[ViewVC] Diff of: cvs/gvpe/src/protocol.C

Comparing gvpe/src/protocol.C (file contents):
Revision 1.25 by pcg, Fri Mar 28 16:21:09 2003 UTC vs.
Revision 1.26 by pcg, Wed Apr 2 03:06:22 2003 UTC

…		…
32	#include <arpa/inet.h>	32	#include <arpa/inet.h>
33	#include <errno.h>	33	#include <errno.h>
34	#include <time.h>	34	#include <time.h>
35	#include <unistd.h>	35	#include <unistd.h>
36		36
37	#include <openssl/rand.h>
38	#include <openssl/hmac.h>
39	#include <openssl/evp.h>
40	#include <openssl/rsa.h>
41	#include <openssl/err.h>
42
43	extern "C" {
44	# include "lzf/lzf.h"
45	}
46
47	#include "gettext.h"
48	#include "pidfile.h"	37	#include "pidfile.h"
49		38
50	#include "conf.h"	39	#include "connection.h"
51	#include "slog.h"	40	#include "util.h"
52	#include "device.h"
53	#include "protocol.h"	41	#include "protocol.h"
54
55	#if !HAVE_RAND_PSEUDO_BYTES
56	# define RAND_pseudo_bytes RAND_bytes
57	#endif
58
59	static time_t next_timecheck;
60
61	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
62
63	struct crypto_ctx
64	{
65	EVP_CIPHER_CTX cctx;
66	HMAC_CTX hctx;
67
68	crypto_ctx (const rsachallenge &challenge, int enc);
69	~crypto_ctx ();
70	};
71
72	crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
73	{
74	EVP_CIPHER_CTX_init (&cctx);
75	EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
76	HMAC_CTX_init (&hctx);
77	HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
78	}
79
80	crypto_ctx::~crypto_ctx ()
81	{
82	EVP_CIPHER_CTX_cleanup (&cctx);
83	HMAC_CTX_cleanup (&hctx);
84	}
85
86	static void
87	rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
88	{
89	EVP_MD_CTX ctx;
90
91	EVP_MD_CTX_init (&ctx);
92	EVP_DigestInit (&ctx, RSA_HASH);
93	EVP_DigestUpdate(&ctx, &chg, sizeof chg);
94	EVP_DigestUpdate(&ctx, &id, sizeof id);
95	EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
96	EVP_MD_CTX_cleanup (&ctx);
97	}
98
99	struct rsa_entry {
100	tstamp expire;
101	rsaid id;
102	rsachallenge chg;
103	};
104
105	struct rsa_cache : list<rsa_entry>
106	{
107	void cleaner_cb (tstamp &ts); time_watcher cleaner;
108
109	bool find (const rsaid &id, rsachallenge &chg)
110	{
111	for (iterator i = begin (); i != end (); ++i)
112	{
113	if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
114	{
115	memcpy (&chg, &i->chg, sizeof chg);
116
117	erase (i);
118	return true;
119	}
120	}
121
122	if (cleaner.at < NOW)
123	cleaner.start (NOW + RSA_TTL);
124
125	return false;
126	}
127
128	void gen (rsaid &id, rsachallenge &chg)
129	{
130	rsa_entry e;
131
132	RAND_bytes ((unsigned char *)&id, sizeof id);
133	RAND_bytes ((unsigned char *)&chg, sizeof chg);
134
135	e.expire = NOW + RSA_TTL;
136	e.id = id;
137	memcpy (&e.chg, &chg, sizeof chg);
138
139	push_back (e);
140
141	if (cleaner.at < NOW)
142	cleaner.start (NOW + RSA_TTL);
143	}
144
145	rsa_cache ()
146	: cleaner (this, &rsa_cache::cleaner_cb)
147	{ }
148
149	} rsa_cache;
150
151	void rsa_cache::cleaner_cb (tstamp &ts)
152	{
153	if (empty ())
154	ts = TSTAMP_CANCEL;
155	else
156	{
157	ts = NOW + RSA_TTL;
158
159	for (iterator i = begin (); i != end (); )
160	if (i->expire <= NOW)
161	i = erase (i);
162	else
163	++i;
164	}
165	}
166
167	typedef callback<const char *, int> run_script_cb;
168
169	// run a shell script (or actually an external program).
