2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2011 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 #include <openssl/rand.h>
26 #include <openssl/err.h>
27 #include <openssl/evp.h>
28 #include <openssl/pem.h>
29 #include <openssl/hmac.h>
39 #include "splay_tree.h"
42 #include "connection.h"
/* Scratch memory for the LZO compressor, sized for whichever of the two
   LZO1X variants used in compress_packet() needs more.  It is one static
   buffer shared by every call, so compress_packet() must never run
   concurrently -- nothing in this file synchronises it (assumed to be
   called from a single event loop; confirm). */
59 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
62 static void send_udppacket(node_t *, vpn_packet_t *);
/* Anti-replay window, in bytes of bitmap (n->late): receive_udppacket()
   tracks replaywin * 8 sequence numbers behind the highest one accepted and
   treats anything replaywin * 8 or more ahead of it as "far future". */
64 unsigned replaywin = 16;
/* When set, each MTU probe batch gets a fourth packet that is broadcast on
   the local network (see send_mtu_probe_handler / send_udppacket). */
65 bool localdiscovery = false;
/* Upper bound (2^30) on a node's received sequence counter; checked after
   every accepted UDP packet in receive_udppacket().  What happens once it
   is exceeded is not shown in this listing. */
67 #define MAX_SEQNO 1073741824
69 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
70 mtuprobes == 31: sleep pinginterval seconds
71 mtuprobes == 32: send 1 burst, sleep pingtimeout seconds
72 mtuprobes == 33: no response from other side, restart PMTU discovery process
74 Probes are sent in batches of three, with random sizes between the lower and
75 upper boundaries for the MTU thus far discovered.
77 In case local discovery is enabled, a fourth packet is added to each batch,
78 which will be broadcast to the local network.
/* Timer callback driving path MTU discovery towards node n.  Each call
   either sends a batch of probe packets or, once the bounds have settled,
   re-arms itself as a periodic UDP keepalive.  The phase is kept in
   n->mtuprobes (see the comment above for the meaning of each value). */
81 static void send_mtu_probe_handler(int fd, short events, void *data) {
/* Probes travel as ordinary encrypted UDP packets via send_udppacket(), so
   without a reachable node holding a valid key there is nothing to send. */
89 if(!n->status.reachable || !n->status.validkey) {
90 ifdebug(TRAFFIC) logger(LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
/* Phase 33: the keepalive burst sent in phase 32 went unanswered, so the
   whole discovery process is restarted. */
95 if(n->mtuprobes > 32) {
98 timeout = pinginterval;
102 ifdebug(TRAFFIC) logger(LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
/* Ten or more probes sent and no reply has ever raised minmtu above 0. */
108 if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
109 ifdebug(TRAFFIC) logger(LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
/* Probe budget exhausted, or the lower and upper bounds have met: fix the
   MTU.  minmtu is clamped first so the two bounds can never cross. */
113 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
114 if(n->minmtu > n->maxmtu)
115 n->minmtu = n->maxmtu;
117 n->maxmtu = n->minmtu;
119 ifdebug(TRAFFIC) logger(LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
/* Phases 31/32: idle for pinginterval, then send one burst and give the
   peer pingtimeout seconds to answer. */
123 if(n->mtuprobes == 31) {
124 timeout = pinginterval;
126 } else if(n->mtuprobes == 32) {
127 timeout = pingtimeout;
/* One batch: three probes, plus a fourth when local discovery is enabled
   (localdiscovery is a bool, so it contributes 0 or 1 to the bound). */
130 for(i = 0; i < 3 + localdiscovery; i++) {
/* Nothing left to bracket.  The statement that follows (not shown here) is
   expected to leave the loop, which is also what keeps the modulus in the
   length computation below strictly positive -- confirm. */
131 if(n->maxmtu <= n->minmtu)
/* Random size strictly above minmtu and at most maxmtu.  rand() is adequate
   here: the size only needs to be spread out, not unpredictable. */
134 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
/* A zeroed 14-byte Ethernet header (ethertype bytes 12 and 13 == 0) is what
   marks this packet as a probe on the receiving side (receive_udppacket
   tests exactly those two bytes).  The payload is filled with random data,
   presumably so that compression cannot shrink the probe. */
139 memset(packet.data, 0, 14);
140 randomize(packet.data + 14, len - 14);
/* Overloaded priority field: -1 makes send_udppacket() broadcast the
