[ViewVC] Diff of: cvs/gvpe/src/protocol.C

Comparing gvpe/src/protocol.C (file contents):
Revision 1.23 by pcg, Fri Mar 28 05:40:54 2003 UTC vs.
Revision 1.26 by pcg, Wed Apr 2 03:06:22 2003 UTC

…		…
32	#include <arpa/inet.h>	32	#include <arpa/inet.h>
33	#include <errno.h>	33	#include <errno.h>
34	#include <time.h>	34	#include <time.h>
35	#include <unistd.h>	35	#include <unistd.h>
36		36
37	#include <openssl/rand.h>
38	#include <openssl/hmac.h>
39	#include <openssl/evp.h>
40	#include <openssl/rsa.h>
41	#include <openssl/err.h>
42
43	extern "C" {
44	# include "lzf/lzf.h"
45	}
46
47	#include "gettext.h"
48	#include "pidfile.h"	37	#include "pidfile.h"
49		38
50	#include "conf.h"	39	#include "connection.h"
51	#include "slog.h"	40	#include "util.h"
52	#include "device.h"
53	#include "protocol.h"	41	#include "protocol.h"
54
55	#if !HAVE_RAND_PSEUDO_BYTES
56	# define RAND_pseudo_bytes RAND_bytes
57	#endif
58
59	static time_t next_timecheck;
60
61	#define MAGIC "vped\xbd\xc6\xdb\x82" // 8 bytes of magic
62
63	static u8
64	best_protocol (u8 protset)
65	{
66	if (protset & PROT_IPv4)
67	return PROT_IPv4;
68
69	return PROT_UDPv4;
70	}
71
72	struct crypto_ctx
73	{
74	EVP_CIPHER_CTX cctx;
75	HMAC_CTX hctx;
76
77	crypto_ctx (const rsachallenge &challenge, int enc);
78	~crypto_ctx ();
79	};
80
81	crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc)
82	{
83	EVP_CIPHER_CTX_init (&cctx);
84	EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc);
85	HMAC_CTX_init (&hctx);
86	HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
87	}
88
89	crypto_ctx::~crypto_ctx ()
90	{
91	EVP_CIPHER_CTX_cleanup (&cctx);
92	HMAC_CTX_cleanup (&hctx);
93	}
94
95	static void
96	rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h)
97	{
98	EVP_MD_CTX ctx;
99
100	EVP_MD_CTX_init (&ctx);
101	EVP_DigestInit (&ctx, RSA_HASH);
102	EVP_DigestUpdate(&ctx, &chg, sizeof chg);
103	EVP_DigestUpdate(&ctx, &id, sizeof id);
104	EVP_DigestFinal (&ctx, (unsigned char *)&h, 0);
105	EVP_MD_CTX_cleanup (&ctx);
106	}
107
108	struct rsa_entry {
109	tstamp expire;
110	rsaid id;
111	rsachallenge chg;
112	};
113
114	struct rsa_cache : list<rsa_entry>
115	{
116	void cleaner_cb (tstamp &ts); time_watcher cleaner;
117
118	bool find (const rsaid &id, rsachallenge &chg)
119	{
120	for (iterator i = begin (); i != end (); ++i)
121	{
122	if (!memcmp (&id, &i->id, sizeof id) && i->expire > NOW)
123	{
124	memcpy (&chg, &i->chg, sizeof chg);
125
126	erase (i);
127	return true;
128	}
129	}
130
131	if (cleaner.at < NOW)
132	cleaner.start (NOW + RSA_TTL);
133
134	return false;
135	}
136
137	void gen (rsaid &id, rsachallenge &chg)
138	{
139	rsa_entry e;
140
141	RAND_bytes ((unsigned char *)&id, sizeof id);
142	RAND_bytes ((unsigned char *)&chg, sizeof chg);
143
144	e.expire = NOW + RSA_TTL;
145	e.id = id;
146	memcpy (&e.chg, &chg, sizeof chg);
147
148	push_back (e);
149
150	if (cleaner.at < NOW)
151	cleaner.start (NOW + RSA_TTL);
152	}
153
154	rsa_cache ()
155	: cleaner (this, &rsa_cache::cleaner_cb)
156	{ }
157
158	} rsa_cache;
159
160	void rsa_cache::cleaner_cb (tstamp &ts)
161	{
162	if (empty ())
163	ts = TSTAMP_CANCEL;
164	else
165	{
166	ts = NOW + RSA_TTL;
167
168	for (iterator i = begin (); i != end (); )
169	if (i->expire <= NOW)
170	i = erase (i);
171	else
172	++i;
173	}
174	}
175
176	typedef callback<const char *, int> run_script_cb;
177
178	// run a shell script (or actually an external program).
