[ViewVC] Diff of: cvs/gvpe/src/protocol.C

Comparing gvpe/src/protocol.C (file contents):
Revision 1.7 by pcg, Sun Mar 9 12:48:22 2003 UTC vs.
Revision 1.11 by pcg, Sat Mar 22 21:35:07 2003 UTC

…		…
16	Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA	16	Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17	*/	17	*/
18		18
19	#include "config.h"	19	#include "config.h"
20		20
		21	#include <list>
		22
21	#include <cstdlib>	23	#include <cstdlib>
22	#include <cstring>	24	#include <cstring>
23	#include <cstdio>	25	#include <cstdio>
24		26
25	#include <sys/types.h>	27	#include <sys/types.h>
…		…
60		62
61	static const rsachallenge &	63	static const rsachallenge &
62	challenge_bytes ()	64	challenge_bytes ()
63	{	65	{
64	static rsachallenge challenge;	66	static rsachallenge challenge;
65	static time_t challenge_ttl; // time this challenge needs to be recreated	67	static double challenge_ttl; // time this challenge needs to be recreated
66		68
67	if (now > challenge_ttl)	69	if (NOW > challenge_ttl)
68	{	70	{
69	RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));	71	RAND_bytes ((unsigned char *)&challenge, sizeof (challenge));
70	challenge_ttl = now + CHALLENGE_TTL;	72	challenge_ttl = NOW + CHALLENGE_TTL;
71	}	73	}
72		74
73	return challenge;	75	return challenge;
		76	}
		77
		78	// caching of rsa operations really helps slow computers
		79	struct rsa_entry {
		80	tstamp expire;
		81	rsachallenge chg;
		82	RSA *key; // which key
		83	rsaencrdata encr;
		84
		85	rsa_entry ()
		86	{
		87	expire = NOW + CHALLENGE_TTL;
		88	}
		89	};
		90
		91	struct rsa_cache : list<rsa_entry>
		92	{
		93	void cleaner_cb (tstamp &ts); time_watcher cleaner;
		94
		95	const rsaencrdata public_encrypt (RSA key, const rsachallenge &chg)
		96	{
		97	for (iterator i = begin (); i != end (); ++i)
		98	{
		99	if (i->key == key && !memcmp (&chg, &i->chg, sizeof chg))
		100	return &i->encr;
		101	}
		102
		103	if (cleaner.at < NOW)
		104	cleaner.start (NOW + CHALLENGE_TTL);
		105
		106	resize (size () + 1);
		107	rsa_entry e = &(rbegin ());
		108
		109	e->key = key;
		110	memcpy (&e->chg, &chg, sizeof chg);
		111
		112	if (0 > RSA_public_encrypt (sizeof chg,
		113	(unsigned char )&chg, (unsigned char )&e->encr,
		114	key, RSA_PKCS1_OAEP_PADDING))
		115	fatal ("RSA_public_encrypt error");
		116
		117	return &e->encr;
		118	}
		119
		120	const rsachallenge private_decrypt (RSA key, const rsaencrdata &encr)
		121	{
		122	for (iterator i = begin (); i != end (); ++i)
		123	if (i->key == key && !memcmp (&encr, &i->encr, sizeof encr))
		124	return &i->chg;
		125
		126	if (cleaner.at < NOW)
		127	cleaner.start (NOW + CHALLENGE_TTL);
		128
		129	resize (size () + 1);
		130	rsa_entry e = &(rbegin ());
		131
		132	e->key = key;
		133	memcpy (&e->encr, &encr, sizeof encr);
		134
		135	if (0 > RSA_private_decrypt (sizeof encr,
		136	(unsigned char )&encr, (unsigned char )&e->chg,
		137	key, RSA_PKCS1_OAEP_PADDING))
		138	{
		139	pop_back ();
		140	return 0;
		141	}
		142
		143	return &e->chg;
		144	}
		145
		146	rsa_cache ()
		147	: cleaner (this, &rsa_cache::cleaner_cb)
		148	{ }
		149
		150	} rsa_cache;
		151
		152	void rsa_cache::cleaner_cb (tstamp &ts)
		153	{
		154	if (empty ())
		155	ts = TSTAMP_CANCEL;
		156	else
		157	{
		158	ts = NOW + 3;
		159	for (iterator i = begin (); i != end (); )
		160	{
		161	if (i->expire >= NOW)
		162	i = erase (i);
		163	else
		164	++i;
		165	}
		166	}
74	}	167	}
75		168
76	// run a script. yes, it's a template function. yes, c++	169	// run a script. yes, it's a template function. yes, c++
77	// is not a functional language. yes, this suxx.	170	// is not a functional language. yes, this suxx.
