ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.8 by pcg, Sun Apr 6 04:17:36 2003 UTC vs.
Revision 1.25 by pcg, Sat Jan 17 01:18:36 2004 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2004 Marc Lehmann <pcg@goof.com>
3 4
4 This program is free software; you can redistribute it and/or modify 5 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by 6 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or 7 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version. 8 (at your option) any later version.
20 21
21extern "C" { 22extern "C" {
22# include "lzf/lzf.h" 23# include "lzf/lzf.h"
23} 24}
24 25
26#include <cassert>
27
25#include <list> 28#include <list>
26 29
27#include <openssl/rand.h> 30#include <openssl/rand.h>
28#include <openssl/evp.h> 31#include <openssl/evp.h>
29#include <openssl/rsa.h> 32#include <openssl/rsa.h>
34#include "conf.h" 37#include "conf.h"
35#include "slog.h" 38#include "slog.h"
36#include "device.h" 39#include "device.h"
37#include "vpn.h" 40#include "vpn.h"
38#include "connection.h" 41#include "connection.h"
42
43#include "netcompat.h"
39 44
40#if !HAVE_RAND_PSEUDO_BYTES 45#if !HAVE_RAND_PSEUDO_BYTES
41# define RAND_pseudo_bytes RAND_bytes 46# define RAND_pseudo_bytes RAND_bytes
42#endif 47#endif
43 48
131 136
132} rsa_cache; 137} rsa_cache;
133 138
134void rsa_cache::cleaner_cb (time_watcher &w) 139void rsa_cache::cleaner_cb (time_watcher &w)
135{ 140{
136 if (empty ()) 141 if (!empty ())
137 w.at = TSTAMP_CANCEL;
138 else
139 { 142 {
140 w.at = NOW + RSA_TTL; 143 w.start (NOW + RSA_TTL);
141 144
142 for (iterator i = begin (); i != end (); ) 145 for (iterator i = begin (); i != end (); )
143 if (i->expire <= NOW) 146 if (i->expire <= NOW)
144 i = erase (i); 147 i = erase (i);
145 else 148 else
147 } 150 }
148} 151}
149 152
150////////////////////////////////////////////////////////////////////////////// 153//////////////////////////////////////////////////////////////////////////////
151 154
152void pkt_queue::put (tap_packet *p) 155void pkt_queue::put (net_packet *p)
153{ 156{
154 if (queue[i]) 157 if (queue[i])
155 { 158 {
156 delete queue[i]; 159 delete queue[i];
157 j = (j + 1) % QUEUEDEPTH; 160 j = (j + 1) % QUEUEDEPTH;
160 queue[i] = p; 163 queue[i] = p;
161 164
162 i = (i + 1) % QUEUEDEPTH; 165 i = (i + 1) % QUEUEDEPTH;
163} 166}
164 167
165tap_packet *pkt_queue::get () 168net_packet *pkt_queue::get ()
166{ 169{
167 tap_packet *p = queue[j]; 170 net_packet *p = queue[j];
168 171
169 if (p) 172 if (p)
170 { 173 {
171 queue[j] = 0; 174 queue[j] = 0;
172 j = (j + 1) % QUEUEDEPTH; 175 j = (j + 1) % QUEUEDEPTH;
197// only do action once every x seconds per host whole allowing bursts. 200// only do action once every x seconds per host whole allowing bursts.
198// this implementation ("splay list" ;) is inefficient, 201// this implementation ("splay list" ;) is inefficient,
199// but low on resources. 202// but low on resources.