170	static void
171	run_script (const run_script_cb &cb, bool wait)
172	{
173	int pid;
174
175	if ((pid = fork ()) == 0)
176	{
177	char *filename;
178	asprintf (&filename, "%s/%s", confbase, cb(0));
179	execl (filename, filename, (char *) 0);
180	exit (255);
181	}
182	else if (pid > 0)
183	{
184	if (wait)
185	{
186	waitpid (pid, 0, 0);
187	/* TODO: check status */
188	}
189	}
190	}
191
192	//////////////////////////////////////////////////////////////////////////////
193
194	void pkt_queue::put (tap_packet *p)
195	{
196	if (queue[i])
197	{
198	delete queue[i];
199	j = (j + 1) % QUEUEDEPTH;
200	}
201
202	queue[i] = p;
203
204	i = (i + 1) % QUEUEDEPTH;
205	}
206
207	tap_packet *pkt_queue::get ()
208	{
209	tap_packet *p = queue[j];
210
211	if (p)
212	{
213	queue[j] = 0;
214	j = (j + 1) % QUEUEDEPTH;
215	}
216
217	return p;
218	}
219
220	pkt_queue::pkt_queue ()
221	{
222	memset (queue, 0, sizeof (queue));
223	i = 0;
224	j = 0;
225	}
226
227	pkt_queue::~pkt_queue ()
228	{
229	for (i = QUEUEDEPTH; --i > 0; )
230	delete queue[i];
231	}
232
233	struct net_rateinfo {
234	u32 host;
235	double pcnt, diff;
236	tstamp last;
237	};
238
239	// only do action once every x seconds per host whole allowing bursts.
240	// this implementation ("splay list" ;) is inefficient,
241	// but low on resources.
242	struct net_rate_limiter : list<net_rateinfo>
243	{
244	static const double ALPHA = 1. - 1. / 90.; // allow bursts
245	static const double CUTOFF = 20.; // one event every CUTOFF seconds
246	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
247
248	bool can (const sockinfo &si) { return can((u32)si.host); }
249	bool can (u32 host);
250	};
251
252	net_rate_limiter auth_rate_limiter, reset_rate_limiter;
253
254	bool net_rate_limiter::can (u32 host)
255	{
256	iterator i;
257
258	for (i = begin (); i != end (); )
259	if (i->host == host)
260	break;
261	else if (i->last < NOW - EXPIRE)
262	i = erase (i);
263	else
264	i++;
265
266	if (i == end ())
267	{
268	net_rateinfo ri;
269
270	ri.host = host;
271	ri.pcnt = 1.;
272	ri.diff = CUTOFF * (1. / (1. - ALPHA));
273	ri.last = NOW;
274
275	push_front (ri);
276
277	return true;
278	}
279	else
280	{
281	net_rateinfo ri (*i);
282	erase (i);
283
284	ri.pcnt = ri.pcnt * ALPHA;
285	ri.diff = ri.diff * ALPHA + (NOW - ri.last);
286
287	ri.last = NOW;
288
289	bool send = ri.diff / ri.pcnt > CUTOFF;
290
291	if (send)
292	ri.pcnt++;
293
294	push_front (ri);
295
296	return send;
297	}
298	}
299
300	/////////////////////////////////////////////////////////////////////////////
301
302	static void next_wakeup (time_t next)
303	{
304	if (next_timecheck > next)
305	next_timecheck = next;
306	}
307
308	static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
309
310	struct hmac_packet:net_packet
311	{
312	u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
313
314	void hmac_set (crypto_ctx * ctx);
315	bool hmac_chk (crypto_ctx * ctx);
316
317	private:
318	void hmac_gen (crypto_ctx * ctx)
319	{
320	unsigned int xlen;
321	HMAC_CTX *hctx = &ctx->hctx;
322
323	HMAC_Init_ex (hctx, 0, 0, 0, 0);
324	HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
325	len - sizeof (hmac_packet));
326	HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
327	}
328	};
329
330	void
331	hmac_packet::hmac_set (crypto_ctx * ctx)
332	{
333	hmac_gen (ctx);
334
335	memcpy (hmac, hmac_digest, HMACLENGTH);
336	}
337
338	bool
339	hmac_packet::hmac_chk (crypto_ctx * ctx)
340	{
341	hmac_gen (ctx);
342
343	return !memcmp (hmac, hmac_digest, HMACLENGTH);
344	}
345
