X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fnet_packet.c;h=de6ae550ed24ddeeede7cb7c87a58b36f2d8c27a;hp=8b877c21a93e59349695fac2aef00542b3db1522;hb=2c67eafc6e6c5e210636c0d2bad15827bf2d7cf0;hpb=412f3fb5101514d9a7d4d9e5729ee9c665a07cb6 diff --git a/src/net_packet.c b/src/net_packet.c index 8b877c21..de6ae550 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -1,7 +1,7 @@ /* net_packet.c -- Handles in- and outgoing VPN packets Copyright (C) 1998-2005 Ivo Timmermans, - 2000-2006 Guus Sliepen + 2000-2009 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -29,7 +29,7 @@ #include #include -#include +#include LZO1X_H #include "avl_tree.h" #include "conf.h" @@ -90,13 +90,14 @@ void send_mtu_probe(node_t *n) memset(packet.data, 0, 14); RAND_pseudo_bytes(packet.data + 14, len - 14); packet.len = len; + packet.priority = 0; ifdebug(TRAFFIC) logger(LOG_INFO, _("Sending MTU probe length %d to %s (%s)"), len, n->name, n->hostname); send_udppacket(n, &packet); } - n->mtuevent = xmalloc(sizeof(*n->mtuevent)); + n->mtuevent = new_event(); n->mtuevent->handler = (event_handler_t)send_mtu_probe; n->mtuevent->data = n; n->mtuevent->time = now + 1; @@ -167,6 +168,18 @@ static void receive_packet(node_t *n, vpn_packet_t *packet) route(n, packet); } +static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) +{ + unsigned char hmac[EVP_MAX_MD_SIZE]; + + if(!n->indigest || !n->inmaclength || !n->inkey || inpkt->len < sizeof inpkt->seqno + n->inmaclength) + return false; + + HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL); + + return !memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength); +} + static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { vpn_packet_t pkt1, pkt2; @@ -179,9 +192,15 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) cp(); + if(!n->inkey) { + ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got packet from %s (%s) but he hasn't got our key yet"), + n->name, n->hostname); + return; + } + /* Check packet length */ - if(inpkt->len < sizeof(inpkt->seqno) + myself->maclength) { + if(inpkt->len < sizeof(inpkt->seqno) + n->inmaclength) { ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got too short packet from %s (%s)"), n->name, n->hostname); return; @@ -189,12 +208,12 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) /* Check the message authentication code */ - if(myself->digest && myself->maclength) { - inpkt->len -= myself->maclength; - HMAC(myself->digest, myself->key, myself->keylength, + if(n->indigest && n->inmaclength) { + inpkt->len -= n->inmaclength; + HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL); - if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, myself->maclength)) { + if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) { ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"), n->name, n->hostname); return; @@ -203,13 +222,13 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) /* Decrypt the packet */ - if(myself->cipher) { + if(n->incipher) { outpkt = pkt[nextpkt++]; - if(!EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL) - || !EVP_DecryptUpdate(&packet_ctx, (unsigned char *) &outpkt->seqno, &outlen, + if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL) + || !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen, (unsigned char *) &inpkt->seqno, inpkt->len) - || !EVP_DecryptFinal_ex(&packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { + || !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s): %s"), n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); return; @@ -252,10 +271,10 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) /* Decompress the packet */ - if(myself->compression) { + if(n->incompression) { outpkt = pkt[nextpkt++]; - if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, myself->compression)) < 0) { + if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, n->incompression)) < 0) { ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while uncompressing packet from %s (%s)"), n->name, n->hostname); return; @@ -264,6 +283,8 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) inpkt = outpkt; } + inpkt->priority = 0; + if(n->connection) n->connection->last_ping_time = now; @@ -280,6 +301,10 @@ void receive_tcppacket(connection_t *c, char *buffer, int len) cp(); outpkt.len = len; + if(c->options & OPTION_TCPONLY) + outpkt.priority = 0; + else + outpkt.priority = -1; memcpy(outpkt.data, buffer, len); receive_packet(c->node, &outpkt); @@ -294,7 +319,6 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) vpn_packet_t *outpkt; int origlen; int outlen, outpad; - vpn_packet_t *copy; static int priority = 0; int origpriority; int