200struct net_rate_limiter : list<net_rateinfo> 203struct net_rate_limiter : list<net_rateinfo>
201{ 204{
202 static const double ALPHA = 1. - 1. / 90.; // allow bursts 205 static const double ALPHA = 1. - 1. / 600.; // allow bursts
203 static const double CUTOFF = 20.; // one event every CUTOFF seconds 206 static const double CUTOFF = 10.; // one event every CUTOFF seconds
204 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time 207 static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
208 static const double MAXDIF = CUTOFF * (1. / (1. - ALPHA)); // maximum diff /count value
205 209
206 bool can (const sockinfo &si) { return can((u32)si.host); } 210 bool can (const sockinfo &si) { return can((u32)si.host); }
207 bool can (u32 host); 211 bool can (u32 host);
208}; 212};
209 213
210net_rate_limiter auth_rate_limiter, reset_rate_limiter; 214net_rate_limiter auth_rate_limiter, reset_rate_limiter;
211 215
225 { 229 {
226 net_rateinfo ri; 230 net_rateinfo ri;
227 231
228 ri.host = host; 232 ri.host = host;
229 ri.pcnt = 1.; 233 ri.pcnt = 1.;
230 ri.diff = CUTOFF * (1. / (1. - ALPHA)); 234 ri.diff = MAXDIF;
231 ri.last = NOW; 235 ri.last = NOW;
232 236
233 push_front (ri); 237 push_front (ri);
234 238
235 return true; 239 return true;
242 ri.pcnt = ri.pcnt * ALPHA; 246 ri.pcnt = ri.pcnt * ALPHA;
243 ri.diff = ri.diff * ALPHA + (NOW - ri.last); 247 ri.diff = ri.diff * ALPHA + (NOW - ri.last);
244 248
245 ri.last = NOW; 249 ri.last = NOW;
246 250
251 double dif = ri.diff / ri.pcnt;
252
247 bool send = ri.diff / ri.pcnt > CUTOFF; 253 bool send = dif > CUTOFF;
248 254
255 if (dif > MAXDIF)
256 {
257 ri.pcnt = 1.;
258 ri.diff = MAXDIF;
259 }
249 if (send) 260 else if (send)
250 ri.pcnt++; 261 ri.pcnt++;
251 262
252 push_front (ri); 263 push_front (ri);
253 264
254 return send; 265 return send;
467 set_hdr (type, dst); 478 set_hdr (type, dst);
468} 479}
469 480
470bool config_packet::chk_config () const 481bool config_packet::chk_config () const
471{ 482{
472 return prot_major == PROTOCOL_MAJOR 483 if (prot_major != PROTOCOL_MAJOR)
473 && randsize == RAND_SIZE 484 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR);
474 && hmaclen == HMACLENGTH 485 else if (randsize != RAND_SIZE)
475 && flags == curflags () 486 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
487 else if (hmaclen != HMACLENGTH)
488 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
489 else if (flags != curflags ())
490 slog (L_WARN, _("flag mismatch (remote %x <=> local %x)"), flags, curflags ());
476 && challengelen == sizeof (rsachallenge) 491 else if (challengelen != sizeof (rsachallenge))
492 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
477 && cipher_nid == htonl (EVP_CIPHER_nid (CIPHER)) 493 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER)))
494 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER));
478 && digest_nid == htonl (EVP_MD_type (RSA_HASH)) 495 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH)))
496 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
479 && hmac_nid == htonl (EVP_MD_type (DIGEST)); 497 else if (hmac_nid != htonl (EVP_MD_type (DIGEST)))
498 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST));
499 else
500 return true;
501
502 return false;
480} 503}
481 504
482struct auth_req_packet : config_packet 505struct auth_req_packet : config_packet
483{ 506{
484 char magic[8]; 507 char magic[8];
544 len = sizeof (*this) - sizeof (net_packet); 567 len = sizeof (*this) - sizeof (net_packet);
545 } 568 }
546}; 569};
547 570
548///////////////////////////////////////////////////////////////////////////// 571/////////////////////////////////////////////////////////////////////////////
572
573void
574connection::connection_established ()
575{
576 if (ictx && octx)
577 {