346	struct vpn_packet : hmac_packet
347	{
348	enum ptype
349	{
350	PT_RESET = 0,
351	PT_DATA_UNCOMPRESSED,
352	PT_DATA_COMPRESSED,
353	PT_PING, PT_PONG, // wasting namespace space? ;)
354	PT_AUTH_REQ, // authentification request
355	PT_AUTH_RES, // authentification response
356	PT_CONNECT_REQ, // want other host to contact me
357	PT_CONNECT_INFO, // request connection to some node
358	PT_MAX
359	};
360
361	u8 type;
362	u8 srcdst, src1, dst1;
363
364	void set_hdr (ptype type, unsigned int dst);
365
366	unsigned int src () const
367	{
368	return src1 \| ((srcdst >> 4) << 8);
369	}
370
371	unsigned int dst () const
372	{
373	return dst1 \| ((srcdst & 0xf) << 8);
374	}
375
376	ptype typ () const
377	{
378	return (ptype) type;
379	}
380	};
381
382	void vpn_packet::set_hdr (ptype type, unsigned int dst)
383	{
384	this->type = type;
385
386	int src = THISNODE->id;
387
388	src1 = src;
389	srcdst = ((src >> 8) << 4) \| (dst >> 8);
390	dst1 = dst;
391	}
392
393	#define MAXVPNDATA (MAX_MTU - 6 - 6)
394	#define DATAHDR (sizeof (u32) + RAND_SIZE)
395
396	struct vpndata_packet:vpn_packet
397	{
398	u8 data[MAXVPNDATA + DATAHDR]; // seqno
399
400	void setup (connection conn, int dst, u8 d, u32 len, u32 seqno);
401	tap_packet unpack (connection conn, u32 &seqno);
402	private:
403
404	const u32 data_hdr_size () const
405	{
406	return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
407	}
408	};
409
410	void
411	vpndata_packet::setup (connection conn, int dst, u8 d, u32 l, u32 seqno)
412	{
413	EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
414	int outl = 0, outl2;
415	ptype type = PT_DATA_UNCOMPRESSED;
416
417	#if ENABLE_COMPRESSION
418	u8 cdata[MAX_MTU];
419	u32 cl;
420
421	cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
422	if (cl)
423	{
424	type = PT_DATA_COMPRESSED;
425	d = cdata;
426	l = cl + 2;
427
428	d[0] = cl >> 8;
429	d[1] = cl;
430	}
431	#endif
432
433	EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
434
435	struct {
436	#if RAND_SIZE
437	u8 rnd[RAND_SIZE];
438	#endif
439	u32 seqno;
440	} datahdr;
441
442	datahdr.seqno = ntohl (seqno);
443	#if RAND_SIZE
444	RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
445	#endif
446
447	EVP_EncryptUpdate (cctx,
448	(unsigned char *) data + outl, &outl2,
449	(unsigned char *) &datahdr, DATAHDR);
450	outl += outl2;
451
452	EVP_EncryptUpdate (cctx,
453	(unsigned char *) data + outl, &outl2,
454	(unsigned char *) d, l);
455	outl += outl2;
456
457	EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2);
458	outl += outl2;
459
460	len = outl + data_hdr_size ();
461
462	set_hdr (type, dst);
463
464	hmac_set (conn->octx);
465	}
466
467	tap_packet *
468	vpndata_packet::unpack (connection *conn, u32 &seqno)
469	{
470	EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
471	int outl = 0, outl2;
472	tap_packet *p = new tap_packet;
473	u8 *d;
474	u32 l = len - data_hdr_size ();
475
476	EVP_DecryptInit_ex (cctx, 0, 0, 0, 0);
477
478	#if ENABLE_COMPRESSION
479	u8 cdata[MAX_MTU];
480
481	if (type == PT_DATA_COMPRESSED)
482	d = cdata;
483	else
484	#endif
485	d = &(*p)[6 + 6 - DATAHDR];
486
487	/* this overwrites part of the src mac, but we fix that later */
488	EVP_DecryptUpdate (cctx,
489	d, &outl2,
490	(unsigned char *)&data, len - data_hdr_size ());
491	outl += outl2;
492
493	EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
494	outl += outl2;
495
496	seqno = ntohl ((u32 )(d + RAND_SIZE));
497
498	id2mac (dst () ? dst() : THISNODE->id, p->dst);
499	id2mac (src (), p->src);
500
501	#if ENABLE_COMPRESSION
