[ViewVC] Diff of: cvs/gvpe/src/connection.C

Comparing gvpe/src/connection.C (file contents):
Revision 1.6 by pcg, Sat Apr 5 02:32:40 2003 UTC vs.
Revision 1.22 by pcg, Thu Oct 16 02:41:21 2003 UTC

…		…
1	/*	1	/*
2	connection.C -- manage a single connection	2	connection.C -- manage a single connection
		3	Copyright (C) 2003 Marc Lehmann <pcg@goof.com>
3		4
4	This program is free software; you can redistribute it and/or modify	5	This program is free software; you can redistribute it and/or modify
5	it under the terms of the GNU General Public License as published by	6	it under the terms of the GNU General Public License as published by
6	the Free Software Foundation; either version 2 of the License, or	7	the Free Software Foundation; either version 2 of the License, or
7	(at your option) any later version.	8	(at your option) any later version.
35	#include "slog.h"	36	#include "slog.h"
36	#include "device.h"	37	#include "device.h"
37	#include "vpn.h"	38	#include "vpn.h"
38	#include "connection.h"	39	#include "connection.h"
39		40
		41	#include "netcompat.h"
		42
40	#if !HAVE_RAND_PSEUDO_BYTES	43	#if !HAVE_RAND_PSEUDO_BYTES
41	# define RAND_pseudo_bytes RAND_bytes	44	# define RAND_pseudo_bytes RAND_bytes
42	#endif	45	#endif
43		46
44	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic	47	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
…		…
147	}	150	}
148	}	151	}
149		152
150	//////////////////////////////////////////////////////////////////////////////	153	//////////////////////////////////////////////////////////////////////////////
151		154
152	void pkt_queue::put (tap_packet *p)	155	void pkt_queue::put (net_packet *p)
153	{	156	{
154	if (queue[i])	157	if (queue[i])
155	{	158	{
156	delete queue[i];	159	delete queue[i];
157	j = (j + 1) % QUEUEDEPTH;	160	j = (j + 1) % QUEUEDEPTH;
…		…
160	queue[i] = p;	163	queue[i] = p;
161		164
162	i = (i + 1) % QUEUEDEPTH;	165	i = (i + 1) % QUEUEDEPTH;
163	}	166	}
164		167
165	tap_packet *pkt_queue::get ()	168	net_packet *pkt_queue::get ()
166	{	169	{
167	tap_packet *p = queue[j];	170	net_packet *p = queue[j];
168		171
169	if (p)	172	if (p)
170	{	173	{
171	queue[j] = 0;	174	queue[j] = 0;
172	j = (j + 1) % QUEUEDEPTH;	175	j = (j + 1) % QUEUEDEPTH;
…		…
197	// only do action once every x seconds per host whole allowing bursts.	200	// only do action once every x seconds per host whole allowing bursts.
198	// this implementation ("splay list" ;) is inefficient,	201	// this implementation ("splay list" ;) is inefficient,
199	// but low on resources.	202	// but low on resources.
