8 pong)
       && conf != THISNODE
       && connectmode != conf_node::C_NEVER
       && connectmode != conf_node::C_DISABLED
       && NOW > w.at)
     {
-      double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
+      w.at = TSTAMP_MAX; // first disable this watcher in case of recursion
-      if (retry_int < conf->max_retry)
+      double retry_int = double (retry_cnt & 3
-        retry_cnt++;
+                                 ? (retry_cnt & 3) + 1
-      else
+                                 : 1 << (retry_cnt >> 2));
-        retry_int = conf->max_retry;
-      w.start (NOW + retry_int);
       reset_si ();
+      bool slow = si.prot & PROT_SLOW;
       if (si.prot && !si.host)
         vpn->send_connect_request (conf->id);
       else
         {
           const sockinfo &dsi = forward_si (si);
+          slow = slow || (dsi.prot & PROT_SLOW);
           if (dsi.valid () && auth_rate_limiter.can (dsi))
             {
               if (retry_cnt < 4)
                 send_auth_request (dsi, true);
               else
                 send_ping (dsi, 0);
             }
         }
+      retry_int *= slow ? 8. : 0.7;
+      if (retry_int < conf->max_retry)
+        retry_cnt++;
+      else
+        retry_int = conf->max_retry;
+      w.start (NOW + retry_int);
     }
 }
 void
 connection::reset_connection ()
     {
       slog (L_INFO, _("%s(%s): connection lost"),
             conf->nodename, (const char *)si);
       if (::conf.script_node_down)
-        run_script (run_script_cb (this, &connection::script_node_down), false);
+        if (!run_script (run_script_cb (this, &connection::script_node_down), false))
+          slog (L_WARN, _("node-down command execution failed, continuing."));
     }
   delete ictx; ictx = 0;
   delete octx; octx = 0;
 #if ENABLE_DNS
 {
   if (ictx && octx)
     send_data_packet (pkt);
   else
     {
-      if (!broadcast)//DDDD
+      if (!broadcast)
         data_queue.put (new tap_packet (*pkt));
       establish_connection ();
     }
 }
                     delete octx;
                     octx   = new crypto_ctx (k, 1);
                     oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
-                    // compatibility code, remove when no longer required
-                    if (p->flags & 1) p->features |= FEATURE_COMPRESSION;
                     conf->protocols = p->protocols;
                     features = p->features & config_packet::get_features ();
                     send_auth_response (rsi, p->id, k);
                           slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
                                 conf->nodename, (const char *)rsi,
                                 p->prot_major, p->prot_minor);
                           if (::conf.script_node_up)
-                            run_script (run_script_cb (this, &connection::script_node_up), false);
+                            if (!run_script (run_script_cb (this, &connection::script_node_up), false))
+                              slog (L_WARN, _("node-up command execution failed, continuing."));
                           break;
                         }
                       else
                         slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
                   {
                     vpn->tap->send (d);
                     if (si != rsi)
                       {
-                        // fast re-sync on connection changes, useful especially for tcp/ip
+                        // fast re-sync on source address changes, useful especially for tcp/ip
                         si = rsi;
                         slog (L_INFO, _("%s(%s): socket address changed to %s"),
                               conf->nodename, (const char *)si, (const char *)rsi);
                       }
       case vpn_packet::PT_CONNECT_REQ:
         if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
           {
             connect_req_packet *p = (connect_req_packet *) pkt;
-            assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
+            if (p->id > 0 && p->id <= vpn->conns.size ())
-            connection *c = vpn->conns[p->id - 1];
-            conf->protocols = p->protocols;
-            slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
-                           conf->id, p->id, c->ictx && c->octx);
-            if (c->ictx && c->octx)
               {
+                connection *c = vpn->conns[p->id - 1];
+                conf->protocols = p->protocols;
+                slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
+                               conf->id, p->id, c->ictx && c->octx);
+                if (c->ictx && c->octx)
+                  {
-                // send connect_info packets to both sides, in case one is
+                    // send connect_info packets to both sides, in case one is
-                // behind a nat firewall (or both ;)
+                    // behind a nat firewall (or both ;)
-                c->send_connect_info (conf->id, si, conf->protocols);
+                    c->send_connect_info (conf->id, si, conf->protocols);
-                send_connect_info (c->conf->id, c->si, c->conf->protocols);
+                    send_connect_info (c->conf->id, c->si, c->conf->protocols);
+                  }
+                else
+                  c->establish_connection ();
               }
             else
-              c->establish_connection ();
+              slog (L_WARN,
+                    _("received authenticated connection request from unknown node #%d, config file mismatch?"),
+                    p->id);
           }
         break;
       case vpn_packet::PT_CONNECT_INFO:
         if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
           {
             connect_info_packet *p = (connect_info_packet *)pkt;
-            if (p->id > 0 && p->id <= vpn->conns.size ()) // hmac-auth does not mean we accept anything
+            if (p->id > 0 && p->id <= vpn->conns.size ())
               {
                 connection *c = vpn->conns[p->id - 1];
                 c->conf->protocols = p->protocols;
                 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
                 const sockinfo &dsi = forward_si (p->si);
                 if (dsi.valid ())
                   c->send_auth_request (dsi, true);
               }
+            else
+              slog (L_WARN,
+                    _("received authenticated connection request from unknown node #%d, config file mismatch?"),
+                    p->id);
           }
         break;
       default:
   send_vpn_packet (p, si);
   delete p;
 }
+void connection::script_init_env (const char *ext)
+{
+  char *env;
+  asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
+  asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
+  asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
+            0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
+            conf->id & 0xff); putenv (env);
+}
-void connection::script_node ()
+void connection::script_init_connect_env ()
 {
-  vpn->script_if_up ();
+  vpn->script_init_env ();
   char *env;
   asprintf (&env, "DESTID=%d",   conf->id); putenv (env);
   asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
   asprintf (&env, "DESTIP=%s",   si.ntoa ()); putenv (env);
   asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
 }
 const char *connection::script_node_up ()
 {
-  script_node ();
+  script_init_connect_env ();
   putenv ("STATE=up");
+  char *filename;
+  asprintf (&filename,
+            "%s/%s",
+            confbase,
-  return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
+            ::conf.script_node_up ? ::conf.script_node_up : "node-up");
+  return filename;
 }
 const char *connection::script_node_down ()
 {
-  script_node ();
+  script_init_connect_env ();
   putenv ("STATE=down");
-  return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
+  char *filename;
+  asprintf (&filename,
+            "%s/%s",
+            confbase,
+            ::conf.script_node_down ? ::conf.script_node_down : "node-down");
+  return filename;
 }
 connection::connection (struct vpn *vpn, conf_node *conf)
 : vpn(vpn), conf(conf)
 , rekey (this, &connection::rekey_cb)

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/src/connection.C (file contents): Revision 1.45 by pcg, Fri Mar 4 09:36:45 2005 UTC vs. Revision 1.57 by pcg, Thu Jul 7 14:41:51 2005 UTC

Diff Legend

Comparing gvpe/src/connection.C (file contents):
Revision 1.45 by pcg, Fri Mar 4 09:36:45 2005 UTC vs.
Revision 1.57 by pcg, Thu Jul 7 14:41:51 2005 UTC