78	template<class owner>	171	template<class owner>
…		…
112	struct crypto_ctx	205	struct crypto_ctx
113	{	206	{
114	EVP_CIPHER_CTX cctx;	207	EVP_CIPHER_CTX cctx;
115	HMAC_CTX hctx;	208	HMAC_CTX hctx;
116		209
117	crypto_ctx (rsachallenge &challenge, int enc);	210	crypto_ctx (const rsachallenge &challenge, int enc);
118	~crypto_ctx ();	211	~crypto_ctx ();
119	};	212	};
120		213
121	crypto_ctx::crypto_ctx (rsachallenge &challenge, int enc)	214	crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
122	{	215	{
123	EVP_CIPHER_CTX_init (&cctx);	216	EVP_CIPHER_CTX_init (&cctx);
124	EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);	217	EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
125	HMAC_CTX_init (&hctx);	218	HMAC_CTX_init (&hctx);
126	HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);	219	HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
…		…
128		221
129	crypto_ctx::~crypto_ctx ()	222	crypto_ctx::~crypto_ctx ()
130	{	223	{
131	EVP_CIPHER_CTX_cleanup (&cctx);	224	EVP_CIPHER_CTX_cleanup (&cctx);
132	HMAC_CTX_cleanup (&hctx);	225	HMAC_CTX_cleanup (&hctx);
		226	}
		227
		228	//////////////////////////////////////////////////////////////////////////////
		229
		230	void pkt_queue::put (tap_packet *p)
		231	{
		232	if (queue[i])
		233	{
		234	delete queue[i];
		235	j = (j + 1) % QUEUEDEPTH;
		236	}
		237
		238	queue[i] = p;
		239
		240	i = (i + 1) % QUEUEDEPTH;
		241	}
		242
		243	tap_packet *pkt_queue::get ()
		244	{
		245	tap_packet *p = queue[j];
		246
		247	if (p)
		248	{
		249	queue[j] = 0;
		250	j = (j + 1) % QUEUEDEPTH;
		251	}
		252
		253	return p;
		254	}
		255
		256	pkt_queue::pkt_queue ()
		257	{
		258	memset (queue, 0, sizeof (queue));
		259	i = 0;
		260	j = 0;
		261	}
		262
		263	pkt_queue::~pkt_queue ()
		264	{
		265	for (i = QUEUEDEPTH; --i > 0; )
		266	delete queue[i];
		267	}
		268
		269	// only do action once every x seconds per host.
		270	// currently this is quite a slow implementation,
		271	// but suffices for normal operation.
		272	struct u32_rate_limiter : private map<u32, tstamp>
		273	{
		274	tstamp every;
		275
		276	bool can (u32 host);
		277
		278	u32_rate_limiter (tstamp every = 1)
		279	{
		280	this->every = every;
		281	}
		282	};
		283
		284	struct net_rate_limiter : u32_rate_limiter
		285	{
		286	bool can (SOCKADDR *sa) { return u32_rate_limiter::can((u32)sa->sin_addr.s_addr); }
		287	bool can (sockinfo &si) { return u32_rate_limiter::can((u32)si.host); }
		288
		289	net_rate_limiter (tstamp every) : u32_rate_limiter (every) {}
		290	};
		291
		292	bool u32_rate_limiter::can (u32 host)
		293	{
		294	iterator i;
		295
		296	for (i = begin (); i != end (); )
		297	if (i->second <= NOW)
		298	{
		299	erase (i);
		300	i = begin ();
		301	}
		302	else
		303	++i;
		304
		305	i = find (host);
		306
		307	if (i != end ())
		308	return false;
		309
		310	insert (value_type (host, NOW + every));
		311
		312	return true;
133	}	313	}
134		314
135	/////////////////////////////////////////////////////////////////////////////	315	/////////////////////////////////////////////////////////////////////////////
136		316
137	static void next_wakeup (time_t next)	317	static void next_wakeup (time_t next)
…		…
200		380
201	unsigned int src ()	381	unsigned int src ()
202	{	382	{
203	return src1 \| ((srcdst >> 4) << 8);	383	return src1 \| ((srcdst >> 4) << 8);
204	}	384	}
		385
205	unsigned int dst ()	386	unsigned int dst ()
206	{	387	{
207	return dst1 \| ((srcdst & 0xf) << 8);	388	return dst1 \| ((srcdst & 0xf) << 8);
208	}	389	}
		390
209	ptype typ ()	391	ptype typ ()
210	{	392	{
211	return (ptype) type;	393	return (ptype) type;
212	}	394	}
213	};	395	};
…		…
252	u32 cl;	434	u32 cl;
253		435
254	cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);	436	cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
255	if (cl)	437	if (cl)
256	{	438	{
257	//printf ("compressed packet, %d => %d\n", l, cl);//D
258	type = PT_DATA_COMPRESSED;	439	type = PT_DATA_COMPRESSED;
259	d = cdata;	440	d = cdata;
260	l = cl + 2;	441	l = cl + 2;
261		442
262	d[0] = cl >> 8;	443	d[0] = cl >> 8;
…		…
338	#if ENABLE_COMPRESSION	519	#if ENABLE_COMPRESSION
339	if (type == PT_DATA_COMPRESSED)	520	if (type == PT_DATA_COMPRESSED)