   fourth probe on the local network instead of sending it to n directly. */
142 packet.priority = i < 3 ? 0 : -1;
144 ifdebug(TRAFFIC) logger(LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
146 send_udppacket(n, &packet);
/* Re-arm; timeout was chosen above according to the current phase. */
150 event_add(&n->mtuevent, &(struct timeval){timeout, 0});
/* Kick off (or re-kick) MTU discovery towards n: lazily bind the node's
   probe timer to send_mtu_probe_handler, then run the handler right away
   instead of waiting for the first timer expiry. */
153 void send_mtu_probe(node_t *n) {
154 if(!timeout_initialized(&n->mtuevent))
155 timeout_set(&n->mtuevent, send_mtu_probe_handler, n);
156 send_mtu_probe_handler(0, 0, n);
/* Handle an incoming MTU probe from n (len is the size before any
   decompression correction, see receive_udppacket).  Only reached after the
   packet passed the MAC check, so this echo service answers authenticated
   peers only, and with a packet of the same size -- no amplification. */
159 static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
160 ifdebug(TRAFFIC) logger(LOG_INFO, "Got MTU probe length %d from %s (%s)", packet->len, n->name, n->hostname);
/* data[0] == 0 marks a request: bounce it back to the sender.  The line
   that turns it into a reply (presumably setting data[0]) is not shown. */
162 if(!packet->data[0]) {
164 send_udppacket(n, packet);
/* Otherwise it is a reply to one of our probes; the bookkeeping on
   n->minmtu that follows is not visible here. */
166 if(n->mtuprobes > 30) {
/* Compress len bytes of source into dest according to the configured
   level: the branch shown first is the plain copy (its condition, presumably
   level == 0, is not visible), 10 selects LZO1X-1, 1..9 zlib at that level,
   and anything above 10 LZO1X-999.  Returns the compressed length; the
   failure return value is not visible in this listing.
   NOTE(review): the LZO compress functions do not treat *dst_len as an
   input bound -- they require dest to hold at least len + len/16 + 64 + 3
   bytes.  Initialising lzolen to MAXSIZE does not limit the write; confirm
   that MAXSIZE leaves that much headroom over the largest len callers pass. */
180 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
182 memcpy(dest, source, len);
184 } else if(level == 10) {
186 lzo_uint lzolen = MAXSIZE;
187 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
192 } else if(level < 10) {
/* zlib does honour destlen as an output bound, so this path is safe. */
194 unsigned long destlen = MAXSIZE;
195 if(compress2(dest, &destlen, source, len, level) == Z_OK)
202 lzo_uint lzolen = MAXSIZE;
203 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
/* Inverse of compress_packet(): first branch is the plain copy (condition
   not shown), levels above 9 are LZO, everything else zlib.  Both real
   decompressors are the bounded variants -- lzo1x_decompress_safe() and
   uncompress() refuse to write past the MAXSIZE given in lzolen/destlen --
   which is what makes this safe on attacker-influenced input.  The failure
   return value is not visible here. */
213 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
215 memcpy(dest, source, len);
217 } else if(level > 9) {
219 lzo_uint lzolen = MAXSIZE;
220 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
228 unsigned long destlen = MAXSIZE;
229 if(uncompress(dest, &destlen, source, len) == Z_OK)
/* Common entry point for a fully decoded packet from n, whether it arrived
   over UDP or the TCP meta connection: logs it and accounts the bytes.  The
   remainder of the function (not shown here) hands the packet on. */
241 static void receive_packet(node_t *n, vpn_packet_t *packet) {
242 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
243 packet->len, n->name, n->hostname);
246 n->in_bytes += packet->len;
/* Check whether inpkt carries a valid MAC under n's incoming digest,
   without consuming or modifying the packet.  Used by try_harder() to
   decide which node an unknown-source datagram belongs to.  A node with no
   active digest, or a packet too short to hold seqno + MAC, fails (the
   return on that path is not shown).  The MAC is computed over everything
   from seqno up to the MAC itself, i.e. the same coverage as
   receive_udppacket()'s check. */
251 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
252 if(!digest_active(&n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest))
255 return digest_verify(&n->indigest, &inpkt->seqno, inpkt->len - n->indigest.maclength, (const char *)&inpkt->seqno + inpkt->len - n->indigest.maclength);
/* Decode a UDP datagram from n in the order the sender applied the layers:
   MAC check, decrypt, sequence-number / replay check, decompress, deliver.
