ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.1 by pcg, Wed Apr 2 03:06:22 2003 UTC vs.
Revision 1.6 by pcg, Sat Apr 5 02:32:40 2003 UTC

22# include "lzf/lzf.h" 22# include "lzf/lzf.h"
23} 23}
24 24
25#include <list> 25#include <list>
26 26
27#include <openssl/rand.h>
28#include <openssl/evp.h>
29#include <openssl/rsa.h>
30#include <openssl/err.h>
31
27#include "gettext.h" 32#include "gettext.h"
28 33
29#include "conf.h" 34#include "conf.h"
30#include "slog.h" 35#include "slog.h"
31#include "device.h" 36#include "device.h"
32#include "protocol.h" 37#include "vpn.h"
33#include "connection.h" 38#include "connection.h"
34 39
35#if !HAVE_RAND_PSEUDO_BYTES 40#if !HAVE_RAND_PSEUDO_BYTES
36# define RAND_pseudo_bytes RAND_bytes 41# define RAND_pseudo_bytes RAND_bytes
37#endif 42#endif
80 rsachallenge chg; 85 rsachallenge chg;
81}; 86};
82 87
83struct rsa_cache : list<rsa_entry> 88struct rsa_cache : list<rsa_entry>
84{ 89{
85 void cleaner_cb (tstamp &ts); time_watcher cleaner; 90 void cleaner_cb (time_watcher &w); time_watcher cleaner;
86 91
87 bool find (const rsaid &id, rsachallenge &chg) 92 bool find (const rsaid &id, rsachallenge &chg)
88 { 93 {
89 for (iterator i = begin (); i != end (); ++i) 94 for (iterator i = begin (); i != end (); ++i)
90 { 95 {
124 : cleaner (this, &rsa_cache::cleaner_cb) 129 : cleaner (this, &rsa_cache::cleaner_cb)
125 { } 130 { }
126 131
127} rsa_cache; 132} rsa_cache;
128 133
129void rsa_cache::cleaner_cb (tstamp &ts) 134void rsa_cache::cleaner_cb (time_watcher &w)
130{ 135{
131 if (empty ()) 136 if (empty ())
132 ts = TSTAMP_CANCEL; 137 w.at = TSTAMP_CANCEL;
133 else 138 else
134 { 139 {
135 ts = NOW + RSA_TTL; 140 w.at = NOW + RSA_TTL;
136 141
137 for (iterator i = begin (); i != end (); ) 142 for (iterator i = begin (); i != end (); )
138 if (i->expire <= NOW) 143 if (i->expire <= NOW)
139 i = erase (i); 144 i = erase (i);
140 else 145 else
280 hmac_gen (ctx); 285 hmac_gen (ctx);
281 286
282 return !memcmp (hmac, hmac_digest, HMACLENGTH); 287 return !memcmp (hmac, hmac_digest, HMACLENGTH);
283} 288}
284 289
285void vpn_packet::set_hdr (ptype type, unsigned int dst) 290void vpn_packet::set_hdr (ptype type_, unsigned int dst)
286{ 291{
287 this->type = type; 292 type = type_;
288 293
289 int src = THISNODE->id; 294 int src = THISNODE->id;
290 295
291 src1 = src; 296 src1 = src;
292 srcdst = ((src >> 8) << 4) | (dst >> 8); 297 srcdst = ((src >> 8) << 4) | (dst >> 8);
543///////////////////////////////////////////////////////////////////////////// 548/////////////////////////////////////////////////////////////////////////////
544 549
545void 550void
546connection::reset_dstaddr () 551connection::reset_dstaddr ()
547{ 552{
553 protocol = best_protocol (THISNODE->protocols & conf->protocols);
554
555 // mask out protocols we cannot establish
556 if (!conf->udp_port) protocol &= ~PROT_UDPv4;
557 if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
558
548 si.set (conf); 559 si.set (conf, protocol);
549} 560}
550 561
551void 562void
552connection::send_ping (const sockinfo &si, u8 pong) 563connection::send_ping (const sockinfo &si, u8 pong)
553{ 564{
554 ping_packet *pkt = new ping_packet; 565 ping_packet *pkt = new ping_packet;
555 566
556 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 567 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
557 send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 568 vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
558 569
559 delete pkt; 570 delete pkt;
560} 571}
561 572
562void 573void
565 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED) 576 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
566 { 577 {
567 config_packet *pkt = new config_packet; 578 config_packet *pkt = new config_packet;
568 579
569 pkt->setup (vpn_packet::PT_RESET, conf->id); 580 pkt->setup (vpn_packet::PT_RESET, conf->id);
570 send_vpn_packet (pkt, si, IPTOS_MINCOST); 581 vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST);
571 582
572 delete pkt; 583 delete pkt;
573 } 584 }
574} 585}
575 586
576void 587void
577connection::send_auth_request (const sockinfo &si, bool initiate) 588connection::send_auth_request (const sockinfo &si, bool initiate)
578{ 589{
579 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols); 590 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
580
