641 | |
641 | |
642 | if (conf->inherit_tos |
642 | if (conf->inherit_tos |
643 | && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP |
643 | && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP |
644 | && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 |
644 | && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 |
645 | tos = (*pkt)[15] & IPTOS_TOS_MASK; |
645 | tos = (*pkt)[15] & IPTOS_TOS_MASK; |
646 | printf ("%d %02x %02x %02x %02x = %02x\n", (int)conf->inherit_tos, (*pkt)[12],(*pkt)[13],(*pkt)[14],(*pkt)[15], tos); |
|
|
647 | |
646 | |
648 | p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs |
647 | p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs |
649 | vpn->send_vpn_packet (p, &sa, tos); |
648 | vpn->send_vpn_packet (p, &sa, tos); |
650 | |
649 | |
651 | delete p; |
650 | delete p; |
773 | if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32), |
772 | if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32), |
774 | sizeof (rsachallenge) - sizeof (u32))) |
773 | sizeof (rsachallenge) - sizeof (u32))) |
775 | { |
774 | { |
776 | delete ictx; |
775 | delete ictx; |
777 | |
776 | |
778 | ictx = new crypto_ctx (k, 0); |
777 | ictx = new crypto_ctx (k, 0); |
779 | iseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; // at least 2**31 sequence numbers are valid |
778 | iseqno.reset (*(u32 *)&k[CHG_SEQNO] & 0x7fffffff); // at least 2**31 sequence numbers are valid |
780 | ismask = 0xffffffff; // initially, all lower sequence numbers are invalid |
|
|
781 | |
779 | |
782 | sa = *ssa; |
780 | sa = *ssa; |
783 | |
781 | |
784 | next_rekey = now + ::conf.rekey; |
782 | next_rekey = now + ::conf.rekey; |
785 | next_wakeup (next_rekey); |
783 | next_wakeup (next_rekey); |
835 | else |
833 | else |
836 | { |
834 | { |
837 | u32 seqno; |
835 | u32 seqno; |
838 | tap_packet *d = p->unpack (this, seqno); |
836 | tap_packet *d = p->unpack (this, seqno); |
839 | |
837 | |
840 | if (seqno <= iseqno - 32) |
838 | if (iseqno.recv_ok (seqno)) |
841 | slog (L_ERR, _("received duplicate or outdated packet (received %08lx, expected %08lx)\n" |
|
|
842 | "possible replay attack, or just massive packet reordering"), seqno, iseqno + 1);//D |
|
|
843 | else if (seqno > iseqno + 32) |
|
|
844 | slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n" |
|
|
845 | "possible replay attack, or just massive packet loss"), seqno, iseqno + 1);//D |
|
|
846 | else |
|
|
847 | { |
839 | { |
848 | if (seqno > iseqno) |
|
|
849 | { |
|
|
850 | ismask <<= seqno - iseqno; |
|
|
851 | iseqno = seqno; |
|
|
852 | } |
|
|
853 | |
|
|
854 | u32 mask = 1 << (iseqno - seqno); |
|
|
855 | |
|
|
856 | //printf ("received seqno %08lx, iseqno %08lx, mask %08lx is %08lx\n", seqno, iseqno, mask, ismask); |
|
|
857 | if (ismask & mask) |
|
|
858 | slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n" |
|
|
859 | "possible replay attack, or just packet duplication"), seqno, iseqno + 1);//D |
|
|
860 | else |
|
|
861 | { |
|
|
862 | ismask |= mask; |
|
|
863 | |
|
|
864 | vpn->tap->send (d); |
840 | vpn->tap->send (d); |
865 | |
841 | |
866 | if (p->dst () == 0) // re-broadcast |
842 | if (p->dst () == 0) // re-broadcast |
867 | for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i) |
843 | for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i) |
868 | { |
844 | { |
869 | connection *c = *i; |
845 | connection *c = *i; |
870 | |
846 | |
871 | if (c->conf != THISNODE && c->conf != conf) |
847 | if (c->conf != THISNODE && c->conf != conf) |
872 | c->inject_data_packet (d); |
848 | c->inject_data_packet (d); |
873 | } |
|
|
874 | |
|
|
875 | delete d; |
|
|
876 | |
|
|
877 | break; |
|
|
878 | } |
849 | } |
|
|
850 | |
|
|
851 | delete d; |
|
|
852 | |
|
|
853 | break; |
879 | } |
854 | } |
880 | } |
855 | } |
881 | } |
856 | } |
882 | else |
857 | else |
883 | slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D |
858 | slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D |