179	static void
180	run_script (const run_script_cb &cb, bool wait)
181	{
182	int pid;
183
184	if ((pid = fork ()) == 0)
185	{
186	char *filename;
187	asprintf (&filename, "%s/%s", confbase, cb(0));
188	execl (filename, filename, (char *) 0);
189	exit (255);
190	}
191	else if (pid > 0)
192	{
193	if (wait)
194	{
195	waitpid (pid, 0, 0);
196	/* TODO: check status */
197	}
198	}
199	}
200
201	//////////////////////////////////////////////////////////////////////////////
202
203	void pkt_queue::put (tap_packet *p)
204	{
205	if (queue[i])
206	{
207	delete queue[i];
208	j = (j + 1) % QUEUEDEPTH;
209	}
210
211	queue[i] = p;
212
213	i = (i + 1) % QUEUEDEPTH;
214	}
215
216	tap_packet *pkt_queue::get ()
217	{
218	tap_packet *p = queue[j];
219
220	if (p)
221	{
222	queue[j] = 0;
223	j = (j + 1) % QUEUEDEPTH;
224	}
225
226	return p;
227	}
228
229	pkt_queue::pkt_queue ()
230	{
231	memset (queue, 0, sizeof (queue));
232	i = 0;
233	j = 0;
234	}
235
236	pkt_queue::~pkt_queue ()
237	{
238	for (i = QUEUEDEPTH; --i > 0; )
239	delete queue[i];
240	}
241
242	struct net_rateinfo {
243	u32 host;
244	double pcnt, diff;
245	tstamp last;
246	};
247
248	// only do action once every x seconds per host whole allowing bursts.
249	// this implementation ("splay list" ;) is inefficient,
250	// but low on resources.
251	struct net_rate_limiter : list<net_rateinfo>
252	{
253	static const double ALPHA = 1. - 1. / 90.; // allow bursts
254	static const double CUTOFF = 20.; // one event every CUTOFF seconds
255	static const double EXPIRE = CUTOFF * 30.; // expire entries after this time
256
257	bool can (const sockinfo &si) { return can((u32)si.host); }
258	bool can (u32 host);
259	};
260
261	net_rate_limiter auth_rate_limiter, reset_rate_limiter;
262
263	bool net_rate_limiter::can (u32 host)
264	{
265	iterator i;
266
267	for (i = begin (); i != end (); )
268	if (i->host == host)
269	break;
270	else if (i->last < NOW - EXPIRE)
271	i = erase (i);
272	else
273	i++;
274
275	if (i == end ())
276	{
277	net_rateinfo ri;
278
279	ri.host = host;
280	ri.pcnt = 1.;
281	ri.diff = CUTOFF * (1. / (1. - ALPHA));
282	ri.last = NOW;
283
284	push_front (ri);
285
286	return true;
287	}
288	else
289	{
290	net_rateinfo ri (*i);
291	erase (i);
292
293	ri.pcnt = ri.pcnt * ALPHA;
294	ri.diff = ri.diff * ALPHA + (NOW - ri.last);
295
296	ri.last = NOW;
297
298	bool send = ri.diff / ri.pcnt > CUTOFF;
299
300	if (send)
301	ri.pcnt++;
302
303	push_front (ri);
304
305	return send;
306	}
307	}
308
309	/////////////////////////////////////////////////////////////////////////////
310
311	static void next_wakeup (time_t next)
312	{
313	if (next_timecheck > next)
314	next_timecheck = next;
315	}
316
317	static unsigned char hmac_digest[EVP_MAX_MD_SIZE];
318
319	struct hmac_packet:net_packet
320	{
321	u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere
322
323	void hmac_set (crypto_ctx * ctx);
324	bool hmac_chk (crypto_ctx * ctx);
325
326	private:
327	void hmac_gen (crypto_ctx * ctx)
328	{
329	unsigned int xlen;
330	HMAC_CTX *hctx = &ctx->hctx;
331
332	HMAC_Init_ex (hctx, 0, 0, 0, 0);
333	HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
334	len - sizeof (hmac_packet));
335	HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
336	}
337	};
338
339	void
340	hmac_packet::hmac_set (crypto_ctx * ctx)
341	{
342	hmac_gen (ctx);
343
344	memcpy (hmac, hmac_digest, HMACLENGTH);
345	}
346
347	bool
348	hmac_packet::hmac_chk (crypto_ctx * ctx)
349	{
350	hmac_gen (ctx);
351
352	return !memcmp (hmac, hmac_digest, HMACLENGTH);
353	}
354
355	struct vpn_packet : hmac_packet
356	{
357	enum ptype
358	{
359	PT_RESET = 0,
360	PT_DATA_UNCOMPRESSED,
361	PT_DATA_COMPRESSED,
362	PT_PING, PT_PONG, // wasting namespace space? ;)
363	PT_AUTH_REQ, // authentification request
364	PT_AUTH_RES, // authentification response
365	PT_CONNECT_REQ, // want other host to contact me