   The two scratch packets alternate as the output of each stage so no
   stage ever decodes in place. */
258 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
259 vpn_packet_t pkt1, pkt2;
260 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
262 vpn_packet_t *outpkt = pkt[0];
/* Without an incoming cipher we cannot have exchanged keys; drop. */
265 if(!cipher_active(&n->incipher)) {
266 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
267 n->name, n->hostname);
271 /* Check packet length */
/* Must hold at least a sequence number plus a full MAC; this is also what
   keeps the length subtractions below from wrapping. */
273 if(inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest)) {
274 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got too short packet from %s (%s)",
275 n->name, n->hostname);
279 /* Check the message authentication code */
/* Encrypt-then-MAC: the MAC covers seqno plus ciphertext and is verified
   before anything is decrypted, so forged datagrams never reach the cipher. */
281 if(digest_active(&n->indigest)) {
282 inpkt->len -= n->indigest.maclength;
283 if(!digest_verify(&n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
284 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
288 /* Decrypt the packet */
290 if(cipher_active(&n->incipher)) {
291 outpkt = pkt[nextpkt++];
294 if(!cipher_decrypt(&n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
295 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
299 outpkt->len = outlen;
303 /* Check the sequence number */
/* The sequence number was encrypted along with the payload; strip it and
   convert from network byte order. */
305 inpkt->len -= sizeof inpkt->seqno;
306 inpkt->seqno = ntohl(inpkt->seqno);
/* Replay protection.  n->late is a bitmap of replaywin * 8 sequence
   numbers; a set bit means "this seqno was skipped and may still arrive",
   a clear bit means "seen (or never within the window)". */
309 if(inpkt->seqno != n->received_seqno + 1) {
/* Jump of a whole window or more ahead: drop the first replaywin/4 such
   packets (a single stray datagram must not desynchronise the window),
   then accept, report the gap and reset the bitmap. */
310 if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
311 if(n->farfuture++ < replaywin >> 2) {
312 logger(LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
313 n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
316 logger(LOG_WARNING, "Lost %d packets from %s (%s)",
317 inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
318 memset(n->late, 0, replaywin);
/* Behind the highest seqno seen: reject if it fell out of the window
   entirely (the first clause avoids an unsigned underflow when
   received_seqno is still small) or if its slot was already consumed. */
319 } else if (inpkt->seqno <= n->received_seqno) {
320 if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
321 logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
322 n->name, n->hostname, inpkt->seqno, n->received_seqno);
/* In-window jump ahead: mark every skipped seqno as "late, may still
   arrive".  Bounded to fewer than replaywin * 8 iterations by the
   far-future test above. */
326 for(int i = n->received_seqno + 1; i < inpkt->seqno; i++)
327 n->late[(i / 8) % replaywin] |= 1 << i % 8;
/* Consume this seqno's slot so a second copy is rejected as a replay. */
332 n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
335 if(inpkt->seqno > n->received_seqno)
336 n->received_seqno = inpkt->seqno;
/* Counter ceiling; the action taken when it is exceeded is not shown. */
338 if(n->received_seqno > MAX_SEQNO)
341 /* Decompress the packet */
343 length_t origlen = inpkt->len;
345 if(n->incompression) {
346 outpkt = pkt[nextpkt++];
/* NOTE(review): if length_t is an unsigned type (tinc declares it as
   uint16_t elsewhere -- confirm), this "< 0" test can never be true and a
   failed decompression leaves outpkt->len as the wrapped error value
   instead of being dropped here.  Compare the result in a signed local
   before assigning it. */
348 if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
349 ifdebug(TRAFFIC) logger(LOG_ERR, "Error while uncompressing packet from %s (%s)",
350 n->name, n->hostname);
/* Correction applied to the length reported for MTU probes when the
   packet was compressed; the rationale for MTU/64 + 20 is not documented
   here -- TODO confirm. */
356 origlen -= MTU/64 + 20;
/* Ethertype bytes both zero == MTU probe (send_mtu_probe_handler zeroes
   the 14-byte header); everything else is a real packet. */
361 if(!inpkt->data[12] && !inpkt->data[13])
362 mtu_probe_h(n, inpkt, origlen);
364 receive_packet(n, inpkt);
/* Accept a VPN packet of len bytes that arrived inside the TCP meta
   connection c (already authenticated/encrypted by that channel) and hand
   it to receive_packet() as coming from c->node.
