2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2012 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 #include <openssl/rand.h>
26 #include <openssl/err.h>
27 #include <openssl/evp.h>
28 #include <openssl/pem.h>
29 #include <openssl/hmac.h>
39 #include "splay_tree.h"
42 #include "connection.h"
59 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
62 static void send_udppacket(node_t *, vpn_packet_t *);
64 unsigned replaywin = 16;
65 bool localdiscovery = false;
67 #define MAX_SEQNO 1073741824
69 /* mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
70 mtuprobes == 31: sleep pinginterval seconds
71 mtuprobes == 32: send 1 burst, sleep pingtimeout second
72 mtuprobes == 33: no response from other side, restart PMTU discovery process
74 Probes are sent in batches of three, with random sizes between the lower and
75 upper boundaries for the MTU thus far discovered.
77 In case local discovery is enabled, a fourth packet is added to each batch,
78 which will be broadcast to the local network.
81 static void send_mtu_probe_handler(int fd, short events, void *data) {
89 if(!n->status.reachable || !n->status.validkey) {
90 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send MTU probe to unreachable or rekeying node %s (%s)", n->name, n->hostname);
95 if(n->mtuprobes > 32) {
98 timeout = pinginterval;
102 logger(DEBUG_TRAFFIC, LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
108 if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
109 logger(DEBUG_TRAFFIC, LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
113 if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
114 if(n->minmtu > n->maxmtu)
115 n->minmtu = n->maxmtu;
117 n->maxmtu = n->minmtu;
119 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
123 if(n->mtuprobes == 31) {
124 timeout = pinginterval;
126 } else if(n->mtuprobes == 32) {
127 timeout = pingtimeout;
130 for(i = 0; i < 3 + localdiscovery; i++) {
131 if(n->maxmtu <= n->minmtu)
134 len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
139 memset(packet.data, 0, 14);
140 randomize(packet.data + 14, len - 14);
142 if(i >= 3 && n->mtuprobes <= 10)
143 packet.priority = -1;
147 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
149 send_udppacket(n, &packet);
153 event_add(&n->mtuevent, &(struct timeval){timeout, 0});
156 void send_mtu_probe(node_t *n) {
157 if(!timeout_initialized(&n->mtuevent))
158 timeout_set(&n->mtuevent, send_mtu_probe_handler, n);
159 send_mtu_probe_handler(0, 0, n);
162 static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
163 logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe length %d from %s (%s)", packet->len, n->name, n->hostname);
165 if(!packet->data[0]) {
167 send_udppacket(n, packet);
169 if(n->mtuprobes > 30) {
183 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
185 memcpy(dest, source, len);
187 } else if(level == 10) {
189 lzo_uint lzolen = MAXSIZE;
190 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
195 } else if(level < 10) {
197 unsigned long destlen = MAXSIZE;
198 if(compress2(dest, &destlen, source, len, level) == Z_OK)
205 lzo_uint lzolen = MAXSIZE;
206 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
216 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
218 memcpy(dest, source, len);
220 } else if(level > 9) {
222 lzo_uint lzolen = MAXSIZE;
223 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
231 unsigned long destlen = MAXSIZE;
232 if(uncompress(dest, &destlen, source, len) == Z_OK)
244 static void receive_packet(node_t *n, vpn_packet_t *packet) {
245 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
246 packet->len, n->name, n->hostname);
249 n->in_bytes += packet->len;
254 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
256 return sptps_verify_datagram(&n->sptps, (char *)inpkt->data - 4, inpkt->len);
258 if(!digest_active(&n->indigest) || inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest))
261 return digest_verify(&n->indigest, &inpkt->seqno, inpkt->len - n->indigest.maclength, (const char *)&inpkt->seqno + inpkt->len - n->indigest.maclength);
264 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
265 vpn_packet_t pkt1, pkt2;
266 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
268 vpn_packet_t *outpkt = pkt[0];
271 if(n->status.sptps) {
272 sptps_receive_data(&n->sptps, (char *)inpkt->data - 4, inpkt->len);
276 if(!cipher_active(&n->incipher)) {
277 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet",
278 n->name, n->hostname);
282 /* Check packet length */
284 if(inpkt->len < sizeof inpkt->seqno + digest_length(&n->indigest)) {
285 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
286 n->name, n->hostname);
290 /* Check the message authentication code */
292 if(digest_active(&n->indigest)) {
293 inpkt->len -= n->indigest.maclength;
294 if(!digest_verify(&n->indigest, &inpkt->seqno, inpkt->len, (const char *)&inpkt->seqno + inpkt->len)) {
295 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
