/*
net_packet.c -- Handles in- and outgoing VPN packets
Copyright (C) 1998-2005 Ivo Timmermans,
- 2000-2006 Guus Sliepen <guus@tinc-vpn.org>
+ 2000-2009 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
- $Id$
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include "system.h"
int keylifetime = 0;
int keyexpires = 0;
-EVP_CIPHER_CTX packet_ctx;
static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
static void send_udppacket(node_t *, vpn_packet_t *);
#define MAX_SEQNO 1073741824
-void send_mtu_probe(node_t *n)
-{
+void send_mtu_probe(node_t *n) {
vpn_packet_t packet;
int len, i;
n->mtuprobes++;
n->mtuevent = NULL;
+ if(!n->status.reachable) {
+ logger(LOG_DEBUG, _("Trying to send MTU probe to unreachable node %s (%s)"), n->name, n->hostname);
+ return;
+ }
+
if(n->mtuprobes >= 10 && !n->minmtu) {
ifdebug(TRAFFIC) logger(LOG_INFO, _("No response to MTU probes from %s (%s)"), n->name, n->hostname);
return;
return;
}
- len = n->minmtu + 1 + random() % (n->maxmtu - n->minmtu);
+ len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
if(len < 64)
len = 64;
event_add(n->mtuevent);
}
-void mtu_probe_h(node_t *n, vpn_packet_t *packet) {
+void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
ifdebug(TRAFFIC) logger(LOG_INFO, _("Got MTU probe length %d from %s (%s)"), packet->len, n->name, n->hostname);
if(!packet->data[0]) {
packet->data[0] = 1;
send_packet(n, packet);
} else {
- if(n->minmtu < packet->len)
- n->minmtu = packet->len;
+ if(n->minmtu < len)
+ n->minmtu = len;
}
}
-static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level)
-{
+static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
if(level == 10) {
lzo_uint lzolen = MAXSIZE;
lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
return -1;
}
-static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level)
-{
+static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
if(level > 9) {
lzo_uint lzolen = MAXSIZE;
if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
/* VPN packet I/O */
-static void receive_packet(node_t *n, vpn_packet_t *packet)
-{
+static void receive_packet(node_t *n, vpn_packet_t *packet) {
cp();
ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Received packet of %d bytes from %s (%s)"),
route(n, packet);
}
-static void receive_udppacket(node_t *n, vpn_packet_t *inpkt)
-{
+static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) {
+ unsigned char hmac[EVP_MAX_MD_SIZE];
+
+ if(!n->indigest || !n->inmaclength || !n->inkey || inpkt->len < sizeof inpkt->seqno + n->inmaclength)
+ return false;
+
+ HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL);
+
+ return !memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength);
+}
+
+static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
vpn_packet_t pkt1, pkt2;
vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
int nextpkt = 0;
cp();
+ if(!n->inkey) {
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got packet from %s (%s) but he hasn't got our key yet"),
+ n->name, n->hostname);
+ return;
+ }
+
/* Check packet length */
- if(inpkt->len < sizeof(inpkt->seqno) + myself->maclength) {
+ if(inpkt->len < sizeof(inpkt->seqno) + n->inmaclength) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got too short packet from %s (%s)"),
n->name, n->hostname);
return;
/* Check the message authentication code */
- if(myself->digest && myself->maclength) {
- inpkt->len -= myself->maclength;
- HMAC(myself->digest, myself->key, myself->keylength,
+ if(n->indigest && n->inmaclength) {
+ inpkt->len -= n->inmaclength;
+ HMAC(n->indigest, n->inkey, n->inkeylength,
(unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
- if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, myself->maclength)) {
+ if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"),
n->name, n->hostname);
return;
/* Decrypt the packet */
- if(myself->cipher) {
+ if(n->incipher) {
outpkt = pkt[nextpkt++];
- if(!EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL)
- || !EVP_DecryptUpdate(&packet_ctx, (unsigned char *) &outpkt->seqno, &outlen,
+ if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL)
+ || !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
(unsigned char *) &inpkt->seqno, inpkt->len)
- || !EVP_DecryptFinal_ex(&packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
+ || !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s): %s"),
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
return;
/* Decompress the packet */
- if(myself->compression) {
+ length_t origlen = inpkt->len;
+
+ if(n->incompression) {
outpkt = pkt[nextpkt++];
- if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, myself->compression)) < 0) {
+ if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while uncompressing packet from %s (%s)"),
n->name, n->hostname);
return;
}
inpkt = outpkt;
+
+ origlen -= MTU/64 + 20;
}
inpkt->priority = 0;