502	if (type == PT_DATA_COMPRESSED)
503	{
504	u32 cl = (d[DATAHDR] << 8) \| d[DATAHDR + 1];
505
506	p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
507	&(*p)[6 + 6], MAX_MTU)
508	+ 6 + 6;
509	}
510	else
511	p->len = outl + (6 + 6 - DATAHDR);
512	#endif
513
514	return p;
515	}
516
517	struct ping_packet : vpn_packet
518	{
519	void setup (int dst, ptype type)
520	{
521	set_hdr (type, dst);
522	len = sizeof (*this) - sizeof (net_packet);
523	}
524	};
525
526	struct config_packet : vpn_packet
527	{
528	// actually, hmaclen cannot be checked because the hmac
529	// field comes before this data, so peers with other
530	// hmacs simply will not work.
531	u8 prot_major, prot_minor, randsize, hmaclen;
532	u8 flags, challengelen, pad2, pad3;
533	u32 cipher_nid, digest_nid, hmac_nid;
534
535	const u8 curflags () const
536	{
537	return 0x80
538	\| (ENABLE_COMPRESSION ? 0x01 : 0x00);
539	}
540
541	void setup (ptype type, int dst);
542	bool chk_config () const;
543	};
544
545	void config_packet::setup (ptype type, int dst)
546	{
547	prot_major = PROTOCOL_MAJOR;
548	prot_minor = PROTOCOL_MINOR;
549	randsize = RAND_SIZE;
550	hmaclen = HMACLENGTH;
551	flags = curflags ();
552	challengelen = sizeof (rsachallenge);
553
554	cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
555	digest_nid = htonl (EVP_MD_type (RSA_HASH));
556	hmac_nid = htonl (EVP_MD_type (DIGEST));
557
558	len = sizeof (*this) - sizeof (net_packet);
559	set_hdr (type, dst);
560	}
561
562	bool config_packet::chk_config () const
563	{
564	return prot_major == PROTOCOL_MAJOR
565	&& randsize == RAND_SIZE
566	&& hmaclen == HMACLENGTH
567	&& flags == curflags ()
568	&& challengelen == sizeof (rsachallenge)
569	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
570	&& digest_nid == htonl (EVP_MD_type (RSA_HASH))
571	&& hmac_nid == htonl (EVP_MD_type (DIGEST));
572	}
573
574	struct auth_req_packet : config_packet
575	{
576	char magic[8];
577	u8 initiate; // false if this is just an automatic reply
578	u8 protocols; // supported protocols (will get patches on forward)
579	u8 pad2, pad3;
580	rsaid id;
581	rsaencrdata encr;
582
583	auth_req_packet (int dst, bool initiate_, u8 protocols_)
584	{
585	config_packet::setup (PT_AUTH_REQ, dst);
586	strncpy (magic, MAGIC, 8);
587	initiate = !!initiate_;
588	protocols = protocols_;
589
590	len = sizeof (*this) - sizeof (net_packet);
591	}
592	};
593
594	struct auth_res_packet : config_packet
595	{
596	rsaid id;
597	u8 pad1, pad2, pad3;
598	u8 response_len; // encrypted length
599	rsaresponse response;
600
601	auth_res_packet (int dst)
602	{
603	config_packet::setup (PT_AUTH_RES, dst);
604
605	len = sizeof (*this) - sizeof (net_packet);
606	}
607	};
608
609	struct connect_req_packet : vpn_packet
610	{
611	u8 id, protocols;
612	u8 pad1, pad2;
613
614	connect_req_packet (int dst, int id_, u8 protocols_)
615	: id(id_)
616	, protocols(protocols_)
617	{
618	set_hdr (PT_CONNECT_REQ, dst);
619	len = sizeof (*this) - sizeof (net_packet);
620	}
621	};
622
623	struct connect_info_packet : vpn_packet
624	{
625	u8 id, protocols;
626	u8 pad1, pad2;
627	sockinfo si;
628
629	connect_info_packet (int dst, int id_, const sockinfo &si_, u8 protocols_)
630	: id(id_)
631	, protocols(protocols_)
632	, si(si_)
633	{
634	set_hdr (PT_CONNECT_INFO, dst);
635
636	len = sizeof (*this) - sizeof (net_packet);
637	}
638	};
639
640	/////////////////////////////////////////////////////////////////////////////
641
642	void
643	connection::reset_dstaddr ()
644	{
645	si.set (conf);
646	}
647
648	void