581 protocol = best_protocol (THISNODE->protocols & conf->protocols);
582 591
583 rsachallenge chg; 592 rsachallenge chg;
584 593
585 rsa_cache.gen (pkt->id, chg); 594 rsa_cache.gen (pkt->id, chg);
586 595
589 conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) 598 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
590 fatal ("RSA_public_encrypt error"); 599 fatal ("RSA_public_encrypt error");
591 600
592 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 601 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
593 602
594 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 603 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
595 604
596 delete pkt; 605 delete pkt;
597} 606}
598 607
599void 608void
607 616
608 pkt->hmac_set (octx); 617 pkt->hmac_set (octx);
609 618
610 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 619 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
611 620
612 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 621 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
613 622
614 delete pkt; 623 delete pkt;
615} 624}
616 625
617void 626void
621 conf->id, rid, (const char *)rsi); 630 conf->id, rid, (const char *)rsi);
622 631
623 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 632 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
624 633
625 r->hmac_set (octx); 634 r->hmac_set (octx);
626 send_vpn_packet (r, si); 635 vpn->send_vpn_packet (r, si);
627 636
628 delete r; 637 delete r;
629} 638}
630 639
631void 640void
632connection::establish_connection_cb (tstamp &ts) 641connection::establish_connection_cb (time_watcher &w)
633{ 642{
634 if (ictx || conf == THISNODE 643 if (ictx || conf == THISNODE
635 || connectmode == conf_node::C_NEVER 644 || connectmode == conf_node::C_NEVER
636 || connectmode == conf_node::C_DISABLED) 645 || connectmode == conf_node::C_DISABLED)
637 ts = TSTAMP_CANCEL; 646 w.at = TSTAMP_CANCEL;
638 else if (ts <= NOW) 647 else if (w.at <= NOW)
639 { 648 {
640 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 649 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
641 650
642 if (retry_int < 3600 * 8) 651 if (retry_int < 3600 * 8)
643 retry_cnt++; 652 retry_cnt++;
644 653
645 ts = NOW + retry_int; 654 w.at = NOW + retry_int;
646 655
647 if (conf->hostname) 656 if (conf->hostname)
648 { 657 {
649 reset_dstaddr (); 658 reset_dstaddr ();
659
650 if (si.host && auth_rate_limiter.can (si)) 660 if (si.valid () && auth_rate_limiter.can (si))
651 { 661 {
652 if (retry_cnt < 4) 662 if (retry_cnt < 4)
653 send_auth_request (si, true); 663 send_auth_request (si, true);
654 else 664 else
655 send_ping (si, 0); 665 send_ping (si, 0);
693 703
694 reset_connection (); 704 reset_connection ();
695} 705}
696 706
697void 707void
698connection::rekey_cb (tstamp &ts) 708connection::rekey_cb (time_watcher &w)
699{ 709{
700 ts = TSTAMP_CANCEL; 710 w.at = TSTAMP_CANCEL;
701 711
702 reset_connection (); 712 reset_connection ();
703 establish_connection (); 713 establish_connection ();
704} 714}
705 715
713 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 723 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
714 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 724 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
715 tos = (*pkt)[15] & IPTOS_TOS_MASK; 725 tos = (*pkt)[15] & IPTOS_TOS_MASK;
716 726
717 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 727 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
718 send_vpn_packet (p, si, tos); 728 vpn->send_vpn_packet (p, si, tos);
719 729
720 delete p; 730 delete p;
721 731
722 if (oseqno > MAX_SEQNO) 732 if (oseqno > MAX_SEQNO)
723 rekey (); 733 rekey ();
745 slog (L_NOISE, "<<%d received packet type %d from %d to %d", 755 slog (L_NOISE, "<<%d received packet type %d from %d to %d",
746 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 756 conf->id, pkt->typ (), pkt->src (), pkt->dst ());
747 757
748 switch (pkt->typ ()) 758 switch (pkt->typ ())
749 { 759 {
750 case vpn_packet::PT_PING: 760 case vpn_packet::PT_PING:
751 // we send pings instead of auth packets after some retries, 761 // we send pings instead of auth packets after some retries,
752 // so reset the retry counter and establish a connection 762 // so reset the retry counter and establish a connection
753 // when we receive a ping. 763 // when we receive a ping.
754 if (!ictx) 764 if (!ictx)
765 {
766 if (auth_rate_limiter.can (rsi))
767 send_auth_request (rsi, true);
768 }
769 else
770 send_ping (rsi, 1); // pong
771
772 break;
773
774 case vpn_packet::PT_PONG:
775 break;
776
777 case vpn_packet::PT_RESET:
755 { 778 {
756 if (auth_rate_limiter.can (rsi)) 779 reset_connection ();
757 send_auth_request (rsi, true); 780
781 config_packet *p = (config_packet *) pkt;
782
783 if (!p->chk_config ())
784 {
785 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
786 conf->nodename, (const char *)rsi);
787 connectmode = conf_node::C_DISABLED;
788 }
789 else if (connectmode == conf_node::C_ALWAYS)
790 establish_connection ();
758 } 791 }
759 else
760 send_ping (rsi, 1); // pong
761
762 break; 792 break;
763 793
764 case vpn_packet::PT_PONG:
765 break;
766
767 case vpn_packet::PT_RESET: 794 case vpn_packet::PT_AUTH_REQ:
768 { 795 if (auth_rate_limiter.can (rsi))
769 reset_connection ();
770
771 config_packet *p = (config_packet *) pkt;
772
773 if (!p->chk_config ())
774 { 796 {
775 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"), 797 auth_req_packet *p = (auth_req_packet *) pkt;
798
799 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
800
801 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
802 {
803 if (p->prot_minor != PROTOCOL_MINOR)
804 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
805 conf->nodename, (const char *)rsi,
806 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
807
808 if (p->initiate)
809 send_auth_request (rsi, false);
810
811 rsachallenge k;
812
813 if (0 > RSA_private_decrypt (sizeof (p->encr),
814 (unsigned char *)&p->encr, (unsigned char *)&k,
815 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
816 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
776 conf->nodename, (const char *)rsi); 817 conf->nodename, (const char *)rsi);
777 connectmode = conf_node::C_DISABLED; 818 else
819 {
820 retry_cnt = 0;
821 establish_connection.start (NOW + 8); //? ;)
822 keepalive.reset ();
823 rekey.reset ();
824
825 delete ictx;
826 ictx = 0;
827
828 delete octx;
829
830 octx = new crypto_ctx (k, 1);
831 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
832
833 conf->protocols = p->protocols;
834 send_auth_response (rsi, p->id, k);
835
836 break;
837 }
838 }
839
840 send_reset (rsi);
778 } 841 }
779 else if (connectmode == conf_node::C_ALWAYS) 842
780 establish_connection ();
781 }
782 break; 843 break;
783 844
784 case vpn_packet::PT_AUTH_REQ: 845 case vpn_packet::PT_AUTH_RES:
785 if (auth_rate_limiter.can (rsi))
786 { 846 {
787 auth_req_packet *p = (auth_req_packet *) pkt; 847 auth_res_packet *p = (auth_res_packet *) pkt;
788 848
789 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 849 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
790 850
791 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 851 if (p->chk_config ())
792 { 852 {
793 if (p->prot_minor != PROTOCOL_MINOR) 853 if (p->prot_minor != PROTOCOL_MINOR)
794 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 854 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
795 conf->nodename, (const char *)rsi, 855 conf->nodename, (const char *)rsi,
796 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 856 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
797 857
798 if (p->initiate)
799 send_auth_request (rsi, false);
800
801 rsachallenge k; 858 rsachallenge chg;
802 859
803 if (0 > RSA_private_decrypt (sizeof (p->encr), 860 if (!rsa_cache.find (p->id, chg))
804 (unsigned char *)&p->encr, (unsigned char *)&k, 861 slog (L_ERR, _("%s(%s): unrequested auth response"),
805 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
806 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
807 conf->nodename, (const char *)rsi); 862 conf->nodename, (const char *)rsi);
808 else 863 else
809 { 864 {
