X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fnet_packet.c;h=c2552619857c89f7f53df2a7d7c6a82f27ff6dea;hb=9b9230a0a79c670b86f54fadd2807b864ff9d91f;hp=1e455434be6f48382bbe776bf46734f388027c71;hpb=61275547cdf950e1c4499f19044ff171a9a74af7;p=tinc

diff --git a/src/net_packet.c b/src/net_packet.c
index 1e455434..c2552619 100644
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -1,7 +1,7 @@
 /*
     net_packet.c -- Handles in- and outgoing VPN packets
     Copyright (C) 1998-2005 Ivo Timmermans,
-                  2000-2012 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2013 Guus Sliepen <guus@tinc-vpn.org>
                   2010      Timothy Redaelli <timothy@redaelli.eu>
                   2010      Brandon Black <blblack@gmail.com>
 
@@ -22,12 +22,6 @@
 
 #include "system.h"
 
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-#include <openssl/hmac.h>
-
 #ifdef HAVE_ZLIB
 #include <zlib.h>
 #endif
@@ -70,11 +64,15 @@ bool localdiscovery = false;
    mtuprobes ==    32: send 1 burst, sleep pingtimeout second
    mtuprobes ==    33: no response from other side, restart PMTU discovery process
 
-   Probes are sent in batches of three, with random sizes between the lower and
-   upper boundaries for the MTU thus far discovered.
+   Probes are sent in batches of at least three, with random sizes between the
+   lower and upper boundaries for the MTU thus far discovered.
+
+   After the initial discovery, a fourth packet is added to each batch with a
+   size larger than the currently known PMTU, to test if the PMTU has increased.
 
-   In case local discovery is enabled, a fourth packet is added to each batch,
+   In case local discovery is enabled, another packet is added to each batch,
    which will be broadcast to the local network.
+
 */
 
 static void send_mtu_probe_handler(void *data) {
@@ -125,13 +123,18 @@ static void send_mtu_probe_handler(void *data) {
 		timeout = pingtimeout;
 	}
 
-	for(int i = 0; i < 3 + localdiscovery; i++) {
+	for(int i = 0; i < 4 + localdiscovery; i++) {
 		int len;
 
-		if(n->maxmtu <= n->minmtu)
+		if(i == 0) {
+			if(n->mtuprobes < 30 || n->maxmtu + 8 >= MTU)
+				continue;
+			len = n->maxmtu + 8;
+		} else if(n->maxmtu <= n->minmtu) {
 			len = n->maxmtu;
-		else
+		} else {
 			len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
+		}
 
 		if(len < 64)
 			len = 64;
@@ -140,7 +143,7 @@ static void send_mtu_probe_handler(void *data) {
 		memset(packet.data, 0, 14);
 		randomize(packet.data + 14, len - 14);
 		packet.len = len;
-		if(i >= 3 && n->mtuprobes <= 10)
+		if(i >= 4 && n->mtuprobes <= 10)
 			packet.priority = -1;
 		else
 			packet.priority = 0;
@@ -199,6 +202,13 @@ static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
 		/* If we haven't established the PMTU yet, restart the discovery process. */
 
 		if(n->mtuprobes > 30) {
+			if (len == n->maxmtu + 8) {
+				logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
+				n->maxmtu = MTU;
+				n->mtuprobes = 10;
+				return;
+			}
+
 			if(n->minmtu)
 				n->mtuprobes = 30;
 			else
@@ -308,10 +318,10 @@ static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
 	if(n->status.sptps)
 		return sptps_verify_datagram(&n->sptps, (char *)&inpkt->seqno, inpkt->len);
 
-	if(!digest_active(&n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest))
+	if(!digest_active(n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(n->indigest))
 		return false;
 
-	return digest_verify(&n->indigest, &inpkt->seqno, inpkt->len - n->indigest.maclength, (const char *)&inpkt->seqno + inpkt->len - n->indigest.maclength);
+	return digest_verify(n->indigest, &inpkt->seqno, inpkt->len - digest_length(n->indigest), (const char *)&inpkt->seqno + inpkt->len - digest_length(n->indigest));
 }
 
 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
@@ -326,7 +336,7 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 		return;
 	}
 
-	if(!cipher_active(&n->incipher)) {
+	if(!cipher_active(n->incipher)) {
 		logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
 					n->name, n->hostname);
 		return;
@@ -334,7 +344,7 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 
 	/* Check packet length */
 
-	if(inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest)) {
+	if(inpkt->len < sizeof inpkt->seqno + digest_length(n->indigest)) {
 		logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
 					n->name, n->hostname);
 		return;
@@ -342,20 +352,20 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 
 	/* Check the message authentication code */
 
-	if(digest_active(&n->indigest)) {
-		inpkt->len -= n->indigest.maclength;
-		if(!digest_verify(&n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
+	if(digest_active(n->indigest)) {
+		inpkt->len -= digest_length(n->indigest);
+		if(!digest_verify(n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
 			logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
 			return;
 		}
 	}
 	/* Decrypt the packet */
 
-	if(cipher_active(&n->incipher)) {
+	if(cipher_active(n->incipher)) {
 		outpkt = pkt[nextpkt++];
 		outlen = MAXSIZE;
 
-		if(!cipher_decrypt(&n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+		if(!cipher_decrypt(n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
 			logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
 			return;
 		}
@@ -433,6 +443,9 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
 	vpn_packet_t outpkt;
 
+	if(len > sizeof outpkt.data)
+		return;
+
 	outpkt.len = len;
 	if(c->options & OPTION_TCPONLY)
 		outpkt.priority = 0;
@@ -448,7 +461,7 @@ static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
 		logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
 		if(!n->status.waitingforkey)
 			send_req_key(n);
-		else if(n->last_req_key + 10 < time(NULL)) {
+		else if(n->last_req_key + 10 < now.tv_sec) {
 			logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
 			sptps_stop(&n->sptps);
 			n->status.waitingforkey = false;
@@ -640,11 +653,11 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
 
 	/* Encrypt the packet */
 
-	if(cipher_active(&n->outcipher)) {
+	if(cipher_active(n->outcipher)) {
 		outpkt = pkt[nextpkt++];
 		outlen = MAXSIZE;
 
-		if(!cipher_encrypt(&n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
+		if(!cipher_encrypt(n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
 			logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
 			goto end;
 		}
@@ -655,9 +668,9 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
 
 	/* Add the message authentication code */
 
-	if(digest_active(&n->outdigest)) {
-		digest_create(&n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len);
-		inpkt->len += digest_length(&n->outdigest);
+	if(digest_active(n->outdigest)) {
+		digest_create(n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len);
+		inpkt->len += digest_length(n->outdigest);
 	}
 
 	/* Send the packet */