366	PT_CONNECT_INFO, // request connection to some node
367	PT_MAX
368	};
369
370	u8 type;
371	u8 srcdst, src1, dst1;
372
373	void set_hdr (ptype type, unsigned int dst);
374
375	unsigned int src () const
376	{
377	return src1 \| ((srcdst >> 4) << 8);
378	}
379
380	unsigned int dst () const
381	{
382	return dst1 \| ((srcdst & 0xf) << 8);
383	}
384
385	ptype typ () const
386	{
387	return (ptype) type;
388	}
389	};
390
391	void vpn_packet::set_hdr (ptype type, unsigned int dst)
392	{
393	this->type = type;
394
395	int src = THISNODE->id;
396
397	src1 = src;
398	srcdst = ((src >> 8) << 4) \| (dst >> 8);
399	dst1 = dst;
400	}
401
402	#define MAXVPNDATA (MAX_MTU - 6 - 6)
403	#define DATAHDR (sizeof (u32) + RAND_SIZE)
404
405	struct vpndata_packet:vpn_packet
406	{
407	u8 data[MAXVPNDATA + DATAHDR]; // seqno
408
409	void setup (connection conn, int dst, u8 d, u32 len, u32 seqno);
410	tap_packet unpack (connection conn, u32 &seqno);
411	private:
412
413	const u32 data_hdr_size () const
414	{
415	return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
416	}
417	};
418
419	void
420	vpndata_packet::setup (connection conn, int dst, u8 d, u32 l, u32 seqno)
421	{
422	EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
423	int outl = 0, outl2;
424	ptype type = PT_DATA_UNCOMPRESSED;
425
426	#if ENABLE_COMPRESSION
427	u8 cdata[MAX_MTU];
428	u32 cl;
429
430	cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7);
431	if (cl)
432	{
433	type = PT_DATA_COMPRESSED;
434	d = cdata;
435	l = cl + 2;
436
437	d[0] = cl >> 8;
438	d[1] = cl;
439	}
440	#endif
441
442	EVP_EncryptInit_ex (cctx, 0, 0, 0, 0);
443
444	struct {
445	#if RAND_SIZE
446	u8 rnd[RAND_SIZE];
447	#endif
448	u32 seqno;
449	} datahdr;
450
451	datahdr.seqno = ntohl (seqno);
452	#if RAND_SIZE
453	RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
454	#endif
455
456	EVP_EncryptUpdate (cctx,
457	(unsigned char *) data + outl, &outl2,
458	(unsigned char *) &datahdr, DATAHDR);
459	outl += outl2;
460
461	EVP_EncryptUpdate (cctx,
462	(unsigned char *) data + outl, &outl2,
463	(unsigned char *) d, l);
464	outl += outl2;
465
466	EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2);
467	outl += outl2;
468
469	len = outl + data_hdr_size ();
470
471	set_hdr (type, dst);
472
473	hmac_set (conn->octx);
474	}
475
476	tap_packet *
477	vpndata_packet::unpack (connection *conn, u32 &seqno)
478	{
479	EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
480	int outl = 0, outl2;
481	tap_packet *p = new tap_packet;
482	u8 *d;
483	u32 l = len - data_hdr_size ();
484
485	EVP_DecryptInit_ex (cctx, 0, 0, 0, 0);
486
487	#if ENABLE_COMPRESSION
488	u8 cdata[MAX_MTU];
489
490	if (type == PT_DATA_COMPRESSED)
491	d = cdata;
492	else
493	#endif
494	d = &(*p)[6 + 6 - DATAHDR];
495
496	/* this overwrites part of the src mac, but we fix that later */
497	EVP_DecryptUpdate (cctx,
498	d, &outl2,
499	(unsigned char *)&data, len - data_hdr_size ());
500	outl += outl2;
501
502	EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
503	outl += outl2;
504
505	seqno = ntohl ((u32 )(d + RAND_SIZE));
506
507	id2mac (dst () ? dst() : THISNODE->id, p->dst);
508	id2mac (src (), p->src);
509
510	#if ENABLE_COMPRESSION
511	if (type == PT_DATA_COMPRESSED)
512	{
513	u32 cl = (d[DATAHDR] << 8) \| d[DATAHDR + 1];
514
515	p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
516	&(*p)[6 + 6], MAX_MTU)
517	+ 6 + 6;
518	}
519	else
520	p->len = outl + (6 + 6 - DATAHDR);
521	#endif
522
523	return p;
524	}
525
526	struct ping_packet : vpn_packet
527	{
528	void setup (int dst, ptype type)
529	{
530	set_hdr (type, dst);
531	len = sizeof (*this) - sizeof (net_packet);
532	}
533	};
534
535	struct config_packet : vpn_packet
536	{
537	// actually, hmaclen cannot be checked because the hmac
538	// field comes before this data, so peers with other
539	// hmacs simply will not work.