810 retry_cnt = 0; 865 crypto_ctx *cctx = new crypto_ctx (chg, 0);
811 establish_connection.set (NOW + 8); //? ;) 866
812 keepalive.reset (); 867 if (!p->hmac_chk (cctx))
868 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
869 "could be an attack, or just corruption or an synchronization error"),
870 conf->nodename, (const char *)rsi);
813 rekey.reset (); 871 else
872 {
873 rsaresponse h;
814 874
875 rsa_hash (p->id, chg, h);
876
877 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
878 {
879 prot_minor = p->prot_minor;
880
881 delete ictx; ictx = cctx;
882
883 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
884
885 si = rsi;
886
887 rekey.start (NOW + ::conf.rekey);
888 keepalive.start (NOW + ::conf.keepalive);
889
890 // send queued packets
891 while (tap_packet *p = queue.get ())
892 {
893 send_data_packet (p);
894 delete p;
895 }
896
897 connectmode = conf->connectmode;
898
899 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
900 conf->nodename, (const char *)rsi,
901 strprotocol (protocol),
902 p->prot_major, p->prot_minor);
903
904 if (::conf.script_node_up)
905 run_script (run_script_cb (this, &connection::script_node_up), false);
906
907 break;
908 }
909 else
910 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
911 conf->nodename, (const char *)rsi);
912 }
913
815 delete ictx; 914 delete cctx;
816 ictx = 0;
817
818 delete octx;
819
820 octx = new crypto_ctx (k, 1);
821 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
822
823 conf->protocols = p->protocols;
824 send_auth_response (rsi, p->id, k);
825
826 break;
827 } 915 }
828 } 916 }
829
830 send_reset (rsi);
831 } 917 }
832 918
919 send_reset (rsi);
833 break; 920 break;
834 921
835 case vpn_packet::PT_AUTH_RES: 922 case vpn_packet::PT_DATA_COMPRESSED:
836 { 923#if !ENABLE_COMPRESSION
837 auth_res_packet *p = (auth_res_packet *) pkt; 924 send_reset (rsi);
925 break;
926#endif
838 927
839 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 928 case vpn_packet::PT_DATA_UNCOMPRESSED:
840 929
841 if (p->chk_config ()) 930 if (ictx && octx)
842 { 931 {
843 if (p->prot_minor != PROTOCOL_MINOR) 932 vpndata_packet *p = (vpndata_packet *)pkt;
844 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
845 conf->nodename, (const char *)rsi,
846 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
847 933
848 rsachallenge chg; 934 if (rsi == si)
849
850 if (!rsa_cache.find (p->id, chg))
851 slog (L_ERR, _("%s(%s): unrequested auth response"),
852 conf->nodename, (const char *)rsi);
853 else
854 { 935 {
855 crypto_ctx *cctx = new crypto_ctx (chg, 0);
856
857 if (!p->hmac_chk (cctx)) 936 if (!p->hmac_chk (ictx))
858 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 937 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
859 "could be an attack, or just corruption or an synchronization error"), 938 "could be an attack, or just corruption or an synchronization error"),
860 conf->nodename, (const char *)rsi); 939 conf->nodename, (const char *)rsi);
861 else 940 else
862 { 941 {
863 rsaresponse h; 942 u32 seqno;
943 tap_packet *d = p->unpack (this, seqno);
864 944
865 rsa_hash (p->id, chg, h); 945 if (iseqno.recv_ok (seqno))
866
867 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
868 { 946 {
869 prot_minor = p->prot_minor; 947 vpn->tap->send (d);
870 948
871 delete ictx; ictx = cctx; 949 if (p->dst () == 0) // re-broadcast
872 950 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
873 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
874
875 si = rsi;
876
877 rekey.set (NOW + ::conf.rekey);
878 keepalive.set (NOW + ::conf.keepalive);
879
880 // send queued packets
881 while (tap_packet *p = queue.get ())
882 { 951 {
952 connection *c = *i;
953
954 if (c->conf != THISNODE && c->conf != conf)
883 send_data_packet (p); 955 c->inject_data_packet (d);
884 delete p;