340	{	521	{
341	u32 cl = (d[DATAHDR] << 8) \| d[DATAHDR + 1];	522	u32 cl = (d[DATAHDR] << 8) \| d[DATAHDR + 1];
342	p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6;	523	p->len = lzf_decompress (d + DATAHDR + 2, cl, &(*p)[6 + 6], MAX_MTU) + 6 + 6;
343	//printf ("decompressxed %d(%d) => %d\n", cl, len - data_hdr_size (), p->len);//D
344	}	524	}
345	else	525	else
346	p->len = outl + (6 + 6 - DATAHDR);	526	p->len = outl + (6 + 6 - DATAHDR);
347	#endif	527	#endif
348		528
…		…
369	u32 digest_nid;	549	u32 digest_nid;
370		550
371	const u8 curflags () const	551	const u8 curflags () const
372	{	552	{
373	return 0x80	553	return 0x80
		554	\| 0x02
		555	#if PROTOCOL_MAJOR != 2
		556	#error hi
		557	#endif
374	\| (ENABLE_COMPRESSION ? 0x01 : 0x00)	558	\| (ENABLE_COMPRESSION ? 0x01 : 0x00);
375	\| (ENABLE_TRUST ? 0x02 : 0x00);
376	}	559	}
377		560
378	void setup (ptype type, int dst)	561	void setup (ptype type, int dst)
379	{	562	{
380	prot_major = PROTOCOL_MAJOR;	563	prot_major = PROTOCOL_MAJOR;
…		…
491	void	674	void
492	connection::send_reset (SOCKADDR *dsa)	675	connection::send_reset (SOCKADDR *dsa)
493	{	676	{
494	static net_rate_limiter limiter(1);	677	static net_rate_limiter limiter(1);
495		678
496	if (limiter.can (dsa))	679	if (limiter.can (dsa) && connectmode != conf_node::C_DISABLED)
497	{	680	{
498	config_packet *pkt = new config_packet;	681	config_packet *pkt = new config_packet;
499		682
500	pkt->setup (vpn_packet::PT_RESET, conf->id);	683	pkt->setup (vpn_packet::PT_RESET, conf->id);
501	vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST);	684	vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST);
…		…
503	delete pkt;	686	delete pkt;
504	}	687	}
505	}	688	}
506		689
507	static rsachallenge *	690	static rsachallenge *
508	gen_challenge (SOCKADDR *sa)	691	gen_challenge (u32 seqrand, SOCKADDR *sa)
509	{	692	{
510	static rsachallenge k;	693	static rsachallenge k;
511		694
512	memcpy (&k, &challenge_bytes (), sizeof (k));	695	memcpy (&k, &challenge_bytes (), sizeof (k));
513	RAND_bytes ((unsigned char *)&k[CHG_SEQNO], sizeof (u32));	696	(u32 )&k[CHG_SEQNO] ^= seqrand;
514	xor_sa (k, sa);	697	xor_sa (k, sa);
515		698
516	return &k;	699	return &k;
517	}	700	}
518		701
519	void	702	void
520	connection::send_auth (auth_subtype subtype, SOCKADDR sa, rsachallenge k)	703	connection::send_auth (auth_subtype subtype, SOCKADDR sa, const rsachallenge k)
521	{	704	{
522	static net_rate_limiter limiter(2);	705	static net_rate_limiter limiter(0.2);
523		706
524	if (subtype != AUTH_INIT \|\| limiter.can (sa))	707	if (subtype != AUTH_INIT \|\| limiter.can (sa))
525	{	708	{
		709	if (!k)
		710	k = gen_challenge (seqrand, sa);
		711
526	auth_packet *pkt = new auth_packet (conf->id, subtype);	712	auth_packet *pkt = new auth_packet (conf->id, subtype);
527		713
528	//printf ("send auth_packet subtype %d\n", subtype);//D	714	memcpy (pkt->challenge, rsa_cache.public_encrypt (conf->rsa_key, *k), sizeof (rsaencrdata));
529
530	if (!k)
531	k = gen_challenge (sa);
532
533	#if ENABLE_TRUST
534	if (0 > RSA_public_encrypt (sizeof (*k),
535	(unsigned char )k, (unsigned char )&pkt->challenge,
536	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
537	fatal ("RSA_public_encrypt error");
538	#else
539	# error untrusted mode not yet implemented: programemr does not know how to
540	rsaencrdata enc;
541
542	if (0 > RSA_private_encrypt (sizeof (*k),
543	(unsigned char )k, (unsigned char )&enc,
544	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
545	fatal ("RSA_private_encrypt error");
546
547	if (0 > RSA_public_encrypt (sizeof (enc),
548	(unsigned char )enc, (unsigned char )&pkt->challenge,
549	conf->rsa_key, RSA_NO_PADDING))
550	fatal ("RSA_public_encrypt error");
551	#endif
552		715
553	slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa));	716	slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa));
554		717
555	vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY);	718	vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY);
556		719
557	delete pkt;	720	delete pkt;
558	}	721	}
559	}	722	}
560		723
561	void	724	void
562	connection::establish_connection ()	725	connection::establish_connection_cb (tstamp &ts)