540	u8 prot_major, prot_minor, randsize, hmaclen;
541	u8 flags, challengelen, pad2, pad3;
542	u32 cipher_nid, digest_nid, hmac_nid;
543
544	const u8 curflags () const
545	{
546	return 0x80
547	\| (ENABLE_COMPRESSION ? 0x01 : 0x00);
548	}
549
550	void setup (ptype type, int dst);
551	bool chk_config () const;
552	};
553
554	void config_packet::setup (ptype type, int dst)
555	{
556	prot_major = PROTOCOL_MAJOR;
557	prot_minor = PROTOCOL_MINOR;
558	randsize = RAND_SIZE;
559	hmaclen = HMACLENGTH;
560	flags = curflags ();
561	challengelen = sizeof (rsachallenge);
562
563	cipher_nid = htonl (EVP_CIPHER_nid (CIPHER));
564	digest_nid = htonl (EVP_MD_type (RSA_HASH));
565	hmac_nid = htonl (EVP_MD_type (DIGEST));
566
567	len = sizeof (*this) - sizeof (net_packet);
568	set_hdr (type, dst);
569	}
570
571	bool config_packet::chk_config () const
572	{
573	return prot_major == PROTOCOL_MAJOR
574	&& randsize == RAND_SIZE
575	&& hmaclen == HMACLENGTH
576	&& flags == curflags ()
577	&& challengelen == sizeof (rsachallenge)
578	&& cipher_nid == htonl (EVP_CIPHER_nid (CIPHER))
579	&& digest_nid == htonl (EVP_MD_type (RSA_HASH))
580	&& hmac_nid == htonl (EVP_MD_type (DIGEST));
581	}
582
583	struct auth_req_packet : config_packet
584	{
585	char magic[8];
586	u8 initiate, can_recv; // false if this is just an automatic reply
587	u8 pad2, pad3;
588	rsaid id;
589	rsaencrdata encr;
590
591	auth_req_packet (int dst, bool initiate_, u8 can_recv_)
592	{
593	config_packet::setup (PT_AUTH_REQ, dst);
594	strncpy (magic, MAGIC, 8);
595	initiate = !!initiate_;
596	can_recv = can_recv_;
597
598	len = sizeof (*this) - sizeof (net_packet);
599	}
600	};
601
602	struct auth_res_packet : config_packet
603	{
604	rsaid id;
605	u8 pad1, pad2, pad3;
606	u8 response_len; // encrypted length
607	rsaresponse response;
608
609	auth_res_packet (int dst)
610	{
611	config_packet::setup (PT_AUTH_RES, dst);
612
613	len = sizeof (*this) - sizeof (net_packet);
614	}
615	};
616
617	struct connect_req_packet : vpn_packet
618	{
619	u8 id;
620	u8 pad1, pad2, pad3;
621
622	connect_req_packet (int dst, int id_)
623	{
624	id = id_;
625	set_hdr (PT_CONNECT_REQ, dst);
626	len = sizeof (*this) - sizeof (net_packet);
627	}
628	};
629
630	struct connect_info_packet : vpn_packet
631	{
632	u8 id, can_recv;
633	u8 pad1, pad2;
634	sockinfo si;
635
636	connect_info_packet (int dst, int id_, sockinfo &si_, u8 can_recv_)
637	{
638	id = id_;
639	can_recv = can_recv_;
640	si = si_;
641	set_hdr (PT_CONNECT_INFO, dst);
642
643	len = sizeof (*this) - sizeof (net_packet);
644	}
645	};
646
647	/////////////////////////////////////////////////////////////////////////////
648
649	void
650	connection::reset_dstaddr ()
651	{
652	si.set (conf);
653	}
654
655	void
656	connection::send_ping (const sockinfo &si, u8 pong)
657	{
658	ping_packet *pkt = new ping_packet;
659
660	pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
661	send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
662
663	delete pkt;
664	}
665
666	void
667	connection::send_reset (const sockinfo &si)
668	{
669	if (reset_rate_limiter.can (si) && connectmode != conf_node::C_DISABLED)
670	{
671	config_packet *pkt = new config_packet;
672
673	pkt->setup (vpn_packet::PT_RESET, conf->id);
674	send_vpn_packet (pkt, si, IPTOS_MINCOST);
675
676	delete pkt;
677	}
678	}
679
680	void
681	connection::send_auth_request (const sockinfo &si, bool initiate)
682	{
683	auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->can_recv);
684
685	// the next line is very conservative
