… | |
… | |
772 | if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32), |
772 | if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32), |
773 | sizeof (rsachallenge) - sizeof (u32))) |
773 | sizeof (rsachallenge) - sizeof (u32))) |
774 | { |
774 | { |
775 | delete ictx; |
775 | delete ictx; |
776 | |
776 | |
777 | ictx = new crypto_ctx (k, 0); |
777 | ictx = new crypto_ctx (k, 0); |
778 | iseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; // at least 2**31 sequence numbers are valid |
778 | iseqno.reset (*(u32 *)&k[CHG_SEQNO] & 0x7fffffff); // at least 2**31 sequence numbers are valid |
779 | ismask = 0xffffffff; // initially, all lower sequence numbers are invalid |
|
|
780 | |
779 | |
781 | sa = *ssa; |
780 | sa = *ssa; |
782 | |
781 | |
783 | next_rekey = now + ::conf.rekey; |
782 | next_rekey = now + ::conf.rekey; |
784 | next_wakeup (next_rekey); |
783 | next_wakeup (next_rekey); |
… | |
… | |
834 | else |
833 | else |
835 | { |
834 | { |
836 | u32 seqno; |
835 | u32 seqno; |
837 | tap_packet *d = p->unpack (this, seqno); |
836 | tap_packet *d = p->unpack (this, seqno); |
838 | |
837 | |
839 | if (seqno <= iseqno - 32) |
838 | if (iseqno.recv_ok (seqno)) |
840 | slog (L_ERR, _("received duplicate or outdated packet (received %08lx, expected %08lx)\n" |
|
|
841 | "possible replay attack, or just massive packet reordering"), seqno, iseqno + 1);//D |
|
|
842 | else if (seqno > iseqno + 32) |
|
|
843 | slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n" |
|
|
844 | "possible replay attack, or just massive packet loss"), seqno, iseqno + 1);//D |
|
|
845 | else |
|
|
846 | { |
839 | { |
847 | if (seqno > iseqno) |
|
|
848 | { |
|
|
849 | ismask <<= seqno - iseqno; |
|
|
850 | iseqno = seqno; |
|
|
851 | } |
|
|
852 | |
|
|
853 | u32 mask = 1 << (iseqno - seqno); |
|
|
854 | |
|
|
855 | //printf ("received seqno %08lx, iseqno %08lx, mask %08lx is %08lx\n", seqno, iseqno, mask, ismask); |
|
|
856 | if (ismask & mask) |
|
|
857 | slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n" |
|
|
858 | "possible replay attack, or just packet duplication"), seqno, iseqno + 1);//D |
|
|
859 | else |
|
|
860 | { |
|
|
861 | ismask |= mask; |
|
|
862 | |
|
|
863 | vpn->tap->send (d); |
840 | vpn->tap->send (d); |
864 | |
841 | |
865 | if (p->dst () == 0) // re-broadcast |
842 | if (p->dst () == 0) // re-broadcast |
866 | for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i) |
843 | for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i) |
867 | { |
844 | { |
868 | connection *c = *i; |
845 | connection *c = *i; |
869 | |
846 | |
870 | if (c->conf != THISNODE && c->conf != conf) |
847 | if (c->conf != THISNODE && c->conf != conf) |
871 | c->inject_data_packet (d); |
848 | c->inject_data_packet (d); |
872 | } |
|
|
873 | |
|
|
874 | delete d; |
|
|
875 | |
|
|
876 | break; |
|
|
877 | } |
849 | } |
|
|
850 | |
|
|
851 | delete d; |
|
|
852 | |
|
|
853 | break; |
878 | } |
854 | } |
879 | } |
855 | } |
880 | } |
856 | } |
881 | else |
857 | else |
882 | slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D |
858 | slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D |