563	{	726	{
564	if (!ictx && conf != THISNODE && connectmode != conf_node::C_NEVER)	727	if (ictx \|\| conf == THISNODE \|\| connectmode == conf_node::C_NEVER)
		728	ts = TSTAMP_CANCEL;
		729	else if (ts <= NOW)
565	{	730	{
566	if (now >= next_retry)	731	double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.25;
567	{
568	int retry_int = retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2);
569		732
570	if (retry_cnt < (17 << 2) \| 3)	733	if (retry_int < 3600 * 8)
571	retry_cnt++;	734	retry_cnt++;
572		735
573	if (connectmode == conf_node::C_ONDEMAND	736	if (connectmode == conf_node::C_ONDEMAND
574	&& retry_int > ::conf.keepalive)	737	&& retry_int > ::conf.keepalive)
575	retry_int = ::conf.keepalive;	738	retry_int = ::conf.keepalive;
576		739
577	next_retry = now + retry_int;	740	ts = NOW + retry_int;
578	next_wakeup (next_retry);
579		741
580	if (conf->hostname)	742	if (conf->hostname)
581	{	743	{
582	reset_dstaddr ();	744	reset_dstaddr ();
583	if (sa.sin_addr.s_addr)	745	if (sa.sin_addr.s_addr)
584	if (retry_cnt < 4)	746	if (retry_cnt < 4)
585	send_auth (AUTH_INIT, &sa);	747	send_auth (AUTH_INIT, &sa);
586	else	748	else
587	send_ping (&sa, 0);	749	send_ping (&sa, 0);
588	}	750	}
589	else	751	else
590	vpn->connect_request (conf->id);	752	vpn->connect_request (conf->id);
591	}
592	}	753	}
593	}	754	}
594		755
595	void	756	void
596	connection::reset_connection ()	757	connection::reset_connection ()
…		…
601		762
602	if (::conf.script_node_down)	763	if (::conf.script_node_down)
603	run_script (this, &connection::script_node_down, false);	764	run_script (this, &connection::script_node_down, false);
604	}	765	}
605		766
606	delete ictx;	767	delete ictx; ictx = 0;
607	ictx = 0;	768	delete octx; octx = 0;
608		769
609	delete octx;	770	RAND_bytes ((unsigned char *)&seqrand, sizeof (u32));
610	octx = 0;
611		771
612	sa.sin_port = 0;	772	sa.sin_port = 0;
613	sa.sin_addr.s_addr = 0;	773	sa.sin_addr.s_addr = 0;
614		774
615	next_retry = 0;
616	next_rekey = 0;
617	last_activity = 0;	775	last_activity = 0;
		776
		777	rekey.reset ();
		778	keepalive.reset ();
		779	establish_connection.reset ();
618	}	780	}
619		781
620	void	782	void
621	connection::shutdown ()	783	connection::shutdown ()
622	{	784	{
…		…
625		787
626	reset_connection ();	788	reset_connection ();
627	}	789	}
628		790
629	void	791	void
630	connection::rekey ()	792	connection::rekey_cb (tstamp &ts)
631	{	793	{
		794	ts = TSTAMP_CANCEL;
		795
632	reset_connection ();	796	reset_connection ();
633	establish_connection ();	797	establish_connection ();
634	}	798	}
635		799
636	void	800	void
…		…
668	}	832	}
669		833
670	void	834	void
671	connection::recv_vpn_packet (vpn_packet pkt, SOCKADDR ssa)	835	connection::recv_vpn_packet (vpn_packet pkt, SOCKADDR ssa)
672	{	836	{
673	last_activity = now;	837	last_activity = NOW;
674		838
675	slog (L_NOISE, "<<%d received packet type %d from %d to %d",	839	slog (L_NOISE, "<<%d received packet type %d from %d to %d",
676	conf->id, pkt->typ (), pkt->src (), pkt->dst ());	840	conf->id, pkt->typ (), pkt->src (), pkt->dst ());
677		841
678	switch (pkt->typ ())	842	switch (pkt->typ ())
…		…
686	// so reset the retry counter and establish a conenction	850	// so reset the retry counter and establish a conenction
687	// when we receive a pong.	851	// when we receive a pong.
688	if (!ictx && !octx)	852	if (!ictx && !octx)
689	{	853	{
690	retry_cnt = 0;	854	retry_cnt = 0;
691	next_retry = 0;	855	establish_connection.at = 0;
692	establish_connection ();	856	establish_connection ();
693	}	857	}
694		858
695	break;	859	break;
696		860
697	case vpn_packet::PT_RESET:	861	case vpn_packet::PT_RESET:
698	{	862	{
699	reset_connection ();	863	reset_connection ();
700		864
701	config_packet p = (config_packet ) pkt;	865	config_packet p = (config_packet ) pkt;
702	if (p->chk_config ())	866	if (!p->chk_config ())
		867	{
		868	slog (L_WARN, _("protocol mismatch, disabling node '%s'"), conf->nodename);
		869	connectmode = conf_node::C_DISABLED;
		870	}
703	if (connectmode == conf_node::C_ALWAYS)	871	else if (connectmode == conf_node::C_ALWAYS)
704	establish_connection ();	872	establish_connection ();
705
706	//D slog the protocol mismatch?
707	}	873	}
708	break;	874	break;
709		875
710	case vpn_packet::PT_AUTH:	876	case vpn_packet::PT_AUTH:
711	{	877	{
…		…
721	PROTOCOL_MINOR, conf->nodename, p->prot_minor);	887	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
722		888
723	if (p->subtype == AUTH_INIT)	889	if (p->subtype == AUTH_INIT)
724	send_auth (AUTH_INITREPLY, ssa);	890	send_auth (AUTH_INITREPLY, ssa);
725		891
726	rsachallenge k;	892	const rsachallenge *k = rsa_cache.private_decrypt (::conf.rsa_key, p->challenge);
727		893
728	#if ENABLE_TRUST
729	if (0 > RSA_private_decrypt (sizeof (rsaencrdata),
730	(unsigned char )&p->challenge, (unsigned char )&k,
731	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
732	// continued below
733	#else
734	rsaencrdata j;
735		894	if (!k)
736	if (0 > RSA_private_decrypt (sizeof (rsaencrdata),
737	(unsigned char )&p->challenge, (unsigned char )&j,
738	::conf.rsa_key, RSA_NO_PADDING))
739	fatal ("RSA_private_decrypt error");
740
741	if (0 > RSA_public_decrypt (sizeof (k),
742	(unsigned char )&j, (unsigned char )&k,
743	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
744	// continued below
745	#endif
746	{	895	{
747	slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"),	896	slog (L_ERR, _("challenge from %s (%s) illegal or corrupted, disabling node"),
748	conf->nodename, (const char *)sockinfo (ssa));	897	conf->nodename, (const char *)sockinfo (ssa));
		898	connectmode = conf_node::C_DISABLED;
749	break;	899	break;
750	}	900	}
751		901
752	retry_cnt = 0;	902	retry_cnt = 0;
753	next_retry = now + 8;	903	establish_connection.set (NOW + 8); //? ;)
		904	keepalive.reset ();
		905	rekey.reset ();
754		906
755	switch (p->subtype)	907	switch (p->subtype)
756	{	908	{
757	case AUTH_INIT:	909	case AUTH_INIT:
758	case AUTH_INITREPLY:	910	case AUTH_INITREPLY:
759	delete ictx;	911	delete ictx;
760	ictx = 0;	912	ictx = 0;
761		913
762	delete octx;	914	delete octx;
763		915
764	octx = new crypto_ctx (k, 1);	916	octx = new crypto_ctx (*k, 1);
765	oseqno = (u32 )&k[CHG_SEQNO] & 0x7fffffff;	917	oseqno = (u32 )&k[CHG_SEQNO] & 0x7fffffff;
766		918
767	send_auth (AUTH_REPLY, ssa, &k);	919	send_auth (AUTH_REPLY, ssa, k);
768	break;	920	break;
769		921
770	case AUTH_REPLY:	922	case AUTH_REPLY:
771		923
772	if (!memcmp ((u8 )gen_challenge (ssa) + sizeof (u32), (u8 )&k + sizeof (u32),	924	if (!memcmp ((u8 )gen_challenge (seqrand, ssa), (u8 )k, sizeof (rsachallenge)))
773	sizeof (rsachallenge) - sizeof (u32)))
774	{	925	{
775	delete ictx;	926	delete ictx;
776		927
777	ictx = new crypto_ctx (k, 0);	928	ictx = new crypto_ctx (*k, 0);
778	iseqno = (u32 )&k[CHG_SEQNO] & 0x7fffffff; // at least 2**31 sequence numbers are valid	929	iseqno.reset ((u32 )&k[CHG_SEQNO] & 0x7fffffff); // at least 2**31 sequence numbers are valid
779	ismask = 0xffffffff; // initially, all lower sequence numbers are invalid
780		930
781	sa = *ssa;	931	sa = *ssa;
782		932
783	next_rekey = now + ::conf.rekey;	933	rekey.set (NOW + ::conf.rekey);
784	next_wakeup (next_rekey);	934	keepalive.set (NOW + ::conf.keepalive);
785		935
786	// send queued packets	936	// send queued packets
787	while (tap_packet *p = queue.get ())	937	while (tap_packet *p = queue.get ())
788	{	938	{
789	send_data_packet (p);	939	send_data_packet (p);
…		…
834	else	984	else
835	{	985	{
836	u32 seqno;	986	u32 seqno;
837	tap_packet *d = p->unpack (this, seqno);	987	tap_packet *d = p->unpack (this, seqno);
838		988
839	if (seqno <= iseqno - 32)	989	if (iseqno.recv_ok (seqno))
840	slog (L_ERR, _("received duplicate or outdated packet (received %08lx, expected %08lx)\n"
841	"possible replay attack, or just massive packet reordering"), seqno, iseqno + 1);//D
842	else if (seqno > iseqno + 32)
843	slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n"
844	"possible replay attack, or just massive packet loss"), seqno, iseqno + 1);//D
845	else
846	{	990	{
847	if (seqno > iseqno)
848	{
849	ismask <<= seqno - iseqno;
850	iseqno = seqno;
851	}
852
853	u32 mask = 1 << (iseqno - seqno);
854
855	//printf ("received seqno %08lx, iseqno %08lx, mask %08lx is %08lx\n", seqno, iseqno, mask, ismask);
856	if (ismask & mask)
857	slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n"
858	"possible replay attack, or just packet duplication"), seqno, iseqno + 1);//D
859	else
860	{
861	ismask \|= mask;
862
863	vpn->tap->send (d);	991	vpn->tap->send (d);
864		992
865	if (p->dst () == 0) // re-broadcast	993	if (p->dst () == 0) // re-broadcast
866	for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)	994	for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
867	{	995	{
868	connection c = i;	996	connection c = i;
869		997
870	if (c->conf != THISNODE && c->conf != conf)	998	if (c->conf != THISNODE && c->conf != conf)
871	c->inject_data_packet (d);	999	c->inject_data_packet (d);
872	}
873
874	delete d;
875
876	break;
877	}	1000	}
		1001
		1002	delete d;
		1003
		1004	break;
878	}	1005	}
879	}	1006	}
880	}	1007	}
881	else	1008	else
882	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D	1009	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D
…		…
953	send_reset (ssa);	1080	send_reset (ssa);
954	break;	1081	break;
955	}	1082	}
956	}	1083	}
957		1084
958	void connection::timer ()	1085	void connection::keepalive_cb (tstamp &ts)
959	{	1086	{
960	if (conf != THISNODE)	1087	if (NOW >= last_activity + ::conf.keepalive + 30)
961	{	1088	{
962	if (now >= next_retry && connectmode == conf_node::C_ALWAYS)	1089	reset_connection ();
963	establish_connection ();	1090	establish_connection ();
964		1091	}
965	if (ictx && octx)
966	{
967	if (now >= next_rekey)
968	rekey ();
969	else if (now >= last_activity + ::conf.keepalive + 30)
970	{
971	reset_connection ();
972	establish_connection ();
973	}
974	else if (now >= last_activity + ::conf.keepalive)	1092	else if (NOW < last_activity + ::conf.keepalive)
		1093	ts = last_activity + ::conf.keepalive;
975	if (conf->connectmode != conf_node::C_ONDEMAND	1094	else if (conf->connectmode != conf_node::C_ONDEMAND
976	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)	1095	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)
		1096	{
977	send_ping (&sa);	1097	send_ping (&sa);
978	else	1098	ts = NOW + 5;
		1099	}
		1100	else
979	reset_connection ();	1101	reset_connection ();
980		1102
981	}
982	}
983	}	1103	}
984		1104
985	void connection::connect_request (int id)	1105	void connection::connect_request (int id)
986	{	1106	{
987	connect_req_packet *p = new connect_req_packet (conf->id, id);	1107	connect_req_packet *p = new connect_req_packet (conf->id, id);
…		…
1024	putenv ("STATE=down");	1144	putenv ("STATE=down");
1025		1145
1026	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";	1146	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1027	}	1147	}
1028		1148
		1149	connection::connection(struct vpn *vpn_)
		1150	: vpn(vpn_)
		1151	, rekey (this, &connection::rekey_cb)
		1152	, keepalive (this, &connection::keepalive_cb)
		1153	, establish_connection (this, &connection::establish_connection_cb)
		1154	{
		1155	octx = ictx = 0;
		1156	retry_cnt = 0;
		1157
		1158	connectmode = conf_node::C_ALWAYS; // initial setting
		1159	reset_connection ();
		1160	}
		1161
		1162	connection::~connection ()
		1163	{
		1164	shutdown ();
		1165	}
		1166
1029	/////////////////////////////////////////////////////////////////////////////	1167	/////////////////////////////////////////////////////////////////////////////
1030
1031	vpn::vpn (void)
1032	{}
1033		1168
1034	const char *vpn::script_if_up ()	1169	const char *vpn::script_if_up ()
1035	{	1170	{
1036	// the tunnel device mtu should be the physical mtu - overhead	1171	// the tunnel device mtu should be the physical mtu - overhead
1037	// the tricky part is rounding to the cipher key blocksize	1172	// the tricky part is rounding to the cipher key blocksize
…		…
1088	{	1223	{
1089	int oval = 1;	1224	int oval = 1;
1090	setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);	1225	setsockopt (socket_fd, SOL_SOCKET, SO_REUSEADDR, &oval, sizeof oval);
1091	}	1226	}
1092		1227
		1228	udp_ev_watcher.start (socket_fd, POLLIN);
		1229
1093	tap = new tap_device ();	1230	tap = new tap_device ();
1094	if (!tap) //D this, of course, never catches	1231	if (!tap) //D this, of course, never catches
1095	{	1232	{
1096	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);	1233	slog (L_ERR, _("cannot create network interface '%s'"), conf.ifname);
1097	exit (1);	1234	exit (1);
1098	}	1235	}
1099		1236
1100	run_script (this, &vpn::script_if_up, true);	1237	run_script (this, &vpn::script_if_up, true);
		1238
		1239	vpn_ev_watcher.start (tap->fd, POLLIN);
		1240
		1241	reconnect_all ();
1101		1242
1102	return 0;	1243	return 0;
1103	}	1244	}
1104		1245
1105	void	1246	void
…		…
1170	// if ((*i)->conf->routerprio)	1311	// if ((*i)->conf->routerprio)
1171	// (*i)->establish_connection ();	1312	// (*i)->establish_connection ();
1172	}	1313	}
1173		1314
1174	void	1315	void
1175	vpn::main_loop ()	1316	vpn::udp_ev (short revents)
1176	{	1317	{
1177	struct pollfd pollfd[2];	1318	if (revents & (POLLIN \| POLLERR))
1178
1179	pollfd[0].fd = tap->fd;
1180	pollfd[0].events = POLLIN;
1181	pollfd[1].fd = socket_fd;
1182	pollfd[1].events = POLLIN;
1183
1184	events = 0;
1185	now = time (0);
1186	next_timecheck = now + 1;
1187
1188	reconnect_all ();
1189
1190	for (;;)
1191	{	1319	{
1192	int npoll = poll (pollfd, 2, (next_timecheck - now) * 1000);	1320	vpn_packet *pkt = new vpn_packet;
1193		1321	struct sockaddr_in sa;
1194	now = time (0);	1322	socklen_t sa_len = sizeof (sa);
		1323	int len;
1195		1324
		1325	len = recvfrom (socket_fd, &((pkt)[0]), MAXSIZE, 0, (sockaddr )&sa, &sa_len);
		1326
1196	if (npoll > 0)	1327	if (len > 0)
		1328	{
		1329	pkt->len = len;
		1330
		1331	unsigned int src = pkt->src ();
		1332	unsigned int dst = pkt->dst ();
		1333
		1334	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
		1335	(const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
		1336
		1337	if (dst > conns.size () \|\| pkt->typ () >= vpn_packet::PT_MAX)
		1338	slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
		1339	pkt->typ (), pkt->src (), pkt->dst ());
		1340	else if (dst == 0 && !THISNODE->routerprio)
		1341	slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
		1342	else if (dst != 0 && dst != THISNODE->id)
		1343	slog (L_WARN,
		1344	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
		1345	dst, conns[dst - 1]->conf->nodename,
		1346	(const char *)sockinfo (sa),
		1347	THISNODE->id, THISNODE->nodename);
		1348	else if (src == 0 \|\| src > conns.size ())
		1349	slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
		1350	else
		1351	conns[src - 1]->recv_vpn_packet (pkt, &sa);
1197	{	1352	}
1198	if (pollfd[1].revents)	1353	else
		1354	{
		1355	// probably ECONNRESET or somesuch
		1356	slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno));
		1357	}
		1358
		1359	delete pkt;
		1360	}
		1361	else if (revents & POLLHUP)
		1362	{
		1363	// this cannot ;) happen on udp sockets
		1364	slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating."));
		1365	exit (1);
		1366	}
		1367	else
		1368	{
		1369	slog (L_ERR,
		1370	_("FATAL: unknown revents %08x in socket, terminating\n"),
		1371	revents);
		1372	exit (1);
		1373	}
		1374	}
		1375
		1376	void
		1377	vpn::vpn_ev (short revents)
		1378	{
		1379	if (revents & POLLIN)
		1380	{
		1381	/* process data */
		1382	tap_packet *pkt;
		1383
		1384	pkt = tap->recv ();
		1385
		1386	int dst = mac2id (pkt->dst);
		1387	int src = mac2id (pkt->src);
		1388
		1389	if (src != THISNODE->id)
		1390	{
		1391	slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
		1392	exit (1);
		1393	}
		1394
		1395	if (dst == THISNODE->id)
		1396	{
		1397	slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
		1398	exit (1);
		1399	}
		1400
		1401	if (dst > conns.size ())
		1402	slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
		1403	else
		1404	{
		1405	if (dst)
1199	{	1406	{
1200	if (pollfd[1].revents & (POLLIN \| POLLERR))	1407	// unicast
1201	{
1202	vpn_packet *pkt = new vpn_packet;
1203	struct sockaddr_in sa;
1204	socklen_t sa_len = sizeof (sa);
1205	int len;
1206
1207	len = recvfrom (socket_fd, &((pkt)[0]), MAXSIZE, 0, (sockaddr )&sa, &sa_len);
1208
1209	if (len > 0)
1210	{
1211	pkt->len = len;
1212
1213	unsigned int src = pkt->src ();
1214	unsigned int dst = pkt->dst ();
1215
1216	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1217	(const char *)sockinfo (sa), pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1218
1219	if (dst > conns.size () \|\| pkt->typ () >= vpn_packet::PT_MAX)
1220	slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1221	pkt->typ (), pkt->src (), pkt->dst ());
1222	else if (dst == 0 && !THISNODE->routerprio)
1223	slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1224	else if (dst != 0 && dst != THISNODE->id)	1408	if (dst != THISNODE->id)
1225	slog (L_WARN,
1226	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1227	dst, conns[dst - 1]->conf->nodename,
1228	(const char *)sockinfo (sa),
1229	THISNODE->id, THISNODE->nodename);
1230	else if (src == 0 \|\| src > conns.size ())