885 } 956 }
886 957
887 connectmode = conf->connectmode; 958 delete d;
888
889 slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
890 conf->nodename, (const char *)rsi,
891 strprotocol (protocol),
892 p->prot_major, p->prot_minor);
893
894 if (::conf.script_node_up)
895 run_script (run_script_cb (this, &connection::script_node_up), false);
896 959
897 break; 960 break;
898 } 961 }
899 else
900 slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
901 conf->nodename, (const char *)rsi);
902 } 962 }
963 }
964 else
965 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
966 }
903 967
904 delete cctx; 968 send_reset (rsi);
969 break;
970
971 case vpn_packet::PT_CONNECT_REQ:
972 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
973 {
974 connect_req_packet *p = (connect_req_packet *) pkt;
975
976 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
977 conf->protocols = p->protocols;
978 connection *c = vpn->conns[p->id - 1];
979
980 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
981 conf->id, p->id, c->ictx && c->octx);
982
983 if (c->ictx && c->octx)
984 {
985 // send connect_info packets to both sides, in case one is
986 // behind a nat firewall (or both ;)
987 c->send_connect_info (conf->id, si, conf->protocols);
988 send_connect_info (c->conf->id, c->si, c->conf->protocols);
905 } 989 }
906 } 990 }
907 }
908 991
909 send_reset (rsi);
910 break; 992 break;
911 993
912 case vpn_packet::PT_DATA_COMPRESSED:
913#if !ENABLE_COMPRESSION
914 send_reset (rsi);
915 break;
916#endif
917
918 case vpn_packet::PT_DATA_UNCOMPRESSED:
919
920 if (ictx && octx)
921 {
922 vpndata_packet *p = (vpndata_packet *)pkt;
923
924 if (rsi == si)
925 {
926 if (!p->hmac_chk (ictx))
927 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
928 "could be an attack, or just corruption or an synchronization error"),
929 conf->nodename, (const char *)rsi);
930 else
931 {
932 u32 seqno;
933 tap_packet *d = p->unpack (this, seqno);
934
935 if (iseqno.recv_ok (seqno))
936 {
937 vpn->tap->send (d);
938
939 if (p->dst () == 0) // re-broadcast
940 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
941 {
942 connection *c = *i;
943
944 if (c->conf != THISNODE && c->conf != conf)
945 c->inject_data_packet (d);
946 }
947
948 delete d;
949
950 break;
951 }
952 }
953 }
954 else
955 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
956 }
957
958 send_reset (rsi);
959 break;
960
961 case vpn_packet::PT_CONNECT_REQ: 994 case vpn_packet::PT_CONNECT_INFO:
962 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx)) 995 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
963 { 996 {
964 connect_req_packet *p = (connect_req_packet *) pkt; 997 connect_info_packet *p = (connect_info_packet *) pkt;
965 998
966 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything 999 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
967 conf->protocols = p->protocols; 1000 conf->protocols = p->protocols;
968 connection *c = vpn->conns[p->id - 1]; 1001 connection *c = vpn->conns[p->id - 1];
969 1002
970 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
971 conf->id, p->id, c->ictx && c->octx);
972
973 if (c->ictx && c->octx)
974 {
975 // send connect_info packets to both sides, in case one is
976 // behind a nat firewall (or both ;)
977 c->send_connect_info (conf->id, si, conf->protocols);
978 send_connect_info (c->conf->id, c->si, c->conf->protocols);
979 }
980 }
981
982 break;
983
984 case vpn_packet::PT_CONNECT_INFO:
985 if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
986 {
987 connect_info_packet *p = (connect_info_packet *) pkt;
988
989 assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
990 conf->protocols = p->protocols;
991 connection *c = vpn->conns[p->id - 1];
992
993 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1003 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
