| 1 | /* |
1 | /* |
| 2 | connection.C -- manage a single connection |
2 | connection.C -- manage a single connection |
| 3 | Copyright (C) 2003-2008,2010 Marc Lehmann <gvpe@schmorp.de> |
3 | Copyright (C) 2003-2008,2010,2011 Marc Lehmann <gvpe@schmorp.de> |
| 4 | |
4 | |
| 5 | This file is part of GVPE. |
5 | This file is part of GVPE. |
| 6 | |
6 | |
| 7 | GVPE is free software; you can redistribute it and/or modify it |
7 | GVPE is free software; you can redistribute it and/or modify it |
| 8 | under the terms of the GNU General Public License as published by the |
8 | under the terms of the GNU General Public License as published by the |
| … | |
… | |
| 132 | rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h) |
132 | rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h) |
| 133 | { |
133 | { |
| 134 | EVP_MD_CTX ctx; |
134 | EVP_MD_CTX ctx; |
| 135 | |
135 | |
| 136 | EVP_MD_CTX_init (&ctx); |
136 | EVP_MD_CTX_init (&ctx); |
| 137 | require (EVP_DigestInit (&ctx, RSA_HASH)); |
137 | require (EVP_DigestInit (&ctx, RSA_HASH)); |
| 138 | require (EVP_DigestUpdate(&ctx, &chg, sizeof chg)); |
138 | require (EVP_DigestUpdate (&ctx, &chg, sizeof chg)); |
| 139 | require (EVP_DigestUpdate(&ctx, &id, sizeof id)); |
139 | require (EVP_DigestUpdate (&ctx, &id, sizeof id)); |
| 140 | require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0)); |
140 | require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0)); |
| 141 | EVP_MD_CTX_cleanup (&ctx); |
141 | EVP_MD_CTX_cleanup (&ctx); |
| 142 | } |
142 | } |
| 143 | |
143 | |
| 144 | struct rsa_entry |
144 | struct rsa_entry |
| 145 | { |
145 | { |
| … | |
… | |
| 831 | } |
831 | } |
| 832 | |
832 | |
| 833 | void |
833 | void |
| 834 | connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) |
834 | connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) |
| 835 | { |
835 | { |
| 836 | slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s)", conf->nodename, |
836 | slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s,p%02x)", conf->nodename, |
| 837 | vpn->conns[rid - 1]->conf->nodename, (const char *)rsi); |
837 | vpn->conns[rid - 1]->conf->nodename, (const char *)rsi, |
|
|
838 | conf->protocols); |
| 838 | |
839 | |
| 839 | connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); |
840 | connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); |
| 840 | |
841 | |
| 841 | r->hmac_set (octx); |
842 | r->hmac_set (octx); |
| 842 | send_vpn_packet (r, si); |
843 | send_vpn_packet (r, si); |
| … | |
… | |
| 923 | } |
924 | } |
| 924 | } |
925 | } |
| 925 | |
926 | |
| 926 | delete ictx; ictx = 0; |
927 | delete ictx; ictx = 0; |
| 927 | delete octx; octx = 0; |
928 | delete octx; octx = 0; |
| 928 | #if ENABLE_DNS |
|
|
| 929 | dnsv4_reset_connection (); |
|
|
| 930 | #endif |
|
|
| 931 | |
929 | |
| 932 | si.host = 0; |
930 | si.host = 0; |
| 933 | |
931 | |
| 934 | last_activity = 0.; |
932 | last_activity = 0.; |
| 935 | //last_si_change = 0.; |
933 | //last_si_change = 0.; |
| … | |
… | |
| 1067 | break; |
1065 | break; |
| 1068 | |
1066 | |
| 1069 | case vpn_packet::PT_AUTH_REQ: |
1067 | case vpn_packet::PT_AUTH_REQ: |
| 1070 | if (auth_rate_limiter.can (rsi)) |
1068 | if (auth_rate_limiter.can (rsi)) |
| 1071 | { |
1069 | { |
| 1072 | auth_req_packet *p = (auth_req_packet *) pkt; |
1070 | auth_req_packet *p = (auth_req_packet *)pkt; |
| 1073 | |
1071 | |
| 1074 | slog (L_TRACE, "%s >> PT_AUTH_REQ(%s)", conf->nodename, p->initiate ? "initiate" : "reply"); |
1072 | slog (L_TRACE, "%s >> PT_AUTH_REQ(%s,p%02x,f%02x)", |
|
|
1073 | conf->nodename, p->initiate ? "initiate" : "reply", |
|
|
1074 | p->protocols, p->features); |
| 1075 | |
1075 | |
| 1076 | if (p->chk_config () |
1076 | if (p->chk_config () |
| 1077 | && (!strncmp (p->magic, MAGIC_OLD, 8) || !strncmp (p->magic, MAGIC, 8))) |
1077 | && (!memcmp (p->magic, MAGIC_OLD, 8) || !memcmp (p->magic, MAGIC, 8))) |
| 1078 | { |
1078 | { |
| 1079 | if (p->prot_minor != PROTOCOL_MINOR) |
1079 | if (p->prot_minor != PROTOCOL_MINOR) |
| 1080 | slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), |
1080 | slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), |
| 1081 | conf->nodename, (const char *)rsi, |
1081 | conf->nodename, (const char *)rsi, |
| 1082 | PROTOCOL_MINOR, conf->nodename, p->prot_minor); |
1082 | PROTOCOL_MINOR, conf->nodename, p->prot_minor); |
| … | |
… | |
| 1274 | if (p->id > 0 && p->id <= vpn->conns.size ()) |
1274 | if (p->id > 0 && p->id <= vpn->conns.size ()) |
| 1275 | { |
1275 | { |
| 1276 | connection *c = vpn->conns[p->id - 1]; |
1276 | connection *c = vpn->conns[p->id - 1]; |
| 1277 | conf->protocols = p->protocols; |
1277 | conf->protocols = p->protocols; |
| 1278 | |
1278 | |
| 1279 | slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s) [%d]", |
1279 | slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s,p%02x) [%d]", |
| 1280 | conf->nodename, vpn->conns[p->id - 1]->conf->nodename, c->ictx && c->octx); |
1280 | conf->nodename, vpn->conns[p->id - 1]->conf->nodename, |
|
|
1281 | p->protocols, |
|
|
1282 | c->ictx && c->octx); |
| 1281 | |
1283 | |
| 1282 | if (c->ictx && c->octx) |
1284 | if (c->ictx && c->octx) |
| 1283 | { |
1285 | { |
| 1284 | // send connect_info packets to both sides, in case one is |
1286 | // send connect_info packets to both sides, in case one is |
| 1285 | // behind a nat firewall (or both ;) |
1287 | // behind a nat firewall (or both ;) |
| … | |
… | |
| 1308 | |
1310 | |
| 1309 | c->conf->protocols = p->protocols; |
1311 | c->conf->protocols = p->protocols; |
| 1310 | protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); |
1312 | protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); |
| 1311 | p->si.upgrade_protocol (protocol, c->conf); |
1313 | p->si.upgrade_protocol (protocol, c->conf); |
| 1312 | |
1314 | |
| 1313 | slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s) [%d]", |
1315 | slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s,protocols=%02x,protocol=%02x,upgradable=%02x) [%d]", |
|
|
1316 | conf->nodename, |
| 1314 | conf->nodename, vpn->conns[p->id - 1]->conf->nodename, |
1317 | vpn->conns[p->id - 1]->conf->nodename, |
|
|
1318 | (const char *)p->si, |
|
|
1319 | p->protocols, |
|
|
1320 | protocol, |
|
|
1321 | p->si.supported_protocols (c->conf), |
| 1315 | (const char *)p->si, !c->ictx && !c->octx); |
1322 | !c->ictx && !c->octx); |
| 1316 | |
1323 | |
| 1317 | const sockinfo &dsi = forward_si (p->si); |
1324 | const sockinfo &dsi = forward_si (p->si); |
| 1318 | |
1325 | |
| 1319 | if (dsi.valid ()) |
1326 | if (dsi.valid ()) |
| 1320 | c->send_auth_request (dsi, true); |
1327 | c->send_auth_request (dsi, true); |
|
|
1328 | else |
|
|
1329 | slog (L_INFO, "connect info for %s received (%s), but still unable to contact.", |
|
|
1330 | vpn->conns[p->id - 1]->conf->nodename, |
|
|
1331 | (const char *)p->si); |
| 1321 | } |
1332 | } |
| 1322 | else |
1333 | else |
| 1323 | slog (L_WARN, |
1334 | slog (L_WARN, |
| 1324 | _("received authenticated connection request from unknown node #%d, config file mismatch?"), |
1335 | _("received authenticated connection request from unknown node #%d, config file mismatch?"), |
| 1325 | p->id); |
1336 | p->id); |
| … | |
… | |
| 1358 | } |
1369 | } |
| 1359 | |
1370 | |
| 1360 | void |
1371 | void |
| 1361 | connection::send_connect_request (int id) |
1372 | connection::send_connect_request (int id) |
| 1362 | { |
1373 | { |
| 1363 | connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); |
1374 | connect_req_packet *p = new connect_req_packet (conf->id, id, THISNODE->protocols); |
| 1364 | |
1375 | |
| 1365 | slog (L_TRACE, "%s << PT_CONNECT_REQ(%s)", |
1376 | slog (L_TRACE, "%s << PT_CONNECT_REQ(%s,p%02x)", |
| 1366 | conf->nodename, vpn->conns[id - 1]->conf->nodename); |
1377 | conf->nodename, vpn->conns[id - 1]->conf->nodename, |
|
|
1378 | THISNODE->protocols); |
| 1367 | p->hmac_set (octx); |
1379 | p->hmac_set (octx); |
| 1368 | send_vpn_packet (p, si); |
1380 | send_vpn_packet (p, si); |
| 1369 | |
1381 | |
| 1370 | delete p; |
1382 | delete p; |
| 1371 | } |
1383 | } |
| … | |
… | |
| 1455 | establish_connection.set<connection, &connection::establish_connection_cb> (this); |
1467 | establish_connection.set<connection, &connection::establish_connection_cb> (this); |
| 1456 | |
1468 | |
| 1457 | last_establish_attempt = 0.; |
1469 | last_establish_attempt = 0.; |
| 1458 | octx = ictx = 0; |
1470 | octx = ictx = 0; |
| 1459 | |
1471 | |
| 1460 | if (!conf->protocols) // make sure some protocol is enabled |
|
|
| 1461 | conf->protocols = PROT_UDPv4; |
|
|
| 1462 | |
|
|
| 1463 | connectmode = conf->connectmode; |
1472 | connectmode = conf->connectmode; |
| 1464 | |
1473 | |
| 1465 | // queue a dummy packet to force an initial connection attempt |
1474 | // queue a dummy packet to force an initial connection attempt |
| 1466 | if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED) |
1475 | if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED) |
| 1467 | vpn_queue.put (new net_packet); |
1476 | vpn_queue.put (new net_packet); |