578 connectmode = conf->connectmode;
579
580 rekey.start (NOW + ::conf.rekey);
581 keepalive.start (NOW + ::conf.keepalive);
582
583 // send queued packets
584 if (ictx && octx)
585 {
586 while (tap_packet *p = (tap_packet *)data_queue.get ())
587 {
588 send_data_packet (p);
589 delete p;
590 }
591
592 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
593 {
594 send_vpn_packet (p, si, IPTOS_RELIABILITY);
595 delete p;
596 }
597 }
598 }
599 else
600 {
601 retry_cnt = 0;
602 establish_connection.start (NOW + 5);
603 keepalive.stop ();
604 rekey.stop ();
605 }
606}
549 607
550void 608void
551connection::reset_si () 609connection::reset_si ()
552{ 610{
553 protocol = best_protocol (THISNODE->protocols & conf->protocols); 611 protocol = best_protocol (THISNODE->protocols & conf->protocols);
580 638
581 return si; 639 return si;
582} 640}
583 641
584void 642void
643connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
644{
645 if (!vpn->send_vpn_packet (pkt, si, tos))
646 reset_connection ();
647}
648
649void
585connection::send_ping (const sockinfo &si, u8 pong) 650connection::send_ping (const sockinfo &si, u8 pong)
586{ 651{
587 ping_packet *pkt = new ping_packet; 652 ping_packet *pkt = new ping_packet;
588 653
589 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 654 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
590 vpn->send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 655 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
591 656
592 delete pkt; 657 delete pkt;
593} 658}
594 659
595void 660void
598 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED) 663 if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
599 { 664 {
600 config_packet *pkt = new config_packet; 665 config_packet *pkt = new config_packet;
601 666
602 pkt->setup (vpn_packet::PT_RESET, conf->id); 667 pkt->setup (vpn_packet::PT_RESET, conf->id);
603 vpn->send_vpn_packet (pkt, si, IPTOS_MINCOST); 668 send_vpn_packet (pkt, si, IPTOS_MINCOST);
604 669
605 delete pkt; 670 delete pkt;
606 } 671 }
607} 672}
608 673
610connection::send_auth_request (const sockinfo &si, bool initiate) 675connection::send_auth_request (const sockinfo &si, bool initiate)
611{ 676{
612 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols); 677 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
613 678
614 rsachallenge chg; 679 rsachallenge chg;
615
616 rsa_cache.gen (pkt->id, chg); 680 rsa_cache.gen (pkt->id, chg);
617 681 rsa_encrypt (conf->rsa_key, chg, pkt->encr);
618 if (0 > RSA_public_encrypt (sizeof chg,
619 (unsigned char *)&chg, (unsigned char *)&pkt->encr,
620 conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
621 fatal ("RSA_public_encrypt error");
622 682
623 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si); 683 slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
624 684
625 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly 685 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
626
627 686
628 delete pkt; 687 delete pkt;
629} 688}
630 689
631void 690void
639 698
640 pkt->hmac_set (octx); 699 pkt->hmac_set (octx);
641 700
642 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si); 701 slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
643 702
644 vpn->send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 703 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
645 704
646 delete pkt; 705 delete pkt;
647} 706}
648 707
649void 708void
653 conf->id, rid, (const char *)rsi); 712 conf->id, rid, (const char *)rsi);
654 713
655 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 714 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
656 715
657 r->hmac_set (octx); 716 r->hmac_set (octx);
658 vpn->send_vpn_packet (r, si); 717 send_vpn_packet (r, si);
659 718
660 delete r; 719 delete r;
661} 720}