   NOTE(review): len is copied straight into outpkt.data with no bound
   check visible in this function.  That is only memory-safe if the caller
   has already rejected len > MAXSIZE (the size of outpkt.data); confirm in
   the PACKET request handler, or add `if(len > MAXSIZE) return;` here so
   this function does not depend on it. */
367 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
/* What is done for TCP-only connections here is not shown in this listing. */
371 if(c->options & OPTION_TCPONLY)
/* priority -1 here just records that the packet came via TCP. */
374 outpkt.priority = -1;
375 memcpy(outpkt.data, buffer, len);
377 receive_packet(c->node, &outpkt);
/* Encode and transmit origpkt to n over UDP: compress, prepend a sequence
   number, encrypt, append a MAC, then sendto().  Falls back to forwarding
   via the next hop / TCP when there is no usable key or the packet exceeds
   the discovered path MTU.  origpkt->len is restored before returning so
   the caller's packet is left intact (the data itself is never modified). */
380 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
381 vpn_packet_t pkt1, pkt2;
382 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
383 vpn_packet_t *inpkt = origpkt;
385 vpn_packet_t *outpkt;
386 int origlen = origpkt->len;
388 #if defined(SOL_IP) && defined(IP_TOS)
/* Last TOS value set on the socket, cached so setsockopt() is only issued
   when the priority actually changes. */
389 static int priority = 0;
390 int origpriority = origpkt->priority;
393 if(!n->status.reachable) {
394 ifdebug(TRAFFIC) logger(LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
398 /* Make sure we have a valid key */
/* No key yet: ask for one at most once every 10 seconds (the request
   itself is not shown) and meanwhile forward the packet over TCP. */
400 if(!n->status.validkey) {
401 time_t now = time(NULL);
403 ifdebug(TRAFFIC) logger(LOG_INFO,
404 "No valid key known yet for %s (%s), forwarding via TCP",
405 n->name, n->hostname);
407 if(n->last_req_key + 10 <= now) {
409 n->last_req_key = now;
412 send_tcppacket(n->nexthop->connection, origpkt);
/* Path MTU: a non-probe packet (ethertype bytes non-zero) larger than the
   known-good MTU is routed through the next hop or TCP rather than risking
   fragmentation or loss.  Probes are exempt since their whole purpose is
   to exceed minmtu. */
417 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
418 ifdebug(TRAFFIC) logger(LOG_INFO,
419 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
420 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
423 send_packet(n->nexthop, origpkt);
425 send_tcppacket(n->nexthop->connection, origpkt);
430 /* Compress the packet */
432 if(n->outcompression) {
433 outpkt = pkt[nextpkt++];
/* NOTE(review): same caveat as in receive_udppacket -- if length_t is
   unsigned this "< 0" check never fires; compare in a signed local. */
435 if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
436 ifdebug(TRAFFIC) logger(LOG_ERR, "Error while compressing packet to %s (%s)",
437 n->name, n->hostname);
444 /* Add sequence number */
/* Per-node monotonically increasing counter, network byte order, placed
   immediately before the payload so it is covered by both the cipher and
   the MAC.  No ceiling is checked on the sending side here; the receiver
   enforces MAX_SEQNO -- confirm rekeying happens before the counter grows
   past it. */
446 inpkt->seqno = htonl(++(n->sent_seqno));
447 inpkt->len += sizeof inpkt->seqno;
449 /* Encrypt the packet */
451 if(cipher_active(&n->outcipher)) {
452 outpkt = pkt[nextpkt++];
455 if(!cipher_encrypt(&n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
456 ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
460 outpkt->len = outlen;
464 /* Add the message authentication code */
/* MAC over seqno + ciphertext, appended after them (encrypt-then-MAC,
   mirroring the receive path). */
466 if(digest_active(&n->outdigest)) {
467 digest_create(&n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len);
468 inpkt->len += digest_length(&n->outdigest);
471 /* Determine which socket we have to use */
/* Pick a listening socket of the same address family as n's address. */
473 if(n->address.sa.sa_family != listen_socket[n->sock].sa.sa.sa_family) {
474 for(int sock = 0; sock < listen_sockets; sock++) {
475 if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family) {
482 /* Send the packet */
488 /* Overloaded use of priority field: -1 means local broadcast */
/* Local-discovery probe: send to the IPv4 limited broadcast address
   (s_addr = -1 is 255.255.255.255) on the port of the edge we learned n
   from.  NOTE(review): `in` is not zero-initialised; only three fields are
   set and sin_zero is left indeterminate.  The "∈" on the assignment line
   is an HTML-entity mangling of "&in;" -- the statement is
   sa = (struct sockaddr *)&in; */
490 if(origpriority == -1 && n->prevedge) {
491 struct sockaddr_in in;
492 in.sin_family = AF_INET;
493 in.sin_addr.s_addr = -1;
494 in.sin_port = n->prevedge->address.in.sin_port;
495 sa = (struct sockaddr *)∈
/* Broadcast requested but no previous edge to take the port from. */
499 if(origpriority == -1)
502 sa = &(n->address.sa);
503 sl = SALEN(n->address.sa);
507 #if defined(SOL_IP) && defined(IP_TOS)
/* Propagate the packet's priority as the IP TOS byte, IPv4 only. */
508 if(priorityinheritance && origpriority != priority
509 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
510 priority = origpriority;
511 ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
512 if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
513 logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
/* The datagram starts at seqno, i.e. seqno | ciphertext | MAC.  A
   would-block error is silently dropped; a message-too-large error feeds
   the MTU estimate by lowering maxmtu/mtu below the original length. */
517 if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
518 if(sockmsgsize(sockerrno)) {
519 if(n->maxmtu >= origlen)
520 n->maxmtu = origlen - 1;
521 if(n->mtu >= origlen)
522 n->mtu = origlen - 1;
524 logger(LOG_ERR, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
/* Undo any in-place length change made while encoding. */
528 origpkt->len = origlen;
532 Send a packet to the given VPN node (delivering it locally when the node is ourselves).
/* Deliver packet to node n: either to the local device (the branch whose
   condition is not shown here, presumably n == myself) or to the right
   peer over TCP or UDP depending on priority and the TCPONLY option. */
534 void send_packet(node_t *n, vpn_packet_t *packet) {
/* Local delivery: stamp our own MAC address into the first ETH_ALEN bytes
   (the destination field of an Ethernet frame) and write to the device. */
539 memcpy(packet->data, mymac.x, ETH_ALEN);
541 n->out_bytes += packet->len;
542 devops.write(packet);
546 ifdebug(TRAFFIC) logger(LOG_ERR, "Sending packet of %d bytes to %s (%s)",
547 packet->len, n->name, n->hostname);
549 if(!n->status.reachable) {
550 ifdebug(TRAFFIC) logger(LOG_INFO, "Node %s (%s) is not reachable",
551 n->name, n->hostname);
556 n->out_bytes += packet->len;
/* Broadcast-style packets (priority -1) always go to the next hop; normal
   packets go to n->via unless that is ourselves.  Note the log line below
   prints n->via->hostname even when via was chosen as n->nexthop. */
558 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
561 ifdebug(TRAFFIC) logger(LOG_INFO, "Sending packet to %s via %s (%s)",
562 n->name, via->name, n->via->hostname);
/* TCP path if either end insists on it or the packet is marked -1; a
   failed TCP send is fatal for that meta connection.  Otherwise UDP. */
564 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
565 if(!send_tcppacket(via->connection, packet))
566 terminate_connection(via->connection, true);
568 send_udppacket(via, packet);
571 /* Broadcast a packet using the minimum spanning tree */
/* Flood packet (originating at from) along the minimum spanning tree:
   deliver it locally, then to every active MST neighbour except the one it
   came from, so each node sees it exactly once.  The TunnelServer check
   referred to in the comment below is not shown in this listing. */
573 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
577 ifdebug(TRAFFIC) logger(LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
578 packet->len, from->name, from->hostname);
581 send_packet(myself, packet);
583 // In TunnelServer mode, do not forward broadcast packets.
584 // The MST might not be valid and create loops.
589 for(node = connection_tree->head; node; node = node->next) {
/* Skip the connection we received the packet on to avoid echoing it back. */
592 if(c->status.active && c->status.mst && c != from->nexthop->connection)
593 send_packet(c->node, packet);
/* A UDP datagram arrived from an address no node is known to use.  Walk
   the edge list and, for every edge whose address matches the sender
   ignoring the port, test whether the datagram's MAC verifies under that
   edge's node key; the first match identifies the sender (the return
   paths are not shown here).  The sweep is rate-limited to once per second
   because every candidate costs a MAC computation on an unauthenticated
   packet.
   NOTE(review): only the MAC is checked here; the replay window is consulted
   later in receive_udppacket().  A still-valid datagram replayed from the
   same IP but a different port would therefore pass this check and, via
   handle_incoming_vpn_data(), rebind the node's UDP address to the new
   port before the replay is detected -- confirm update_node_udp() and the
   subsequent replay check tolerate that. */
597 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
602 static time_t last_hard_try = 0;
603 time_t now = time(NULL);
605 for(node = edge_weight_tree->head; node; node = node->next) {
611 if(sockaddrcmp_noport(from, &e->address)) {
/* At most one expensive sweep per second. */
612 if(last_hard_try == now)
617 if(!try_mac(e->to, pkt))
/* Event callback for a readable UDP listening socket: read one datagram,
   map its source address to a node (falling back to MAC-based
   identification and rebinding the node's address on success), and decode
   it.  data carries the index of the listening socket. */
631 void handle_incoming_vpn_data(int sock, short events, void *data) {
635 socklen_t fromlen = sizeof from;
/* The wire format starts at seqno (seqno | ciphertext | MAC), matching
   what send_udppacket() passes to sendto(); MAXSIZE bounds the read. */
639 len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
641 if(len <= 0 || len > MAXSIZE) {
642 if(!sockwouldblock(sockerrno))
643 logger(LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
649 sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
651 n = lookup_node_udp(&from);
/* Unknown source: identify it by MAC (try_harder) and, if that works,
   learn the new address/port for that node.  Unrecognised packets are only
   logged at PROTOCOL debug level, not answered. */
654 n = try_harder(&from, &pkt);
656 update_node_udp(n, &from);
657 else ifdebug(PROTOCOL) {
658 hostname = sockaddr2hostname(&from);
659 logger(LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
/* Remember which listening socket this peer reaches us on. */
667 n->sock = (intptr_t)data;
669 receive_udppacket(n, &pkt);
/* Event callback for the local TAP/TUN device: read one frame, account it
   against myself and hand it to the router.  Nothing is done when the
   device read reports failure. */
672 void handle_device_data(int sock, short events, void *data) {
677 if(devops.read(&packet)) {
678 myself->in_packets++;
679 myself->in_bytes += packet.len;
680 route(myself, &packet);