… | |
… | |
481 | connection::send_ping (SOCKADDR *dsa, u8 pong) |
481 | connection::send_ping (SOCKADDR *dsa, u8 pong) |
482 | { |
482 | { |
483 | ping_packet *pkt = new ping_packet; |
483 | ping_packet *pkt = new ping_packet; |
484 | |
484 | |
485 | pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); |
485 | pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); |
486 | vpn->send_vpn_packet (pkt, dsa); |
486 | vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY); |
487 | |
487 | |
488 | delete pkt; |
488 | delete pkt; |
489 | } |
489 | } |
490 | |
490 | |
491 | void |
491 | void |
… | |
… | |
496 | if (limiter.can (dsa)) |
496 | if (limiter.can (dsa)) |
497 | { |
497 | { |
498 | config_packet *pkt = new config_packet; |
498 | config_packet *pkt = new config_packet; |
499 | |
499 | |
500 | pkt->setup (vpn_packet::PT_RESET, conf->id); |
500 | pkt->setup (vpn_packet::PT_RESET, conf->id); |
501 | vpn->send_vpn_packet (pkt, dsa); |
501 | vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST); |
502 | |
502 | |
503 | delete pkt; |
503 | delete pkt; |
504 | } |
504 | } |
505 | } |
505 | } |
506 | |
506 | |
… | |
… | |
550 | fatal ("RSA_public_encrypt error"); |
550 | fatal ("RSA_public_encrypt error"); |
551 | #endif |
551 | #endif |
552 | |
552 | |
553 | slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa)); |
553 | slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa)); |
554 | |
554 | |
555 | vpn->send_vpn_packet (pkt, sa); |
555 | vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); |
556 | |
556 | |
557 | delete pkt; |
557 | delete pkt; |
558 | } |
558 | } |
559 | } |
559 | } |
560 | |
560 | |
… | |
… | |
635 | |
635 | |
636 | void |
636 | void |
637 | connection::send_data_packet (tap_packet * pkt, bool broadcast) |
637 | connection::send_data_packet (tap_packet * pkt, bool broadcast) |
638 | { |
638 | { |
639 | vpndata_packet *p = new vpndata_packet; |
639 | vpndata_packet *p = new vpndata_packet; |
|
|
640 | int tos = 0; |
|
|
641 | |
|
|
642 | if (conf->inherit_tos |
|
|
643 | && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP |
|
|
644 | && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 |
|
|
645 | tos = (*pkt)[15] & IPTOS_TOS_MASK; |
640 | |
646 | |
641 | p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs |
647 | p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs |
642 | vpn->send_vpn_packet (p, &sa); |
648 | vpn->send_vpn_packet (p, &sa, tos); |
643 | |
649 | |
644 | delete p; |
650 | delete p; |
645 | |
651 | |
646 | if (oseqno > MAX_SEQNO) |
652 | if (oseqno > MAX_SEQNO) |
647 | rekey (); |
653 | rekey (); |
… | |
… | |
766 | if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32), |
772 | if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32), |
767 | sizeof (rsachallenge) - sizeof (u32))) |
773 | sizeof (rsachallenge) - sizeof (u32))) |
768 | { |
774 | { |
769 | delete ictx; |
775 | delete ictx; |
770 | |
776 | |
771 | ictx = new crypto_ctx (k, 0); |
777 | ictx = new crypto_ctx (k, 0); |
772 | iseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; // at least 2**31 sequence numbers are valid |
778 | iseqno.reset (*(u32 *)&k[CHG_SEQNO] & 0x7fffffff); // at least 2**31 sequence numbers are valid |
773 | ismask = 0xffffffff; // initially, all lower sequence numbers are invalid |
|
|
774 | |
779 | |
775 | sa = *ssa; |
780 | sa = *ssa; |
776 | |
781 | |
777 | next_rekey = now + ::conf.rekey; |
782 | next_rekey = now + ::conf.rekey; |
778 | next_wakeup (next_rekey); |
783 | next_wakeup (next_rekey); |
… | |
… | |
828 | else |
833 | else |
829 | { |
834 | { |
830 | u32 seqno; |
835 | u32 seqno; |
831 | tap_packet *d = p->unpack (this, seqno); |
836 | tap_packet *d = p->unpack (this, seqno); |
832 | |
837 | |
833 | if (seqno <= iseqno - 32) |
838 | if (iseqno.recv_ok (seqno)) |
834 | slog (L_ERR, _("received duplicate or outdated packet (received %08lx, expected %08lx)\n" |
|
|
835 | "possible replay attack, or just massive packet reordering"), seqno, iseqno + 1);//D |
|
|
836 | else if (seqno > iseqno + 32) |
|
|
837 | slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n" |
|
|
838 | "possible replay attack, or just massive packet loss"), seqno, iseqno + 1);//D |
|
|
839 | else |
|
|
840 | { |
839 | { |
841 | if (seqno > iseqno) |
|
|
842 | { |
|
|
843 | ismask <<= seqno - iseqno; |
|
|
844 | iseqno = seqno; |
|
|
845 | } |
|
|
846 | |
|
|
847 | u32 mask = 1 << (iseqno - seqno); |
|
|
848 | |
|
|
849 | //printf ("received seqno %08lx, iseqno %08lx, mask %08lx is %08lx\n", seqno, iseqno, mask, ismask); |
|
|
850 | if (ismask & mask) |
|
|
851 | slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n" |
|
|
852 | "possible replay attack, or just packet duplication"), seqno, iseqno + 1);//D |
|
|
853 | else |
|
|
854 | { |
|
|
855 | ismask |= mask; |
|
|
856 | |
|
|
857 | vpn->tap->send (d); |
840 | vpn->tap->send (d); |
858 | |
841 | |
859 | if (p->dst () == 0) // re-broadcast |
842 | if (p->dst () == 0) // re-broadcast |
860 | for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i) |
843 | for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i) |
861 | { |
844 | { |
862 | connection *c = *i; |
845 | connection *c = *i; |
863 | |
846 | |
864 | if (c->conf != THISNODE && c->conf != conf) |
847 | if (c->conf != THISNODE && c->conf != conf) |
865 | c->inject_data_packet (d); |
848 | c->inject_data_packet (d); |
866 | } |
|
|
867 | |
|
|
868 | delete d; |
|
|
869 | |
|
|
870 | break; |
|
|
871 | } |
849 | } |
|
|
850 | |
|
|
851 | delete d; |
|
|
852 | |
|
|
853 | break; |
872 | } |
854 | } |
873 | } |
855 | } |
874 | } |
856 | } |
875 | else |
857 | else |
876 | slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D |
858 | slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D |
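Review bot: The new `if (iseqno.recv_ok (seqno))` block has no `else`, so a duplicate, outdated or out-of-window sequence number is now dropped silently where the old code logged it as a possible replay attack (the three removed `slog (L_ERR, ...)` calls); unless `recv_ok` reports this itself, that detection signal is lost. A single branch such as `else slog (L_ERR, _("received duplicate or out-of-window packet (received %08lx)\npossible replay attack, or just massive packet reordering/loss"), seqno);` would keep it, with rate limiting if log flooding was the reason for removing the messages. Moving `delete d` so it also runs on the rejected path is an improvement over the old code, which leaked the unpacked packet there, and needs no change. The enclosing function begins and ends outside this hunk.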
… | |
… | |
1095 | |
1077 | |
1096 | return 0; |
1078 | return 0; |
1097 | } |
1079 | } |
1098 | |
1080 | |
1099 | void |
1081 | void |
1100 | vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa) |
1082 | vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos) |
1101 | { |
1083 | { |
|
|
1084 | setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos); |
1102 | sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); |
1085 | sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); |
1103 | } |
1086 | } |
1104 | |
1087 | |
1105 | void |
1088 | void |
1106 | vpn::shutdown_all () |
1089 | vpn::shutdown_all () |