n->connection->last_ping_time = now;
if(!inpkt->data[12] && !inpkt->data[13])
- mtu_probe_h(n, inpkt);
+ mtu_probe_h(n, inpkt, origlen);
else
receive_packet(n, inpkt);
}
-void receive_tcppacket(connection_t *c, char *buffer, int len)
-{
+void receive_tcppacket(connection_t *c, char *buffer, int len) {
vpn_packet_t outpkt;
cp();
receive_packet(c->node, &outpkt);
}
-static void send_udppacket(node_t *n, vpn_packet_t *origpkt)
-{
+static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
vpn_packet_t pkt1, pkt2;
vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
vpn_packet_t *inpkt = origpkt;
cp();
+ if(!n->status.reachable) {
+ ifdebug(TRAFFIC) logger(LOG_INFO, _("Trying to send UDP packet to unreachable node %s (%s)"), n->name, n->hostname);
+ return;
+ }
+
/* Make sure we have a valid key */
if(!n->status.validkey) {
n->name, n->hostname);
if(!n->status.waitingforkey)
- send_req_key(n->nexthop->connection, myself, n);
+ send_req_key(n);
n->status.waitingforkey = true;
return;
}
- if(!n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
+ if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
ifdebug(TRAFFIC) logger(LOG_INFO,
- _("No minimum MTU established yet for %s (%s), forwarding via TCP"),
+ _("Packet for %s (%s) larger than minimum MTU, forwarding via TCP"),
n->name, n->hostname);
send_tcppacket(n->nexthop->connection, origpkt);
+
+ return;
}
origlen = inpkt->len;
/* Compress the packet */
- if(n->compression) {
+ if(n->outcompression) {
outpkt = pkt[nextpkt++];
- if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->compression)) < 0) {
+ if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while compressing packet to %s (%s)"),
n->name, n->hostname);
return;
/* Encrypt the packet */
- if(n->cipher) {
+ if(n->outcipher) {
outpkt = pkt[nextpkt++];
- if(!EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL)
- || !EVP_EncryptUpdate(&n->packet_ctx, (unsigned char *) &outpkt->seqno, &outlen,
+ if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL)
+ || !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
(unsigned char *) &inpkt->seqno, inpkt->len)
- || !EVP_EncryptFinal_ex(&n->packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
+ || !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"),
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
goto end;
/* Add the message authentication code */
- if(n->digest && n->maclength) {
- HMAC(n->digest, n->key, n->keylength, (unsigned char *) &inpkt->seqno,
+ if(n->outdigest && n->outmaclength) {
+ HMAC(n->outdigest, n->outkey, n->outkeylength, (unsigned char *) &inpkt->seqno,
inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL);
- inpkt->len += n->maclength;
+ inpkt->len += n->outmaclength;
}
/* Determine which socket we have to use */
/*
send a packet to the given vpn ip.
*/
-void send_packet(const node_t *n, vpn_packet_t *packet)
-{
+void send_packet(const node_t *n, vpn_packet_t *packet) {
node_t *via;
cp();
/* Broadcast a packet using the minimum spanning tree */
-void broadcast_packet(const node_t *from, vpn_packet_t *packet)
-{
+void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
avl_node_t *node;
connection_t *c;
ifdebug(TRAFFIC) logger(LOG_INFO, _("Broadcasting packet of %d bytes from %s (%s)"),
packet->len, from->name, from->hostname);
- if(from != myself)
+ if(from != myself) {
send_packet(myself, packet);
+ // In TunnelServer mode, do not forward broadcast packets.
+ // The MST might not be valid and create loops.
+ if(tunnelserver)
+ return;
+ }
+
for(node = connection_tree->head; node; node = node->next) {
c = node->data;
}
}
-void handle_incoming_vpn_data(int sock)
-{
+static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
+ avl_node_t *node;
+ edge_t *e;
+ node_t *n = NULL;
+
+ for(node = edge_weight_tree->head; node; node = node->next) {
+ e = node->data;
+
+ if(sockaddrcmp_noport(from, &e->address))
+ continue;
+
+ if(!n)
+ n = e->to;
+
+ if(!try_mac(e->to, pkt))
+ continue;
+
+ n = e->to;
+ break;
+ }
+
+ return n;
+}
+
+void handle_incoming_vpn_data(int sock) {
vpn_packet_t pkt;
char *hostname;
sockaddr_t from;
pkt.len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
if(pkt.len < 0) {
- logger(LOG_ERR, _("Receiving packet failed: %s"), strerror(errno));
+ if(errno != EAGAIN && errno != EINTR)
+ logger(LOG_ERR, _("Receiving packet failed: %s"), strerror(errno));
return;
}
n = lookup_node_udp(&from);
if(!n) {
- hostname = sockaddr2hostname(&from);
- logger(LOG_WARNING, _("Received UDP packet from unknown source %s"),
- hostname);
- free(hostname);
- return;
+ n = try_harder(&from, &pkt);
+ if(n)
+ update_node_udp(n, &from);
+ else ifdebug(PROTOCOL) {
+ hostname = sockaddr2hostname(&from);
+ logger(LOG_WARNING, _("Received UDP packet from unknown source %s"), hostname);
+ free(hostname);
+ return;
+ }
+ else
+ return;
}
receive_udppacket(n, &pkt);