686	prot_send = best_protocol (THISNODE->can_send & THISNODE->can_recv & conf->can_recv);
687
688	rsachallenge chg;
689
690	rsa_cache.gen (pkt->id, chg);
691
692	if (0 > RSA_public_encrypt (sizeof chg,
693	(unsigned char )&chg, (unsigned char )&pkt->encr,
694	conf->rsa_key, RSA_PKCS1_OAEP_PADDING))
695	fatal ("RSA_public_encrypt error");
696
697	slog (L_TRACE, ">>%d PT_AUTH_REQ [%s]", conf->id, (const char *)si);
698
699	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
700
701	delete pkt;
702	}
703
704	void
705	connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg)
706	{
707	auth_res_packet *pkt = new auth_res_packet (conf->id);
708
709	pkt->id = id;
710
711	rsa_hash (id, chg, pkt->response);
712
713	pkt->hmac_set (octx);
714
715	slog (L_TRACE, ">>%d PT_AUTH_RES [%s]", conf->id, (const char *)si);
716
717	send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
718
719	delete pkt;
720	}
721
722	void
723	connection::establish_connection_cb (tstamp &ts)
724	{
725	if (ictx \|\| conf == THISNODE
726	\|\| connectmode == conf_node::C_NEVER
727	\|\| connectmode == conf_node::C_DISABLED)
728	ts = TSTAMP_CANCEL;
729	else if (ts <= NOW)
730	{
731	double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.6;
732
733	if (retry_int < 3600 * 8)
734	retry_cnt++;
735
736	ts = NOW + retry_int;
737
738	if (conf->hostname)
739	{
740	reset_dstaddr ();
741	if (si.host && auth_rate_limiter.can (si))
742	{
743	if (retry_cnt < 4)
744	send_auth_request (si, true);
745	else
746	send_ping (si, 0);
747	}
748	}
749	else
750	vpn->connect_request (conf->id);
751	}
752	}
753
754	void
755	connection::reset_connection ()
756	{
757	if (ictx && octx)
758	{
759	slog (L_INFO, _("%s(%s): connection lost"),
760	conf->nodename, (const char *)si);
761
762	if (::conf.script_node_down)
763	run_script (run_script_cb (this, &connection::script_node_down), false);
764	}
765
766	delete ictx; ictx = 0;
767	delete octx; octx = 0;
768
769	si.host= 0;
770
771	last_activity = 0;
772	retry_cnt = 0;
773
774	rekey.reset ();
775	keepalive.reset ();
776	establish_connection.reset ();
777	}
778
779	void
780	connection::shutdown ()
781	{
782	if (ictx && octx)
783	send_reset (si);
784
785	reset_connection ();
786	}
787
788	void
789	connection::rekey_cb (tstamp &ts)
790	{
791	ts = TSTAMP_CANCEL;
792
793	reset_connection ();
794	establish_connection ();
795	}
796
797	void
798	connection::send_data_packet (tap_packet *pkt, bool broadcast)
799	{
800	vpndata_packet *p = new vpndata_packet;
801	int tos = 0;
802
803	if (conf->inherit_tos
804	&& (pkt)[12] == 0x08 && (pkt)[13] == 0x00 // IP
805	&& ((*pkt)[14] & 0xf0) == 0x40) // IPv4
806	tos = (*pkt)[15] & IPTOS_TOS_MASK;
807
808	p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
809	send_vpn_packet (p, si, tos);
810
811	delete p;
812
813	if (oseqno > MAX_SEQNO)
814	rekey ();
815	}
816
817	void
818	connection::inject_data_packet (tap_packet *pkt, bool broadcast)
819	{
820	if (ictx && octx)
821	send_data_packet (pkt, broadcast);
822	else
823	{
824	if (!broadcast)//DDDD
825	queue.put (new tap_packet (*pkt));
826
827	establish_connection ();
828	}
829	}
830
831	void
832	connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
833	{
834	last_activity = NOW;
835
836	slog (L_NOISE, "<<%d received packet type %d from %d to %d",
837	conf->id, pkt->typ (), pkt->src (), pkt->dst ());
838
839	switch (pkt->typ ())
840	{
841	case vpn_packet::PT_PING:
842	// we send pings instead of auth packets after some retries,
843	// so reset the retry counter and establish a connection
844	// when we receive a ping.
