/*
net_packet.c -- Handles in- and outgoing VPN packets
- Copyright (C) 1998-2003 Ivo Timmermans <ivo@o2w.nl>,
- 2000-2003 Guus Sliepen <guus@sliepen.eu.org>
+ Copyright (C) 1998-2005 Ivo Timmermans,
+ 2000-2006 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- $Id: net_packet.c,v 1.1.2.35 2003/07/22 20:55:20 guus Exp $
+ $Id$
*/
#include "system.h"
#include <openssl/rand.h>
+#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/hmac.h>
#include <zlib.h>
-#include <lzo1x.h>
+#include LZO1X_H
#include "avl_tree.h"
#include "conf.h"
#include "connection.h"
#include "device.h"
-#include "event.h"
+#include "ethernet.h"
#include "graph.h"
#include "list.h"
#include "logger.h"
#include "utils.h"
#include "xalloc.h"
+#ifdef WSAEMSGSIZE
+#define EMSGSIZE WSAEMSGSIZE
+#endif
+
int keylifetime = 0;
-int keyexpires = 0;
EVP_CIPHER_CTX packet_ctx;
static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
+static void send_udppacket(node_t *, vpn_packet_t *);
#define MAX_SEQNO 1073741824
+static void send_mtu_probe_handler(int fd, short events, void *data) {
+ node_t *n = data;
+ vpn_packet_t packet;
+ int len, i;
+
+ cp();
+
+ n->mtuprobes++;
+
+ if(n->mtuprobes >= 10 && !n->minmtu) {
+ ifdebug(TRAFFIC) logger(LOG_INFO, _("No response to MTU probes from %s (%s)"), n->name, n->hostname);
+ return;
+ }
+
+ for(i = 0; i < 3; i++) {
+ if(n->mtuprobes >= 30 || n->minmtu >= n->maxmtu) {
+ n->mtu = n->minmtu;
+ ifdebug(TRAFFIC) logger(LOG_INFO, _("Fixing MTU of %s (%s) to %d after %d probes"), n->name, n->hostname, n->mtu, n->mtuprobes);
+ return;
+ }
+
+ len = n->minmtu + 1 + random() % (n->maxmtu - n->minmtu);
+ if(len < 64)
+ len = 64;
+
+ memset(packet.data, 0, 14);
+ RAND_pseudo_bytes(packet.data + 14, len - 14);
+ packet.len = len;
+
+ ifdebug(TRAFFIC) logger(LOG_INFO, _("Sending MTU probe length %d to %s (%s)"), len, n->name, n->hostname);
+
+ send_udppacket(n, &packet);
+ }
+
+ event_add(&n->mtuevent, &(struct timeval){1, 0});
+}
+
+void send_mtu_probe(node_t *n) {
+ if(!timeout_initialized(&n->mtuevent))
+ timeout_set(&n->mtuevent, send_mtu_probe_handler, n);
+ send_mtu_probe_handler(0, 0, n);
+}
+
+void mtu_probe_h(node_t *n, vpn_packet_t *packet) {
+ ifdebug(TRAFFIC) logger(LOG_INFO, _("Got MTU probe length %d from %s (%s)"), packet->len, n->name, n->hostname);
+
+ if(!packet->data[0]) {
+ packet->data[0] = 1;
+ send_packet(n, packet);
+ } else {
+ if(n->minmtu < packet->len)
+ n->minmtu = packet->len;
+ }
+}
+
static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level)
{
if(level == 10) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Received packet of %d bytes from %s (%s)"),
packet->len, n->name, n->hostname);
- route_incoming(n, packet);
+ route(n, packet);
}
static void receive_udppacket(node_t *n, vpn_packet_t *inpkt)
int nextpkt = 0;
vpn_packet_t *outpkt = pkt[0];
int outlen, outpad;
- char hmac[EVP_MAX_MD_SIZE];
+ unsigned char hmac[EVP_MAX_MD_SIZE];
int i;
cp();
+ /* Check packet length */
+
+ if(inpkt->len < sizeof(inpkt->seqno) + myself->maclength) {
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got too short packet from %s (%s)"),
+ n->name, n->hostname);
+ return;
+ }
+
/* Check the message authentication code */
if(myself->digest && myself->maclength) {
inpkt->len -= myself->maclength;
HMAC(myself->digest, myself->key, myself->keylength,
- (char *) &inpkt->seqno, inpkt->len, hmac, NULL);
+ (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, myself->maclength)) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"),
if(myself->cipher) {
outpkt = pkt[nextpkt++];
-// EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key,
-// myself->key + myself->cipher->key_len);
- EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL);
- EVP_DecryptUpdate(&packet_ctx, (char *) &outpkt->seqno, &outlen,
- (char *) &inpkt->seqno, inpkt->len);
- EVP_DecryptFinal_ex(&packet_ctx, (char *) &outpkt->seqno + outlen, &outpad);
+ if(!EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL)
+ || !EVP_DecryptUpdate(&packet_ctx, (unsigned char *) &outpkt->seqno, &outlen,
+ (unsigned char *) &inpkt->seqno, inpkt->len)
+ || !EVP_DecryptFinal_ex(&packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s): %s"),
+ n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
+ return;
+ }
outpkt->len = outlen + outpad;
inpkt = outpkt;
memset(n->late, 0, sizeof(n->late));
} else if (inpkt->seqno <= n->received_seqno) {
- if(inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8 || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) {
+ if((n->received_seqno >= sizeof(n->late) * 8 && inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8) || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) {
logger(LOG_WARNING, _("Got late or replayed packet from %s (%s), seqno %d, last received %d"),
n->name, n->hostname, inpkt->seqno, n->received_seqno);
- } else
- for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
- n->late[(inpkt->seqno / 8) % sizeof(n->late)] |= 1 << i % 8;
+ return;
+ }
+ } else {
+ for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
+ n->late[(i / 8) % sizeof(n->late)] |= 1 << i % 8;
}
}
- n->received_seqno = inpkt->seqno;
- n->late[(n->received_seqno / 8) % sizeof(n->late)] &= ~(1 << n->received_seqno % 8);
+ n->late[(inpkt->seqno / 8) % sizeof(n->late)] &= ~(1 << inpkt->seqno % 8);
+
+ if(inpkt->seqno > n->received_seqno)
+ n->received_seqno = inpkt->seqno;
if(n->received_seqno > MAX_SEQNO)
- keyexpires = 0;
+ regenerate_key();
/* Decompress the packet */
outpkt = pkt[nextpkt++];
if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, myself->compression)) < 0) {
- logger(LOG_ERR, _("Error while uncompressing packet from %s (%s)"),
- n->name, n->hostname);
+ ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while uncompressing packet from %s (%s)"),
+ n->name, n->hostname);
return;
}
inpkt = outpkt;
}
- receive_packet(n, inpkt);
+ if(!inpkt->data[12] && !inpkt->data[13])
+ mtu_probe_h(n, inpkt);
+ else
+ receive_packet(n, inpkt);
}
void receive_tcppacket(connection_t *c, char *buffer, int len)
receive_packet(c->node, &outpkt);
}
-static void send_udppacket(node_t *n, vpn_packet_t *inpkt)
+static void send_udppacket(node_t *n, vpn_packet_t *origpkt)
{
vpn_packet_t pkt1, pkt2;
vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
+ vpn_packet_t *inpkt = origpkt;
int nextpkt = 0;
vpn_packet_t *outpkt;
int origlen;
/* Since packet is on the stack of handle_tap_input(), we have to make a copy of it first. */
- copy = xmalloc(sizeof(vpn_packet_t));
- memcpy(copy, inpkt, sizeof(vpn_packet_t));
+ *(copy = xmalloc(sizeof(*copy))) = *inpkt;
list_insert_tail(n->queue, copy);
outpkt = pkt[nextpkt++];
if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->compression)) < 0) {
- logger(LOG_ERR, _("Error while compressing packet to %s (%s)"),
+ ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while compressing packet to %s (%s)"),
n->name, n->hostname);
return;
}
if(n->cipher) {
outpkt = pkt[nextpkt++];
-// EVP_EncryptInit_ex(&packet_ctx, n->cipher, NULL, n->key, n->key + n->cipher->key_len);
- EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL);
- EVP_EncryptUpdate(&n->packet_ctx, (char *) &outpkt->seqno, &outlen,
- (char *) &inpkt->seqno, inpkt->len);
- EVP_EncryptFinal_ex(&n->packet_ctx, (char *) &outpkt->seqno + outlen, &outpad);
+ if(!EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL)
+ || !EVP_EncryptUpdate(&n->packet_ctx, (unsigned char *) &outpkt->seqno, &outlen,
+ (unsigned char *) &inpkt->seqno, inpkt->len)
+ || !EVP_EncryptFinal_ex(&n->packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
+ ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"),
+ n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
+ goto end;
+ }
outpkt->len = outlen + outpad;
inpkt = outpkt;
/* Add the message authentication code */
if(n->digest && n->maclength) {
- HMAC(n->digest, n->key, n->keylength, (char *) &inpkt->seqno,
- inpkt->len, (char *) &inpkt->seqno + inpkt->len, &outlen);
+ HMAC(n->digest, n->key, n->keylength, (unsigned char *) &inpkt->seqno,
+ inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL);
inpkt->len += n->maclength;
}
priority = origpriority;
ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Setting outgoing packet priority to %d"), priority);
if(setsockopt(listen_socket[sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
- logger(LOG_ERR, _("System call `%s' failed: %s"), "setsockopt",
- strerror(errno));
+ logger(LOG_ERR, _("System call `%s' failed: %s"), "setsockopt", strerror(errno));
}
#endif
if((sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, &(n->address.sa), SALEN(n->address.sa))) < 0) {
- logger(LOG_ERR, _("Error sending packet to %s (%s): %s"), n->name,
- n->hostname, strerror(errno));
- return;
+ if(errno == EMSGSIZE) {
+ if(n->maxmtu >= origlen)
+ n->maxmtu = origlen - 1;
+ if(n->mtu >= origlen)
+ n->mtu = origlen - 1;
+ } else
+ logger(LOG_ERR, _("Error sending packet to %s (%s): %s"), n->name, n->hostname, strerror(errno));
}
- inpkt->len = origlen;
+end:
+ origpkt->len = origlen;
}
/*
send a packet to the given vpn ip.
*/
-void send_packet(node_t *n, vpn_packet_t *packet)
+void send_packet(const node_t *n, vpn_packet_t *packet)
{
node_t *via;
cp();
- ifdebug(TRAFFIC) logger(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"),
- packet->len, n->name, n->hostname);
-
if(n == myself) {
- ifdebug(TRAFFIC) logger(LOG_NOTICE, _("Packet is looping back to us!"));
+ if(overwrite_mac)
+ memcpy(packet->data, mymac.x, ETH_ALEN);
+ write_packet(packet);
return;
}
+ ifdebug(TRAFFIC) logger(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"),
+ packet->len, n->name, n->hostname);
+
if(!n->status.reachable) {
ifdebug(TRAFFIC) logger(LOG_INFO, _("Node %s (%s) is not reachable"),
n->name, n->hostname);
/* Broadcast a packet using the minimum spanning tree */
-void broadcast_packet(node_t *from, vpn_packet_t *packet)
+void broadcast_packet(const node_t *from, vpn_packet_t *packet)
{
avl_node_t *node;
connection_t *c;
ifdebug(TRAFFIC) logger(LOG_INFO, _("Broadcasting packet of %d bytes from %s (%s)"),
packet->len, from->name, from->hostname);
+ if(from != myself)
+ send_packet(myself, packet);
+
for(node = connection_tree->head; node; node = node->next) {
- c = (connection_t *) node->data;
+ c = node->data;
if(c->status.active && c->status.mst && c != from->nexthop->connection)
send_packet(c->node, packet);
for(node = n->queue->head; node; node = next) {
next = node->next;
- send_udppacket(n, (vpn_packet_t *) node->data);
+ send_udppacket(n, node->data);
list_delete_node(n->queue, node);
}
}
-void handle_incoming_vpn_data(int sock)
+void handle_incoming_vpn_data(int sock, short events, void *data)
{
vpn_packet_t pkt;
- int x, l = sizeof(x);
char *hostname;
sockaddr_t from;
socklen_t fromlen = sizeof(from);
cp();
- if(getsockopt(sock, SOL_SOCKET, SO_ERROR, &x, &l) < 0) {
- logger(LOG_ERR, _("This is a bug: %s:%d: %d:%s"),
- __FILE__, __LINE__, sock, strerror(errno));
- cp_trace();
- exit(1);
- }
-
- if(x) {
- logger(LOG_ERR, _("Incoming data socket error: %s"), strerror(x));
- return;
- }
-
pkt.len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
- if(pkt.len <= 0) {
+ if(pkt.len < 0) {
logger(LOG_ERR, _("Receiving packet failed: %s"), strerror(errno));
return;
}
return;
}
- if(n->connection)
- n->connection->last_ping_time = now;
-
receive_udppacket(n, &pkt);
}
+
+void handle_device_data(int sock, short events, void *data)
+{
+ vpn_packet_t packet;
+
+ if(read_packet(&packet))
+ route(myself, &packet);
+}