X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fnet_packet.c;h=f9907ee7d73aafdd6b6272cfa7c16bdf15eaaa5d;hb=1545909dcb3ac618754486f4ccd4d8f237d64bb7;hp=ce2361cb08cbc4757cd72dd1e5226b2de0ac376f;hpb=0b2361a9399944cd57def87226f2be7f92646aa5;p=tinc diff --git a/src/net_packet.c b/src/net_packet.c index ce2361cb..f9907ee7 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -1,7 +1,7 @@ /* net_packet.c -- Handles in- and outgoing VPN packets Copyright (C) 1998-2005 Ivo Timmermans, - 2000-2017 Guus Sliepen + 2000-2021 Guus Sliepen 2010 Timothy Redaelli 2010 Brandon Black @@ -23,13 +23,21 @@ #include "system.h" #ifdef HAVE_ZLIB +#define ZLIB_CONST #include +#include + #endif #ifdef HAVE_LZO #include LZO1X_H #endif +#ifdef LZ4_H +#include LZ4_H +#endif + +#include "address_cache.h" #include "cipher.h" #include "conf.h" #include "connection.h" @@ -39,14 +47,12 @@ #include "ethernet.h" #include "ipv4.h" #include "ipv6.h" -#include "graph.h" #include "logger.h" #include "net.h" #include "netutl.h" #include "protocol.h" #include "route.h" #include "utils.h" -#include "xalloc.h" #ifndef MAX #define MAX(a, b) ((a) > (b) ? (a) : (b)) @@ -62,6 +68,12 @@ int keylifetime = 0; static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS]; #endif +#ifdef HAVE_LZ4_BUILTIN +static LZ4_stream_t lz4_stream; +#else +static void *lz4_state = NULL; +#endif /* HAVE_LZ4_BUILTIN */ + static void send_udppacket(node_t *, vpn_packet_t *); unsigned replaywin = 32; @@ -100,6 +112,7 @@ static void udp_probe_timeout_handler(void *data) { logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname); n->status.udp_confirmed = false; + n->udp_ping_rtt = -1; n->maxrecentlen = 0; n->mtuprobes = 0; n->minmtu = 0; @@ -138,7 +151,8 @@ static void send_udp_probe_reply(node_t *n, vpn_packet_t *packet, length_t len) static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) { if(!DATA(packet)[0]) { logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname); - return send_udp_probe_reply(n, packet, len); + send_udp_probe_reply(n, packet, len); + return; } if(DATA(packet)[0] == 2) { @@ -148,15 +162,31 @@ static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) { len = ntohs(len16); } - logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname); + if(n->status.ping_sent) { // a probe in flight + gettimeofday(&now, NULL); + struct timeval rtt; + timersub(&now, &n->udp_ping_sent, &rtt); + n->udp_ping_rtt = rtt.tv_sec * 1000000 + rtt.tv_usec; + n->status.ping_sent = false; + logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s) rtt=%d.%03d", DATA(packet)[0], len, n->name, n->hostname, n->udp_ping_rtt / 1000, n->udp_ping_rtt % 1000); + } else { + logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname); + } /* It's a valid reply: now we know bidirectional communication is possible using the address and socket that the reply packet used. */ - n->status.udp_confirmed = true; + if(!n->status.udp_confirmed) { + n->status.udp_confirmed = true; + + if(!n->address_cache) { + n->address_cache = open_address_cache(n); + } + + reset_address_cache(n->address_cache, &n->address); + } // Reset the UDP ping timer. - n->udp_ping_sent = now; if(udp_discovery) { timeout_del(&n->udp_ping_timeout); @@ -186,69 +216,157 @@ static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) { } } -static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) { - if(level == 0) { - memcpy(dest, source, len); - return len; - } else if(level == 10) { +#ifdef HAVE_LZ4 +static length_t compress_packet_lz4(uint8_t *dest, const uint8_t *source, length_t len) { +#ifdef HAVE_LZ4_BUILTIN + return LZ4_compress_fast_extState(&lz4_stream, (const char *) source, (char *) dest, len, MAXSIZE, 0); +#else + + /* @FIXME: Put this in a better place, and free() it too. */ + if(lz4_state == NULL) { + lz4_state = malloc(LZ4_sizeofState()); + } + + if(lz4_state == NULL) { + logger(DEBUG_ALWAYS, LOG_ERR, "Failed to allocate lz4_state, error: %i", errno); + return 0; + } + + return LZ4_compress_fast_extState(lz4_state, (const char *) source, (char *) dest, len, MAXSIZE, 0); +#endif /* HAVE_LZ4_BUILTIN */ +} +#endif /* HAVE_LZ4 */ + #ifdef HAVE_LZO - lzo_uint lzolen = MAXSIZE; - lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem); +static length_t compress_packet_lzo(uint8_t *dest, const uint8_t *source, length_t len, int level) { + assert(level == 10 || level == 11); + + lzo_uint lzolen = MAXSIZE; + int result; + + if(level == 11) { + result = lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem); + } else { // level == 10 + result = lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem); + } + + if(result == LZO_E_OK) { return lzolen; -#else - return -1; + } else { + return 0; + } +} #endif - } else if(level < 10) { -#ifdef HAVE_ZLIB - unsigned long destlen = MAXSIZE; - if(compress2(dest, &destlen, source, len, level) == Z_OK) { - return destlen; - } else +static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) { + switch(level) { +#ifdef HAVE_LZ4 + + case 12: + return compress_packet_lz4(dest, source, len); #endif - return -1; - } else { + #ifdef HAVE_LZO - lzo_uint lzolen = MAXSIZE; - lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem); - return lzolen; -#else - return -1; + + case 11: + case 10: + return compress_packet_lzo(dest, source, len, level); #endif +#ifdef HAVE_ZLIB + + case 9: + case 8: + case 7: + case 6: + case 5: + case 4: + case 3: + case 2: + case 1: { + unsigned long dest_len = MAXSIZE; + + if(compress2(dest, (unsigned long *) &dest_len, source, len, level) == Z_OK) { + return dest_len; + } else { + return 0; + } } - return -1; -} +#endif -static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) { - if(level == 0) { + case 0: memcpy(dest, source, len); return len; - } else if(level > 9) { -#ifdef HAVE_LZO - lzo_uint lzolen = MAXSIZE; - if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK) { - return lzolen; - } else + default: + return 0; + } +} + +static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) { + switch(level) { +#ifdef HAVE_LZ4 + + case 12: + return LZ4_decompress_safe((char *)source, (char *) dest, len, MAXSIZE); + #endif - return -1; +#ifdef HAVE_LZO + + case 11: + case 10: { + lzo_uint dst_len = MAXSIZE; + + if(lzo1x_decompress_safe(source, len, dest, (lzo_uint *) &dst_len, NULL) == LZO_E_OK) { + return dst_len; + } else { + return 0; + } } +#endif #ifdef HAVE_ZLIB - else { + + case 9: + case 8: + case 7: + case 6: + case 5: + case 4: + case 3: + case 2: + case 1: { unsigned long destlen = MAXSIZE; + static z_stream stream; + + if(stream.next_in) { + inflateReset(&stream); + } else { + inflateInit(&stream); + } + + stream.next_in = source; + stream.avail_in = len; + stream.next_out = dest; + stream.avail_out = destlen; + stream.total_out = 0; - if(uncompress(dest, &destlen, source, len) == Z_OK) { - return destlen; + if(inflate(&stream, Z_FINISH) == Z_STREAM_END) { + return stream.total_out; } else { - return -1; + return 0; } } #endif - return -1; + case 0: + memcpy(dest, source, len); + return len; + + default: + return 0; + } } /* VPN packet I/O */ @@ -272,7 +390,7 @@ static bool try_mac(node_t *n, const vpn_packet_t *inpkt) { return false; #else - if(!n->status.validkey_in || !digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) { + if(!n->status.validkey_in || !digest_active(n->indigest) || (size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) { return false; } @@ -281,13 +399,6 @@ static bool try_mac(node_t *n, const vpn_packet_t *inpkt) { } static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) { - vpn_packet_t pkt1, pkt2; - vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 }; - int nextpkt = 0; - size_t outlen; - pkt1.offset = DEFAULT_PACKET_OFFSET; - pkt2.offset = DEFAULT_PACKET_OFFSET; - if(n->status.sptps) { if(!n->sptps.state) { if(!n->status.waitingforkey) { @@ -323,6 +434,12 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) { #ifdef DISABLE_LEGACY return false; #else + vpn_packet_t pkt1, pkt2; + vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 }; + int nextpkt = 0; + size_t outlen; + pkt1.offset = DEFAULT_PACKET_OFFSET; + pkt2.offset = DEFAULT_PACKET_OFFSET; if(!n->status.validkey_in) { logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname); @@ -331,7 +448,7 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) { /* Check packet length */ - if(inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) { + if((size_t)inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) { logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)", n->name, n->hostname); return false; @@ -393,7 +510,7 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) { return false; } } else { - for(int i = n->received_seqno + 1; i < seqno; i++) { + for(seqno_t i = n->received_seqno + 1; i < seqno; i++) { n->late[(i / 8) % replaywin] |= 1 << i % 8; } } @@ -420,7 +537,7 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) { if(n->incompression) { vpn_packet_t *outpkt = pkt[nextpkt++]; - if((outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression)) < 0) { + if(!(outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression))) { logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)", n->name, n->hostname); return false; @@ -428,7 +545,11 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) { inpkt = outpkt; - origlen -= MTU / 64 + 20; + if(origlen > MTU / 64 + 20) { + origlen -= MTU / 64 + 20; + } else { + origlen = 0; + } } if(inpkt->len > n->maxrecentlen) { @@ -447,7 +568,7 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) { #endif } -void receive_tcppacket(connection_t *c, const char *buffer, int len) { +void receive_tcppacket(connection_t *c, const char *buffer, size_t len) { vpn_packet_t outpkt; outpkt.offset = DEFAULT_PACKET_OFFSET; @@ -468,7 +589,7 @@ void receive_tcppacket(connection_t *c, const char *buffer, int len) { receive_packet(c->node, &outpkt); } -bool receive_tcppacket_sptps(connection_t *c, const char *data, int len) { +bool receive_tcppacket_sptps(connection_t *c, const char *data, size_t len) { if(len < sizeof(node_id_t) + sizeof(node_id_t)) { logger(DEBUG_PROTOCOL, LOG_ERR, "Got too short TCP SPTPS packet from %s (%s)", c->name, c->hostname); return false; @@ -509,7 +630,10 @@ bool receive_tcppacket_sptps(connection_t *c, const char *data, int len) { /* If we're not the final recipient, relay the packet. */ if(to != myself) { - send_sptps_data(to, from, 0, data, len); + if(to->status.validkey) { + send_sptps_data(to, from, 0, data, len); + } + try_tx(to, true); return true; } @@ -559,9 +683,9 @@ static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) { if(n->outcompression) { outpkt.offset = 0; - int len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression); + length_t len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression); - if(len < 0) { + if(!len) { logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname); } else if(len < origpkt->len - offset) { outpkt.len = len + offset; @@ -662,6 +786,19 @@ static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *so } static void send_udppacket(node_t *n, vpn_packet_t *origpkt) { + if(!n->status.reachable) { + logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname); + return; + } + + if(n->status.sptps) { + send_sptps_packet(n, origpkt); + return; + } + +#ifdef DISABLE_LEGACY + return; +#else vpn_packet_t pkt1, pkt2; vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 }; vpn_packet_t *inpkt = origpkt; @@ -674,18 +811,6 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) { pkt1.offset = DEFAULT_PACKET_OFFSET; pkt2.offset = DEFAULT_PACKET_OFFSET; - if(!n->status.reachable) { - logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname); - return; - } - - if(n->status.sptps) { - return send_sptps_packet(n, origpkt); - } - -#ifdef DISABLE_LEGACY - return; -#else /* Make sure we have a valid key */ if(!n->status.validkey) { @@ -715,7 +840,7 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) { if(n->outcompression) { outpkt = pkt[nextpkt++]; - if((outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression)) < 0) { + if(!(outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression))) { logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname); return; @@ -869,7 +994,7 @@ bool send_sptps_data(node_t *to, node_t *from, int type, const void *data, size_ if(relay_supported) { if(direct) { /* Inform the recipient that this packet was sent directly. */ - node_id_t nullid = {}; + node_id_t nullid = {0}; memcpy(buf_ptr, &nullid, sizeof(nullid)); buf_ptr += sizeof(nullid); } else { @@ -929,7 +1054,7 @@ bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t if(!from->status.validkey) { from->status.validkey = true; from->status.waitingforkey = false; - logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname); + logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) successful", from->name, from->hostname); } return true; @@ -979,7 +1104,7 @@ bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t if(type & PKT_COMPRESSED) { length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression); - if(ulen < 0) { + if(!ulen) { return false; } else { inpkt.len = ulen + offset; @@ -1045,6 +1170,12 @@ static void try_sptps(node_t *n) { static void send_udp_probe_packet(node_t *n, int len) { vpn_packet_t packet; + + if(len > sizeof(packet.data)) { + logger(DEBUG_TRAFFIC, LOG_INFO, "Truncating probe length %d to %s (%s)", len, n->name, n->hostname); + len = sizeof(packet.data); + } + packet.offset = DEFAULT_PACKET_OFFSET; memset(DATA(&packet), 0, 14); randomize(DATA(&packet) + 14, len - 14); @@ -1093,8 +1224,10 @@ static void try_udp(node_t *n) { int interval = n->status.udp_confirmed ? udp_discovery_keepalive_interval : udp_discovery_interval; if(ping_tx_elapsed.tv_sec >= interval) { + gettimeofday(&now, NULL); + n->udp_ping_sent = now; // a probe in flight + n->status.ping_sent = true; send_udp_probe_packet(n, MIN_PROBE_SIZE); - n->udp_ping_sent = now; if(localdiscovery && !n->status.udp_confirmed && n->prevedge) { n->status.send_locally = true; @@ -1190,9 +1323,8 @@ static length_t choose_initial_maxmtu(node_t *n) { return mtu; #else - + (void)n; return MTU; - #endif } @@ -1286,14 +1418,19 @@ static void try_mtu(node_t *n) { const length_t minmtu = MAX(n->minmtu, 512); const float interval = n->maxmtu - minmtu; - /* The core of the discovery algorithm is this exponential. - It produces very large probes early in the cycle, and then it very quickly decreases the probe size. - This reflects the fact that in the most difficult cases, we don't get any feedback for probes that - are too large, and therefore we need to concentrate on small offsets so that we can quickly converge - on the precise MTU as we are approaching it. - The last probe of the cycle is always 1 byte in size - this is to make sure we'll get at least one - reply per cycle so that we can make progress. */ - const length_t offset = powf(interval, multiplier * cycle_position / (probes_per_cycle - 1)); + length_t offset = 0; + + /* powf can be underflowed if n->maxmtu is less than 512 due to the minmtu MAX bound */ + if(interval > 0) { + /* The core of the discovery algorithm is this exponential. + It produces very large probes early in the cycle, and then it very quickly decreases the probe size. + This reflects the fact that in the most difficult cases, we don't get any feedback for probes that + are too large, and therefore we need to concentrate on small offsets so that we can quickly converge + on the precise MTU as we are approaching it. + The last probe of the cycle is always 1 byte in size - this is to make sure we'll get at least one + reply per cycle so that we can make progress. */ + offset = powf(interval, multiplier * cycle_position / (probes_per_cycle - 1)); + } length_t maxmtu = n->maxmtu; send_udp_probe_packet(n, minmtu + offset); @@ -1347,7 +1484,8 @@ static void try_tx_sptps(node_t *n, bool mtu) { return; } - return try_tx(via, mtu); + try_tx(via, mtu); + return; } /* Otherwise, try to establish UDP connectivity. */ @@ -1569,7 +1707,7 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) { static void handle_incoming_vpn_packet(listen_socket_t *ls, vpn_packet_t *pkt, sockaddr_t *addr) { char *hostname; - node_id_t nullid = {}; + node_id_t nullid = {0}; node_t *from, *to; bool direct = false; @@ -1588,7 +1726,7 @@ static void handle_incoming_vpn_packet(listen_socket_t *ls, vpn_packet_t *pkt, s pkt->offset = 2 * sizeof(node_id_t); from = lookup_node_id(SRCID(pkt)); - if(from && !memcmp(DSTID(pkt), &nullid, sizeof(nullid)) && from->status.sptps) { + if(from && from->status.sptps && !memcmp(DSTID(pkt), &nullid, sizeof(nullid))) { if(sptps_verify_datagram(&from->sptps, DATA(pkt), pkt->len - 2 * sizeof(node_id_t))) { n = from; } else { @@ -1624,7 +1762,7 @@ skip_harder: pkt->len -= pkt->offset; } - if(!memcmp(DSTID(pkt), &nullid, sizeof(nullid)) || !relay_enabled) { + if(!relay_enabled || !memcmp(DSTID(pkt), &nullid, sizeof(nullid))) { direct = true; from = n; to = myself; @@ -1686,6 +1824,8 @@ skip_harder: } void handle_incoming_vpn_data(void *data, int flags) { + (void)data; + (void)flags; listen_socket_t *ls = data; #ifdef HAVE_RECVMMSG @@ -1701,14 +1841,14 @@ void handle_incoming_vpn_data(void *data, int flags) { iov[i] = (struct iovec) { .iov_base = DATA(&pkt[i]), - .iov_len = MAXSIZE, + .iov_len = MAXSIZE, }; msg[i].msg_hdr = (struct msghdr) { .msg_name = &addr[i].sa, - .msg_namelen = sizeof(addr)[i], - .msg_iov = &iov[i], - .msg_iovlen = 1, + .msg_namelen = sizeof(addr)[i], + .msg_iov = &iov[i], + .msg_iovlen = 1, }; } @@ -1734,13 +1874,13 @@ void handle_incoming_vpn_data(void *data, int flags) { #else vpn_packet_t pkt; - sockaddr_t addr = {}; + sockaddr_t addr = {0}; socklen_t addrlen = sizeof(addr); pkt.offset = 0; int len = recvfrom(ls->udp.fd, (void *)DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen); - if(len <= 0 || len > MAXSIZE) { + if(len <= 0 || (size_t)len > MAXSIZE) { if(!sockwouldblock(sockerrno)) { logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno)); } @@ -1755,6 +1895,8 @@ void handle_incoming_vpn_data(void *data, int flags) { } void handle_device_data(void *data, int flags) { + (void)data; + (void)flags; vpn_packet_t packet; packet.offset = DEFAULT_PACKET_OFFSET; packet.priority = 0;