/cvs/gvpe/src/connection.C

Comparing gvpe/src/connection.C (file contents):
Revision 1.74 by pcg, Sun Aug 10 02:49:21 2008 UTC vs.
Revision 1.82 by pcg, Fri Aug 15 18:35:24 2008 UTC

672///////////////////////////////////////////////////////////////////////////// 672/////////////////////////////////////////////////////////////////////////////
673 673
674void 674void
675connection::connection_established () 675connection::connection_established ()
676{ 676{
677 slog (L_TRACE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx); 677 slog (L_NOISE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx);
678 678
679 if (ictx && octx) 679 if (ictx && octx)
680 { 680 {
681 // make sure rekeying timeouts are slightly asymmetric 681 // make sure rekeying timeouts are slightly asymmetric
682 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0); 682 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
760{ 760{
761 ping_packet *pkt = new ping_packet; 761 ping_packet *pkt = new ping_packet;
762 762
763 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 763 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
764 764
765 slog (L_TRACE, ">>%d %s [%s]", conf->id, pong ? "PT_PONG" : "PT_PING", (const char *)si); 765 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
766 766
767 send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 767 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
768 768
769 delete pkt; 769 delete pkt;
770} 770}
790 790
791 rsachallenge chg; 791 rsachallenge chg;
792 rsa_cache.gen (pkt->id, chg); 792 rsa_cache.gen (pkt->id, chg);
793 rsa_encrypt (conf->rsa_key, chg, pkt->encr); 793 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
794 794
795 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 795 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
796 796
797 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly 797 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
798 798
799 delete pkt; 799 delete pkt;
800} 800}
808 808
809 rsa_hash (id, chg, pkt->response); 809 rsa_hash (id, chg, pkt->response);
810 810
811 pkt->hmac_set (octx); 811 pkt->hmac_set (octx);
812 812
813 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 813 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
814 814
815 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 815 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
816 816
817 delete pkt; 817 delete pkt;
818} 818}
819 819
820void 820void
821connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 821connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
822{ 822{
823 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)", 823 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s)", conf->nodename,
824 conf->id, rid, (const char *)rsi); 824 vpn->conns[rid - 1]->conf->nodename, (const char *)rsi);
825 825
826 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 826 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
827 827
828 r->hmac_set (octx); 828 r->hmac_set (octx);
829 send_vpn_packet (r, si); 829 send_vpn_packet (r, si);
999void 999void
1000connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 1000connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1001{ 1001{
1002 last_activity = ev_now (); 1002 last_activity = ev_now ();
1003 1003
1004 slog (L_NOISE, "<<%d received packet type %d from %d to %d.", 1004 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
1005 conf->id, pkt->typ (), pkt->src (), pkt->dst ()); 1005 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1006 1006
1007 if (connectmode == conf_node::C_DISABLED) 1007 if (connectmode == conf_node::C_DISABLED)
1008 return; 1008 return;
1009 1009
1010 switch (pkt->typ ()) 1010 switch (pkt->typ ())
1011 { 1011 {
1012 case vpn_packet::PT_PING: 1012 case vpn_packet::PT_PING:
1013 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1014
1013 // we send pings instead of auth packets after some retries, 1015 // we send pings instead of auth packets after some retries,
1014 // so reset the retry counter and establish a connection 1016 // so reset the retry counter and establish a connection
1015 // when we receive a ping. 1017 // when we receive a ping.
1016 if (!ictx) 1018 if (!ictx)
1017 { 1019 {
1024 send_ping (rsi, 1); // pong 1026 send_ping (rsi, 1); // pong
1025 1027
1026 break; 1028 break;
1027 1029
1028 case vpn_packet::PT_PONG: 1030 case vpn_packet::PT_PONG:
1031 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1029 break; 1032 break;
1030 1033
1031 case vpn_packet::PT_RESET: 1034 case vpn_packet::PT_RESET:
1032 { 1035 {
1033 reset_connection (); 1036 reset_connection ();
1048 case vpn_packet::PT_AUTH_REQ: 1051 case vpn_packet::PT_AUTH_REQ:
1049 if (auth_rate_limiter.can (rsi)) 1052 if (auth_rate_limiter.can (rsi))
1050 { 1053 {
1051 auth_req_packet *p = (auth_req_packet *) pkt; 1054 auth_req_packet *p = (auth_req_packet *) pkt;
1052 1055
1053 slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate); 1056 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s)", conf->nodename, p->initiate ? "initiate" : "reply");
1054 1057
1055 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8)) 1058 if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
1056 { 1059 {
1057 if (p->prot_minor != PROTOCOL_MINOR) 1060 if (p->prot_minor != PROTOCOL_MINOR)
1058 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 1061 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1096 1099
1097 break; 1100 break;
1098 1101
1099 case vpn_packet::PT_AUTH_RES: 1102 case vpn_packet::PT_AUTH_RES:
1100 { 1103 {
1101 auth_res_packet *p = (auth_res_packet *) pkt; 1104 auth_res_packet *p = (auth_res_packet *)pkt;
1102 1105
1103 slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id); 1106 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
1104 1107
1105 if (p->chk_config ()) 1108 if (p->chk_config ())
1106 { 1109 {
1107 if (p->prot_minor != PROTOCOL_MINOR) 1110 if (p->prot_minor != PROTOCOL_MINOR)
1108 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 1111 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1143 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 1146 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1144 1147
1145 si = rsi; 1148 si = rsi;
1146 protocol = rsi.prot; 1149 protocol = rsi.prot;
1147 1150
1148 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d."), 1151 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
1149 conf->nodename, (const char *)rsi, 1152 conf->nodename, (const char *)rsi,
1153 is_direct ? "direct" : "forwarded",
1150 p->prot_major, p->prot_minor); 1154 p->prot_major, p->prot_minor);
1151 1155
1152 connection_established (); 1156 connection_established ();
1153 1157
1154 if (::conf.script_node_up) 1158 if (::conf.script_node_up)
1202 if (si != rsi) 1206 if (si != rsi)
1203 { 1207 {
1204 // fast re-sync on source address changes, useful especially for tcp/ip 1208 // fast re-sync on source address changes, useful especially for tcp/ip
1205 //if (last_si_change < ev_now () + 5.) 1209 //if (last_si_change < ev_now () + 5.)
1206 // { 1210 // {
1211 slog (L_INFO, _("%s(%s): changing socket address to %s."),
1212 conf->nodename, (const char *)si, (const char *)rsi);
1213
1207 si = rsi; 1214 si = rsi;
1208
1209 slog (L_INFO, _("%s(%s): socket address changed to %s."),
1210 conf->nodename, (const char *)si, (const char *)rsi);
1211 // } 1215 // }
1212 //else 1216 //else
1213 // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."), 1217 // slog (L_INFO, _("%s(%s): accepted packet from %s, not (yet) redirecting traffic."),
1214 // conf->nodename, (const char *)si, (const char *)rsi); 1218 // conf->nodename, (const char *)si, (const char *)rsi);
1215 } 1219 }
1216 } 1220 }
1217 else if (seqclass == 1) // silently ignore 1221 else if (seqclass == 1) // far history
1222 slog (L_ERR, _("received very old packet (received %08lx, expected %08lx). "
1223 "possible replay attack, or just packet duplication/delay, ignoring."), seqno, iseqno.seq + 1);
1224 else if (seqclass == 2) // in-window duplicate, happens often on wireless
1218 slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n" 1225 slog (L_DEBUG, _("received recent duplicated packet (received %08lx, expected %08lx). "
1219 "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1); 1226 "possible replay attack, or just packet duplication, ignoring."), seqno, iseqno.seq + 1);
1220 else if (seqclass == 2) // reset 1227 else if (seqclass == 3) // reset
1221 { 1228 {
1222 slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n" 1229 slog (L_ERR, _("received out-of-sync (far future) packet (received %08lx, expected %08lx). "
1223 "possible replay attack, or just massive packet loss, resetting connection."), seqno, iseqno.seq + 1); 1230 "probably just massive packet loss, sending reset."), seqno, iseqno.seq + 1);
1224 send_reset (rsi); 1231 send_reset (rsi);
1225 } 1232 }
1226 1233
1227 delete d; 1234 delete d;
1228 break; 1235 break;
1240 if (p->id > 0 && p->id <= vpn->conns.size ()) 1247 if (p->id > 0 && p->id <= vpn->conns.size ())
1241 { 1248 {
1242 connection *c = vpn->conns[p->id - 1]; 1249 connection *c = vpn->conns[p->id - 1];
1243 conf->protocols = p->protocols; 1250 conf->protocols = p->protocols;
1244 1251
1245 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]", 1252 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s) [%d]",
1246 conf->id, p->id, c->ictx && c->octx); 1253 conf->nodename, vpn->conns[p->id - 1]->conf->nodename, c->ictx && c->octx);
1247 1254
1248 if (c->ictx && c->octx) 1255 if (c->ictx && c->octx)
1249 { 1256 {
1250 // send connect_info packets to both sides, in case one is 1257 // send connect_info packets to both sides, in case one is
1251 // behind a nat firewall (or both ;) 1258 // behind a nat firewall (or both ;)
1274 1281
1275 c->conf->protocols = p->protocols; 1282 c->conf->protocols = p->protocols;
1276 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1283 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1277 p->si.upgrade_protocol (protocol, c->conf); 1284 p->si.upgrade_protocol (protocol, c->conf);
1278 1285
1279 slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)", 1286 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s) [%d]",
1287 conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1280 conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx); 1288 (const char *)p->si, !c->ictx && !c->octx);
1281 1289
1282 const sockinfo &dsi = forward_si (p->si); 1290 const sockinfo &dsi = forward_si (p->si);
1283 1291
1284 if (dsi.valid ()) 1292 if (dsi.valid ())
1285 c->send_auth_request (dsi, true); 1293 c->send_auth_request (dsi, true);
1324 1332
1325void connection::send_connect_request (int id) 1333void connection::send_connect_request (int id)
1326{ 1334{
1327 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1335 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1328 1336
1329 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1337 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s)",
1338 conf->nodename, vpn->conns[id - 1]->conf->nodename);
1330 p->hmac_set (octx); 1339 p->hmac_set (octx);
1331 send_vpn_packet (p, si); 1340 send_vpn_packet (p, si);
1332 1341
1333 delete p; 1342 delete p;
1334} 1343}
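Review bot: The new trace lines in send_connect_info (new 823–824) and send_connect_request (new 1337–1338) index `vpn->conns[rid - 1]` / `vpn->conns[id - 1]` with unchecked `operator[]` and no range check of their own, so an id outside 1..conns.size() from any caller now walks off the vector before the packet is even built; the only visible guard is the one in the PT_CONNECT_REQ handler (new 1247), which belongs to the caller, not to these functions, and send_connect_info's body continues past the hunk. Inside recv_vpn_packet the handler already holds `connection *c = vpn->conns[p->id - 1]`, so its trace line (new 1253) and the PT_CONNECT_INFO one (new 1287) can use the pointer instead of repeating the lookup: `conf->nodename, c->conf->nodename, c->ictx && c->octx);`. In the two sender functions either add the same range guard or state the contract, e.g. `// precondition: 1 <= rid <= vpn->conns.size (), validated by the caller`; whether a conns slot can be null is not visible here, so confirm that before relying on the `->conf->nodename` chain. Separately, the far-history branch (new 1221–1223) now emits an L_ERR line per packet where the old code ignored it silently; since the in-window duplicate case was deliberately lowered to L_DEBUG, check that a burst of very old replayed packets cannot fill the log at error level.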