994 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1004 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
995 1005
996 c->send_auth_request (p->si, true); 1006 c->send_auth_request (p->si, true);
997 } 1007 }
998 1008
999 break; 1009 break;
1000 1010
1001 default: 1011 default:
1002 send_reset (rsi); 1012 send_reset (rsi);
1003 break; 1013 break;
1004
1005 } 1014 }
1006} 1015}
1007 1016
1008void connection::keepalive_cb (tstamp &ts) 1017void connection::keepalive_cb (time_watcher &w)
1009{ 1018{
1010 if (NOW >= last_activity + ::conf.keepalive + 30) 1019 if (NOW >= last_activity + ::conf.keepalive + 30)
1011 { 1020 {
1012 reset_connection (); 1021 reset_connection ();
1013 establish_connection (); 1022 establish_connection ();
1014 } 1023 }
1015 else if (NOW < last_activity + ::conf.keepalive) 1024 else if (NOW < last_activity + ::conf.keepalive)
1016 ts = last_activity + ::conf.keepalive; 1025 w.at = last_activity + ::conf.keepalive;
1017 else if (conf->connectmode != conf_node::C_ONDEMAND 1026 else if (conf->connectmode != conf_node::C_ONDEMAND
1018 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1027 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1019 { 1028 {
1020 send_ping (si); 1029 send_ping (si);
1021 ts = NOW + 5; 1030 w.at = NOW + 5;
1022 } 1031 }
1023 else 1032 else
1024 reset_connection (); 1033 reset_connection ();
1025} 1034}
1026 1035
1028{ 1037{
1029 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1038 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1030 1039
1031 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1040 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1032 p->hmac_set (octx); 1041 p->hmac_set (octx);
1033 send_vpn_packet (p, si); 1042 vpn->send_vpn_packet (p, si);
1034 1043
1035 delete p; 1044 delete p;
1036} 1045}
1037 1046
1038void connection::script_node () 1047void connection::script_node ()
1039{ 1048{
1040 vpn->script_if_up (0); 1049 vpn->script_if_up ();
1041 1050
1042 char *env; 1051 char *env;
1043 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1052 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1044 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env); 1053 asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1045 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env); 1054 asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1046 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env); 1055 asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1047} 1056}
1048 1057
1049const char *connection::script_node_up (int) 1058const char *connection::script_node_up ()
1050{ 1059{
1051 script_node (); 1060 script_node ();
1052 1061
1053 putenv ("STATE=up"); 1062 putenv ("STATE=up");
1054 1063
1055 return ::conf.script_node_up ? ::conf.script_node_up : "node-up"; 1064 return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1056} 1065}
1057 1066
1058const char *connection::script_node_down (int) 1067const char *connection::script_node_down ()
1059{ 1068{
1060 script_node (); 1069 script_node ();
1061 1070
1062 putenv ("STATE=down"); 1071 putenv ("STATE=down");
1063 1072
1064 return ::conf.script_node_up ? ::conf.script_node_down : "node-down"; 1073 return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1065}
1066
1067// send a vpn packet out to other hosts
1068void
1069connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1070{
1071 if (protocol & PROT_IPv4)
1072 vpn->send_ipv4_packet (pkt, si, tos);
1073 else
1074 vpn->send_udpv4_packet (pkt, si, tos);
1075} 1074}
1076 1075
1077connection::connection(struct vpn *vpn_) 1076connection::connection(struct vpn *vpn_)
1078: vpn(vpn_) 1077: vpn(vpn_)
1079, rekey (this, &connection::rekey_cb) 1078, rekey (this, &connection::rekey_cb)

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines