/*
net_packet.c -- Handles in- and outgoing VPN packets
- Copyright (C) 1998-2002 Ivo Timmermans <itimmermans@bigfoot.com>,
- 2000-2002 Guus Sliepen <guus@sliepen.warande.net>
+ Copyright (C) 1998-2005 Ivo Timmermans,
+ 2000-2016 Guus Sliepen <guus@tinc-vpn.org>
+ 2010 Timothy Redaelli <timothy@redaelli.eu>
+ 2010 Brandon Black <blblack@gmail.com>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
- $Id: net_packet.c,v 1.1.2.13 2002/03/27 15:01:37 guus Exp $
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
-#include "config.h"
-
-#include <errno.h>
-#include <fcntl.h>
-#include <netdb.h>
-#include <netinet/in.h>
-#ifdef HAVE_LINUX
- #include <netinet/ip.h>
- #include <netinet/tcp.h>
-#endif
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <signal.h>
-#include <sys/time.h>
-#include <sys/types.h>
-#include <syslog.h>
-#include <unistd.h>
-#include <sys/ioctl.h>
-/* SunOS really wants sys/socket.h BEFORE net/if.h,
- and FreeBSD wants these lines below the rest. */
-#include <arpa/inet.h>
-#include <sys/socket.h>
-#include <net/if.h>
+#include "system.h"
#include <openssl/rand.h>
+#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/hmac.h>
-#ifndef HAVE_RAND_PSEUDO_BYTES
-#define RAND_pseudo_bytes RAND_bytes
-#endif
-
+#ifdef HAVE_ZLIB
#include <zlib.h>
+#endif
-#include <utils.h>
-#include <xalloc.h>
-#include <avl_tree.h>
-#include <list.h>
+#ifdef HAVE_LZO
+#include LZO1X_H
+#endif
+#include "avl_tree.h"
#include "conf.h"
#include "connection.h"
-#include "meta.h"
+#include "device.h"
+#include "ethernet.h"
+#include "event.h"
+#include "graph.h"
+#include "logger.h"
#include "net.h"
#include "netutl.h"
-#include "process.h"
#include "protocol.h"
-#include "subnet.h"
-#include "graph.h"
#include "process.h"
#include "route.h"
-#include "device.h"
-#include "event.h"
-
-#include "system.h"
+#include "utils.h"
+#include "xalloc.h"
int keylifetime = 0;
int keyexpires = 0;
+#ifdef HAVE_LZO
+static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
+#endif
-#define MAX_SEQNO 1073741824
-
-/* VPN packet I/O */
-
-void receive_udppacket(node_t *n, vpn_packet_t *inpkt)
-{
- vpn_packet_t pkt1, pkt2;
- vpn_packet_t *pkt[] = {&pkt1, &pkt2, &pkt1, &pkt2};
- int nextpkt = 0;
- vpn_packet_t *outpkt = pkt[0];
- int outlen, outpad;
- long int complen = MTU + 12;
- EVP_CIPHER_CTX ctx;
- char hmac[EVP_MAX_MD_SIZE];
-cp
- /* Check the message authentication code */
-
- if(myself->digest && myself->maclength)
- {
- inpkt->len -= myself->maclength;
- HMAC(myself->digest, myself->key, myself->keylength, (char *)&inpkt->seqno, inpkt->len, hmac, NULL);
- if(memcmp(hmac, (char *)&inpkt->seqno + inpkt->len, myself->maclength))
- {
- if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"), n->name, n->hostname);
- return;
- }
- }
-
- /* Decrypt the packet */
-
- if(myself->cipher)
- {
- outpkt = pkt[nextpkt++];
-
- EVP_DecryptInit(&ctx, myself->cipher, myself->key, myself->key + myself->cipher->key_len);
- EVP_DecryptUpdate(&ctx, (char *)&outpkt->seqno, &outlen, (char *)&inpkt->seqno, inpkt->len);
- EVP_DecryptFinal(&ctx, (char *)&outpkt->seqno + outlen, &outpad);
-
- outpkt->len = outlen + outpad;
- inpkt = outpkt;
- }
-
- /* Check the sequence number */
-
- inpkt->len -= sizeof(inpkt->seqno);
- inpkt->seqno = ntohl(inpkt->seqno);
-
- if(inpkt->seqno <= n->received_seqno)
- {
- if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_DEBUG, _("Got late or replayed packet from %s (%s), seqno %d"), n->name, n->hostname, inpkt->seqno);
- return;
- }
-
- n->received_seqno = inpkt->seqno;
-
- if(n->received_seqno > MAX_SEQNO)
- keyexpires = 0;
-
- /* Decompress the packet */
-
- if(myself->compression)
- {
- outpkt = pkt[nextpkt++];
-
- if(uncompress(outpkt->data, &complen, inpkt->data, inpkt->len) != Z_OK)
- {
- syslog(LOG_ERR, _("Error while uncompressing packet from %s (%s)"), n->name, n->hostname);
- return;
- }
-
- outpkt->len = complen;
- inpkt = outpkt;
- }
-
- receive_packet(n, inpkt);
-cp
-}
+static void send_udppacket(node_t *, vpn_packet_t *);
-void receive_tcppacket(connection_t *c, char *buffer, int len)
-{
- vpn_packet_t outpkt;
-cp
- outpkt.len = len;
- memcpy(outpkt.data, buffer, len);
+unsigned replaywin = 16;
+bool localdiscovery = false;
- receive_packet(c->node, &outpkt);
-cp
-}
+#define MAX_SEQNO 1073741824
-void receive_packet(node_t *n, vpn_packet_t *packet)
-{
-cp
- if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_DEBUG, _("Received packet of %d bytes from %s (%s)"), packet->len, n->name, n->hostname);
+/* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
+ mtuprobes == 31: sleep pinginterval seconds
+ mtuprobes == 32: send 1 burst, sleep pingtimeout second
+ mtuprobes == 33: no response from other side, restart PMTU discovery process
- route_incoming(n, packet);
-cp
-}
+ Probes are sent in batches of at least three, with random sizes between the
+ lower and upper boundaries for the MTU thus far discovered.
-void send_udppacket(node_t *n, vpn_packet_t *inpkt)
-{
- vpn_packet_t pkt1, pkt2;
- vpn_packet_t *pkt[] = {&pkt1, &pkt2, &pkt1, &pkt2};
- int nextpkt = 0;
- vpn_packet_t *outpkt;
- int origlen;
- int outlen, outpad;
- long int complen = MTU + 12;
- EVP_CIPHER_CTX ctx;
- vpn_packet_t *copy;
- static int priority = 0;
- int origpriority;
- int sock;
-cp
- /* Make sure we have a valid key */
+ After the initial discovery, a fourth packet is added to each batch with a
+ size larger than the currently known PMTU, to test if the PMTU has increased.
- if(!n->status.validkey)
- {
- if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"),
- n->name, n->hostname);
+ In case local discovery is enabled, another packet is added to each batch,
+ which will be broadcast to the local network.
- /* Since packet is on the stack of handle_tap_input(),
- we have to make a copy of it first. */
-
- copy = xmalloc(sizeof(vpn_packet_t));
- memcpy(copy, inpkt, sizeof(vpn_packet_t));
+*/
- list_insert_tail(n->queue, copy);
+void send_mtu_probe(node_t *n) {
+ vpn_packet_t packet;
+ int len, i;
+ int timeout = 1;
+
+ n->mtuprobes++;
+ n->mtuevent = NULL;
+
+ if(!n->status.reachable || !n->status.validkey) {
+ ifdebug(TRAFFIC) logger(LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
+ n->mtuprobes = 0;
+ return;
+ }
+
+ if(n->mtuprobes > 32) {
+ if(!n->minmtu) {
+ n->mtuprobes = 31;
+ timeout = pinginterval;
+ goto end;
+ }
+
+ ifdebug(TRAFFIC) logger(LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
+ n->mtuprobes = 1;
+ n->minmtu = 0;
+ n->maxmtu = MTU;
+ }
+
+ if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
+ ifdebug(TRAFFIC) logger(LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
+ n->mtuprobes = 31;
+ }
+
+ if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
+ if(n->minmtu > n->maxmtu)
+ n->minmtu = n->maxmtu;
+ else
+ n->maxmtu = n->minmtu;
+ n->mtu = n->minmtu;
+ ifdebug(TRAFFIC) logger(LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
+ n->mtuprobes = 31;
+ }
+
+ if(n->mtuprobes == 31) {
+ timeout = pinginterval;
+ goto end;
+ } else if(n->mtuprobes == 32) {
+ timeout = pingtimeout;
+ }
+
+ for(i = 0; i < 4 + localdiscovery; i++) {
+ if(i == 0) {
+ if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU)
+ continue;
+ len = n->maxmtu + 8;
+ } else if(n->maxmtu <= n->minmtu) {
+ len = n->maxmtu;
+ } else {
+ len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
+ }
+
+ if(len < 64)
+ len = 64;
+
+ memset(packet.data, 0, 14);
+ RAND_bytes(packet.data + 14, len - 14);
+ packet.len = len;
+ if(i >= 4 && n->mtuprobes <= 10)
+ packet.priority = -1;
+ else
+ packet.priority = 0;
+
+ ifdebug(TRAFFIC) logger(LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
+
+ send_udppacket(n, &packet);
+ }
+
+end:
+ n->mtuevent = new_event();
+ n->mtuevent->handler = (event_handler_t)send_mtu_probe;
+ n->mtuevent->data = n;
+ n->mtuevent->time = now + timeout;
+ event_add(n->mtuevent);
+}
- if(n->queue->count > MAXQUEUELENGTH)
- list_delete_head(n->queue);
+void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
+ ifdebug(TRAFFIC) logger(LOG_INFO, "Got MTU probe length %d from %s (%s)", packet->len, n->name, n->hostname);
+
+ if(!packet->data[0]) {
+ packet->data[0] = 1;
+ send_udppacket(n, packet);
+ } else {
+ if(n->mtuprobes > 30) {
+ if (len == n->maxmtu + 8) {
+ ifdebug(TRAFFIC) logger(LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
+ n->maxmtu = MTU;
+ n->mtuprobes = 10;
+ return;
+ }
+
+ if(n->minmtu)
+ n->mtuprobes = 30;
+ else
+ n->mtuprobes = 1;
+ }
+
+ if(len > n->maxmtu)
+ len = n->maxmtu;
+ if(n->minmtu < len)
+ n->minmtu = len;
+ }
+}
- if(!n->status.waitingforkey)
- send_req_key(n->nexthop->connection, myself, n);
+static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
+ if(level == 0) {
+ memcpy(dest, source, len);
+ return len;
+ } else if(level == 10) {
+#ifdef HAVE_LZO
+ lzo_uint lzolen = MAXSIZE;
+ lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
+ return lzolen;
+#else
+ return -1;
+#endif
+ } else if(level < 10) {
+#ifdef HAVE_ZLIB
+ unsigned long destlen = MAXSIZE;
+ if(compress2(dest, &destlen, source, len, level) == Z_OK)
+ return destlen;
+ else
+#endif
+ return -1;
+ } else {
+#ifdef HAVE_LZO
+ lzo_uint lzolen = MAXSIZE;
+ lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
+ return lzolen;
+#else
+ return -1;
+#endif
+ }
+
+ return -1;
+}
- n->status.waitingforkey = 1;
+static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
+ if(level == 0) {
+ memcpy(dest, source, len);
+ return len;
+ } else if(level > 9) {
+#ifdef HAVE_LZO
+ lzo_uint lzolen = MAXSIZE;
+ if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
+ return lzolen;
+ else
+#endif
+ return -1;
+ }
+#ifdef HAVE_ZLIB
+ else {
+ unsigned long destlen = MAXSIZE;
+ if(uncompress(dest, &destlen, source, len) == Z_OK)
+ return destlen;
+ else
+ return -1;
+ }
+#endif
- return;
- }
+ return -1;
+}
- origlen = inpkt->len;
- origpriority = inpkt->priority;
+/* VPN packet I/O */
- /* Compress the packet */
+static void receive_packet(node_t *n, vpn_packet_t *packet) {
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
+ packet->len, n->name, n->hostname);
- if(n->compression)
- {
- outpkt = pkt[nextpkt++];
+ route(n, packet);
+}
- if(compress2(outpkt->data, &complen, inpkt->data, inpkt->len, n->compression) != Z_OK)
- {
- syslog(LOG_ERR, _("Error while compressing packet to %s (%s)"), n->name, n->hostname);
- return;
- }
-
- outpkt->len = complen;
- inpkt = outpkt;
- }
+static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) {
+ unsigned char hmac[EVP_MAX_MD_SIZE];
- /* Add sequence number */
+ if(!n->indigest || !n->inmaclength || !n->inkey || inpkt->len < sizeof inpkt->seqno + n->inmaclength)
+ return false;
- inpkt->seqno = htonl(++(n->sent_seqno));
- inpkt->len += sizeof(inpkt->seqno);
+ HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL);
- /* Encrypt the packet */
+ return !memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength);
+}
- if(n->cipher)
- {
- outpkt = pkt[nextpkt++];
+static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
+ vpn_packet_t pkt1, pkt2;
+ vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
+ int nextpkt = 0;
+ vpn_packet_t *outpkt;
+ int outlen, outpad;
+ unsigned char hmac[EVP_MAX_MD_SIZE];
+ int i;
+
+ if(!n->inkey) {
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
+ n->name, n->hostname);
+ return;
+ }
+
+ /* Check packet length */
+
+ if(inpkt->len < sizeof(inpkt->seqno) + n->inmaclength) {
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got too short packet from %s (%s)",
+ n->name, n->hostname);
+ return;
+ }
+
+ /* Check the message authentication code */
+
+ if(n->indigest && n->inmaclength) {
+ inpkt->len -= n->inmaclength;
+ HMAC(n->indigest, n->inkey, n->inkeylength,
+ (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
+
+ if(memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) {
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)",
+ n->name, n->hostname);
+ return;
+ }
+ }
+
+ /* Decrypt the packet */
+
+ if(n->incipher) {
+ outpkt = pkt[nextpkt++];
+
+ if(!EVP_DecryptInit_ex(n->inctx, NULL, NULL, NULL, NULL)
+ || !EVP_DecryptUpdate(n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
+ (unsigned char *) &inpkt->seqno, inpkt->len)
+ || !EVP_DecryptFinal_ex(n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s",
+ n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
+ return;
+ }
+
+ outpkt->len = outlen + outpad;
+ inpkt = outpkt;
+ }
+
+ /* Check the sequence number */
+
+ inpkt->len -= sizeof(inpkt->seqno);
+ inpkt->seqno = ntohl(inpkt->seqno);
+
+ if(replaywin) {
+ if(inpkt->seqno != n->received_seqno + 1) {
+ if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
+ if(n->farfuture++ < replaywin >> 2) {
+ ifdebug(TRAFFIC) logger(LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
+ n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
+ return;
+ }
+ ifdebug(TRAFFIC) logger(LOG_WARNING, "Lost %d packets from %s (%s)",
+ inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
+ memset(n->late, 0, replaywin);
+ } else if (inpkt->seqno <= n->received_seqno) {
+ if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
+ ifdebug(TRAFFIC) logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
+ n->name, n->hostname, inpkt->seqno, n->received_seqno);
+ return;
+ }
+ } else {
+ for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
+ n->late[(i / 8) % replaywin] |= 1 << i % 8;
+ }
+ }
+
+ n->farfuture = 0;
+ n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
+ }
+
+ if(inpkt->seqno > n->received_seqno)
+ n->received_seqno = inpkt->seqno;
+
+ if(n->received_seqno > MAX_SEQNO)
+ keyexpires = 0;
+
+ /* Decompress the packet */
+
+ length_t origlen = inpkt->len;
+
+ if(n->incompression) {
+ outpkt = pkt[nextpkt++];
+
+ if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
+ ifdebug(TRAFFIC) logger(LOG_ERR, "Error while uncompressing packet from %s (%s)",
+ n->name, n->hostname);
+ return;
+ }
+
+ inpkt = outpkt;
+
+ origlen -= MTU/64 + 20;
+ }
+
+ inpkt->priority = 0;
+
+ if(!inpkt->data[12] && !inpkt->data[13])
+ mtu_probe_h(n, inpkt, origlen);
+ else
+ receive_packet(n, inpkt);
+}
- EVP_EncryptInit(&ctx, n->cipher, n->key, n->key + n->cipher->key_len);
- EVP_EncryptUpdate(&ctx, (char *)&outpkt->seqno, &outlen, (char *)&inpkt->seqno, inpkt->len);
- EVP_EncryptFinal(&ctx, (char *)&outpkt->seqno + outlen, &outpad);
+void receive_tcppacket(connection_t *c, const char *buffer, int len) {
+ vpn_packet_t outpkt;
- outpkt->len = outlen + outpad;
- inpkt = outpkt;
- }
+ if(len > sizeof outpkt.data)
+ return;
- /* Add the message authentication code */
+ outpkt.len = len;
+ if(c->options & OPTION_TCPONLY)
+ outpkt.priority = 0;
+ else
+ outpkt.priority = -1;
+ memcpy(outpkt.data, buffer, len);
- if(n->digest && n->maclength)
- {
- HMAC(n->digest, n->key, n->keylength, (char *)&inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len, &outlen);
- inpkt->len += n->maclength;
- }
+ receive_packet(c->node, &outpkt);
+}
- /* Determine which socket we have to use */
+static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
+ vpn_packet_t pkt1, pkt2;
+ vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
+ vpn_packet_t *inpkt = origpkt;
+ int nextpkt = 0;
+ vpn_packet_t *outpkt;
+ int origlen;
+ int outlen, outpad;
+ int origpriority;
- for(sock = 0; sock < listen_sockets; sock++)
- if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family)
- break;
+ if(!n->status.reachable) {
+ ifdebug(TRAFFIC) logger(LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
+ return;
+ }
- if(sock >= listen_sockets)
- sock = 0; /* If none is available, just use the first and hope for the best. */
-
- /* Send the packet */
+ /* Make sure we have a valid key */
+ if(!n->status.validkey) {
+ ifdebug(TRAFFIC) logger(LOG_INFO,
+ "No valid key known yet for %s (%s), forwarding via TCP",
+ n->name, n->hostname);
+
+ if(n->last_req_key + 10 <= now) {
+ send_req_key(n);
+ n->last_req_key = now;
+ }
+
+ send_tcppacket(n->nexthop->connection, origpkt);
+
+ return;
+ }
+
+ if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
+ ifdebug(TRAFFIC) logger(LOG_INFO,
+ "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
+ n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
+
+ if(n != n->nexthop)
+ send_packet(n->nexthop, origpkt);
+ else
+ send_tcppacket(n->nexthop->connection, origpkt);
+
+ return;
+ }
+
+ origlen = inpkt->len;
+ origpriority = inpkt->priority;
+
+ /* Compress the packet */
+
+ if(n->outcompression) {
+ outpkt = pkt[nextpkt++];
+
+ if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
+ ifdebug(TRAFFIC) logger(LOG_ERR, "Error while compressing packet to %s (%s)",
+ n->name, n->hostname);
+ return;
+ }
+
+ inpkt = outpkt;
+ }
+
+ /* Add sequence number */
+
+ inpkt->seqno = htonl(++(n->sent_seqno));
+ inpkt->len += sizeof(inpkt->seqno);
+
+ /* Encrypt the packet */
+
+ if(n->outcipher) {
+ outpkt = pkt[nextpkt++];
+
+ if(!EVP_EncryptInit_ex(n->outctx, NULL, NULL, NULL, NULL)
+ || !EVP_EncryptUpdate(n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
+ (unsigned char *) &inpkt->seqno, inpkt->len)
+ || !EVP_EncryptFinal_ex(n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
+ ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s",
+ n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
+ goto end;
+ }
+
+ outpkt->len = outlen + outpad;
+ inpkt = outpkt;
+ }
+
+ /* Add the message authentication code */
+
+ if(n->outdigest && n->outmaclength) {
+ HMAC(n->outdigest, n->outkey, n->outkeylength, (unsigned char *) &inpkt->seqno,
+ inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL);
+ inpkt->len += n->outmaclength;
+ }
+
+ /* Determine which socket we have to use */
+
+ if(n->address.sa.sa_family != listen_socket[n->sock].sa.sa.sa_family) {
+ for(int sock = 0; sock < listen_sockets; sock++) {
+ if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family) {
+ n->sock = sock;
+ break;
+ }
+ }
+ }
+
+ /* Send the packet */
+
+ struct sockaddr *sa;
+ socklen_t sl;
+ int sock;
+ sockaddr_t broadcast;
+
+ /* Overloaded use of priority field: -1 means local broadcast */
+
+ if(origpriority == -1 && n->prevedge) {
+ sock = rand() % listen_sockets;
+ memset(&broadcast, 0, sizeof broadcast);
+ if(listen_socket[sock].sa.sa.sa_family == AF_INET6) {
+ broadcast.in6.sin6_family = AF_INET6;
+ broadcast.in6.sin6_addr.s6_addr[0x0] = 0xff;
+ broadcast.in6.sin6_addr.s6_addr[0x1] = 0x02;
+ broadcast.in6.sin6_addr.s6_addr[0xf] = 0x01;
+ broadcast.in6.sin6_port = n->prevedge->address.in.sin_port;
+ broadcast.in6.sin6_scope_id = listen_socket[sock].sa.in6.sin6_scope_id;
+ } else {
+ broadcast.in.sin_family = AF_INET;
+ broadcast.in.sin_addr.s_addr = -1;
+ broadcast.in.sin_port = n->prevedge->address.in.sin_port;
+ }
+ sa = &broadcast.sa;
+ sl = SALEN(broadcast.sa);
+ } else {
+ if(origpriority == -1)
+ origpriority = 0;
+
+ sa = &(n->address.sa);
+ sl = SALEN(n->address.sa);
+ sock = n->sock;
+ }
+
+ if(priorityinheritance && origpriority != listen_socket[n->sock].priority) {
+ listen_socket[n->sock].priority = origpriority;
+ switch(listen_socket[n->sock].sa.sa.sa_family) {
#if defined(SOL_IP) && defined(IP_TOS)
- if(priorityinheritance && origpriority != priority && listen_socket[sock].sa.sa.sa_family == AF_INET)
- {
- priority = origpriority;
- if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_DEBUG, _("Setting outgoing packet priority to %d"), priority);
- if(setsockopt(sock, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
- syslog(LOG_ERR, _("System call `%s' failed: %s"), "setsockopt", strerror(errno));
- }
+ case AF_INET:
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority);
+ if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, (void *)&origpriority, sizeof(origpriority))) /* SO_PRIORITY doesn't seem to work */
+ logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
+ break;
#endif
-
- if((sendto(listen_socket[sock].udp, (char *)&inpkt->seqno, inpkt->len, 0, &(n->address.sa), SALEN(n->address.sa))) < 0)
- {
- syslog(LOG_ERR, _("Error sending packet to %s (%s): %s"),
- n->name, n->hostname, strerror(errno));
- return;
- }
-
- inpkt->len = origlen;
-cp
+#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS)
+ case AF_INET6:
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority);
+ if(setsockopt(listen_socket[n->sock].udp, IPPROTO_IPV6, IPV6_TCLASS, (void *)&origpriority, sizeof(origpriority)))
+ logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
+ break;
+#endif
+ default:
+ break;
+ }
+ }
+
+ if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
+ if(sockmsgsize(sockerrno)) {
+ if(n->maxmtu >= origlen)
+ n->maxmtu = origlen - 1;
+ if(n->mtu >= origlen)
+ n->mtu = origlen - 1;
+ } else
+ ifdebug(TRAFFIC) logger(LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
+ }
+
+end:
+ origpkt->len = origlen;
}
/*
send a packet to the given vpn ip.
*/
-void send_packet(node_t *n, vpn_packet_t *packet)
-{
- node_t *via;
-cp
- if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"),
- packet->len, n->name, n->hostname);
-
- if(n == myself)
- {
- if(debug_lvl >= DEBUG_TRAFFIC)
- {
- syslog(LOG_NOTICE, _("Packet is looping back to us!"));
- }
-
- return;
- }
-
- if(!n->status.reachable)
- {
- if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_INFO, _("Node %s (%s) is not reachable"),
- n->name, n->hostname);
- return;
- }
-
- via = (n->via == myself)?n->nexthop:n->via;
-
- if(via != n && debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_ERR, _("Sending packet to %s via %s (%s)"),
- n->name, via->name, n->via->hostname);
-
- if((myself->options | via->options) & OPTION_TCPONLY)
- {
- if(send_tcppacket(via->connection, packet))
- terminate_connection(via->connection, 1);
- }
- else
- send_udppacket(via, packet);
+void send_packet(const node_t *n, vpn_packet_t *packet) {
+ node_t *via;
+
+ if(n == myself) {
+ if(overwrite_mac)
+ memcpy(packet->data, mymac.x, ETH_ALEN);
+ devops.write(packet);
+ return;
+ }
+
+ ifdebug(TRAFFIC) logger(LOG_ERR, "Sending packet of %d bytes to %s (%s)",
+ packet->len, n->name, n->hostname);
+
+ if(!n->status.reachable) {
+ ifdebug(TRAFFIC) logger(LOG_INFO, "Node %s (%s) is not reachable",
+ n->name, n->hostname);
+ return;
+ }
+
+ via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
+
+ if(via != n)
+ ifdebug(TRAFFIC) logger(LOG_INFO, "Sending packet to %s via %s (%s)",
+ n->name, via->name, n->via->hostname);
+
+ if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
+ if(!send_tcppacket(via->connection, packet))
+ terminate_connection(via->connection, true);
+ } else
+ send_udppacket(via, packet);
}
/* Broadcast a packet using the minimum spanning tree */
-void broadcast_packet(node_t *from, vpn_packet_t *packet)
-{
- avl_node_t *node;
- connection_t *c;
-cp
- if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_INFO, _("Broadcasting packet of %d bytes from %s (%s)"),
- packet->len, from->name, from->hostname);
-
- for(node = connection_tree->head; node; node = node->next)
- {
- c = (connection_t *)node->data;
- if(c->status.active && c->status.mst && c != from->nexthop->connection)
- send_packet(c->node, packet);
- }
-cp
+void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
+ avl_node_t *node;
+ connection_t *c;
+ node_t *n;
+
+ // Always give ourself a copy of the packet.
+ if(from != myself)
+ send_packet(myself, packet);
+
+ // In TunnelServer mode, do not forward broadcast packets.
+ // The MST might not be valid and create loops.
+ if(tunnelserver || broadcast_mode == BMODE_NONE)
+ return;
+
+ ifdebug(TRAFFIC) logger(LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
+ packet->len, from->name, from->hostname);
+
+ switch(broadcast_mode) {
+ // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
+ // This guarantees all nodes receive the broadcast packet, and
+ // usually distributes the sending of broadcast packets over all nodes.
+ case BMODE_MST:
+ for(node = connection_tree->head; node; node = node->next) {
+ c = node->data;
+
+ if(c->status.active && c->status.mst && c != from->nexthop->connection)
+ send_packet(c->node, packet);
+ }
+ break;
+
+ // In direct mode, we send copies to each node we know of.
+ // However, this only reaches nodes that can be reached in a single hop.
+ // We don't have enough information to forward broadcast packets in this case.
+ case BMODE_DIRECT:
+ if(from != myself)
+ break;
+
+ for(node = node_udp_tree->head; node; node = node->next) {
+ n = node->data;
+
+ if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
+ send_packet(n, packet);
+ }
+ break;
+
+ default:
+ break;
+ }
}
-void flush_queue(node_t *n)
-{
- list_node_t *node, *next;
-cp
- if(debug_lvl >= DEBUG_TRAFFIC)
- syslog(LOG_INFO, _("Flushing queue for %s (%s)"), n->name, n->hostname);
-
- for(node = n->queue->head; node; node = next)
- {
- next = node->next;
- send_udppacket(n, (vpn_packet_t *)node->data);
- list_delete_node(n->queue, node);
- }
-cp
-}
+static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
+ avl_node_t *node;
+ edge_t *e;
+ node_t *n = NULL;
+ static time_t last_hard_try = 0;
-void handle_incoming_vpn_data(int sock)
-{
- vpn_packet_t pkt;
- int x, l = sizeof(x);
- char *hostname;
- sockaddr_t from;
- socklen_t fromlen = sizeof(from);
- node_t *n;
-cp
- if(getsockopt(sock, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
- {
- syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%s"),
- __FILE__, __LINE__, sock, strerror(errno));
- cp_trace();
- exit(1);
- }
- if(x)
- {
- syslog(LOG_ERR, _("Incoming data socket error: %s"), strerror(x));
- return;
- }
-
- if((pkt.len = recvfrom(sock, (char *)&pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen)) <= 0)
- {
- syslog(LOG_ERR, _("Receiving packet failed: %s"), strerror(errno));
- return;
- }
-
- sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
-
- n = lookup_node_udp(&from);
-
- if(!n)
- {
- hostname = sockaddr2hostname(&from);
- syslog(LOG_WARNING, _("Received UDP packet from unknown source %s"), hostname);
- free(hostname);
- return;
- }
-
- if(n->connection)
- n->connection->last_ping_time = now;
-
- receive_udppacket(n, &pkt);
-cp
+ for(node = edge_weight_tree->head; node; node = node->next) {
+ e = node->data;
+
+ if(e->to == myself)
+ continue;
+
+ if(last_hard_try == now && sockaddrcmp_noport(from, &e->address))
+ continue;
+
+ if(!try_mac(e->to, pkt))
+ continue;
+
+ n = e->to;
+ break;
+ }
+
+ last_hard_try = now;
+ return n;
}
+void handle_incoming_vpn_data(int sock) {
+ vpn_packet_t pkt;
+ char *hostname;
+ sockaddr_t from;
+ socklen_t fromlen = sizeof(from);
+ node_t *n;
+
+ pkt.len = recvfrom(listen_socket[sock].udp, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
+
+ if(pkt.len < 0) {
+ if(!sockwouldblock(sockerrno))
+ logger(LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
+ return;
+ }
+
+ sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
+
+ n = lookup_node_udp(&from);
+
+ if(!n) {
+ n = try_harder(&from, &pkt);
+ if(n)
+ update_node_udp(n, &from);
+ else ifdebug(PROTOCOL) {
+ hostname = sockaddr2hostname(&from);
+ logger(LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
+ free(hostname);
+ return;
+ }
+ else
+ return;
+ }
+
+ n->sock = sock;
+
+ receive_udppacket(n, &pkt);
+}