649	connection::send_ping (const sockinfo &si, u8 pong)
650	{
651	ping_packet *pkt = new ping_packet;
652
653	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
654	send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
655
656	delete pkt;
657	}
658
659	void
660	connection::send_reset (const sockinfo &si)
661	{
662	if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
663	{
664	config_packet *pkt = new config_packet;
665
666	pkt->setup (vpn_packet::PT_RESET, conf->id);
667	send_vpn_packet (pkt, si, IPTOS_MINCOST);
668
669	delete pkt;
670	}
671	}
672
673	void
674	connection::send_auth_request (const sockinfo &si, bool initiate)
675	{
676	auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
677
678	protocol = best_protocol (THISNODE->protocols & conf->protocols);
679
680	rsachallenge chg;
681
682	rsa_cache.gen (pkt->id, chg);
683
684	if (0 > RSA_public_encrypt (sizeof chg,
685	(unsigned char )&chg, (unsigned char )&pkt->encr,
686	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
687	fatal ("RSA_public_encrypt error");
688
689	slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
690
691	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
692
693	delete pkt;
694	}
695
696	void
697	connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
698	{
699	auth_res_packet *pkt = new auth_res_packet (conf->id);
700
701	pkt->id = id;
702
703	rsa_hash (id, chg, pkt->response);
704
705	pkt->hmac_set (octx);
706
707	slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
708
709	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
710
711	delete pkt;
712	}
713
714	void
715	connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
716	{
717	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
718	conf->id, rid, (const char *)rsi);
719
720	connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
721
722	r->hmac_set (octx);
723	send_vpn_packet (r, si);
724
725	delete r;
726	}
727
728	void
729	connection::establish_connection_cb (tstamp &ts)
730	{
731	if (ictx \|\| conf == THISNODE
732	\|\| connectmode == conf_node::C_NEVER
733	\|\| connectmode == conf_node::C_DISABLED)
734	ts = TSTAMP_CANCEL;
735	else if (ts <= NOW)
736	{
737	double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
738
739	if (retry_int < 3600 * 8)
740	retry_cnt++;
741
742	ts = NOW + retry_int;
743
744	if (conf->hostname)
745	{
746	reset_dstaddr ();
747	if (si.host && auth_rate_limiter.can (si))
748	{
749	if (retry_cnt < 4)
750	send_auth_request (si, true);
751	else
752	send_ping (si, 0);
753	}
754	}
755	else
756	vpn->connect_request (conf->id);
757	}
758	}
759
760	void
761	connection::reset_connection ()
762	{
763	if (ictx && octx)
764	{
765	slog (L_INFO, _("%s(%s): connection lost"),
766	conf->nodename, (const char *)si);
767
768	if (::conf.script_node_down)
769	run_script (run_script_cb (this, &connection::script_node_down), false);
770	}
771
772	delete ictx; ictx = 0;
773	delete octx; octx = 0;
774
775	si.host= 0;
776
777	last_activity = 0;
778	retry_cnt = 0;
779
780	rekey.reset ();
781	keepalive.reset ();
782	establish_connection.reset ();
783	}
784
785	void
786	connection::shutdown ()
787	{
788	if (ictx && octx)
789	send_reset (si);
790
791	reset_connection ();
792	}
793
794	void
795	connection::rekey_cb (tstamp &ts)
796	{
797	ts = TSTAMP_CANCEL;
798
799	reset_connection ();
800	establish_connection ();
801	}
802
803	void
804	connection::send_data_packet (tap_packet *pkt, bool broadcast)
805	{
806	vpndata_packet *p = new vpndata_packet;
807	int tos = 0;
808
809	if (conf->inherit_tos
810	&& (pkt)[12] == 0x08 && (pkt)[13] == 0x00 // IP
811	&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4
812	tos = (*pkt)[15] & IPTOS_TOS_MASK;
813
814	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
815	send_vpn_packet (p, si, tos);
816
817	delete p;
818
819	if (oseqno > MAX_SEQNO)
820	rekey ();
821	}
822
823	void
824	connection::inject_data_packet (tap_packet *pkt, bool broadcast)
825	{
826	if (ictx && octx)
827	send_data_packet (pkt, broadcast);
828	else
829	{
830	if (!broadcast)//DDDD
831	queue.put (new tap_packet (*pkt));
832
833	establish_connection ();
834	}
835	}
836
837	void
838	connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
839	{
840	last_activity = NOW;
841
842	slog (L_NOISE, "<<%d received packet type %d from %d to %d",
843	conf->id, pkt->typ (), pkt->src (), pkt->dst ());
844
845	switch (pkt->typ ())
846	{
847	case vpn_packet::PT_PING:
848	// we send pings instead of auth packets after some retries,
849	// so reset the retry counter and establish a connection
850	// when we receive a ping.
851	if (!ictx)
852	{
853	if (auth_rate_limiter.can (rsi))
854	send_auth_request (rsi, true);
855	}
856	else
857	send_ping (rsi, 1); // pong
858
859	break;
860
861	case vpn_packet::PT_PONG:
862	break;
863
864	case vpn_packet::PT_RESET:
865	{
866	reset_connection ();
867
868	config_packet p = (config_packet ) pkt;
869
870	if (!p->chk_config ())
871	{
872	slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
873	conf->nodename, (const char *)rsi);
874	connectmode = conf_node::C_DISABLED;
875	}
876	else if (connectmode == conf_node::C_ALWAYS)
877	establish_connection ();
878	}
879	break;
880
881	case vpn_packet::PT_AUTH_REQ:
882	if (auth_rate_limiter.can (rsi))
883	{
884	auth_req_packet p = (auth_req_packet ) pkt;
885
886	slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
887
888	if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
889	{
890	if (p->prot_minor != PROTOCOL_MINOR)
891	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
892	conf->nodename, (const char *)rsi,
893	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
894
895	if (p->initiate)
896	send_auth_request (rsi, false);
897
898	rsachallenge k;
899
900	if (0 > RSA_private_decrypt (sizeof (p->encr),
901	(unsigned char )&p->encr, (unsigned char )&k,
902	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
903	slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
904	conf->nodename, (const char *)rsi);
905	else
906	{
907	retry_cnt = 0;
908	establish_connection.set (NOW + 8); //? ;)
909	keepalive.reset ();
910	rekey.reset ();
911
912	delete ictx;
913	ictx = 0;
914
915	delete octx;
916
917	octx = new crypto_ctx (k, 1);
918	oseqno = ntohl ((u32 )&k[CHG_SEQNO]) & 0x7fffffff;
919
920	conf->protocols = p->protocols;
921	send_auth_response (rsi, p->id, k);
922
923	break;
924	}
925	}
926
927	send_reset (rsi);
928	}
929
930	break;
931
932	case vpn_packet::PT_AUTH_RES:
933	{
934	auth_res_packet p = (auth_res_packet ) pkt;
935
936	slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
937
938	if (p->chk_config ())
939	{
940	if (p->prot_minor != PROTOCOL_MINOR)
941	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
942	conf->nodename, (const char *)rsi,
943	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
944
945	rsachallenge chg;
946
947	if (!rsa_cache.find (p->id, chg))
948	slog (L_ERR, _("%s(%s): unrequested auth response"),
949	conf->nodename, (const char *)rsi);
950	else
951	{
952	crypto_ctx *cctx = new crypto_ctx (chg, 0);
953
954	if (!p->hmac_chk (cctx))