662 721
663void 722void
664connection::establish_connection_cb (time_watcher &w) 723connection::establish_connection_cb (time_watcher &w)
665{ 724{
666 if (ictx || conf == THISNODE 725 if (!ictx
726 && conf != THISNODE
667 || connectmode == conf_node::C_NEVER 727 && connectmode != conf_node::C_NEVER
668 || connectmode == conf_node::C_DISABLED) 728 && connectmode != conf_node::C_DISABLED
669 w.at = TSTAMP_CANCEL; 729 && w.at <= NOW)
670 else if (w.at <= NOW)
671 { 730 {
672 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6; 731 double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
673 732
674 if (retry_int < 3600 * 8) 733 if (retry_int < 3600 * 8)
675 retry_cnt++; 734 retry_cnt++;
676 735
677 w.at = NOW + retry_int; 736 w.start (NOW + retry_int);
678 737
679 reset_si (); 738 reset_si ();
680 739
681 if (si.prot && !si.host) 740 if (si.prot && !si.host)
682 vpn->connect_request (conf->id); 741 vpn->send_connect_request (conf->id);
683 else 742 else
684 { 743 {
685 const sockinfo &dsi = forward_si (si); 744 const sockinfo &dsi = forward_si (si);
686 745
687 if (dsi.valid () && auth_rate_limiter.can (dsi)) 746 if (dsi.valid () && auth_rate_limiter.can (dsi))
713 si.host= 0; 772 si.host= 0;
714 773
715 last_activity = 0; 774 last_activity = 0;
716 retry_cnt = 0; 775 retry_cnt = 0;
717 776
718 rekey.reset (); 777 rekey.stop ();
719 keepalive.reset (); 778 keepalive.stop ();
720 establish_connection.reset (); 779 establish_connection.stop ();
721} 780}
722 781
723void 782void
724connection::shutdown () 783connection::shutdown ()
725{ 784{
730} 789}
731 790
732void 791void
733connection::rekey_cb (time_watcher &w) 792connection::rekey_cb (time_watcher &w)
734{ 793{
735 w.at = TSTAMP_CANCEL;
736
737 reset_connection (); 794 reset_connection ();
738 establish_connection (); 795 establish_connection ();
739} 796}
740 797
741void 798void
742connection::send_data_packet (tap_packet *pkt, bool broadcast) 799connection::send_data_packet (tap_packet *pkt)
743{ 800{
744 vpndata_packet *p = new vpndata_packet; 801 vpndata_packet *p = new vpndata_packet;
745 int tos = 0; 802 int tos = 0;
746 803
747 if (conf->inherit_tos 804 // I am not hilarious about peeking into packets, but so be it.
748 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP 805 if (conf->inherit_tos && pkt->is_ipv4 ())
749 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
750 tos = (*pkt)[15] & IPTOS_TOS_MASK; 806 tos = (*pkt)[15] & IPTOS_TOS_MASK;
751 807
752 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 808 p->setup (this, conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
753 vpn->send_vpn_packet (p, si, tos); 809 send_vpn_packet (p, si, tos);
754 810
755 delete p; 811 delete p;
756 812
757 if (oseqno > MAX_SEQNO) 813 if (oseqno > MAX_SEQNO)
758 rekey (); 814 rekey ();
759} 815}
760 816
761void 817void
762connection::inject_data_packet (tap_packet *pkt, bool broadcast) 818connection::inject_data_packet (tap_packet *pkt, bool broadcast/*TODO DDD*/)
763{ 819{
764 if (ictx && octx) 820 if (ictx && octx)
765 send_data_packet (pkt, broadcast); 821 send_data_packet (pkt);
766 else 822 else
767 { 823 {
768 if (!broadcast)//DDDD 824 if (!broadcast)//DDDD
769 queue.put (new tap_packet (*pkt)); 825 data_queue.put (new tap_packet (*pkt));
770 826
771 establish_connection (); 827 establish_connection ();
772 } 828 }
773} 829}
774 830
775void connection::inject_vpn_packet (vpn_packet *pkt, int tos) 831void connection::inject_vpn_packet (vpn_packet *pkt, int tos)
776{ 832{
777 if (ictx && octx) 833 if (ictx && octx)
778 vpn->send_vpn_packet (pkt, si, tos); 834 send_vpn_packet (pkt, si, tos);
779 else 835 else
836 {
837 vpn_queue.put (new vpn_packet (*pkt));
838
780 establish_connection (); 839 establish_connection ();
840 }
781} 841}
782 842