200	struct net_rate_limiter : list<net_rateinfo>	203	struct net_rate_limiter : list<net_rateinfo>
201	{	204	{
202	static const double ALPHA = 1. - 1. / 90.; // allow bursts	205	static const double ALPHA = 1. - 1. / 600.; // allow bursts
203	static const double CUTOFF = 20.; // one event every CUTOFF seconds	206	static const double CUTOFF = 10.; // one event every CUTOFF seconds
204	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time	207	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
		208	static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205		209
206	bool can (const sockinfo &si) { return can((u32)si.host); }	210	bool can (const sockinfo &si) { return can((u32)si.host); }
207	bool can (u32 host);	211	bool can (u32 host);
208	};	212	};
209		213
210	net_rate_limiter auth_rate_limiter, reset_rate_limiter;	214	net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211		215
…		…
225	{	229	{
226	net_rateinfo ri;	230	net_rateinfo ri;
227		231
228	ri.host = host;	232	ri.host = host;
229	ri.pcnt = 1.;	233	ri.pcnt = 1.;
230	ri.diff = CUTOFF * (1. / (1. - ALPHA));	234	ri.diff = MAXDIF;
231	ri.last = NOW;	235	ri.last = NOW;
232		236
233	push_front (ri);	237	push_front (ri);
234		238
235	return true;	239	return true;
…		…
242	ri.pcnt = ri.pcnt * ALPHA;	246	ri.pcnt = ri.pcnt * ALPHA;
243	ri.diff = ri.diff * ALPHA + (NOW - ri.last);	247	ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244		248
245	ri.last = NOW;	249	ri.last = NOW;
246		250
		251	double dif = ri.diff / ri.pcnt;
		252
247	bool send = ri.diff / ri.pcnt > CUTOFF;	253	bool send = dif > CUTOFF;
248		254
		255	if (dif > MAXDIF)
		256	{
		257	ri.pcnt = 1.;
		258	ri.diff = MAXDIF;
		259	}
249	if (send)	260	else if (send)
250	ri.pcnt++;	261	ri.pcnt++;
251		262
252	push_front (ri);	263	push_front (ri);
253		264
254	return send;	265	return send;
…		…
467	set_hdr (type, dst);	478	set_hdr (type, dst);
468	}	479	}
469		480
470	bool config_packet::chk_config () const	481	bool config_packet::chk_config () const
471	{	482	{
472	return prot_major == PROTOCOL_MAJOR	483	if (prot_major != PROTOCOL_MAJOR)
473	&& randsize == RAND_SIZE	484	slog (L_WARN, _("major version mismatch (%d <=> %d)"), prot_major, PROTOCOL_MAJOR);
474	&& hmaclen == HMACLENGTH	485	else if (randsize != RAND_SIZE)
475	&& flags == curflags ()	486	slog (L_WARN, _("rand size mismatch (%d <=> %d)"), randsize, RAND_SIZE);
		487	else if (hmaclen != HMACLENGTH)
		488	slog (L_WARN, _("hmac length mismatch (%d <=> %d)"), hmaclen, HMACLENGTH);
		489	else if (flags != curflags ())
		490	slog (L_WARN, _("flag mismatch (%x <=> %x)"), flags, curflags ());
476	&& challengelen == sizeof (rsachallenge)	491	else if (challengelen != sizeof (rsachallenge))
		492	slog (L_WARN, _("challenge length mismatch (%d <=> %d)"), challengelen, sizeof (rsachallenge));
477	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))	493	else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
		494	slog (L_WARN, _("cipher mismatch (%x <=> %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478	&& digest_nid == htonl (EVP_MD_type (RSA_HASH))	495	else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
		496	slog (L_WARN, _("digest mismatch (%x <=> %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479	&& hmac_nid == htonl (EVP_MD_type (DIGEST));	497	else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
		498	slog (L_WARN, _("hmac mismatch (%x <=> %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
		499	else
		500	return true;
		501
		502	return false;
480	}	503	}
481		504
482	struct auth_req_packet : config_packet	505	struct auth_req_packet : config_packet
483	{	506	{
484	char magic[8];	507	char magic[8];
…		…
546	};	569	};
547		570
548	/////////////////////////////////////////////////////////////////////////////	571	/////////////////////////////////////////////////////////////////////////////
549		572
550	void	573	void
		574	connection::connection_established ()
		575	{
		576	if (ictx && octx)
		577	{
		578	connectmode = conf->connectmode;
		579
		580	rekey.start (NOW + ::conf.rekey);
		581	keepalive.start (NOW + ::conf.keepalive);
		582
		583	// send queued packets
		584	if (ictx && octx)
		585	{
		586	while (tap_packet p = (tap_packet )data_queue.get ())
		587	{
		588	send_data_packet (p);
		589	delete p;
		590	}
		591
		592	while (vpn_packet p = (vpn_packet )vpn_queue.get ())
		593	{
		594	send_vpn_packet (p, si, IPTOS_RELIABILITY);
		595	delete p;
		596	}
		597	}
		598	}
		599	else
		600	{
		601	retry_cnt = 0;
		602	establish_connection.start (NOW + 5);
		603	keepalive.reset ();
		604	rekey.reset ();
		605	}
		606	}
		607
		608	void
551	connection::reset_dstaddr ()	609	connection::reset_si ()
552	{	610	{
553	protocol = best_protocol (THISNODE->protocols & conf->protocols);	611	protocol = best_protocol (THISNODE->protocols & conf->protocols);
554		612
555	// mask out protocols we cannot establish	613	// mask out protocols we cannot establish