955	slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
956	"could be an attack, or just corruption or an synchronization error"),
957	conf->nodename, (const char *)rsi);
958	else
959	{
960	rsaresponse h;
961
962	rsa_hash (p->id, chg, h);
963
964	if (!memcmp ((u8 )&h, (u8 )p->response, sizeof h))
965	{
966	prot_minor = p->prot_minor;
967
968	delete ictx; ictx = cctx;
969
970	iseqno.reset (ntohl ((u32 )&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
971
972	si = rsi;
973
974	rekey.set (NOW + ::conf.rekey);
975	keepalive.set (NOW + ::conf.keepalive);
976
977	// send queued packets
978	while (tap_packet *p = queue.get ())
979	{
980	send_data_packet (p);
981	delete p;
982	}
983
984	connectmode = conf->connectmode;
985
986	slog (L_INFO, _("%s(%s): %s connection established, protocol version %d.%d"),
987	conf->nodename, (const char *)rsi,
988	strprotocol (protocol),
989	p->prot_major, p->prot_minor);
990
991	if (::conf.script_node_up)
992	run_script (run_script_cb (this, &connection::script_node_up), false);
993
994	break;
995	}
996	else
997	slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
998	conf->nodename, (const char *)rsi);
999	}
1000
1001	delete cctx;
1002	}
1003	}
1004	}
1005
1006	send_reset (rsi);
1007	break;
1008
1009	case vpn_packet::PT_DATA_COMPRESSED:
1010	#if !ENABLE_COMPRESSION
1011	send_reset (rsi);
1012	break;
1013	#endif
1014
1015	case vpn_packet::PT_DATA_UNCOMPRESSED:
1016
1017	if (ictx && octx)
1018	{
1019	vpndata_packet p = (vpndata_packet )pkt;
1020
1021	if (rsi == si)
1022	{
1023	if (!p->hmac_chk (ictx))
1024	slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1025	"could be an attack, or just corruption or an synchronization error"),
1026	conf->nodename, (const char *)rsi);
1027	else
1028	{
1029	u32 seqno;
1030	tap_packet *d = p->unpack (this, seqno);
1031
1032	if (iseqno.recv_ok (seqno))
1033	{
1034	vpn->tap->send (d);
1035
1036	if (p->dst () == 0) // re-broadcast
1037	for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1038	{
1039	connection c = i;
1040
1041	if (c->conf != THISNODE && c->conf != conf)
1042	c->inject_data_packet (d);
1043	}
1044
1045	delete d;
1046
1047	break;
1048	}
1049	}
1050	}
1051	else
1052	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
1053	}
1054
1055	send_reset (rsi);
1056	break;
1057
1058	case vpn_packet::PT_CONNECT_REQ:
1059	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1060	{
1061	connect_req_packet p = (connect_req_packet ) pkt;
1062
1063	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1064	conf->protocols = p->protocols;
1065	connection *c = vpn->conns[p->id - 1];
1066
1067	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1068	conf->id, p->id, c->ictx && c->octx);
1069
1070	if (c->ictx && c->octx)
1071	{
1072	// send connect_info packets to both sides, in case one is
1073	// behind a nat firewall (or both ;)
1074	c->send_connect_info (conf->id, si, conf->protocols);
1075	send_connect_info (c->conf->id, c->si, c->conf->protocols);
1076	}
1077	}
1078
1079	break;
1080
1081	case vpn_packet::PT_CONNECT_INFO:
1082	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1083	{
1084	connect_info_packet p = (connect_info_packet ) pkt;
1085
1086	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1087	conf->protocols = p->protocols;
1088	connection *c = vpn->conns[p->id - 1];
1089
1090	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1091	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1092
1093	c->send_auth_request (p->si, true);
1094	}
1095
1096	break;
1097
1098	default:
1099	send_reset (rsi);