1231	slog (L_WARN, _("received frame from unknown node %d (%s)"), src, (const char *)sockinfo (sa));
1232	else
1233	conns[src - 1]->recv_vpn_packet (pkt, &sa);	1409	conns[dst - 1]->inject_data_packet (pkt);
1234	}
1235	else
1236	{
1237	// probably ECONNRESET or somesuch
1238	slog (L_DEBUG, _("%s: %s"), (const char *)sockinfo(sa), strerror (errno));
1239	}
1240
1241	delete pkt;
1242	}	1410	}
1243	else if (pollfd[1].revents & POLLHUP)	1411	else
1244	{	1412	{
1245	// this cannot ;) happen on udp sockets	1413	// broadcast, first check router, then self, then english
1246	slog (L_ERR, _("FATAL: POLLHUP on socket fd, terminating."));	1414	connection *router = find_router ();
1247	exit (1);	1415
1248	}	1416	if (router)
		1417	router->inject_data_packet (pkt, true);
1249	else	1418	else
1250	{	1419	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1251	slog (L_ERR,	1420	if ((*c)->conf != THISNODE)
1252	_("FATAL: unknown revents %08x in socket, terminating\n"),	1421	(*c)->inject_data_packet (pkt);
1253	pollfd[1].revents);
1254	exit (1);
1255	}
1256	}	1422	}
		1423	}
1257		1424
1258	// I use else here to give vpn_packets absolute priority	1425	delete pkt;
1259	else if (pollfd[0].revents)	1426	}
1260	{
1261	if (pollfd[0].revents & POLLIN)
1262	{
1263	/* process data */
1264	tap_packet *pkt;
1265
1266	pkt = tap->recv ();
1267
1268	int dst = mac2id (pkt->dst);
1269	int src = mac2id (pkt->src);
1270
1271	if (src != THISNODE->id)
1272	{
1273	slog (L_ERR, _("FATAL: tap packet not originating on current node received, terminating."));
1274	exit (1);
1275	}
1276
1277	if (dst == THISNODE->id)
1278	{
1279	slog (L_ERR, _("FATAL: tap packet destined for current node received, terminating."));
1280	exit (1);
1281	}
1282
1283	if (dst > conns.size ())
1284	slog (L_ERR, _("tap packet for unknown node %d received, ignoring."), dst);
1285	else
1286	{
1287	if (dst)
1288	{
1289	// unicast
1290	if (dst != THISNODE->id)
1291	conns[dst - 1]->inject_data_packet (pkt);
1292	}
1293	else
1294	{
1295	// broadcast, first check router, then self, then english
1296	connection *router = find_router ();
1297
1298	if (router)
1299	router->inject_data_packet (pkt, true);
1300	else
1301	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1302	if ((*c)->conf != THISNODE)
1303	(*c)->inject_data_packet (pkt);
1304	}
1305	}
1306
1307	delete pkt;
1308	}
1309	else if (pollfd[0].revents & (POLLHUP \| POLLERR))	1427	else if (revents & (POLLHUP \| POLLERR))
1310	{	1428	{
1311	slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));	1429	slog (L_ERR, _("FATAL: POLLHUP or POLLERR on network device fd, terminating."));
1312	exit (1);	1430	exit (1);
1313	}	1431	}
1314	else	1432	else
1315	abort ();	1433	abort ();
1316	}	1434	}
1317	}
1318		1435
		1436	void
		1437	vpn::event_cb (tstamp &ts)
		1438	{
1319	if (events)	1439	if (events)
1320	{	1440	{
1321	if (events & EVENT_SHUTDOWN)	1441	if (events & EVENT_SHUTDOWN)
1322	{	1442	{
1323	shutdown_all ();	1443	shutdown_all ();
1324		1444
1325	remove_pid (pidfilename);	1445	remove_pid (pidfilename);
1326		1446
1327	slog (L_INFO, _("vped terminating"));	1447	slog (L_INFO, _("vped terminating"));
1328		1448
1329	exit (0);	1449	exit (0);
1330	}	1450	}
1331		1451
1332	if (events & EVENT_RECONNECT)	1452	if (events & EVENT_RECONNECT)
1333	reconnect_all ();	1453	reconnect_all ();
1334		1454
1335	events = 0;	1455	events = 0;
1336	}
1337
1338	// very very very dumb and crude and inefficient timer handling, or maybe not?
1339	if (now >= next_timecheck)
1340	{
1341	next_timecheck = now + TIMER_GRANULARITY;
1342
1343	for (conns_vector::iterator c = conns.begin ();
1344	c != conns.end (); ++c)
1345	(*c)->timer ();
1346	}
1347	}	1456	}
		1457
		1458	ts = TSTAMP_CANCEL;
		1459	}
		1460
		1461	vpn::vpn (void)
		1462	: udp_ev_watcher (this, &vpn::udp_ev)
		1463	, vpn_ev_watcher (this, &vpn::vpn_ev)
		1464	, event (this, &vpn::event_cb)
		1465	{
1348	}	1466	}
1349		1467
1350	vpn::~vpn ()	1468	vpn::~vpn ()
1351	{}	1469	{
		1470	}
1352		1471

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/src/protocol.C (file contents): Revision 1.7 by pcg, Sun Mar 9 12:48:22 2003 UTC vs. Revision 1.11 by pcg, Sat Mar 22 21:35:07 2003 UTC

Diff Legend

Comparing gvpe/src/protocol.C (file contents):
Revision 1.7 by pcg, Sun Mar 9 12:48:22 2003 UTC vs.
Revision 1.11 by pcg, Sat Mar 22 21:35:07 2003 UTC