… | |
… | |
481 | connection::send_ping (SOCKADDR *dsa, u8 pong) |
481 | connection::send_ping (SOCKADDR *dsa, u8 pong) |
482 | { |
482 | { |
483 | ping_packet *pkt = new ping_packet; |
483 | ping_packet *pkt = new ping_packet; |
484 | |
484 | |
485 | pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); |
485 | pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); |
486 | vpn->send_vpn_packet (pkt, dsa); |
486 | vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY); |
487 | |
487 | |
488 | delete pkt; |
488 | delete pkt; |
489 | } |
489 | } |
490 | |
490 | |
491 | void |
491 | void |
… | |
… | |
496 | if (limiter.can (dsa)) |
496 | if (limiter.can (dsa)) |
497 | { |
497 | { |
498 | config_packet *pkt = new config_packet; |
498 | config_packet *pkt = new config_packet; |
499 | |
499 | |
500 | pkt->setup (vpn_packet::PT_RESET, conf->id); |
500 | pkt->setup (vpn_packet::PT_RESET, conf->id); |
501 | vpn->send_vpn_packet (pkt, dsa); |
501 | vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST); |
502 | |
502 | |
503 | delete pkt; |
503 | delete pkt; |
504 | } |
504 | } |
505 | } |
505 | } |
506 | |
506 | |
… | |
… | |
550 | fatal ("RSA_public_encrypt error"); |
550 | fatal ("RSA_public_encrypt error"); |
551 | #endif |
551 | #endif |
552 | |
552 | |
553 | slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa)); |
553 | slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa)); |
554 | |
554 | |
555 | vpn->send_vpn_packet (pkt, sa); |
555 | vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); |
556 | |
556 | |
557 | delete pkt; |
557 | delete pkt; |
558 | } |
558 | } |
559 | } |
559 | } |
560 | |
560 | |
561 | void |
561 | void |
562 | connection::establish_connection () |
562 | connection::establish_connection () |
563 | { |
563 | { |
564 | if (!ictx && conf != THISNODE && conf->connectmode != conf_node::C_NEVER) |
564 | if (!ictx && conf != THISNODE && connectmode != conf_node::C_NEVER) |
565 | { |
565 | { |
566 | if (now >= next_retry) |
566 | if (now >= next_retry) |
567 | { |
567 | { |
568 | int retry_int = retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2); |
568 | int retry_int = retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2); |
569 | |
569 | |
570 | if (retry_cnt < (17 << 2) | 3) |
570 | if (retry_cnt < (17 << 2) | 3) |
571 | retry_cnt++; |
571 | retry_cnt++; |
572 | |
572 | |
573 | if (conf->connectmode == conf_node::C_ONDEMAND |
573 | if (connectmode == conf_node::C_ONDEMAND |
574 | && retry_int > ::conf.keepalive) |
574 | && retry_int > ::conf.keepalive) |
575 | retry_int = ::conf.keepalive; |
575 | retry_int = ::conf.keepalive; |
576 | |
576 | |
577 | next_retry = now + retry_int; |
577 | next_retry = now + retry_int; |
578 | next_wakeup (next_retry); |
578 | next_wakeup (next_retry); |
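Review bot: The guard `if (retry_cnt < (17 << 2) | 3)` on new line 570 parses as `(retry_cnt < 68) | 3` because `<` binds tighter than `|`, so it is always true and `retry_cnt` is never capped; once `retry_cnt >> 2` reaches the bit width of `int`, the `1 << (retry_cnt >> 2)` on line 568 is undefined behaviour and the backoff interval stops meaning anything. The line is context rather than part of the change, but the commit edits this function, so it is worth fixing here: `if (retry_cnt < ((17 << 2) | 3))`. establish_connection continues past the end of the hunk.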
… | |
… | |
635 | |
635 | |
636 | void |
636 | void |
637 | connection::send_data_packet (tap_packet * pkt, bool broadcast) |
637 | connection::send_data_packet (tap_packet * pkt, bool broadcast) |
638 | { |
638 | { |
639 | vpndata_packet *p = new vpndata_packet; |
639 | vpndata_packet *p = new vpndata_packet; |
|
|
640 | int tos = 0; |
|
|
641 | |
|
|
642 | if (conf->inherit_tos |
|
|
643 | && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP |
|
|
644 | && ((*pkt)[14] & 0xf0) == 0x40) // IPv4 |
|
|
645 | tos = (*pkt)[15] & IPTOS_TOS_MASK; |
640 | |
646 | |
641 | p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs |
647 | p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs |
642 | vpn->send_vpn_packet (p, &sa); |
648 | vpn->send_vpn_packet (p, &sa, tos); |
643 | |
649 | |
644 | delete p; |
650 | delete p; |
645 | |
651 | |
646 | if (oseqno > MAX_SEQNO) |
652 | if (oseqno > MAX_SEQNO) |
647 | rekey (); |
653 | rekey (); |
… | |
… | |
692 | { |
698 | { |
693 | reset_connection (); |
699 | reset_connection (); |
694 | |
700 | |
695 | config_packet *p = (config_packet *) pkt; |
701 | config_packet *p = (config_packet *) pkt; |
696 | if (p->chk_config ()) |
702 | if (p->chk_config ()) |
697 | if (conf->connectmode == conf_node::C_ALWAYS) |
703 | if (connectmode == conf_node::C_ALWAYS) |
698 | establish_connection (); |
704 | establish_connection (); |
699 | |
705 | |
700 | //D slog the protocol mismatch? |
706 | //D slog the protocol mismatch? |
701 | } |
707 | } |
702 | break; |
708 | break; |
… | |
… | |
766 | if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32), |
772 | if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32), |
767 | sizeof (rsachallenge) - sizeof (u32))) |
773 | sizeof (rsachallenge) - sizeof (u32))) |
768 | { |
774 | { |
769 | delete ictx; |
775 | delete ictx; |
770 | |
776 | |
771 | ictx = new crypto_ctx (k, 0); |
777 | ictx = new crypto_ctx (k, 0); |
772 | iseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; // at least 2**31 sequence numbers are valid |
778 | iseqno.reset (*(u32 *)&k[CHG_SEQNO] & 0x7fffffff); // at least 2**31 sequence numbers are valid |
773 | ismask = 0xffffffff; // initially, all lower sequence numbers are invalid |
|
|
774 | |
779 | |
775 | sa = *ssa; |
780 | sa = *ssa; |
776 | |
781 | |
777 | next_rekey = now + ::conf.rekey; |
782 | next_rekey = now + ::conf.rekey; |
778 | next_wakeup (next_rekey); |
783 | next_wakeup (next_rekey); |
… | |
… | |
781 | while (tap_packet *p = queue.get ()) |
786 | while (tap_packet *p = queue.get ()) |
782 | { |
787 | { |
783 | send_data_packet (p); |
788 | send_data_packet (p); |
784 | delete p; |
789 | delete p; |
785 | } |
790 | } |
|
|
791 | |
|
|
792 | connectmode = conf->connectmode; |
786 | |
793 | |
787 | slog (L_INFO, _("connection to %d (%s %s) established"), |
794 | slog (L_INFO, _("connection to %d (%s %s) established"), |
788 | conf->id, conf->nodename, (const char *)sockinfo (ssa)); |
795 | conf->id, conf->nodename, (const char *)sockinfo (ssa)); |
789 | |
796 | |
790 | if (::conf.script_node_up) |
797 | if (::conf.script_node_up) |
… | |
… | |
826 | else |
833 | else |
827 | { |
834 | { |
828 | u32 seqno; |
835 | u32 seqno; |
829 | tap_packet *d = p->unpack (this, seqno); |
836 | tap_packet *d = p->unpack (this, seqno); |
830 | |
837 | |
831 | if (seqno <= iseqno - 32) |
838 | if (iseqno.recv_ok (seqno)) |
832 | slog (L_ERR, _("received duplicate or outdated packet (received %08lx, expected %08lx)\n" |
|
|
833 | "possible replay attack, or just massive packet reordering"), seqno, iseqno + 1);//D |
|
|
834 | else if (seqno > iseqno + 32) |
|
|
835 | slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n" |
|
|
836 | "possible replay attack, or just massive packet loss"), seqno, iseqno + 1);//D |
|
|
837 | else |
|
|
838 | { |
839 | { |
839 | if (seqno > iseqno) |
|
|
840 | { |
|
|
841 | ismask <<= seqno - iseqno; |
|
|
842 | iseqno = seqno; |
|
|
843 | } |
|
|
844 | |
|
|
845 | u32 mask = 1 << (iseqno - seqno); |
|
|
846 | |
|
|
847 | //printf ("received seqno %08lx, iseqno %08lx, mask %08lx is %08lx\n", seqno, iseqno, mask, ismask); |
|
|
848 | if (ismask & mask) |
|
|
849 | slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n" |
|
|
850 | "possible replay attack, or just packet duplication"), seqno, iseqno + 1);//D |
|
|
851 | else |
|
|
852 | { |
|
|
853 | ismask |= mask; |
|
|
854 | |
|
|
855 | vpn->tap->send (d); |
840 | vpn->tap->send (d); |
856 | |
841 | |
857 | if (p->dst () == 0) // re-broadcast |
842 | if (p->dst () == 0) // re-broadcast |
858 | for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i) |
843 | for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i) |
859 | { |
844 | { |
860 | connection *c = *i; |
845 | connection *c = *i; |
861 | |
846 | |
862 | if (c->conf != THISNODE && c->conf != conf) |
847 | if (c->conf != THISNODE && c->conf != conf) |
863 | c->inject_data_packet (d); |
848 | c->inject_data_packet (d); |
864 | } |
|
|
865 | |
|
|
866 | delete d; |
|
|
867 | |
|
|
868 | break; |
|
|
869 | } |
849 | } |
|
|
850 | |
|
|
851 | delete d; |
|
|
852 | |
|
|
853 | break; |
870 | } |
854 | } |
871 | } |
855 | } |
872 | } |
856 | } |
873 | else |
857 | else |
874 | slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D |
858 | slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D |
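Review bot: On the new side `delete d;` and `break;` (new lines 851–853) sit inside the `if (iseqno.recv_ok (seqno))` block that closes at line 854, so a packet that `recv_ok` rejects leaves the `tap_packet` returned by `p->unpack` undeleted — assuming, as the `delete d` on the accept path suggests, that `unpack` returns an owned heap object — and since `unpack` runs before the sequence check, every rejected packet costs an allocation that is never freed. The rejection is also now silent: the old `slog (L_ERR, ... "possible replay attack" ...)` branches were removed without a replacement, so a replay-window hit no longer shows up in the log at all. I would move `delete d;` and the `break;` out of the `if` and add an `else` that logs the rejected sequence number; the size of `recv_ok`'s window is not visible here, so the message stays generic. The enclosing function and the switch this `break` belongs to continue outside the hunk.
```cpp
if (iseqno.recv_ok (seqno))
  {
    vpn->tap->send (d);
    // … unchanged: re-broadcast loop over vpn->conns …
  }
else
  slog (L_ERR, _("received duplicate or out-of-window packet (received %08lx)\n"
                 "possible replay attack, or just massive packet reordering"), (unsigned long)seqno);

delete d;

break;
```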
… | |
… | |
949 | |
933 | |
950 | void connection::timer () |
934 | void connection::timer () |
951 | { |
935 | { |
952 | if (conf != THISNODE) |
936 | if (conf != THISNODE) |
953 | { |
937 | { |
954 | if (now >= next_retry && conf->connectmode == conf_node::C_ALWAYS) |
938 | if (now >= next_retry && connectmode == conf_node::C_ALWAYS) |
955 | establish_connection (); |
939 | establish_connection (); |
956 | |
940 | |
957 | if (ictx && octx) |
941 | if (ictx && octx) |
958 | { |
942 | { |
959 | if (now >= next_rekey) |
943 | if (now >= next_rekey) |
… | |
… | |
1093 | |
1077 | |
1094 | return 0; |
1078 | return 0; |
1095 | } |
1079 | } |
1096 | |
1080 | |
1097 | void |
1081 | void |
1098 | vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa) |
1082 | vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos) |
1099 | { |
1083 | { |
|
|
1084 | setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos); |
1100 | sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); |
1085 | sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); |
1101 | } |
1086 | } |
1102 | |
1087 | |
1103 | void |
1088 | void |
1104 | vpn::shutdown_all () |
1089 | vpn::shutdown_all () |
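Review bot: The `setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos)` added at new line 1084 ignores its return value, so if the option cannot be set on this socket the packet is still sent with whatever TOS the socket last had and nobody learns why the per-packet-type marking from send_ping, send_reset and send_data_packet is not taking effect; `if (setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos) < 0) slog (L_ERR, _("unable to set IP_TOS on vpn socket"));` makes the failure visible. It is also one extra syscall on every send, including the data path, even when `tos` equals the value already in force; remembering the last value set and skipping the call when unchanged would remove that cost, though that needs a member this hunk does not show. The `sendto` on the next line has always ignored its result as well, which is pre-existing.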
… | |
… | |
1121 | connection *conn = new connection (this); |
1106 | connection *conn = new connection (this); |
1122 | |
1107 | |
1123 | conn->conf = *i; |
1108 | conn->conf = *i; |
1124 | conns.push_back (conn); |
1109 | conns.push_back (conn); |
1125 | |
1110 | |
1126 | if (conn->conf->connectmode == conf_node::C_ALWAYS) |
|
|
1127 | conn->establish_connection (); |
1111 | conn->establish_connection (); |
1128 | } |
1112 | } |
1129 | } |
1113 | } |
1130 | |
1114 | |
1131 | connection *vpn::find_router () |
1115 | connection *vpn::find_router () |
1132 | { |
1116 | { |
… | |
… | |
1136 | for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i) |
1120 | for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i) |
1137 | { |
1121 | { |
1138 | connection *c = *i; |
1122 | connection *c = *i; |
1139 | |
1123 | |
1140 | if (c->conf->routerprio > prio |
1124 | if (c->conf->routerprio > prio |
1141 | && c->conf->connectmode == conf_node::C_ALWAYS |
1125 | && c->connectmode == conf_node::C_ALWAYS |
1142 | && c->conf != THISNODE |
1126 | && c->conf != THISNODE |
1143 | && c->ictx && c->octx) |
1127 | && c->ictx && c->octx) |
1144 | { |
1128 | { |
1145 | prio = c->conf->routerprio; |
1129 | prio = c->conf->routerprio; |
1146 | router = c; |
1130 | router = c; |