sock; @@ -305,22 +329,25 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) if(!n->status.validkey) { ifdebug(TRAFFIC) logger(LOG_INFO, - _("No valid key known yet for %s (%s), queueing packet"), + _("No valid key known yet for %s (%s), forwarding via TCP"), n->name, n->hostname); - /* Since packet is on the stack of handle_tap_input(), we have to make a copy of it first. */ + if(!n->status.waitingforkey) + send_req_key(n); - *(copy = xmalloc(sizeof(*copy))) = *inpkt; + n->status.waitingforkey = true; - list_insert_tail(n->queue, copy); + send_tcppacket(n->nexthop->connection, origpkt); - if(n->queue->count > MAXQUEUELENGTH) - list_delete_head(n->queue); + return; + } - if(!n->status.waitingforkey) - send_req_key(n->nexthop->connection, myself, n); + if(n->options & OPTION_PMTU_DISCOVERY && !n->minmtu && (inpkt->data[12] | inpkt->data[13])) { + ifdebug(TRAFFIC) logger(LOG_INFO, + _("No minimum MTU established yet for %s (%s), forwarding via TCP"), + n->name, n->hostname); - n->status.waitingforkey = true; + send_tcppacket(n->nexthop->connection, origpkt); return; } @@ -330,10 +357,10 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) /* Compress the packet */ - if(n->compression) { + if(n->outcompression) { outpkt = pkt[nextpkt++]; - if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->compression)) < 0) { + if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->outcompression)) < 0) { ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while compressing packet to %s (%s)"), n->name, n->hostname); return; @@ -349,13 +376,13 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) /* Encrypt the packet */ - if(n->cipher) { + if(n->outcipher) { outpkt = pkt[nextpkt++]; - if(!EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL) - || !EVP_EncryptUpdate(&n->packet_ctx, (unsigned char *) &outpkt->seqno, &outlen, + if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL) + || !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen, (unsigned char *) &inpkt->seqno, inpkt->len) - || !EVP_EncryptFinal_ex(&n->packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { + || !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"), n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); goto end; @@ -367,10 +394,10 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) /* Add the message authentication code */ - if(n->digest && n->maclength) { - HMAC(n->digest, n->key, n->keylength, (unsigned char *) &inpkt->seqno, + if(n->outdigest && n->outmaclength) { + HMAC(n->outdigest, n->outkey, n->outkeylength, (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL); - inpkt->len += n->maclength; + inpkt->len += n->outmaclength; } /* Determine which socket we have to use */ @@ -433,13 +460,13 @@ void send_packet(const node_t *n, vpn_packet_t *packet) return; } - via = (n->via == myself) ? n->nexthop : n->via; + via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via; if(via != n) - ifdebug(TRAFFIC) logger(LOG_ERR, _("Sending packet to %s via %s (%s)"), + ifdebug(TRAFFIC) logger(LOG_INFO, _("Sending packet to %s via %s (%s)"), n->name, via->name, n->via->hostname); - if((myself->options | via->options) & OPTION_TCPONLY) { + if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) { if(!send_tcppacket(via->connection, packet)) terminate_connection(via->connection, true); } else @@ -469,19 +496,28 @@ void broadcast_packet(const node_t *from, vpn_packet_t *packet) } } -void flush_queue(node_t *n) -{ - list_node_t *node, *next; +static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) { + avl_node_t *node; + edge_t *e; + node_t *n = NULL; - cp(); + for(node = edge_weight_tree->head; node; node = node->next) { + e = node->data; + + if(sockaddrcmp_noport(from, &e->address)) + continue; - ifdebug(TRAFFIC) logger(LOG_INFO, _("Flushing queue for %s (%s)"), n->name, n->hostname); + if(!n) + n = e->to; - for(node = n->queue->head; node; node = next) { - next = node->next; - send_udppacket(n, node->data); - list_delete_node(n->queue, node); + if(!try_mac(e->to, pkt)) + continue; + + n = e->to; + break; } + + return n; } void handle_incoming_vpn_data(int sock) @@ -506,11 +542,15 @@ void handle_incoming_vpn_data(int sock) n = lookup_node_udp(&from); if(!n) { - hostname = sockaddr2hostname(&from); - logger(LOG_WARNING, _("Received UDP packet from unknown source %s"), - hostname); - free(hostname); - return; + n = try_harder(&from, &pkt); + if(n) + update_node_udp(n, &from); + else { + hostname = sockaddr2hostname(&from); + logger(LOG_WARNING, _("Received UDP packet from unknown source %s"), hostname); + free(hostname); + return; + } } receive_udppacket(n, &pkt);