1100	break;
1101
1102	}
1103	}
1104
1105	void connection::keepalive_cb (tstamp &ts)
1106	{
1107	if (NOW >= last_activity + ::conf.keepalive + 30)
1108	{
1109	reset_connection ();
1110	establish_connection ();
1111	}
1112	else if (NOW < last_activity + ::conf.keepalive)
1113	ts = last_activity + ::conf.keepalive;
1114	else if (conf->connectmode != conf_node::C_ONDEMAND
1115	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)
1116	{
1117	send_ping (si);
1118	ts = NOW + 5;
1119	}
1120	else
1121	reset_connection ();
1122	}
1123
1124	void connection::connect_request (int id)
1125	{
1126	connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols);
1127
1128	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", conf->id, id);
1129	p->hmac_set (octx);
1130	send_vpn_packet (p, si);
1131
1132	delete p;
1133	}
1134
1135	void connection::script_node ()
1136	{
1137	vpn->script_if_up (0);
1138
1139	char *env;
1140	asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1141	asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1142	asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1143	asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1144	}
1145
1146	const char *connection::script_node_up (int)
1147	{
1148	script_node ();
1149
1150	putenv ("STATE=up");
1151
1152	return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1153	}
1154
1155	const char *connection::script_node_down (int)
1156	{
1157	script_node ();
1158
1159	putenv ("STATE=down");
1160
1161	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1162	}
1163
1164	// send a vpn packet out to other hosts
1165	void
1166	connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1167	{
1168	if (protocol & PROT_IPv4)
1169	vpn->send_ipv4_packet (pkt, si, tos);
1170	else
1171	vpn->send_udpv4_packet (pkt, si, tos);
1172	}
1173
1174	connection::connection(struct vpn *vpn_)
1175	: vpn(vpn_)
1176	, rekey (this, &connection::rekey_cb)
1177	, keepalive (this, &connection::keepalive_cb)
1178	, establish_connection (this, &connection::establish_connection_cb)
1179	{
1180	octx = ictx = 0;
1181	retry_cnt = 0;
1182
1183	connectmode = conf_node::C_ALWAYS; // initial setting
1184	reset_connection ();
1185	}
1186
1187	connection::~connection ()
1188	{
1189	shutdown ();
1190	}
1191		42
1192	/////////////////////////////////////////////////////////////////////////////	43	/////////////////////////////////////////////////////////////////////////////
1193		44
1194	const char *vpn::script_if_up (int)	45	const char *vpn::script_if_up (int)
1195	{	46	{
…		…
1544	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	395	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1545	delete *c;	396	delete *c;
1546		397
1547	conns.clear ();	398	conns.clear ();
1548		399
1549	auth_rate_limiter.clear ();	400	connection_init ();
1550	reset_rate_limiter.clear ();
1551		401
1552	for (configuration::node_vector::iterator i = conf.nodes.begin ();	402	for (configuration::node_vector::iterator i = conf.nodes.begin ();
1553	i != conf.nodes.end (); ++i)	403	i != conf.nodes.end (); ++i)
1554	{	404	{
1555	connection *conn = new connection (this);	405	connection *conn = new connection (this);

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/src/protocol.C (file contents): Revision 1.25 by pcg, Fri Mar 28 16:21:09 2003 UTC vs. Revision 1.26 by pcg, Wed Apr 2 03:06:22 2003 UTC

Diff Legend

Comparing gvpe/src/protocol.C (file contents):
Revision 1.25 by pcg, Fri Mar 28 16:21:09 2003 UTC vs.
Revision 1.26 by pcg, Wed Apr 2 03:06:22 2003 UTC