845	if (!ictx)
846	{
847	if (auth_rate_limiter.can (rsi))
848	send_auth_request (rsi, true);
849	}
850	else
851	send_ping (rsi, 1); // pong
852
853	break;
854
855	case vpn_packet::PT_PONG:
856	break;
857
858	case vpn_packet::PT_RESET:
859	{
860	reset_connection ();
861
862	config_packet p = (config_packet ) pkt;
863
864	if (!p->chk_config ())
865	{
866	slog (L_WARN, _("%s(%s): protocol mismatch, disabling node"),
867	conf->nodename, (const char *)rsi);
868	connectmode = conf_node::C_DISABLED;
869	}
870	else if (connectmode == conf_node::C_ALWAYS)
871	establish_connection ();
872	}
873	break;
874
875	case vpn_packet::PT_AUTH_REQ:
876	if (auth_rate_limiter.can (rsi))
877	{
878	auth_req_packet p = (auth_req_packet ) pkt;
879
880	slog (L_TRACE, "<<%d PT_AUTH_REQ(%d)", conf->id, p->initiate);
881
882	if (p->chk_config () && !strncmp (p->magic, MAGIC, 8))
883	{
884	if (p->prot_minor != PROTOCOL_MINOR)
885	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
886	conf->nodename, (const char *)rsi,
887	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
888
889	if (p->initiate)
890	send_auth_request (rsi, false);
891
892	rsachallenge k;
893
894	if (0 > RSA_private_decrypt (sizeof (p->encr),
895	(unsigned char )&p->encr, (unsigned char )&k,
896	::conf.rsa_key, RSA_PKCS1_OAEP_PADDING))
897	slog (L_ERR, _("%s(%s): challenge illegal or corrupted"),
898	conf->nodename, (const char *)rsi);
899	else
900	{
901	retry_cnt = 0;
902	establish_connection.set (NOW + 8); //? ;)
903	keepalive.reset ();
904	rekey.reset ();
905
906	delete ictx;
907	ictx = 0;
908
909	delete octx;
910
911	octx = new crypto_ctx (k, 1);
912	oseqno = ntohl ((u32 )&k[CHG_SEQNO]) & 0x7fffffff;
913
914	conf->can_recv = p->can_recv;
915	send_auth_response (rsi, p->id, k);
916
917	break;
918	}
919	}
920
921	send_reset (rsi);
922	}
923
924	break;
925
926	case vpn_packet::PT_AUTH_RES:
927	{
928	auth_res_packet p = (auth_res_packet ) pkt;
929
930	slog (L_TRACE, "<<%d PT_AUTH_RES", conf->id);
931
932	if (p->chk_config ())
933	{
934	if (p->prot_minor != PROTOCOL_MINOR)
935	slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
936	conf->nodename, (const char *)rsi,
937	PROTOCOL_MINOR, conf->nodename, p->prot_minor);
938
939	rsachallenge chg;
940
941	if (!rsa_cache.find (p->id, chg))
942	slog (L_ERR, _("%s(%s): unrequested auth response"),
943	conf->nodename, (const char *)rsi);
944	else
945	{
946	crypto_ctx *cctx = new crypto_ctx (chg, 0);
947
948	if (!p->hmac_chk (cctx))
949	slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
950	"could be an attack, or just corruption or an synchronization error"),
951	conf->nodename, (const char *)rsi);
952	else
953	{
954	rsaresponse h;
955
956	rsa_hash (p->id, chg, h);
957
958	if (!memcmp ((u8 )&h, (u8 )p->response, sizeof h))
959	{
960	prot_minor = p->prot_minor;
961
962	delete ictx; ictx = cctx;
963
964	iseqno.reset (ntohl ((u32 )&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
965
966	si = rsi;
967
968	rekey.set (NOW + ::conf.rekey);
969	keepalive.set (NOW + ::conf.keepalive);
970
971	// send queued packets
972	while (tap_packet *p = queue.get ())
973	{
974	send_data_packet (p);
975	delete p;
976	}
977
978	connectmode = conf->connectmode;
979
980	slog (L_INFO, _("%s(%s): connection established, protocol version %d.%d"),
981	conf->nodename, (const char *)rsi,
982	p->prot_major, p->prot_minor);
983
984	if (::conf.script_node_up)
985	run_script (run_script_cb (this, &connection::script_node_up), false);
986
987	break;
988	}
989	else
990	slog (L_ERR, _("%s(%s): sent and received challenge do not match"),
991	conf->nodename, (const char *)rsi);
992	}
993
994	delete cctx;
995	}
996	}
997	}
998
999	send_reset (rsi);
1000	break;
1001
1002	case vpn_packet::PT_DATA_COMPRESSED:
1003	#if !ENABLE_COMPRESSION
1004	send_reset (rsi);
1005	break;
1006	#endif
1007
1008	case vpn_packet::PT_DATA_UNCOMPRESSED:
1009
1010	if (ictx && octx)
1011	{
1012	vpndata_packet p = (vpndata_packet )pkt;
1013
1014	if (rsi == si)
1015	{
1016	if (!p->hmac_chk (ictx))
1017	slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1018	"could be an attack, or just corruption or an synchronization error"),
1019	conf->nodename, (const char *)rsi);
1020	else
1021	{
1022	u32 seqno;
1023	tap_packet *d = p->unpack (this, seqno);
1024
1025	if (iseqno.recv_ok (seqno))
1026	{
1027	vpn->tap->send (d);
1028
1029	if (p->dst () == 0) // re-broadcast
1030	for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
1031	{
1032	connection c = i;
1033
1034	if (c->conf != THISNODE && c->conf != conf)
1035	c->inject_data_packet (d);
1036	}
1037
1038	delete d;
1039
1040	break;
1041	}
1042	}
1043	}
1044	else
1045	slog (L_ERR, _("received data packet from unknown source %s"), (const char *)rsi);
1046	}
1047
1048	send_reset (rsi);
1049	break;
1050
1051	case vpn_packet::PT_CONNECT_REQ:
1052	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1053	{
1054	connect_req_packet p = (connect_req_packet ) pkt;
1055
1056	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1057
1058	connection *c = vpn->conns[p->id - 1];
1059
1060	slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
1061	conf->id, p->id, c->ictx && c->octx);
1062
1063	if (c->ictx && c->octx)
1064	{
1065	// send connect_info packets to both sides, in case one is
1066	// behind a nat firewall (or both ;)
1067	{
1068	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1069	c->conf->id, conf->id, (const char *)si);
1070
1071	connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si, conf->can_recv);
1072
1073	r->hmac_set (c->octx);
1074	send_vpn_packet (r, c->si);
1075
1076	delete r;
1077	}
1078
1079	{
1080	slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
1081	conf->id, c->conf->id, (const char *)c->si);
1082
1083	connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, c->si, c->conf->can_recv);
1084
1085	r->hmac_set (octx);
1086	send_vpn_packet (r, si);
1087
1088	delete r;
1089	}
1090	}
1091	}
1092
1093	break;
1094
1095	case vpn_packet::PT_CONNECT_INFO:
1096	if (ictx && octx && rsi == si && pkt->hmac_chk (ictx))
1097	{
1098	connect_info_packet p = (connect_info_packet ) pkt;
1099
1100	assert (p->id > 0 && p->id <= vpn->conns.size ()); // hmac-auth does not mean we accept anything
1101
1102	connection *c = vpn->conns[p->id - 1];
1103
1104	slog (L_TRACE, "<<%d PT_CONNECT_INFO(%d,%s) (%d)",
1105	conf->id, p->id, (const char *)p->si, !c->ictx && !c->octx);
1106
1107	c->conf->can_recv = p->can_recv;
1108	c->send_auth_request (p->si, true);
1109	}
1110
1111	break;
1112
1113	default:
1114	send_reset (rsi);
1115	break;
1116
1117	}
1118	}
1119
1120	void connection::keepalive_cb (tstamp &ts)
1121	{
1122	if (NOW >= last_activity + ::conf.keepalive + 30)
1123	{
1124	reset_connection ();
1125	establish_connection ();
1126	}
1127	else if (NOW < last_activity + ::conf.keepalive)
1128	ts = last_activity + ::conf.keepalive;
1129	else if (conf->connectmode != conf_node::C_ONDEMAND
1130	\|\| THISNODE->connectmode != conf_node::C_ONDEMAND)
1131	{
1132	send_ping (si);
1133	ts = NOW + 5;
1134	}
1135	else
1136	reset_connection ();
1137	}
1138
1139	void connection::connect_request (int id)
1140	{
1141	connect_req_packet *p = new connect_req_packet (conf->id, id);
1142
1143	slog (L_TRACE, ">>%d PT_CONNECT_REQ(%d)", id, conf->id);
1144	p->hmac_set (octx);
1145	send_vpn_packet (p, si);
1146
1147	delete p;
1148	}
1149
1150	void connection::script_node ()
1151	{
1152	vpn->script_if_up (0);
1153
1154	char *env;
1155	asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1156	asprintf (&env, "DESTNODE=%s", conf->nodename); putenv (env);
1157	asprintf (&env, "DESTIP=%s", si.ntoa ()); putenv (env);
1158	asprintf (&env, "DESTPORT=%d", ntohs (si.port)); putenv (env);
1159	}
1160
1161	const char *connection::script_node_up (int)
1162	{
1163	script_node ();
1164
1165	putenv ("STATE=up");
1166
1167	return ::conf.script_node_up ? ::conf.script_node_up : "node-up";
1168	}
1169
1170	const char *connection::script_node_down (int)
1171	{
1172	script_node ();
1173
1174	putenv ("STATE=down");
1175
1176	return ::conf.script_node_up ? ::conf.script_node_down : "node-down";
1177	}
1178
1179	// send a vpn packet out to other hosts
1180	void
1181	connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
1182	{
1183	if (prot_send & PROT_IPv4)
1184	vpn->send_ipv4_packet (pkt, si, tos);
1185	else
1186	vpn->send_udpv4_packet (pkt, si, tos);
1187	}
1188
1189	connection::connection(struct vpn *vpn_)
1190	: vpn(vpn_)
1191	, rekey (this, &connection::rekey_cb)
1192	, keepalive (this, &connection::keepalive_cb)
1193	, establish_connection (this, &connection::establish_connection_cb)
1194	{
1195	octx = ictx = 0;
1196	retry_cnt = 0;
1197
1198	connectmode = conf_node::C_ALWAYS; // initial setting
1199	reset_connection ();
1200	}
1201
1202	connection::~connection ()
1203	{
1204	shutdown ();
1205	}
1206		42
1207	/////////////////////////////////////////////////////////////////////////////	43	/////////////////////////////////////////////////////////////////////////////
1208		44
1209	const char *vpn::script_if_up (int)	45	const char *vpn::script_if_up (int)
1210	{	46	{
…		…
1235	}	71	}
1236		72
1237	int	73	int
1238	vpn::setup ()	74	vpn::setup ()
1239	{	75	{
1240	u8 prots = 0;
1241
1242	for (configuration::node_vector::iterator i = conf.nodes.begin ();
1243	i != conf.nodes.end (); ++i)
1244	prots \|= (i)->can_send \| (i)->can_recv;
1245
1246	sockinfo si;	76	sockinfo si;
1247		77
1248	si.set (THISNODE);	78	si.set (THISNODE);
1249		79
1250	udpv4_fd = -1;	80	udpv4_fd = -1;
1251		81
1252	if (prots & PROT_UDPv4)	82	if (THISNODE->protocols & PROT_UDPv4)
1253	{	83	{
1254	udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);	84	udpv4_fd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP);
1255		85
1256	if (udpv4_fd < 0)	86	if (udpv4_fd < 0)
1257	return -1;	87	return -1;
…		…
1280		110
1281	udpv4_ev_watcher.start (udpv4_fd, POLLIN);	111	udpv4_ev_watcher.start (udpv4_fd, POLLIN);
1282	}	112	}
1283		113
1284	ipv4_fd = -1;	114	ipv4_fd = -1;
1285	if (prots & PROT_IPv4)	115	if (THISNODE->protocols & PROT_IPv4)
1286	{	116	{
1287	ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);	117	ipv4_fd = socket (PF_INET, SOCK_RAW, ::conf.ip_proto);
1288		118
1289	if (ipv4_fd < 0)	119	if (ipv4_fd < 0)
1290	return -1;	120	return -1;
…		…
1345	unsigned int dst = pkt->dst ();	175	unsigned int dst = pkt->dst ();
1346		176
1347	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),	177	slog (L_NOISE, _("<<?/%s received possible vpn packet type %d from %d to %d, length %d"),
1348	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);	178	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst (), pkt->len);
1349		179
1350	if (dst > conns.size () \|\| pkt->typ () >= vpn_packet::PT_MAX)
1351	slog (L_WARN, _("<<? received CORRUPTED packet type %d from %d to %d"),
1352	pkt->typ (), pkt->src (), pkt->dst ());
1353	else if (dst == 0 && !THISNODE->routerprio)
1354	slog (L_WARN, _("<<%d received broadcast, but we are no router"), dst);
1355	else if (dst != 0 && dst != THISNODE->id)
1356	slog (L_WARN,
1357	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
1358	dst, conns[dst - 1]->conf->nodename,
1359	(const char *)rsi,
1360	THISNODE->id, THISNODE->nodename);
1361	else if (src == 0 \|\| src > conns.size ())	180	if (src == 0 \|\| src > conns.size ()
1362	slog (L_WARN, _("received frame from unknown node %d (%s)"),	181	\|\| dst > conns.size ()
1363	src, (const char *)rsi);	182	\|\| pkt->typ () >= vpn_packet::PT_MAX)
		183	slog (L_WARN, _("(%s): received corrupted packet type %d (src %d, dst %d)"),
		184	(const char *)rsi, pkt->typ (), pkt->src (), pkt->dst ());
1364	else	185	else
		186	{
		187	connection *c = conns[src - 1];
		188
		189	if (dst == 0 && !THISNODE->routerprio)
		190	slog (L_WARN, _("%s(%s): received broadcast, but we are no router"),
		191	c->conf->nodename, (const char *)rsi);
		192	else if (dst != 0 && dst != THISNODE->id)
		193	// FORWARDING NEEDED ;)
		194	slog (L_WARN,
		195	_("received frame for node %d ('%s') from %s, but this is node %d ('%s')"),
		196	dst, conns[dst - 1]->conf->nodename,
		197	(const char *)rsi,
		198	THISNODE->id, THISNODE->nodename);
		199	else
1365	conns[src - 1]->recv_vpn_packet (pkt, rsi);	200	c->recv_vpn_packet (pkt, rsi);
		201	}
1366	}	202	}
1367		203
1368	void	204	void
1369	vpn::udpv4_ev (short revents)	205	vpn::udpv4_ev (short revents)
1370	{	206	{
…		…
1559	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)	395	for (conns_vector::iterator c = conns.begin (); c != conns.end (); ++c)
1560	delete *c;	396	delete *c;
1561		397
1562	conns.clear ();	398	conns.clear ();
1563		399
1564	auth_rate_limiter.clear ();	400	connection_init ();
1565	reset_rate_limiter.clear ();
1566		401
1567	for (configuration::node_vector::iterator i = conf.nodes.begin ();	402	for (configuration::node_vector::iterator i = conf.nodes.begin ();
1568	i != conf.nodes.end (); ++i)	403	i != conf.nodes.end (); ++i)
1569	{	404	{
1570	connection *conn = new connection (this);	405	connection *conn = new connection (this);

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/src/protocol.C (file contents): Revision 1.23 by pcg, Fri Mar 28 05:40:54 2003 UTC vs. Revision 1.26 by pcg, Wed Apr 2 03:06:22 2003 UTC

Diff Legend

Comparing gvpe/src/protocol.C (file contents):
Revision 1.23 by pcg, Fri Mar 28 05:40:54 2003 UTC vs.
Revision 1.26 by pcg, Wed Apr 2 03:06:22 2003 UTC