783void 843void
784connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 844connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
785{ 845{
841 if (p->initiate) 901 if (p->initiate)
842 send_auth_request (rsi, false); 902 send_auth_request (rsi, false);
843 903
844 rsachallenge k; 904 rsachallenge k;
845 905
846 if (0 > RSA_private_decrypt (sizeof (p->encr), 906 if (!rsa_decrypt (::conf.rsa_key, p->encr, k))
847 (unsigned char *)&p->encr, (unsigned char *)&k, 907 {
848 ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
849 slog (L_ERR, _("%s(%s): challenge illegal or corrupted"), 908 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
850 conf->nodename, (const char *)rsi); 909 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
910 break;
911 }
851 else 912 else
852 { 913 {
853 retry_cnt = 0;
854 establish_connection.start (NOW + 8); //? ;)
855 keepalive.reset ();
856 rekey.reset ();
857
858 delete ictx;
859 ictx = 0;
860
861 delete octx; 914 delete octx;
862 915
863 octx = new crypto_ctx (k, 1); 916 octx = new crypto_ctx (k, 1);
864 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 917 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff;
865 918
866 conf->protocols = p->protocols; 919 conf->protocols = p->protocols;
920
867 send_auth_response (rsi, p->id, k); 921 send_auth_response (rsi, p->id, k);
922
923 connection_established ();
868 924
869 break; 925 break;
870 } 926 }
871 } 927 }
928 else
929 slog (L_WARN, _("%s(%s): protocol mismatch"),
930 conf->nodename, (const char *)rsi);
872 931
873 send_reset (rsi); 932 send_reset (rsi);
874 } 933 }
875 934
876 break; 935 break;
889 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 948 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
890 949
891 rsachallenge chg; 950 rsachallenge chg;
892 951
893 if (!rsa_cache.find (p->id, chg)) 952 if (!rsa_cache.find (p->id, chg))
953 {
894 slog (L_ERR, _("%s(%s): unrequested auth response"), 954 slog (L_ERR, _("%s(%s): unrequested auth response ignored"),
895 conf->nodename, (const char *)rsi); 955 conf->nodename, (const char *)rsi);
956 break;
957 }
896 else 958 else
897 { 959 {
898 crypto_ctx *cctx = new crypto_ctx (chg, 0); 960 crypto_ctx *cctx = new crypto_ctx (chg, 0);
899 961
900 if (!p->hmac_chk (cctx)) 962 if (!p->hmac_chk (cctx))
963 {
901 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n" 964 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
902 "could be an attack, or just corruption or an synchronization error"), 965 "could be an attack, or just corruption or an synchronization error"),
903 conf->nodename, (const char *)rsi); 966 conf->nodename, (const char *)rsi);
967 break;
968 }
904 else 969 else
905 { 970 {
906 rsaresponse h; 971 rsaresponse h;
907 972
908 rsa_hash (p->id, chg, h); 973 rsa_hash (p->id, chg, h);
916 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid 981 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
917 982
918 si = rsi; 983 si = rsi;
919 protocol = rsi.prot; 984 protocol = rsi.prot;
920 985
921 rekey.start (NOW + ::conf.rekey); 986 connection_established ();
922 keepalive.start (NOW + ::conf.keepalive);
923
924 // send queued packets
925 while (tap_packet *p = queue.get ())
926 {
927 send_data_packet (p);
928 delete p;
929 }
930
931 connectmode = conf->connectmode;
932 987
933 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"), 988 slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
934 conf->nodename, (const char *)rsi, 989 conf->nodename, (const char *)rsi,
935 p->prot_major, p->prot_minor); 990 p->prot_major, p->prot_minor);
936 991
962 1017
963 if (ictx && octx) 1018 if (ictx && octx)
964 { 1019 {
965 vpndata_packet *p = (vpndata_packet *)pkt; 1020 vpndata_packet *p = (vpndata_packet *)pkt;
966 1021
967 if (rsi == si) 1022 if (!p->hmac_chk (ictx))