556	if (!conf->udp_port) protocol &= ~PROT_UDPv4;	614	if (!conf->udp_port) protocol &= ~PROT_UDPv4;
557	if (!conf->tcp_port) protocol &= ~PROT_TCPv4;	615	if (!conf->tcp_port) protocol &= ~PROT_TCPv4;
558		616
559	si.set (conf, protocol);	617	si.set (conf, protocol);
560	}	618	}
561		619
		620	// ensure sockinfo is valid, forward if necessary
		621	const sockinfo &
		622	connection::forward_si (const sockinfo &si) const
		623	{
		624	if (!si.valid ())
		625	{
		626	connection *r = vpn->find_router ();
		627
		628	if (r)
		629	{
		630	slog (L_DEBUG, _("%s: no common protocol, trying indirectly through %s"),
		631	conf->nodename, r->conf->nodename);
		632	return r->si;
		633	}
		634	else
		635	slog (L_DEBUG, _("%s: node unreachable, no common protocol"),
		636	conf->nodename);
		637	}
		638
		639	return si;
		640	}
		641
		642	void
		643	connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
		644	{
		645	if (!vpn->send_vpn_packet (pkt, si, tos))
		646	reset_connection ();
		647	}
		648
562	void	649	void
563	connection::send_ping (const sockinfo &si, u8 pong)	650	connection::send_ping (const sockinfo &si, u8 pong)
564	{	651	{
565	ping_packet *pkt = new ping_packet;	652	ping_packet *pkt = new ping_packet;
566		653
567	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);	654	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
568	vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY);	655	send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
569		656
570	delete pkt;	657	delete pkt;
571	}	658	}
572		659
573	void	660	void
…		…
576	if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)	663	if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
577	{	664	{
578	config_packet *pkt = new config_packet;	665	config_packet *pkt = new config_packet;
579		666
580	pkt->setup (vpn_packet::PT_RESET, conf->id);	667	pkt->setup (vpn_packet::PT_RESET, conf->id);
581	vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST);	668	send_vpn_packet (pkt, si, IPTOS_MINCOST);
582		669
583	delete pkt;	670	delete pkt;
584	}	671	}
585	}	672	}
586		673
…		…
598	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))	685	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
599	fatal ("RSA_public_encrypt error");	686	fatal ("RSA_public_encrypt error");
600		687
601	slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);	688	slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
602		689
603	vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly	690	send_vpn_packet (pkt, si, IPTOS_RELIABILITY \| IPTOS_LOWDELAY); // rsa is very very costly
604		691
605	delete pkt;	692	delete pkt;
606	}	693	}
607		694
608	void	695	void
…		…
616		703
617	pkt->hmac_set (octx);	704	pkt->hmac_set (octx);
618		705
619	slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);	706	slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
620		707
621	vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly	708	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
622		709
623	delete pkt;	710	delete pkt;
624	}	711	}
625		712
626	void	713	void
…		…
630	conf->id, rid, (const char *)rsi);	717	conf->id, rid, (const char *)rsi);
631		718
632	connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);	719	connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
633		720
634	r->hmac_set (octx);	721	r->hmac_set (octx);
635	vpn->send_vpn_packet (r, si);	722	send_vpn_packet (r, si);
636		723
637	delete r;	724	delete r;
638	}	725	}
639		726
640	void	727	void
…		…
651	if (retry_int < 3600 * 8)	738	if (retry_int < 3600 * 8)
652	retry_cnt++;	739	retry_cnt++;
653		740
654	w.at = NOW + retry_int;	741	w.at = NOW + retry_int;
655		742
656	if (conf->hostname)	743	reset_si ();
		744
		745	if (si.prot && !si.host)
		746	vpn->send_connect_request (conf->id);
		747	else
657	{	748	{
658	reset_dstaddr ();	749	const sockinfo &dsi = forward_si (si);
659		750
660	if (si.valid () && auth_rate_limiter.can (si))	751	if (dsi.valid () && auth_rate_limiter.can (dsi))
661	{	752	{
662	if (retry_cnt < 4)	753	if (retry_cnt < 4)
663	send_auth_request (si, true);	754	send_auth_request (dsi, true);
664	else	755	else
665	send_ping (si, 0);	756	send_ping (dsi, 0);
666	}	757	}
667	}	758	}
668	else
669	vpn->connect_request (conf->id);
670	}	759	}
671	}	760	}
672		761
673	void	762	void
674	connection::reset_connection ()	763	connection::reset_connection ()
…		…
712	reset_connection ();	801	reset_connection ();
713	establish_connection ();	802	establish_connection ();
714	}	803	}
715		804
716	void	805	void
717	connection::send_data_packet (tap_packet *pkt, bool broadcast)	806	connection::send_data_packet (tap_packet *pkt)
718	{	807	{
719	vpndata_packet *p = new vpndata_packet;	808	vpndata_packet *p = new vpndata_packet;
720	int tos = 0;	809	int tos = 0;
721		810
722	if (conf->inherit_tos	811	// I am not hilarious about peeking into packets, but so be it.
723	&& (pkt)[12] == 0x08 && (pkt)[13] == 0x00 // IP	812	if (conf->inherit_tos && pkt->is_ipv4 ())
724	&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4
725	tos = (*pkt)[15] & IPTOS_TOS_MASK;	813	tos = (*pkt)[15] & IPTOS_TOS_MASK;
726		814
727	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs	815	p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
728	vpn->send_vpn_packet (p, si, tos);	816	send_vpn_packet (p, si, tos);
729		817
730	delete p;	818	delete p;
731		819
732	if (oseqno > MAX_SEQNO)	820	if (oseqno > MAX_SEQNO)
733	rekey ();	821	rekey ();
734	}	822	}
735		823
736	void	824	void
737	connection::inject_data_packet (tap_packet *pkt, bool broadcast)	825	connection::inject_data_packet (tap_packet pkt, bool broadcast/TODO DDD*/)
738	{	826	{
739	if (ictx && octx)	827	if (ictx && octx)
740	send_data_packet (pkt, broadcast);	828	send_data_packet (pkt);
741	else	829	else
742	{	830	{
743	if (!broadcast)//DDDD	831	if (!broadcast)//DDDD
744	queue.put (new tap_packet (*pkt));	832	data_queue.put (new tap_packet (*pkt));
		833
		834	establish_connection ();
		835	}
		836	}
		837
		838	void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
		839	{
		840	if (ictx && octx)
		841	send_vpn_packet (pkt, si, tos);
		842	else
		843	{
		844	vpn_queue.put (new vpn_packet (*pkt));
745		845
746	establish_connection ();	846	establish_connection ();
747	}	847	}
748	}	848	}
749		849
…		…
811	rsachallenge k;	911	rsachallenge k;
812		912
813	if (0 > RSA_private_decrypt (sizeof (p->encr),	913	if (0 > RSA_private_decrypt (sizeof (p->encr),
814	(unsigned char )&p->encr, (unsigned char )&k,	914	(unsigned char )&p->encr, (unsigned char )&k,
815	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))	915	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
816	slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),	916	slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
817	conf->nodename, (const char *)rsi);	917	conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
818	else	918	else
819	{	919	{
820	retry_cnt = 0;
821	establish_connection.start (NOW + 8); //? ;)
822	keepalive.reset ();
823	rekey.reset ();
824
825	delete ictx;
826	ictx = 0;
827
828	delete octx;	920	delete octx;
829		921
830	octx = new crypto_ctx (k, 1);	922	octx = new crypto_ctx (k, 1);
831	oseqno = ntohl ((u32 )&k[CHG_SEQNO]) & 0x7fffffff;	923	oseqno = ntohl ((u32 )&k[CHG_SEQNO]) & 0x7fffffff;
832		924
833	conf->protocols = p->protocols;	925	conf->protocols = p->protocols;
		926
834	send_auth_response (rsi, p->id, k);	927	send_auth_response (rsi, p->id, k);
		928
		929	connection_established ();
835		930
836	break;	931	break;
837	}	932	}
838	}	933	}
		934	else
		935	slog (L_WARN, _("%s(%s): protocol mismatch"),
		936	conf->nodename, (const char *)rsi);
839		937
840	send_reset (rsi);	938	send_reset (rsi);
841	}	939	}
842		940
843	break;	941	break;
…		…
856	PROTOCOL_MINOR, conf->nodename, p->prot_minor);	954	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
857		955
858	rsachallenge chg;	956	rsachallenge chg;
859		957
860	if (!rsa_cache.find (p->id, chg))	958	if (!rsa_cache.find (p->id, chg))
		959	{
861	slog (L_ERR, _("%s(%s): unrequested auth response"),	960	slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
862	conf->nodename, (const char *)rsi);	961	conf->nodename, (const char *)rsi);
		962	break;
		963	}
863	else	964	else
864	{	965	{
865	crypto_ctx *cctx = new crypto_ctx (chg, 0);	966	crypto_ctx *cctx = new crypto_ctx (chg, 0);
866		967
867	if (!p->hmac_chk (cctx))	968	if (!p->hmac_chk (cctx))
		969	{
868	slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"	970	slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
869	"could be an attack, or just corruption or an synchronization error"),	971	"could be an attack, or just corruption or an synchronization error"),
870	conf->nodename, (const char *)rsi);	972	conf->nodename, (const char *)rsi);
		973	break;
		974	}
871	else	975	else
872	{	976	{
873	rsaresponse h;	977	rsaresponse h;
874		978
875	rsa_hash (p->id, chg, h);	979	rsa_hash (p->id, chg, h);
…		…
881	delete ictx; ictx = cctx;	985	delete ictx; ictx = cctx;
882		986
883	iseqno.reset (ntohl ((u32 )&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid	987	iseqno.reset (ntohl ((u32 )&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
884		988
885	si = rsi;	989	si = rsi;
		990	protocol = rsi.prot;
886		991
887	rekey.start (NOW + ::conf.rekey);	992	connection_established ();
888	keepalive.start (NOW + ::conf.keepalive);
889		993
890	// send queued packets
891	while (tap_packet *p = queue.get ())
892	{
893	send_data_packet (p);
894	delete p;
895	}
896
897	connectmode = conf->connectmode;
898
899	slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),	994	slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
900	conf->nodename, (const char *)rsi,	995	conf->nodename, (const char *)rsi,
901	strprotocol (protocol),
902	p->prot_major, p->prot_minor);	996	p->prot_major, p->prot_minor);
903		997
904	if (::conf.script_node_up)	998	if (::conf.script_node_up)
905	run_script (run_script_cb (this, &connection::script_node_up), false);	999	run_script (run_script_cb (this, &connection::script_node_up), false);
906		1000
…		…
929		1023
930	if (ictx && octx)	1024	if (ictx && octx)
931	{	1025	{
932	vpndata_packet p = (vpndata_packet )pkt;	1026	vpndata_packet p = (vpndata_packet )pkt;
933		1027
934	if (rsi == si)	1028	if (!p->hmac_chk (ictx))
		1029	slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
		1030	"could be an attack, or just corruption or an synchronization error"),
		1031	conf->nodename, (const char *)rsi);
		1032	else
935	{	1033	{
936	if (!p->hmac_chk (ictx))
937	slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
938	"could be an attack, or just corruption or an synchronization error"),
939	conf->nodename, (const char *)rsi);
940	else	1034	u32 seqno;
		1035	tap_packet *d = p->unpack (this, seqno);
		1036
		1037	if (iseqno.recv_ok (seqno))
941	{	1038	{
942	u32 seqno;	1039	vpn->tap->send (d);
943	tap_packet *d = p->unpack (this, seqno);
944		1040
945	if (iseqno.recv_ok (seqno))	1041	if (si != rsi)
946	{	1042	{
947	vpn->tap->send (d);	1043	// fast re-sync on connection changes, useful especially for tcp/ip
948
949	if (p->dst () == 0) // re-broadcast
950	for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
951	{
952	connection c = i;
953
954	if (c->conf != THISNODE && c->conf != conf)
955	c->inject_data_packet (d);
956	}
957
958	delete d;
959
960	break;	1044	si = rsi;
		1045
		1046	slog (L_INFO, _("%s(%s): socket address changed to %s"),
		1047	conf->nodename, (const char )si, (const char )rsi);
961	}	1048	}
		1049
		1050	delete d;
		1051
		1052	break;
962	}	1053	}
963	}	1054	}
964	else
965	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
966	}	1055	}
967		1056
968	send_reset (rsi);	1057	send_reset (rsi);
969	break;	1058	break;
970		1059
…		…
972	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))	1061	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
973	{	1062	{
974	connect_req_packet p = (connect_req_packet ) pkt;	1063	connect_req_packet p = (connect_req_packet ) pkt;
975		1064
976	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything	1065	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
		1066	connection *c = vpn->conns[p->id - 1];
977	conf->protocols = p->protocols;	1067	conf->protocols = p->protocols;
978	connection *c = vpn->conns[p->id - 1];
979		1068
980	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",	1069	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
981	conf->id, p->id, c->ictx && c->octx);	1070	conf->id, p->id, c->ictx && c->octx);
982		1071
983	if (c->ictx && c->octx)	1072	if (c->ictx && c->octx)
…		…
985	// send connect_info packets to both sides, in case one is	1074	// send connect_info packets to both sides, in case one is
986	// behind a nat firewall (or both ;)	1075	// behind a nat firewall (or both ;)
987	c->send_connect_info (conf->id, si, conf->protocols);	1076	c->send_connect_info (conf->id, si, conf->protocols);
988	send_connect_info (c->conf->id, c->si, c->conf->protocols);	1077	send_connect_info (c->conf->id, c->si, c->conf->protocols);
989	}	1078	}
		1079	else
		1080	c->establish_connection ();
990	}	1081	}
991		1082
992	break;	1083	break;
993		1084
994	case vpn_packet::PT_CONNECT_INFO:	1085	case vpn_packet::PT_CONNECT_INFO:
995	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))	1086	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
996	{	1087	{
997	connect_info_packet p = (connect_info_packet ) pkt;	1088	connect_info_packet p = (connect_info_packet ) pkt;
998		1089
999	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything	1090	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1000	conf->protocols = p->protocols;	1091
1001	connection *c = vpn->conns[p->id - 1];	1092	connection *c = vpn->conns[p->id - 1];
		1093
		1094	c->conf->protocols = p->protocols;
		1095	protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
		1096	p->si.upgrade_protocol (protocol, c->conf);
1002		1097
1003	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",	1098	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1004	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);	1099	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1005		1100
		1101	const sockinfo &dsi = forward_si (p->si);
		1102
		1103	if (dsi.valid ())
1006	c->send_auth_request (p->si, true);	1104	c->send_auth_request (dsi, true);
1007	}	1105	}
1008		1106
1009	break;	1107	break;
1010		1108
1011	default:	1109	default:
…		…
1027	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)	1125	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)
1028	{	1126	{
1029	send_ping (si);	1127	send_ping (si);
1030	w.at = NOW + 5;	1128	w.at = NOW + 5;
1031	}	1129	}
		1130	else if (NOW < last_activity + ::conf.keepalive + 10)
		1131	// hold ondemand connections implicitly a few seconds longer
		1132	// should delete octx, though, or something like that ;)
		1133	w.at = last_activity + ::conf.keepalive + 10;
1032	else	1134	else
1033	reset_connection ();	1135	reset_connection ();
1034	}	1136	}
1035		1137
1036	void connection::connect_request (int id)	1138	void connection::send_connect_request (int id)
1037	{	1139	{
1038	connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);	1140	connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1039		1141
1040	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);	1142	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1041	p->hmac_set (octx);	1143	p->hmac_set (octx);
1042	vpn->send_vpn_packet (p, si);	1144	send_vpn_packet (p, si);
1043		1145
1044	delete p;	1146	delete p;
1045	}	1147	}
1046		1148
1047	void connection::script_node ()	1149	void connection::script_node ()

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/src/connection.C (file contents): Revision 1.6 by pcg, Sat Apr 5 02:32:40 2003 UTC vs. Revision 1.22 by pcg, Thu Oct 16 02:41:21 2003 UTC

Diff Legend

Comparing gvpe/src/connection.C (file contents):
Revision 1.6 by pcg, Sat Apr 5 02:32:40 2003 UTC vs.
Revision 1.22 by pcg, Thu Oct 16 02:41:21 2003 UTC