299 /* Decrypt the packet */
301 if(cipher_active(&n->incipher)) {
302 outpkt = pkt[nextpkt++];
305 if(!cipher_decrypt(&n->incipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
306 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
310 outpkt->len = outlen;
314 /* Check the sequence number */
316 inpkt->len -= sizeof inpkt->seqno;
317 inpkt->seqno = ntohl(inpkt->seqno);
320 if(inpkt->seqno != n->received_seqno + 1) {
321 if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
322 if(n->farfuture++ < replaywin >> 2) {
323 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
324 n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
327 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
328 inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
329 memset(n->late, 0, replaywin);
330 } else if (inpkt->seqno <= n->received_seqno) {
331 if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
332 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
333 n->name, n->hostname, inpkt->seqno, n->received_seqno);
337 for(int i = n->received_seqno + 1; i < inpkt->seqno; i++)
338 n->late[(i / 8) % replaywin] |= 1 << i % 8;
343 n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
346 if(inpkt->seqno > n->received_seqno)
347 n->received_seqno = inpkt->seqno;
349 if(n->received_seqno > MAX_SEQNO)
352 /* Decompress the packet */
354 length_t origlen = inpkt->len;
356 if(n->incompression) {
357 outpkt = pkt[nextpkt++];
359 if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) {
360 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
361 n->name, n->hostname);
367 origlen -= MTU/64 + 20;
372 if(!inpkt->data[12] && !inpkt->data[13])
373 mtu_probe_h(n, inpkt, origlen);
375 receive_packet(n, inpkt);
378 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
382 if(c->options & OPTION_TCPONLY)
385 outpkt.priority = -1;
386 memcpy(outpkt.data, buffer, len);
388 receive_packet(c->node, &outpkt);
391 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
392 vpn_packet_t pkt1, pkt2;
393 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
394 vpn_packet_t *inpkt = origpkt;
396 vpn_packet_t *outpkt;
397 int origlen = origpkt->len;
399 #if defined(SOL_IP) && defined(IP_TOS)
400 static int priority = 0;
402 int origpriority = origpkt->priority;
404 if(!n->status.reachable) {
405 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
409 /* Make sure we have a valid key */
411 if(!n->status.validkey) {
412 time_t now = time(NULL);
414 logger(DEBUG_TRAFFIC, LOG_INFO,
415 "No valid key known yet for %s (%s), forwarding via TCP",
416 n->name, n->hostname);
418 if(n->last_req_key + 10 <= now) {
420 n->last_req_key = now;
423 send_tcppacket(n->nexthop->connection, origpkt);
428 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (inpkt->data[12] | inpkt->data[13])) {
429 logger(DEBUG_TRAFFIC, LOG_INFO,
430 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
431 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
434 send_packet(n->nexthop, origpkt);
436 send_tcppacket(n->nexthop->connection, origpkt);
441 if(n->status.sptps) {
443 if(!(inpkt->data[12] | inpkt->data[13]))
445 sptps_send_record(&n->sptps, type, (char *)inpkt->data, inpkt->len);
449 /* Compress the packet */
451 if(n->outcompression) {
452 outpkt = pkt[nextpkt++];
454 if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) {
455 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
456 n->name, n->hostname);
463 /* Add sequence number */
465 inpkt->seqno = htonl(++(n->sent_seqno));
466 inpkt->len += sizeof inpkt->seqno;
468 /* Encrypt the packet */
470 if(cipher_active(&n->outcipher)) {
471 outpkt = pkt[nextpkt++];
474 if(!cipher_encrypt(&n->outcipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
475 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
479 outpkt->len = outlen;
483 /* Add the message authentication code */
485 if(digest_active(&n->outdigest)) {
486 digest_create(&n->outdigest, &inpkt->seqno, inpkt->len, (char *)&inpkt->seqno + inpkt->len);
487 inpkt->len += digest_length(&n->outdigest);
490 /* Determine which socket we have to use */
492 if(n->address.sa.sa_family != listen_socket[n->sock].sa.sa.sa_family) {
493 for(int sock = 0; sock < listen_sockets; sock++) {
494 if(n->address.sa.sa_family == listen_socket[sock].sa.sa.sa_family) {
501 /* Send the packet */
507 /* Overloaded use of priority field: -1 means local broadcast */
509 if(origpriority == -1 && n->prevedge) {
510 struct sockaddr_in in;
511 in.sin_family = AF_INET;
512 in.sin_addr.s_addr = -1;
513 in.sin_port = n->prevedge->address.in.sin_port;
514 sa = (struct sockaddr *)∈
518 if(origpriority == -1)
521 sa = &(n->address.sa);
522 sl = SALEN(n->address.sa);
526 #if defined(SOL_IP) && defined(IP_TOS)
527 if(priorityinheritance && origpriority != priority
528 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
529 priority = origpriority;
530 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
531 if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
532 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
536 if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
537 if(sockmsgsize(sockerrno)) {
538 if(n->maxmtu >= origlen)
539 n->maxmtu = origlen - 1;
540 if(n->mtu >= origlen)
541 n->mtu = origlen - 1;
543 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
547 origpkt->len = origlen;
550 bool send_sptps_data(void *handle, uint8_t type, const char *data, size_t len) {
553 if(type >= SPTPS_HANDSHAKE) {
554 char buf[len * 4 / 3 + 5];
555 b64encode(data, buf, len);
556 if(!to->status.validkey)
557 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 -1", ANS_KEY, myself->name, to->name, buf);
559 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, myself->name, to->name, REQ_SPTPS, buf);
562 /* Send the packet */
568 sa = &(to->address.sa);
569 sl = SALEN(to->address.sa);
572 if(sendto(listen_socket[sock].udp, data, len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
573 if(sockmsgsize(sockerrno)) {
574 if(to->maxmtu >= len)
575 to->maxmtu = len - 1;
579 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", to->name, to->hostname, sockstrerror(sockerrno));
587 bool receive_sptps_record(void *handle, uint8_t type, const char *data, uint16_t len) {
588 node_t *from = handle;
590 if(type == SPTPS_HANDSHAKE) {
591 from->status.validkey = true;
592 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
597 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
603 memcpy(inpkt.data, data, len);
605 if(type == PKT_PROBE) {
606 mtu_probe_h(from, &inpkt, len);
611 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
615 receive_packet(from, &inpkt);
620 send a packet to the given vpn ip.
622 void send_packet(node_t *n, vpn_packet_t *packet) {
627 memcpy(packet->data, mymac.x, ETH_ALEN);
629 n->out_bytes += packet->len;
630 devops.write(packet);
634 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)",
635 packet->len, n->name, n->hostname);
637 if(!n->status.reachable) {
638 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable",
639 n->name, n->hostname);
644 n->out_bytes += packet->len;
646 via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
649 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)",
650 n->name, via->name, n->via->hostname);
652 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
653 if(!send_tcppacket(via->connection, packet))
654 terminate_connection(via->connection, true);
656 send_udppacket(via, packet);
659 /* Broadcast a packet using the minimum spanning tree */
661 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
666 // Always give ourself a copy of the packet.
668 send_packet(myself, packet);
670 // In TunnelServer mode, do not forward broadcast packets.
671 // The MST might not be valid and create loops.
672 if(tunnelserver || broadcast_mode == BMODE_NONE)
675 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
676 packet->len, from->name, from->hostname);
678 switch(broadcast_mode) {
679 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
680 // This guarantees all nodes receive the broadcast packet, and
681 // usually distributes the sending of broadcast packets over all nodes.
683 for(node = connection_tree->head; node; node = node->next) {
686 if(c->status.active && c->status.mst && c != from->nexthop->connection)
687 send_packet(c->node, packet);
691 // In direct mode, we send copies to each node we know of.
692 // However, this only reaches nodes that can be reached in a single hop.
693 // We don't have enough information to forward broadcast packets in this case.
698 for(node = node_udp_tree->head; node; node = node->next) {
701 if(n->status.reachable && ((n->via == myself && n->nexthop == n) || n->via == n))
702 send_packet(n, packet);
711 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
716 static time_t last_hard_try = 0;
717 time_t now = time(NULL);
719 for(node = edge_weight_tree->head; node; node = node->next) {
725 if(sockaddrcmp_noport(from, &e->address)) {
726 if(last_hard_try == now)
731 if(!try_mac(e->to, pkt))
745 void handle_incoming_vpn_data(int sock, short events, void *data) {
749 socklen_t fromlen = sizeof from;
753 len = recvfrom(sock, (char *) &pkt.seqno, MAXSIZE, 0, &from.sa, &fromlen);
755 if(len <= 0 || len > MAXSIZE) {
756 if(!sockwouldblock(sockerrno))
757 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
763 sockaddrunmap(&from); /* Some braindead IPv6 implementations do stupid things. */
765 n = lookup_node_udp(&from);
768 n = try_harder(&from, &pkt);
770 update_node_udp(n, &from);
771 else if(debug_level >= DEBUG_PROTOCOL) {
772 hostname = sockaddr2hostname(&from);
773 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
781 n->sock = (intptr_t)data;
783 receive_udppacket(n, &pkt);
786 void handle_device_data(int sock, short events, void *data) {
791 if(devops.read(&packet)) {
792 myself->in_packets++;
793 myself->in_bytes += packet.len;
794 route(myself, &packet);
projects / tinc / blob