1023 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1024 "could be an attack, or just corruption or an synchronization error"),
1025 conf->nodename, (const char *)rsi);
1026 else
968 { 1027 {
969 if (!p->hmac_chk (ictx))
970 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
971 "could be an attack, or just corruption or an synchronization error"),
972 conf->nodename, (const char *)rsi);
973 else 1028 u32 seqno;
1029 tap_packet *d = p->unpack (this, seqno);
1030
1031 if (iseqno.recv_ok (seqno))
974 { 1032 {
975 u32 seqno; 1033 vpn->tap->send (d);
976 tap_packet *d = p->unpack (this, seqno);
977 1034
978 if (iseqno.recv_ok (seqno)) 1035 if (si != rsi)
979 { 1036 {
980 vpn->tap->send (d); 1037 // fast re-sync on connection changes, useful especially for tcp/ip
981
982 if (p->dst () == 0) // re-broadcast
983 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
984 {
985 connection *c = *i;
986
987 if (c->conf != THISNODE && c->conf != conf)
988 c->inject_data_packet (d);
989 }
990
991 delete d;
992
993 break; 1038 si = rsi;
1039
1040 slog (L_INFO, _("%s(%s): socket address changed to %s"),
1041 conf->nodename, (const char *)si, (const char *)rsi);
994 } 1042 }
1043
1044 delete d;
1045
1046 break;
995 } 1047 }
996 } 1048 }
997 else
998 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
999 } 1049 }
1000 1050
1001 send_reset (rsi); 1051 send_reset (rsi);
1002 break; 1052 break;
1003 1053
1018 // send connect_info packets to both sides, in case one is 1068 // send connect_info packets to both sides, in case one is
1019 // behind a nat firewall (or both ;) 1069 // behind a nat firewall (or both ;)
1020 c->send_connect_info (conf->id, si, conf->protocols); 1070 c->send_connect_info (conf->id, si, conf->protocols);
1021 send_connect_info (c->conf->id, c->si, c->conf->protocols); 1071 send_connect_info (c->conf->id, c->si, c->conf->protocols);
1022 } 1072 }
1073 else
1074 c->establish_connection ();
1023 } 1075 }
1024 1076
1025 break; 1077 break;
1026 1078
1027 case vpn_packet::PT_CONNECT_INFO: 1079 case vpn_packet::PT_CONNECT_INFO:
1060 { 1112 {
1061 reset_connection (); 1113 reset_connection ();
1062 establish_connection (); 1114 establish_connection ();
1063 } 1115 }
1064 else if (NOW < last_activity + ::conf.keepalive) 1116 else if (NOW < last_activity + ::conf.keepalive)
1065 w.at = last_activity + ::conf.keepalive; 1117 w.start (last_activity + ::conf.keepalive);
1066 else if (conf->connectmode != conf_node::C_ONDEMAND 1118 else if (conf->connectmode != conf_node::C_ONDEMAND
1067 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1119 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1068 { 1120 {
1069 send_ping (si); 1121 send_ping (si);
1070 w.at = NOW + 5; 1122 w.start (NOW + 5);
1071 } 1123 }
1124 else if (NOW < last_activity + ::conf.keepalive + 10)
1125 // hold ondemand connections implicitly a few seconds longer
1126 // should delete octx, though, or something like that ;)
1127 w.start (last_activity + ::conf.keepalive + 10);
1072 else 1128 else
1073 reset_connection (); 1129 reset_connection ();
1074} 1130}
1075 1131
1076void connection::connect_request (int id) 1132void connection::send_connect_request (int id)
1077{ 1133{
1078 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1134 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1079 1135
1080 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id); 1136 slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1081 p->hmac_set (octx); 1137 p->hmac_set (octx);
1082 vpn->send_vpn_packet (p, si); 1138 send_vpn_packet (p, si);
1083 1139
1084 delete p; 1140 delete p;
1085} 1141}
1086 1142
1087void connection::script_node () 1143void connection::script_node ()

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines