ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/protocol.C
(Generate patch)

Comparing gvpe/src/protocol.C (file contents):
Revision 1.1 by pcg, Sat Mar 1 15:53:03 2003 UTC vs.
Revision 1.8 by pcg, Mon Mar 17 15:20:18 2003 UTC

330 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); 330 EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2);
331 outl += outl2; 331 outl += outl2;
332 332
333 seqno = *(u32 *)(d + RAND_SIZE); 333 seqno = *(u32 *)(d + RAND_SIZE);
334 334
335 id2mac (dst (), p->dst); 335 id2mac (dst () ? dst() : THISNODE->id, p->dst);
336 id2mac (src (), p->src); 336 id2mac (src (), p->src);
337 337
338#if ENABLE_COMPRESSION 338#if ENABLE_COMPRESSION
339 if (type == PT_DATA_COMPRESSED) 339 if (type == PT_DATA_COMPRESSED)
340 { 340 {
341 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1]; 341 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
481connection::send_ping (SOCKADDR *dsa, u8 pong) 481connection::send_ping (SOCKADDR *dsa, u8 pong)
482{ 482{
483 ping_packet *pkt = new ping_packet; 483 ping_packet *pkt = new ping_packet;
484 484
485 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 485 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
486 vpn->send_vpn_packet (pkt, dsa); 486 vpn->send_vpn_packet (pkt, dsa, IPTOS_LOWDELAY);
487 487
488 delete pkt; 488 delete pkt;
489} 489}
490 490
491void 491void
496 if (limiter.can (dsa)) 496 if (limiter.can (dsa))
497 { 497 {
498 config_packet *pkt = new config_packet; 498 config_packet *pkt = new config_packet;
499 499
500 pkt->setup (vpn_packet::PT_RESET, conf->id); 500 pkt->setup (vpn_packet::PT_RESET, conf->id);
501 vpn->send_vpn_packet (pkt, dsa); 501 vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST);
502 502
503 delete pkt; 503 delete pkt;
504 } 504 }
505} 505}
506 506
550 fatal ("RSA_public_encrypt error"); 550 fatal ("RSA_public_encrypt error");
551#endif 551#endif
552 552
553 slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa)); 553 slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa));
554 554
555 vpn->send_vpn_packet (pkt, sa); 555 vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY);
556 556
557 delete pkt; 557 delete pkt;
558 } 558 }
559} 559}
560 560
561void 561void
562connection::establish_connection () 562connection::establish_connection ()
563{ 563{
564 if (!ictx && conf != THISNODE && conf->connectmode != conf_node::C_NEVER) 564 if (!ictx && conf != THISNODE && connectmode != conf_node::C_NEVER)
565 { 565 {
566 if (now >= next_retry) 566 if (now >= next_retry)
567 { 567 {
568 int retry_int = retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2); 568 int retry_int = retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2);
569 569
570 if (retry_cnt < (17 << 2) | 3) 570 if (retry_cnt < (17 << 2) | 3)
571 retry_cnt++; 571 retry_cnt++;
572 572
573 if (conf->connectmode == conf_node::C_ONDEMAND 573 if (connectmode == conf_node::C_ONDEMAND
574 && retry_int > ::conf.keepalive) 574 && retry_int > ::conf.keepalive)
575 retry_int = ::conf.keepalive; 575 retry_int = ::conf.keepalive;
576 576
577 next_retry = now + retry_int; 577 next_retry = now + retry_int;
578 next_wakeup (next_retry); 578 next_wakeup (next_retry);
635 635
636void 636void
637connection::send_data_packet (tap_packet * pkt, bool broadcast) 637connection::send_data_packet (tap_packet * pkt, bool broadcast)
638{ 638{
639 vpndata_packet *p = new vpndata_packet; 639 vpndata_packet *p = new vpndata_packet;
640 int tos = 0;
641
642 if (conf->inherit_tos
643 && (*pkt)[12] == 0x08 && (*pkt)[13] == 0x00 // IP
644 && ((*pkt)[14] & 0xf0) == 0x40) // IPv4
645 tos = (*pkt)[15] & IPTOS_TOS_MASK;
640 646
641 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs 647 p->setup (this, broadcast ? 0 : conf->id, &((*pkt)[6 + 6]), pkt->len - 6 - 6, ++oseqno); // skip 2 macs
642 vpn->send_vpn_packet (p, &sa); 648 vpn->send_vpn_packet (p, &sa, tos);
643 649
644 delete p; 650 delete p;
645 651
646 if (oseqno > MAX_SEQNO) 652 if (oseqno > MAX_SEQNO)
647 rekey (); 653 rekey ();
692 { 698 {
693 reset_connection (); 699 reset_connection ();
694 700
695 config_packet *p = (config_packet *) pkt; 701 config_packet *p = (config_packet *) pkt;
696 if (p->chk_config ()) 702 if (p->chk_config ())
697 if (conf->connectmode == conf_node::C_ALWAYS) 703 if (connectmode == conf_node::C_ALWAYS)
698 establish_connection (); 704 establish_connection ();
699 705
700 //D slog the protocol mismatch? 706 //D slog the protocol mismatch?
701 } 707 }
702 break; 708 break;
766 if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32), 772 if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32),
767 sizeof (rsachallenge) - sizeof (u32))) 773 sizeof (rsachallenge) - sizeof (u32)))
768 { 774 {
769 delete ictx; 775 delete ictx;
770 776
771 ictx = new crypto_ctx (k, 0); 777 ictx = new crypto_ctx (k, 0);
772 iseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; // at least 2**31 sequence numbers are valid 778 iseqno.reset (*(u32 *)&k[CHG_SEQNO] & 0x7fffffff); // at least 2**31 sequence numbers are valid
773 ismask = 0xffffffff; // initially, all lower sequence numbers are invalid
774 779
775 sa = *ssa; 780 sa = *ssa;
776 781
777 next_rekey = now + ::conf.rekey; 782 next_rekey = now + ::conf.rekey;
778 next_wakeup (next_rekey); 783 next_wakeup (next_rekey);
781 while (tap_packet *p = queue.get ()) 786 while (tap_packet *p = queue.get ())
782 { 787 {
783 send_data_packet (p); 788 send_data_packet (p);
784 delete p; 789 delete p;
785 } 790 }
791
792 connectmode = conf->connectmode;
786 793
787 slog (L_INFO, _("connection to %d (%s %s) established"), 794 slog (L_INFO, _("connection to %d (%s %s) established"),
788 conf->id, conf->nodename, (const char *)sockinfo (ssa)); 795 conf->id, conf->nodename, (const char *)sockinfo (ssa));
789 796
790 if (::conf.script_node_up) 797 if (::conf.script_node_up)
826 else 833 else
827 { 834 {
828 u32 seqno; 835 u32 seqno;
829 tap_packet *d = p->unpack (this, seqno); 836 tap_packet *d = p->unpack (this, seqno);
830 837
831 if (seqno <= iseqno - 32) 838 if (iseqno.recv_ok (seqno))
832 slog (L_ERR, _("received duplicate or outdated packet (received %08lx, expected %08lx)\n"
833 "possible replay attack, or just massive packet reordering"), seqno, iseqno + 1);//D
834 else if (seqno > iseqno + 32)
835 slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n"
836 "possible replay attack, or just massive packet loss"), seqno, iseqno + 1);//D
837 else
838 { 839 {
839 if (seqno > iseqno)
840 {
841 ismask <<= seqno - iseqno;
842 iseqno = seqno;
843 }
844
845 u32 mask = 1 << (iseqno - seqno);
846
847 //printf ("received seqno %08lx, iseqno %08lx, mask %08lx is %08lx\n", seqno, iseqno, mask, ismask);
848 if (ismask & mask)
849 slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n"
850 "possible replay attack, or just packet duplication"), seqno, iseqno + 1);//D
851 else
852 {
853 ismask |= mask;
854
855 vpn->tap->send (d); 840 vpn->tap->send (d);
856 841
857 if (p->dst () == 0) // re-broadcast 842 if (p->dst () == 0) // re-broadcast
858 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i) 843 for (vpn::conns_vector::iterator i = vpn->conns.begin (); i != vpn->conns.end (); ++i)
859 { 844 {
860 connection *c = *i; 845 connection *c = *i;
861 846
862 if (c->conf != THISNODE && c->conf != conf) 847 if (c->conf != THISNODE && c->conf != conf)
863 c->inject_data_packet (d); 848 c->inject_data_packet (d);
864 }
865
866 delete d;
867
868 break;
869 } 849 }
850
851 delete d;
852
853 break;
870 } 854 }
871 } 855 }
872 } 856 }
873 else 857 else
874 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D 858 slog (L_ERR, _("received data packet from unknown source %s"), (const char *)sockinfo (ssa));//D
889 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n", 873 slog (L_TRACE, "<<%d PT_CONNECT_REQ(%d) [%d]\n",
890 conf->id, p->id, c->ictx && c->octx); 874 conf->id, p->id, c->ictx && c->octx);
891 875
892 if (c->ictx && c->octx) 876 if (c->ictx && c->octx)
893 { 877 {
878 // send connect_info packets to both sides, in case one is
879 // behind a nat firewall (or both ;)
880 {
894 sockinfo si(sa); 881 sockinfo si(sa);
895 882
896 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n", 883 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
897 c->conf->id, p->id, (const char *)si); 884 c->conf->id, conf->id, (const char *)si);
898 885
899 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si); 886 connect_info_packet *r = new connect_info_packet (c->conf->id, conf->id, si);
900 887
901 r->hmac_set (c->octx); 888 r->hmac_set (c->octx);
902 vpn->send_vpn_packet (r, &c->sa); 889 vpn->send_vpn_packet (r, &c->sa);
903 890
904 delete r; 891 delete r;
892 }
893
894 {
895 sockinfo si(c->sa);
896
897 slog (L_TRACE, ">>%d PT_CONNECT_INFO(%d,%s)\n",
898 conf->id, c->conf->id, (const char *)si);
899
900 connect_info_packet *r = new connect_info_packet (conf->id, c->conf->id, si);
901
902 r->hmac_set (octx);
903 vpn->send_vpn_packet (r, &sa);
904
905 delete r;
906 }
905 } 907 }
906 } 908 }
907 909
908 break; 910 break;
909 911
931 933
932void connection::timer () 934void connection::timer ()
933{ 935{
934 if (conf != THISNODE) 936 if (conf != THISNODE)
935 { 937 {
936 if (now >= next_retry && conf->connectmode == conf_node::C_ALWAYS) 938 if (now >= next_retry && connectmode == conf_node::C_ALWAYS)
937 establish_connection (); 939 establish_connection ();
938 940
939 if (ictx && octx) 941 if (ictx && octx)
940 { 942 {
941 if (now >= next_rekey) 943 if (now >= next_rekey)
1075 1077
1076 return 0; 1078 return 0;
1077} 1079}
1078 1080
1079void 1081void
1080vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa) 1082vpn::send_vpn_packet (vpn_packet *pkt, SOCKADDR *sa, int tos)
1081{ 1083{
1084 setsockopt (socket_fd, SOL_IP, IP_TOS, &tos, sizeof tos);
1082 sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa)); 1085 sendto (socket_fd, &((*pkt)[0]), pkt->len, 0, (sockaddr *)sa, sizeof (*sa));
1083} 1086}
1084 1087
1085void 1088void
1086vpn::shutdown_all () 1089vpn::shutdown_all ()
1103 connection *conn = new connection (this); 1106 connection *conn = new connection (this);
1104 1107
1105 conn->conf = *i; 1108 conn->conf = *i;
1106 conns.push_back (conn); 1109 conns.push_back (conn);
1107 1110
1108 if (conn->conf->connectmode == conf_node::C_ALWAYS)
1109 conn->establish_connection (); 1111 conn->establish_connection ();
1110 } 1112 }
1111} 1113}
1112 1114
1113connection *vpn::find_router () 1115connection *vpn::find_router ()
1114{ 1116{
1118 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i) 1120 for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1119 { 1121 {
1120 connection *c = *i; 1122 connection *c = *i;
1121 1123
1122 if (c->conf->routerprio > prio 1124 if (c->conf->routerprio > prio
1123 && c->conf->connectmode == conf_node::C_ALWAYS 1125 && c->connectmode == conf_node::C_ALWAYS
1124 && c->conf != THISNODE 1126 && c->conf != THISNODE
1125 && c->ictx && c->octx) 1127 && c->ictx && c->octx)
1126 { 1128 {
1127 prio = c->conf->routerprio; 1129 prio = c->conf->routerprio;
1128 router = c; 1130 router = c;
1136{ 1138{
1137 connection *c = find_router (); 1139 connection *c = find_router ();
1138 1140
1139 if (c) 1141 if (c)
1140 c->connect_request (id); 1142 c->connect_request (id);
1143 //else // does not work, because all others must connect to the same router
1144 // // no router found, aggressively connect to all routers
1145 // for (conns_vector::iterator i = conns.begin (); i != conns.end (); ++i)
1146 // if ((*i)->conf->routerprio)
1147 // (*i)->establish_connection ();
1141} 1148}
1142 1149
1143void 1150void
1144vpn::main_loop () 1151vpn::main_loop ()
1145{ 1152{

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines